Encrypted NAT or Squid OPENVPN, supplemented

Jaroslav Pavlicek freebsd at pavrda.cz
Mon Mar 13 22:47:59 CET 2006


Hi,

when I see that list of all possible rules and settings running to several
pages, it makes me sick. :) For a tunnel between several sites I use the
built-in FreeBSD gif tunnel with this configuration:

/etc/rc.conf
# 10.0.0.1(2) is my (his) address on the public network
# 192.168.1(2).254 is my (his) address on the internal network
gif_interfaces="gif0"
gifconfig_gif0="10.0.0.1 10.0.0.2"
ifconfig_gif0="inet 192.168.1.254 192.168.2.254 netmask 0xffffff00"
static_routes="pryc"
route_pryc="-net 192.168.0.0/16 -iface gif0"

On the other side it is the same, except that the ones are swapped for twos.
Adding NAT would again be a matter of a few lines, but I do not have it
enabled here, so I do not want to make things up.

--- Jarda


Pentium wrote:
> So the problem was in the firewall; now everything really works, by which I
> mean mutual ping between the stations.
> 
> Now the question is how to encrypt the traffic, either of the whole NAT or
> at least HTTP.
> 
> What I want to achieve:
> LAN (192.168.1.x) - SERVER1 FreeBSD Wifi NAT transparent proxy ----
> Internet, I want this part encrypted --- Server2 FreeBSD NAT proxy ----- Internet,
> no longer encrypted
> 
> 
> 
> For completeness I attach the client:
> remote 62.2.73.211
> dev tun
> ifconfig 10.0.0.2 10.0.0.1
> secret secret.key
> 
> Server:
> dev tun
> ifconfig 10.0.0.1 10.0.0.2
> secret secret.keyp
> 
> And my PF, hopefully slightly tweaked:
> 
> 
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="wi0"    # replace with actual external interface name i.e., rl0
> int_if="rl0"    # replace with actual internal interface name i.e., dc1
> int_if2="rl1"   # replace with actual internal interface name i.e., dc1
> int_ssh="tun0"
> internal_net="192.168.1.0/24"
> #external_addr="192.168.144.172"
> external_addr="10.102.41.172"
> 
> 
> # Tables: similar to macros, but more flexible for many addresses.
> table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
> 
> table <trusted_hosts> { }
> table <spoofed> { 127.0.0.1/8, !192.168.1.0/24, 192.168.0.0/16, 172.16.0.0/12, 224.0.0.0/3, 10.0.0.0/8 }
> table <blacklist> { }
> 
> icmp_types = "echoreq"
> blocked_ports="{ 135, 137 >< 139, 445 }"
> 
> scrub in all
> 
> #nat on $ext_if from $internal_net to any -> ($ext_if)
> #nat on $ext_if from 192.168.1.1 to any -> ($int_ssh)
> nat on $ext_if from 192.168.1.45 to any -> ($ext_if)
> nat on $ext_if from 192.168.1.1 to any -> ($ext_if)
> 
> ###############################
> #### Redirect  ################
> ###############################
> # rdr outgoing FTP requests to the ftp-proxy
> # rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> # rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> # rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.1 port 80
> 
> # Allow VNC
> # rdr on $ext_if proto tcp from any to any port 5900 -> 192.168.1.1 port 5900
> # rdr on $ext_if proto tcp from any to any port 5800 -> 192.168.1.1 port 5800
> 
> # Allow statistics
> rdr on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 -> 192.168.144.129 port 80
> 
> # Transparent Proxy
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> rdr on $int_if2 inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> 
> # Filtering: the implicit first two rules are
>  pass in  all
>  pass out all
> 
> # allow loopback packets
>  pass in quick on lo0 all
>  pass out quick on lo0 all
> 
> pass out quick on $int_ssh proto { udp, icmp } all keep state
> pass in quick on $int_ssh proto { udp, icmp } all keep state
> pass out quick on $ext_if proto { udp, icmp } all keep state
> pass in quick on $ext_if proto { udp, icmp } all keep state
> 
> 
> ##################################
> ######## ALLOWED PORTS ###########
> ##################################
> # allow VPN
> # pass in quick on $ext_if inet proto udp from any to any
> # pass out quick on $ext_if inet proto udp from any to any
> # pass in quick inet proto udp  from any to (self) port 1194 keep state
> 
> # SSH inbound only from one IP
>   pass in quick on $ext_if proto tcp from 62.245.73.216 to $ext_if port 22 keep state
> # pass in quick on $ext_if proto tcp from any to $ext_if port 22 keep state
> 
> # allow ICMP request/reply (ping)
>   pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
> 
> # Transparent Proxy
>   pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>   pass in quick on $int_if2 inet proto tcp from any to 127.0.0.1 port 3128 keep state
> 
> # Allow statistics
>   pass in quick on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 keep state
>   pass in quick on $int_if inet proto tcp from 192.168.1.1 to 10.102.41.1 port 80 keep state
> 
> # Allowed for communication with the proxy server outside
>   pass in quick on $ext_if inet proto tcp from 62.245.73.216 to any port 82 keep state
> 
> # Allow REMOTE ACCESS to 192.168.1.1
> # pass in quick on $ext_if proto tcp from any to $ext_if port 5900 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5900 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to $ext_if port 5800 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5800 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to $ext_if port 3389 flags S/SA keep state
> # pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 3389 flags S/SA keep state
> 
> 
> #################################
> # FROM HERE ON EVERYTHING IS BLOCKED ######
> #################################
> 
> # generic rules for incoming/outgoing connections on ext_if
> 
>  block in log on $ext_if all
>  block out log on $ext_if all
>  block in quick log from <blacklist> to any
>  block out quick log from any to <blacklist>
>  block in quick proto { tcp, udp } from any to any port $blocked_ports
>  block in log quick from <spoofed> to any
>  block in log quick from any to <spoofed>
>  antispoof for $ext_if inet
> 
> # allow ICMP request/reply (ping)
> pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
> pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
> 
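In the quoted ruleset, `quick` pass rules sit before non-`quick` blocks, and pf applies the last matching rule unless a match says `quick`, so ordering decides what reaches wi0. The following added example (not code from the thread) replays that evaluation in Python over a hand-expanded subset of the rules above, with `$ext_if` taken as the posted `external_addr` (an assumption), and shows that the early `pass in quick on $ext_if proto { udp, icmp }` rule admits any inbound UDP on the external interface before the closing `block in log on $ext_if all` is reached.

```python
import ipaddress
from collections import namedtuple

# Constructed subset of the posted pf.conf in its posted order, macros expanded by
# hand: $ext_if = wi0, $int_if = rl0, and "to $ext_if" taken as the posted
# external_addr 10.102.41.172 (assumption).
RULESET = [
    "pass in quick on wi0 proto udp all keep state",
    "pass in quick on wi0 proto icmp all keep state",
    "pass in quick on wi0 proto tcp from 62.245.73.216 to 10.102.41.172 port 22 keep state",
    "pass in quick on rl0 proto tcp from any to 127.0.0.1 port 3128 keep state",
    "block in log on wi0 all",
    "block in quick proto tcp from any to any port 445",
    "block in log quick from 127.0.0.0/8 to any",
]

# direction is "in"/"out", proto is "tcp"/"udp"/"icmp", dport 0 when not applicable
Packet = namedtuple("Packet", "direction iface proto src dst dport", defaults=(0,))

KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "dport"}

def parse_rule(text):
    """Parse the pf subset above; words like log, all, inet, keep, state are skipped."""
    tok = text.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "iface": None, "proto": None, "src": None, "dst": None, "dport": None}
    for i, word in enumerate(tok):
        if word in KEYWORDS:
            rule[KEYWORDS[word]] = int(tok[i + 1]) if word == "port" else tok[i + 1]
    return rule

def _addr_ok(spec, addr):
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    return (rule["dir"] == pkt.direction and rule["iface"] in (None, pkt.iface)
            and rule["proto"] in (None, pkt.proto) and rule["dport"] in (None, pkt.dport)
            and _addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst))

def evaluate(rules, pkt):
    """pf semantics: last matching rule wins unless a match says quick; default is pass."""
    decision = ("pass", "implicit pass")
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            decision = (rule["action"], text)
            if rule["quick"]:
                break
    return decision
```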


