Encrypted NAT or Squid OPENVPN, supplemented
Jaroslav Pavlicek
freebsd at pavrda.cz
Mon Mar 13 22:47:59 CET 2006
Hi,
when I see that list of all the possible rules and settings running to several
pages, it makes me feel sick. :) For a tunnel between several sites I use the
built-in FreeBSD tunnelling tool gif with this configuration:
/etc/rc.conf
# 10.0.0.1(2) is my (his) address on the public network
# 192.168.168.1(2).254 is my (his) address on the internal network
gif_interfaces="gif0"
gifconfig_gif0="10.0.0.1 10.0.0.2"
ifconfig_gif0="inet 192.168.1.254 192.168.2.254 netmask 0xffffff00"
static_routes="pryc"
route_pryc="-net 192.168.0.0/16 -iface gif0"
on the other side it is the same, except the ones are swapped for twos.
Adding NAT would again be a matter of a few lines, but I don't have it enabled
here, so I don't want to make things up out of thin air.
--- Jarda
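As an added example (not code from the message), a small Python helper that derives the other side's rc.conf stanza the way the message describes (both address pairs swapped) and checks the classic gif pitfall of a static route that sends the tunnel's own outer endpoint back into the tunnel. The names RC_CONF_A, parse_rc, tunnel, peer_rc and check are assumptions, and RC_CONF_A is a constructed copy of the stanza above.

```python
import ipaddress
import re

# Constructed copy of the gif0 stanza from the message (the side whose outer address is 10.0.0.1).
RC_CONF_A = """\
gif_interfaces="gif0"
gifconfig_gif0="10.0.0.1 10.0.0.2"
ifconfig_gif0="inet 192.168.1.254 192.168.2.254 netmask 0xffffff00"
static_routes="pryc"
route_pryc="-net 192.168.0.0/16 -iface gif0"
"""

def parse_rc(text):
    """Parse rc.conf-style key="value" lines into a dict."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))

def tunnel(rc, gif="gif0"):
    """Outer endpoints (gifconfig), inner endpoints (ifconfig) and the routes pointed at the gif."""
    outer_local, outer_peer = rc["gifconfig_" + gif].split()
    inner_local, inner_peer, mask = re.match(
        r"inet (\S+) (\S+) netmask (\S+)", rc["ifconfig_" + gif]).groups()
    routes = []
    for name in rc.get("static_routes", "").split():
        m = re.match(r"-net (\S+) -iface (\S+)", rc.get("route_" + name, ""))
        if m and m.group(2) == gif:
            routes.append(ipaddress.ip_network(m.group(1)))
    return {"outer": (outer_local, outer_peer), "inner": (inner_local, inner_peer),
            "mask": mask, "routes": routes}

def peer_rc(rc, gif="gif0"):
    """The other side's stanza: both address pairs swapped, netmask and routes unchanged."""
    t = tunnel(rc, gif)
    out = dict(rc)
    out["gifconfig_" + gif] = "%s %s" % (t["outer"][1], t["outer"][0])
    out["ifconfig_" + gif] = "inet %s %s netmask %s" % (t["inner"][1], t["inner"][0], t["mask"])
    return out

def check(rc, gif="gif0"):
    """Problems with the stanza: a route via the gif that also covers the outer peer would send
    the encapsulated packets back into the tunnel (recursive routing), and without any route
    only the inner peer address, not the remote LAN, is reachable through it."""
    t = tunnel(rc, gif)
    problems = []
    for net in t["routes"]:
        if ipaddress.ip_address(t["outer"][1]) in net:
            problems.append("outer peer %s is inside %s, which is routed into %s" % (t["outer"][1], net, gif))
    if not t["routes"]:
        problems.append("no static route points at %s" % gif)
    return problems
```

Note that gif(4) only encapsulates; it does not encrypt, so this covers the routing half of the original question and not the confidentiality the original poster asked for.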
Pentium wrote:
> So the problem was in the firewall; now everything really works, by which I mean
> mutual ping between the stations
>
> now the question is how to encrypt the traffic, either of the whole NAT or at least HTTP
>
> What I want to achieve
> LAN (192.168.1.x) - SERVER1 FreeBSD Wifi NAT Transparent proxy ----
> Internet, which I want encrypted --- Server2 FreeBSD NAT Proxy ----- Internet, already
> unencrypted
>
>
>
> For completeness I attach the client
> remote 62.2.73.211
> dev tun
> ifconfig 10.0.0.2 10.0.0.1
> secret secret.key
>
> Server
> dev tun
> ifconfig 10.0.0.1 10.0.0.2
> secret secret.keyp
>
> And my PF, hopefully somewhat adjusted
>
>
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="wi0" # replace with actual external interface name i.e., rl0
> int_if="rl0" # replace with actual internal interface name i.e., dc1
> int_if2="rl1" # replace with actual internal interface name i.e., dc1
> int_ssh="tun0"
> internal_net="192.168.1.0/24"
> #external_addr="192.168.144.172"
> external_addr="10.102.41.172"
>
>
> # Tables: similar to macros, but more flexible for many addresses.
> table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
>
> table <trusted_hosts> { }
> table <spoofed> { 127.0.0.1/8, !192.168.1.0/24, 192.168.0.0/16,
> 172.16.0.0/12, 224.0.0.0/3, 10.0.0.0/8 }
> table <blacklist> { }
>
> icmp_types = "echoreq"
> blocked_ports="{ 135, 137 >< 139, 445 }"
>
> scrub in all
>
> #nat on $ext_if from $internal_net to any -> ($ext_if)
> #nat on $ext_if from 192.168.1.1 to any -> ($int_ssh)
> nat on $ext_if from 192.168.1.45 to any -> ($ext_if)
> nat on $ext_if from 192.168.1.1 to any -> ($ext_if)
>
> ###############################
> #### Redirect ################
> ###############################
> # rdr outgoing FTP requests to the ftp-proxy
> # rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> # rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> # rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.1 port 80
>
> # Allow VNC
> # rdr on $ext_if proto tcp from any to any port 5900 -> 192.168.1.1 port 5900
> # rdr on $ext_if proto tcp from any to any port 5800 -> 192.168.1.1 port 5800
>
> # Allow statistics
> rdr on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 -> 192.168.144.129 port 80
>
> # Transparent Proxy
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> rdr on $int_if2 inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> # Filtering: the implicit first two rules are
> pass in all
> pass out all
>
> # allow loopback packets
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> pass out quick on $int_ssh proto { udp, icmp } all keep state
> pass in quick on $int_ssh proto { udp, icmp } all keep state
> pass out quick on $ext_if proto { udp, icmp } all keep state
> pass in quick on $ext_if proto { udp, icmp } all keep state
>
>
> ##################################
> ######## ALLOWED PORTS ###########
> ##################################
> # allow VPN
> # pass in quick on $ext_if inet proto udp from any to any
> # pass out quick on $ext_if inet proto udp from any to any
> # pass in quick inet proto udp from any to (self) port 1194 keep state
>
> # SSH inbound only from one IP
> pass in quick on $ext_if proto tcp from 62.245.73.216 to $ext_if port 22 keep state
> # pass in quick on $ext_if proto tcp from any to $ext_if port 22 keep state
>
> # allow ICMP request/reply (ping)
> pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
>
> # Transparent Proxy
> pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass in quick on $int_if2 inet proto tcp from any to 127.0.0.1 port 3128 keep state
>
> # Allow statistics
> pass in quick on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 keep state
> pass in quick on $int_if inet proto tcp from 192.168.1.1 to 10.102.41.1 port 80 keep state
>
> # Allowed so the proxy server outside can communicate
> pass in quick on $ext_if inet proto tcp from 62.245.73.216 to any port 82 keep state
>
> # Allow REMOTE ACCESS to 192.168.1.1
> # pass in quick on $ext_if proto tcp from any to $ext_if port 5900 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5900 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to $ext_if port 5800 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5800 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to $ext_if port 3389 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 3389 flags S/SA keep state
>
>
> #################################
> # FROM HERE ON EVERYTHING IS BLOCKED ######
> #################################
>
> # generic rules for incoming/outgoing connections on ext_if
>
> block in log on $ext_if all
> block out log on $ext_if all
> block in quick log from <blacklist> to any
> block out quick log from any to <blacklist>
> block in quick proto { tcp, udp } from any to any port $blocked_ports
> block in log quick from <spoofed> to any
> block in log quick from any to <spoofed>
> antispoof for $ext_if inet
>
> # allow ICMP request/reply (ping)
> pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
> pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
>
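As an added example (not part of either message), a minimal Python model of pf's last-match-wins evaluation with quick, run over a constructed subset of the quoted ruleset: it shows that the closing "block in log on $ext_if all" does override the initial "pass in all" for unsolicited TCP, while the earlier "pass in quick on $ext_if proto { udp, icmp }" admits any inbound UDP before that block is ever reached. Rule, hit, verdict, pkt and RULES are assumed names; the model ignores state, scrub, nat/rdr and antispoof.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    quick: bool                        # quick: evaluation stops at this match
    iface: Optional[str] = None        # None = any interface
    proto: Optional[str] = None        # None = any protocol
    src: str = "any"                   # source CIDR or "any"
    dst: str = "any"                   # destination CIDR or "any"
    dports: tuple = ()                 # destination ports; () = any port

def in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def hit(r, p):
    """True if every criterion of rule r matches packet p (a dict from pkt())."""
    return (r.iface in (None, p["iface"]) and r.proto in (None, p["proto"])
            and in_net(p["src"], r.src) and in_net(p["dst"], r.dst)
            and (not r.dports or p["dport"] in r.dports))

def verdict(rules, p):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    result = "pass"  # pf's default when no rule matches at all
    for r in rules:
        if hit(r, p):
            result = r.action
            if r.quick:
                break
    return result

def pkt(iface, proto, src, dst, dport=0):
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}

# Constructed subset of the quoted pf.conf's inbound rules, in file order (ext_if = wi0,
# int_if = rl0; 'to $ext_if' simplified to any). pf's '137 >< 139' is an exclusive
# range, so $blocked_ports covers ports 135, 138 and 445 only.
RULES = [
    Rule("pass", False),                                                  # pass in all
    Rule("pass", True, "wi0", "udp"),                                     # pass in quick on $ext_if proto udp
    Rule("pass", True, "wi0", "icmp"),                                    # ... proto icmp
    Rule("pass", True, "wi0", "tcp", "62.245.73.216/32", dports=(22,)),   # SSH from one IP
    Rule("pass", True, "rl0", "tcp", dst="127.0.0.1/32", dports=(3128,)), # transparent proxy
    Rule("block", False, "wi0"),                                          # block in log on $ext_if all
    Rule("block", True, None, "tcp", dports=(135, 138, 445)),             # port $blocked_ports
    Rule("block", True, None, "udp", dports=(135, 138, 445)),
]
```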