Problem with NATD
Pavel Obr
obr at sosgastro.cz
Tue Mar 7 07:46:34 CET 2006
I have 5.4-RELEASE-p11 there with the GENERIC kernel plus the options added for NAT
(following the handbook):
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5 # I changed this option to 100 yesterday and will try looking through the logs
options IPFIREWALL_DEFAULT_TO_ACCEPT # I want to remove this option and recompile again once the problem is solved
Pavel Obr
Petr Macek wrote:
> What BSD version do you have there?
> Last week the same problem showed up for me on one machine. On 10
> others it works this way for me, on this one it doesn't. I spent a long time playing with
> the firewall, NAT, ... nothing shows in the log, with tcpdump I see the request on the outer
> interface but no longer on the inner one. It is probably since the last
> kernel and world compilation I did. I didn't figure anything out, and I didn't
> go into the sources ...
> I have it on 5.3-RELEASE-p26
> PM
>
> Pavel Obr wrote:
>
>> Petr Bezděk wrote:
>>
>>>> .........
>>>>
>>>>
>> ....................
>>
>>>> Somewhere around here you have to place a rule that allows the translated
>>>> packets for the port forwarding.
>>>>
>>>> $cmd 395 allow tcp from any to 192.168.3.37 80 in via $pif setup limit src-addr 2
>>>>
>>>>
>>>> # Reject & Log all unauthorized incoming connections from the public Internet
>>>> $cmd 400 deny log all from any to any in via $pif
>>>>
>>>> # Reject & Log all unauthorized outgoing connections to the public Internet
>>>> $cmd 450 deny log all from any to any out via $pif
>>>>
>>>> # This is skipto location for outbound stateful rules
>>>> $cmd 800 divert natd ip from any to any out via $pif
>>>> $cmd 801 allow ip from any to any
>>>>
>>>> # Everything else is denied by default
>>>> # deny and log all packets that fell through to see what they are
>>>> $cmd 999 deny log all from any to any
>>>> ################ End of IPFW rules file ###############################
>>>>
>>> Functionality can be verified with tcpdump and, if needed, by looking through the log
>>> (/var/log/security) for the entries matching rule number 400.
>>>
>>> tcpdump -ns1500 -ixl0 host 192.168.1.10 port 8080
>>> tcpdump -ns1500 -irl0 host 192.168.3.37 port 80
>>>
>>>
>> Thanks for the advice, and you're probably right, but to avoid problems with badly
>> configured firewall rules and to find out whether the "reverse NAT" works
>> at all, I didn't restrict anything and changed
>>
>> ipfw.rules to:
>> _________________________
>> #!/bin/sh
>> ################ Start of IPFW rules file ###############################
>> # Flush out the list before we begin.
>> ipfw -q -f flush
>>
>> # Set rules command prefix
>> cmd="ipfw -q add"
>> pif="xl0" # public interface name of NIC
>> # facing the public Internet
>>
>> #################################################################
>> # check if packet is inbound and nat address if it is
>> #################################################################
>> $cmd 014 divert natd ip from any to any in via $pif
>> #################################################################
>> # Allow the packet through if it has previously been added to the
>> # "dynamic" rules table by an allow keep-state statement.
>> #################################################################
>> $cmd 015 check-state
>> #################################################################
>> # Interface facing Public Internet (Outbound Section)
>> # Interrogate session start requests originating from behind the
>> # firewall on the private network or from this gateway server
>> # destined for the public Internet.
>> #################################################################
>> # This is skipto location for outbound stateful rules
>> $cmd 800 divert natd ip from any to any out via $pif
>> ################ End of IPFW rules file ###############################
>>
>> Then I changed the port on which ISS listens on the LAN to 81
>>
>> natd.conf now looks like this:
>>
>> redirect_port 192.168.3.37:81 8080
>>
>>
>> And the result is that it still doesn't work for me.
>>
>> I want to ask... is my reasoning correct that if the firewall
>> is configured so that it restricts nothing, then the "reverse" NAT should
>> work (the kernel is compiled with the option
>>
>> IPFIREWALL_DEFAULT_TO_ACCEPT)? So the error is somewhere else?
>>
>> I also recompiled the kernel to be more "VERBOSE" for logging so that I can read something in /var/log/security - but I can't test that yet.
>>
>> tcpdump -i xl0 (that is the outer iface) port 8080 prints:
>> 15:19:07.732960 IP 192.168.1.3.2361 > hestia.8080: S 2724074282:2724074282(0) win 5840 <mss 1460,sackOK,timestamp 45328324 0,nop,wscale 0> - I admit I don't know what that means - I'll try to figure it out
>>
>> tcpdump -i rl0 (that is the inner iface) port 81 prints nothing.
>> Outbound, however, NAT works normally.
>>
>> I just want to add that I'm testing the "functionality" from a machine whose address is in the same range as the "outer iface" xl0.
>>
>> Pavel Obr