Problem with NATD

Pavel Obr obr at sosgastro.cz
Mon Mar 6 09:00:23 CET 2006


I just forgot one small detail....
I want to redirect a request for port 192.168.1.1:8080 to 192.168.3.37:80
- but that already follows from natd.conf.

Obr Pavel wrote:
> Hello,
> I'm trying to solve a problem with natd... I've tried all sorts of things and searched the internet, but
> I really don't know what's wrong...
> I've been using NAT for outbound traffic for some time without problems, set up according to the handbook, but
> the "inbound" redirection doesn't work for me....
>
> We connect to the internet through our provider's router. When I
> need to open some service on a certain port on our server,
> I ask him and he forwards that port to my machine.
> The provider's router has IP 192.168.1.1 and my services reachable from the internet
> are on machines with IPs in 192.168.1.0/24 (this is where I provide the internet-reachable
> services: Apache, proxy, NAT). My LAN has IPs in the range 192.168.3.0/24.
> Unfortunately I now have to provide, from one machine on the internal LAN
> (192.168.3.0/24), one service that for now can only be run on a
> Windows machine; it is a service tied to Microsoft's IIS web server.
>
> I only have Windows on workstations in the 192.168.3.0/24 LAN.
> That means I have to use NAT "in reverse" on the machine with 2 NICs, which
> provides NAT + squid proxy, and send the request on to that Windows machine.
> One NIC is in 192.168.1.0/24 and the other is a member of 192.168.3.0/24.
> Outbound NAT works for me, but inbound (redirection to that Windows
> workstation) doesn't at all...
> The problem is probably in ipfw.rules, but I don't know what.
> Thanks for any advice....
> Pavel
>
>
> The kernel is compiled with these options:
> _______________________________________
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=5
> options IPFIREWALL_DEFAULT_TO_ACCEPT # I want to remove this option and recompile once the problem is solved
>
> File rc.conf:
> _______________________________________
> sendmail_enable="NONE"
> sshd_enable="YES"
> # Network settings
> ifconfig_xl0="inet 192.168.1.10 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.3.12 netmask 255.255.255.0"
> defaultrouter="192.168.1.1" # provider's router
> hostname="xxx.xxx.xxx.cz"
> apm_enable="NO"
> # Apache
> apache_enable="YES" # Apache listens on port 80
> apache_flags="-DSSL"
> apache_pidfile="/var/run/httpd.pid"
> # MySQL
> mysql_enable="YES"
> # NTPDate - time synchronisation
> ntpdate_flags="ntp.karpo.cz"
> ntpdate_enable="YES"
> # NAT options
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xl0" # "outside" address 192.168.1.10
> natd_flags="-f /etc/natd.conf"
> firewall_type="OPEN"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> squid_enable="YES"
>
>
> ipfw.rules: it is the same as the example in the HANDBOOK
> ______________________________________
>
> #!/bin/sh
> ################ Start of IPFW rules file ###############################
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 800"
> pif="xl0"     # public interface name of NIC
>               # facing the public Internet
>
> #################################################################
> # No restrictions on Inside LAN Interface for private network
> # Change xl0 to your LAN NIC interface name
> #################################################################
> $cmd 005 allow all from any to any via rl0
>
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> $cmd 010 allow all from any to any via lo0
>
> #################################################################
> # check if packet is inbound and nat address if it is
> #################################################################
> $cmd 014 divert natd ip from any to any in via $pif
>
> #################################################################
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> #################################################################
> $cmd 015 check-state
>
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destined for the public Internet.
> #################################################################
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to 62.77.67.2 53 out via $pif setup keep-state
>
>
> # Allow out access to my ISP's DHCP server for cable/DSL configurations.
> #$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
>
> # Allow out non-secure standard www function
> $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
>
> # Allow out send & get email function
> $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
> $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
>
> # Allow out FreeBSD (make install & CVSUP) functions
> # Basically give user root "GOD" privileges.
> $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
>
> # Allow out ping
> $cmd 080 $skip icmp from any to any out via $pif keep-state
>
> # Allow out Time
> $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
>
> # Allow out nntp news (i.e. news groups)
> $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
>
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
>
> # Allow out whois
> $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
>
> # Allow ntp time server
> $cmd 130 $skip udp from any to any 123 out via $pif keep-state
>
> #################################################################
> # Interface facing Public Internet (Inbound Section)
> # Interrogate packets originating from the public Internet
> # destined for this gateway server or the private network.
> #################################################################
>
> # Deny all inbound traffic from non-routable reserved address spaces
> #$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
> $cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
> $cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast
>
> # Deny ident
> $cmd 315 deny tcp from any to any 113 in via $pif
>
> # Deny all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> $cmd 320 deny tcp from any to any 137 in via $pif
> $cmd 321 deny tcp from any to any 138 in via $pif
> $cmd 322 deny tcp from any to any 139 in via $pif
> $cmd 323 deny tcp from any to any 81  in via $pif
>
> # Deny any late arriving packets
> $cmd 330 deny all from any to any frag in via $pif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in via $pif
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public Internet. This is the same IP address you captured
> # and used in the outbound section.
> #$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
>
> # Allow in standard www function because I have Apache server
> $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 375 allow tcp from any to me 443 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # Internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> #$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
>
> # Reject & Log all unauthorized incoming connections from the public Internet
> $cmd 400 deny log all from any to any in via $pif
>
> # Reject & Log all unauthorized outgoing connections to the public Internet
> $cmd 450 deny log all from any to any out via $pif
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
> ################ End of IPFW rules file ###############################
>
>
> File natd.conf:
> ___________________________________
> redirect_port tcp 192.168.3.37:80 8080
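The missing piece, as an added example from the editor and not anything posted in the thread: the inbound section of the ruleset quoted above with one extra rule for the redirect. It assumes the names from the quoted configuration (xl0, rl0, 192.168.3.37:80, the skipto 800 NAT block); rule number 376, the `add`/`say` helpers and the dry-run mode are the editor's additions. The point it shows is ordering: rule 014 hands the packet to natd before any later rule sees it, so by the time rule 370 runs the destination is already 192.168.3.37:80 and "to me 80" (or "to me 8080") can never match.

```shell
#!/bin/sh
# Added example (editor's, not the poster's /etc/ipfw.rules): the inbound
# section of the handbook-style ruleset above, with the one rule that is
# missing for the natd redirect 192.168.1.10:8080 -> 192.168.3.37:80.
# Only the rules involved in the redirect are repeated here; the outbound
# section (020-130) and the inbound deny rules (300-332) stay as they are.
#
# IPFW=ipfw (default) loads the rules; IPFW=say only prints them, so the
# script can be checked on any machine without touching a kernel.
IPFW="${IPFW:-ipfw}"
say() { printf 'ipfw %s\n' "$*"; }

pif="xl0"               # public interface (natd_interface in rc.conf)
lif="rl0"               # LAN interface
target="192.168.3.37"   # host that natd.conf redirects to ...
tport="80"              # ... and the port on that host
skip="skipto 800"

add() { $IPFW -q add "$@"; }

load_rules() {
    $IPFW -q -f flush
    add 005 allow all from any to any via "$lif"
    add 010 allow all from any to any via lo0

    # 014 hands every inbound packet on $pif to natd BEFORE any later rule
    # sees it.  A SYN to 192.168.1.10:8080 therefore continues from rule 015
    # with destination $target:$tport.
    add 014 divert natd ip from any to any in via "$pif"
    add 015 check-state

    # Why the posted ruleset drops the redirect: 370 matches "to me 80", but
    # after 014 the destination is $target, which is not an address of this
    # host, so the SYN falls through to 400 and is logged as denied.
    add 370 allow tcp from any to me 80 in via "$pif" setup limit src-addr 2
    add 375 allow tcp from any to me 443 in via "$pif" setup limit src-addr 2

    # The fix: accept the already-rewritten SYN.  It has to be $skip plus
    # keep-state rather than "allow ... limit": the reply from $target is
    # matched by check-state at 015, which re-runs this rule's action
    # (skipto 800), so the reply goes through the outbound divert at 800 and
    # natd turns its source back into 192.168.1.10:8080.  With a plain
    # allow the reply would leave $pif with source $target and never reach
    # the client.
    add 376 $skip tcp from any to "$target" "$tport" in via "$pif" setup keep-state

    add 380 allow tcp from any to me 22 in via "$pif" setup limit src-addr 2
    add 400 deny log all from any to any in via "$pif"
    add 450 deny log all from any to any out via "$pif"
    add 800 divert natd ip from any to any out via "$pif"
    add 801 allow ip from any to any
    add 999 deny log all from any to any
}

# Dry run: print the rules exactly as they would be loaded.
render_rules() { ( IPFW=say; load_rules ); }

# Load for real only when run as the firewall_script (sh /etc/ipfw.rules).
if [ "$IPFW" = ipfw ] && [ "${0##*/}" = "ipfw.rules" ]; then
    load_rules
fi
```

Checks a practitioner would run on the gateway after loading this: `ipfw -a list` to see the counter on rule 376 move when a client connects to 192.168.1.10:8080, `ipfw -d list` to see the dynamic entry it created, and `tcpdump -ni rl0 host 192.168.3.37 and port 80` to confirm the rewritten SYN leaves on the LAN side and the SYN/ACK comes back. If the SYN goes out but nothing returns, the Windows host is the suspect (its default gateway must be 192.168.3.12 and its own firewall must accept port 80), not ipfw. With firewall_logging on, the posted ruleset also leaves its evidence in /var/log/security: rule 400 logs the denied SYN with destination 192.168.3.37:80 rather than 192.168.1.10:8080, which shows natd did its part and ipfw dropped the result.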


More information about the Users-l mailing list