Problem with NATD

Pavel Obr obr at sosgastro.cz
Mon Mar 6 15:44:05 CET 2006


Pavel Obr wrote:

Small correction ...
in natd.conf it is of course

redirect_port tcp 192.168.3.37:81 8080


Petr Bezděk wrote:
>>> .........
> ....................
>>> Somewhere around here you have to place a rule that allows the translated
>>> packets for the port forwarding.
>>>
>>> $cmd 395 allow tcp from any to 192.168.3.37 80 in via $pif setup limit src-addr 2
>>>
>>> # Reject & Log all unauthorized incoming connections from the public 
>>> Internet
>>> $cmd 400 deny log all from any to any in via $pif
>>>
>>> # Reject & Log all unauthorized out going connections to the public
>>> Internet
>>> $cmd 450 deny log all from any to any out via $pif
>>>
>>> # This is skipto location for outbound stateful rules
>>> $cmd 800 divert natd ip from any to any out via $pif
>>> $cmd 801 allow ip from any to any
>>>
>>> # Everything else is denied by default
>>> # deny and log all packets that fell through to see what they are
>>> $cmd 999 deny log all from any to any
>>> ################ End of IPFW rules file ###############################
>>
>> You can verify that it works with tcpdump and, if needed, by looking in the log
>> (/var/log/security) for the entries corresponding to rule number 400.
>>
>> tcpdump -ns1500 -ixl0 host 192.168.1.10 port 8080
>> tcpdump -ns1500 -irl0 host 192.168.3.37 port 80
>
> Thanks for the advice, and you are probably right, but to avoid problems with
> badly configured firewall rules and to find out whether "reverse NAT" works at
> all, I did not restrict anything and changed
>
> ipfw.rules to:
> _________________________
> #!/bin/sh
> ################ Start of IPFW rules file ###############################
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> pif="xl0"     # public interface name of NIC
>               # facing the public Internet
>
> #################################################################
> # check if packet is inbound and nat address if it is
> #################################################################
> $cmd 014 divert natd ip from any to any in via $pif
> #################################################################
> # Allow the packet through if it has previous been added to the
> # the "dynamic" rules table by a allow keep-state statement.
> #################################################################
> $cmd 015 check-state
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destine for the public Internet.
> #################################################################
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> ################ End of IPFW rules file ###############################
>
> I also changed the port on which ISS listens in the LAN to 81
>
> natd.conf now looks like this:
>
> redirect_port 192.168.3.37:81 8080
>
>
> And the result is that it still does not work for me.
>
> I want to ask... is my reasoning correct that if the firewall is configured
> so that it restricts nothing, then NAT "the other way round" should work (the
> kernel is compiled with the option IPFIREWALL_DEFAULT_TO_ACCEPT)? So the
> error is elsewhere?
>
> I have also recompiled the kernel to be more "VERBOSE" for logging so that I can read something in /var/log/security - but I have not been able to test that yet.
>
> tcpdump -i xl0 (that is the external iface) port 8080 prints:
> 15:19:07.732960 IP 192.168.1.3.2361 > hestia.8080: S 2724074282:2724074282(0) win 5840 <mss 1460,sackOK,timestamp 45328324 0,nop,wscale 0> - I admit I do not know what this means - I will try to work it out
>
> tcpdump -i rl0 (that is the internal iface) port 81 prints nothing.
> Outbound NAT, however, works normally.
>
> I just want to add that I am testing the "functionality" from a machine whose address is in the same range as the "external iface" xl0.
>
> Pavel Obr
More information about the Users-l mailing list