Encrypted NAT or Squid, OPENVPN supplemented

Pentium pentium.konference at seznam.cz
Mon Mar 13 21:33:34 CET 2006


So the problem was in the firewall; now everything really works, by which I mean the stations can ping each other.

Now the question is how to encrypt the traffic, either of the whole NAT or at least HTTP.

What I want to achieve:
LAN (192.168.1.x) - SERVER1 FreeBSD Wifi NAT transparent proxy ---- Internet, this part I want encrypted --- Server2 FreeBSD NAT proxy ----- Internet, no longer encrypted



For completeness I attach the client config:
remote 62.2.73.211
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret secret.key

Server:
dev tun
ifconfig 10.0.0.1 10.0.0.2
secret secret.keyp

And my pf.conf, hopefully a bit tweaked:


# Macros: define common values, so they can be referenced and changed easily.
ext_if="wi0"    # replace with actual external interface name i.e., rl0
int_if="rl0"    # replace with actual internal interface name i.e., dc1
int_if2="rl1"   # replace with actual internal interface name i.e., dc1
int_ssh="tun0"
internal_net="192.168.1.0/24"
#external_addr="192.168.144.172"
external_addr="10.102.41.172"


# Tables: similar to macros, but more flexible for many addresses.
table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

table <trusted_hosts> { }
table <spoofed> { 127.0.0.1/8, !192.168.1.0/24, 192.168.0.0/16,
172.16.0.0/12, 224.0.0.0/3, 10.0.0.0/8 }
table <blacklist> { }

icmp_types = "echoreq"
blocked_ports="{ 135, 137 >< 139, 445 }"

scrub in all

#nat on $ext_if from $internal_net to any -> ($ext_if)
#nat on $ext_if from 192.168.1.1 to any -> ($int_ssh)
nat on $ext_if from 192.168.1.45 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1 to any -> ($ext_if)

###############################
#### Redirect  ################
###############################
# rdr outgoing FTP requests to the ftp-proxy
# rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.1 port 80

# Allow VNC
# rdr on $ext_if proto tcp from any to any port 5900 -> 192.168.1.1 port 5900
# rdr on $ext_if proto tcp from any to any port 5800 -> 192.168.1.1 port 5800

# Allow statistics
rdr on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 -> 192.168.144.129 port 80

# Transparent Proxy
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $int_if2 inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Filtering: the implicit first two rules are
 pass in  all
 pass out all

# allow loopback packets
 pass in quick on lo0 all
 pass out quick on lo0 all

pass out quick on $int_ssh proto { udp, icmp } all keep state
pass in quick on $int_ssh proto { udp, icmp } all keep state
pass out quick on $ext_if proto { udp, icmp } all keep state
pass in quick on $ext_if proto { udp, icmp } all keep state


##################################
######## ALLOWED PORTS ###########
##################################
# allow VPN
# pass in quick on $ext_if inet proto udp from any to any
# pass out quick on $ext_if inet proto udp from any to any
# pass in quick inet proto udp  from any to (self) port 1194 keep state

# SSH inbound only from one IP
  pass in quick on $ext_if proto tcp from 62.245.73.216 to $ext_if port 22 keep state
# pass in quick on $ext_if proto tcp from any to $ext_if port 22 keep state

# allow ICMP request/reply (ping)
  pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Transparent Proxy
  pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
  pass in quick on $int_if2 inet proto tcp from any to 127.0.0.1 port 3128 keep state

# Allow statistics
  pass in quick on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 keep state
  pass in quick on $int_if inet proto tcp from 192.168.1.1 to 10.102.41.1 port 80 keep state

# Allowed for communication with the proxy server outside
  pass in quick on $ext_if inet proto tcp from 62.245.73.216 to any port 82 keep state

# Allow REMOTE ACCESS to 192.168.1.1
# pass in quick on $ext_if proto tcp from any to $ext_if port 5900 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5900 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to $ext_if port 5800 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5800 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to $ext_if port 3389 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 3389 flags S/SA keep state


#################################
# FROM HERE ON EVERYTHING IS DENIED
#################################

# generic rules for incoming/outgoing connections on ext_if

 block in log on $ext_if all
 block out log on $ext_if all
 block in quick log from <blacklist> to any
 block out quick log from any to <blacklist>
 block in quick proto { tcp, udp } from any to any port $blocked_ports
 block in log quick from <spoofed> to any
 block in log quick from any to <spoofed>
 antispoof for $ext_if inet

# allow ICMP request/reply (ping)
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
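The encrypted hop between Server1 and Server2 asked for above, as an added example of pf.conf rules that are not from the original post: it assumes Server1 is the OpenVPN client end (10.0.0.2) with tun0 being the post's $int_ssh, Server2 is the server end (10.0.0.1) at the public address given as `remote`, OpenVPN uses its default UDP port 1194, and the proxy on Server2 listens on 3128; the interface names, Server1's public address and the squid.conf lines are assumptions, not taken from the post.

```pf
# ---- /etc/pf.conf on Server1 (LAN side, OpenVPN client end 10.0.0.2) ----
ext_if="wi0"
int_if="rl0"
int_if2="rl1"
vpn_if="tun0"                 # the post's $int_ssh
vpn_gw="10.0.0.1"             # Server2's end of the static-key tunnel
server2_pub="62.2.73.211"     # assumed: the 'remote' of the client config is Server2
internal_net="192.168.1.0/24"

# NAT the LAN behind the tunnel address instead of behind $ext_if
nat on $vpn_if from $internal_net to any -> ($vpn_if)
# Transparent proxy interception stays as in the post
rdr on { $int_if, $int_if2 } inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# The only clear-text traffic allowed out of $ext_if is the tunnel itself, pinned to Server2
pass out quick on $ext_if proto udp from ($ext_if) to $server2_pub port 1194 keep state
# Intercepted HTTP goes to the local Squid, so it must be accepted before the route-to rule
pass in quick on { $int_if, $int_if2 } inet proto tcp from $internal_net to 127.0.0.1 port 3128 keep state
# Everything else from the LAN is forced into the tunnel regardless of the routing table
pass in quick on { $int_if, $int_if2 } route-to ($vpn_if $vpn_gw) from $internal_net to ! $internal_net keep state
pass out quick on $vpn_if from $internal_net to any keep state
# Safety net: if the tunnel is down, LAN traffic is dropped and logged, never sent in clear
block out log quick on $ext_if from $internal_net to any
# Squid's own fetches originate from Server1 itself and bypass the route-to above; to encrypt
# them too, chain Squid to the proxy on Server2 in squid.conf (assumed to listen on 3128):
#   cache_peer 10.0.0.1 parent 3128 0 no-query default
#   never_direct allow all

# ---- /etc/pf.conf on Server2 (Internet side, OpenVPN server end 10.0.0.1) ----
ext_if="rl0"                  # placeholder: Server2's Internet interface
vpn_if="tun0"
server1_pub="203.0.113.10"    # placeholder: Server1's public address

# Traffic arriving through the tunnel is NATted to the Internet here (in clear from here on)
nat on $ext_if from 10.0.0.2 to any -> ($ext_if)

# Accept the tunnel only from Server1; the commented-out rule in the post accepted it from anywhere
pass in quick on $ext_if proto udp from $server1_pub to ($ext_if) port 1194 keep state
pass in quick on $vpn_if from 10.0.0.2 to any keep state
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
block in log on $ext_if all
```

After loading with `pfctl -f /etc/pf.conf`, `tcpdump -ni wi0` on Server1 should show only UDP 1194 to Server2 while a LAN station browses, and `pfctl -vsr` shows the route-to rule's counters climbing.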
