Problém s NATD
Pavel Obr
obr at sosgastro.cz
Mon Mar 6 15:30:55 CET 2006
Petr Bezděk napsal(a):
>> .........
>>
....................
>> Nekam do techto mist musite umistit pravidlo, ktere povoli prelozene
>> pakety pro port-forwarding.
>>
>> $cmd 395 allow tcp from any to 192.168.3.37 80 in via $pif setup limit src-addr 2
>>
>>
>> # Reject & Log all unauthorized incoming connections from the public
>> Internet
>> $cmd 400 deny log all from any to any in via $pif
>>
>> # Reject & Log all unauthorized out going connections to the public
>>
> Internet
>
>> $cmd 450 deny log all from any to any out via $pif
>>
>> # This is skipto location for outbound stateful rules
>> $cmd 800 divert natd ip from any to any out via $pif
>> $cmd 801 allow ip from any to any
>>
>> # Everything else is denied by default
>> # deny and log all packets that fell through to see what they are
>> $cmd 999 deny log all from any to any
>> ################ End of IPFW rules file
>>
> ###############################
>
>>
>
> Funkcnost lze overit pomoci tcpdumpu a pripadne prohlednutim logu
> (/vat/log/security) a zaznamu odpovidajici pravidlu s cislem 400.
>
> tcpdump -ns1500 -ixl0 host 192.168.1.10 port 8080
> tcpdump -ns1500 -irl0 host 192.168.3.37 port 80
>
Dík za radu a mate asi pravdu, ale abych se vyhnul problemum se spatne
nakonfigurovanymi pravidly firewallu a zjistil, zda "NAT zpet" vubec
funguje, nic jsem neomezil a zmenil
ipfw.rules na:
_________________________
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="xl0" # public interface name of NIC
# facing the public Internet
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
################ End of IPFW rules file ###############################
Dale jsem zmenil port na kterem posloucha ISS v LAN na 81
natd.conf ted vypadá takto:
redirect_port 192.168.3.37:81 8080
No a vysledek je ten, ze mi to stejne nefunguje.
Chci se zeptat...je moje uvaha spravna, ze pokud je firewall
nakonfigurovana tak, ze nic neomezuje, tak by NAT "obracene" mel
fungovat (jadro je zkompilovane s volbou
IPFIREWALL_DEFAULT_TO_ACCEPT)? Chyba je tedy jinde?
Dale jsem prekompiloval jadro, aby bylo vice "VERBOSE" pro logovani a tak se neco docetl ve /var/log/security - to vsak jeste nemohu vyskouset.
tcpdump -i xl0 (to je vnejsi iface) port 8080 pise:
15:19:07.732960 IP 192.168.1.3.2361 > hestia.8080: S 2724074282:2724074282(0) win 5840 <mss 1460,sackOK,timestamp 45328324 0,nop,wscale 0> - priznam se - nevim co to znamena - pokusim se vycist
tcpdump -i rl0 (to je vnitrni iface) port 81 nepise nic.
Ven ovsem NAT funguje normalne.
Chci jen jeste rici, ze "funkcnost" zkousim ze stroje, ktery ma adresu v rozsahu stejnem jako "vnejsi iface" xl0.
Pavel Obr
More information about the Users-l
mailing list