Problem with NATD

Pavel Obr obr at sosgastro.cz
Tue Mar 7 07:46:34 CET 2006


I have 5.4-RELEASE-p11 there with a GENERIC kernel + added options for NAT
(according to the handbook):

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5 # I changed this option to 100 yesterday and will try to look through the logs
options IPFIREWALL_DEFAULT_TO_ACCEPT # I want to remove this option after the problem is solved and recompile again


Pavel Obr




Petr Macek wrote:
> What BSD version do you have there?
> Last week the same problem appeared on one of my machines. On 10
> others it works fine this way, on this one it doesn't. I played around for a long time with
> the firewall, nat, ... nothing can be seen in the log; I can see the request on the external
> interface with tcpdump, but not on the internal one anymore. It probably started after the last
> kernel and world compilation I did. But I didn't find anything and I didn't
> go into the sources ...
> I have it on 5.3-RELEASE-p26
> PM
>
> Pavel Obr wrote:
>> Petr Bezděk wrote:
>>>> .........
>> ....................
>>>> Somewhere around here you have to place a rule that allows the translated
>>>> packets for port-forwarding.
>>>>
>>>> $cmd 395 allow tcp from any to 192.168.3.37 80 in via $pif setup limit src-addr 2
>>>>
>>>> # Reject & Log all unauthorized incoming connections from the public Internet
>>>> $cmd 400 deny log all from any to any in via $pif
>>>>
>>>> # Reject & Log all unauthorized out going connections to the public Internet
>>>> $cmd 450 deny log all from any to any out via $pif
>>>>
>>>> # This is skipto location for outbound stateful rules
>>>> $cmd 800 divert natd ip from any to any out via $pif
>>>> $cmd 801 allow ip from any to any
>>>>
>>>> # Everything else is denied by default
>>>> # deny and log all packets that fell through to see what they are
>>>> $cmd 999 deny log all from any to any
>>>> ################ End of IPFW rules file ###############################
>>> Functionality can be verified with tcpdump and, if needed, by looking at the log
>>> (/var/log/security) for records corresponding to rule number 400.
>>>
>>> tcpdump -ns1500 -ixl0 host 192.168.1.10 port 8080
>>> tcpdump -ns1500 -irl0 host 192.168.3.37 port 80
>> Thanks for the advice and you are probably right, but to avoid problems with badly
>> configured firewall rules and to find out whether "reverse NAT" works
>> at all, I didn't restrict anything and changed
>>
>> ipfw.rules to:
>> _________________________
>> #!/bin/sh
>> ################ Start of IPFW rules file ###############################
>> # Flush out the list before we begin.
>> ipfw -q -f flush
>>
>> # Set rules command prefix
>> cmd="ipfw -q add"
>> pif="xl0"     # public interface name of NIC
>>               # facing the public Internet
>>
>> #################################################################
>> # check if packet is inbound and nat address if it is
>> #################################################################
>> $cmd 014 divert natd ip from any to any in via $pif
>> #################################################################
>> # Allow the packet through if it has previously been added to the
>> # "dynamic" rules table by an allow keep-state statement.
>> #################################################################
>> $cmd 015 check-state
>> #################################################################
>> # Interface facing Public Internet (Outbound Section)
>> # Interrogate session start requests originating from behind the
>> # firewall on the private network or from this gateway server
>> # destined for the public Internet.
>> #################################################################
>> # This is skipto location for outbound stateful rules
>> $cmd 800 divert natd ip from any to any out via $pif
>> ################ End of IPFW rules file ###############################
>>
>> I also changed the port on which ISS listens in the LAN to 81
>>
>> natd.conf now looks like this:
>>
>> redirect_port 192.168.3.37:81 8080
>>
>>
>> And the result is that it still doesn't work.
>>
>> I want to ask... is my reasoning correct that if the firewall is
>> configured so that it restricts nothing, then "reverse" NAT should
>> work (the kernel is compiled with the option IPFIREWALL_DEFAULT_TO_ACCEPT)?
>> So is the error elsewhere?
>>
>> I also recompiled the kernel to be more "VERBOSE" for logging, so that I can read something in /var/log/security - but I can't try that out yet.
>>
>> tcpdump -i xl0 (that is the external iface) port 8080 prints:
>> 15:19:07.732960 IP 192.168.1.3.2361 > hestia.8080: S 2724074282:2724074282(0) win 5840 <mss 1460,sackOK,timestamp 45328324 0,nop,wscale 0> - I admit I don't know what that means - I'll try to figure it out
>>
>> tcpdump -i rl0 (that is the internal iface) port 81 prints nothing.
>> Outbound NAT works normally, though.
>>
>> I just want to add that I'm testing the "functionality" from a machine whose address is in the same range as the "external iface" xl0.
>>
>> Pavel Obr
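A static ordering check for the natd port-forwarding rules discussed above, added here as an example (not code from the thread or from FreeBSD). It encodes Petr Bezděk's point that the allow rule for the translated destination must sit after the inbound divert (so natd has already rewritten the address) and before the deny-in rule; the rule text is constructed from the rules quoted in the thread, with $cmd and $pif already expanded.

```shell
#!/bin/sh
# Added example: verify that an ipfw ruleset orders its natd diverts, the
# allow for the forwarded LAN host and the inbound deny correctly.

# Print "number body" for every "ipfw [-q] add NNN body" line of $1.
numbered_rules() {
    printf '%s\n' "$1" | sed -n 's/^ipfw[^0-9]*add \([0-9][0-9]*\) \(.*\)$/\1 \2/p'
}

# Print the number of the first rule whose body matches awk regex $2, or 0.
first_rule() {
    n=$(numbered_rules "$1" | awk -v pat="$2" '{ body = $0; sub(/^[0-9]+ /, "", body)
        if (body ~ pat) { print $1 + 0; exit } }')
    echo "${n:-0}"
}

# Succeed when:  divert-in < allow(translated dst) < deny-in < divert-out.
# $1 = ruleset text, $2 = public interface, $3 = LAN host, $4 = LAN port
check_forward_order() {
    pif=$2 host=$3 port=$4
    din=$(first_rule "$1" "^divert natd .* in via $pif")
    dout=$(first_rule "$1" "^divert natd .* out via $pif")
    deny=$(first_rule "$1" "^deny .* from any to any in via $pif")
    allow=$(first_rule "$1" "^allow tcp from any to $host $port in via $pif")
    [ "$din" -gt 0 ] || { echo "no inbound natd divert on $pif"; return 1; }
    [ "$dout" -gt "$din" ] || { echo "outbound natd divert missing or before the inbound one"; return 1; }
    [ "$allow" -gt 0 ] || { echo "no allow rule for translated destination $host:$port"; return 1; }
    [ "$allow" -gt "$din" ] || { echo "allow rule $allow precedes divert $din: dst not yet translated"; return 1; }
    [ "$deny" -eq 0 ] || [ "$deny" -gt "$allow" ] || { echo "deny-in rule $deny shadows allow rule $allow"; return 1; }
    echo "ordering ok: divert-in $din < allow $allow < deny-in $deny < divert-out $dout"
}

# Constructed sample: the recommended order, with rule 395 between 014 and 400.
GOOD_RULES='ipfw -q add 014 divert natd ip from any to any in via xl0
ipfw -q add 015 check-state
ipfw -q add 395 allow tcp from any to 192.168.3.37 80 in via xl0 setup limit src-addr 2
ipfw -q add 400 deny log all from any to any in via xl0
ipfw -q add 800 divert natd ip from any to any out via xl0
ipfw -q add 801 allow ip from any to any'
# Constructed sample: the same ruleset without 395, so rule 400 drops the forwarded SYN.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v '^ipfw -q add 395 ')

check_forward_order "$GOOD_RULES" xl0 192.168.3.37 80
check_forward_order "$BAD_RULES" xl0 192.168.3.37 80 || true
```

Feed it the output of your own rules file with the variables expanded (for example by running the file through `sh -x` and collecting the `ipfw` lines) rather than the live `ipfw list` output, which prints rules in a different syntax.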