Пиво поставь студентам, вот тебе рекомендация как это все замутить без всякого гимора.
Я долго и нудно лазил по всему инету и так и не нашел нормальных рекомендаций, как поднять NAT в две сети.
Попадались статьи только типа как поднять два natd на одном интерфейсе и что-то в том же духе, короче через одно место ...
Тогда я немного поэкспериментировал со своим багажом знаний и придумал простейшее и надежнейшее решение этой проблемы.
Скоро подробные рекомендации по некоторым заковыристым аспектам работы с корпоративными серверами я выложу на http://www.it-ramenskoe.ru/
Эта конструкция позволяет с минимальными телодвижениями сделать NAT в две сети (интернет и сеть твоего провайдера).
/usr/src/sys/i386/conf/YOU_NAME_COPY_GENERIC:
Я привел пример того, что я закомментировал и какие опции добавил; смысл - все лишнее - долой:
machine i386
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident YOU_NAME_COPY_GENERIC
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#options NFSCLIENT # Network Filesystem Client
#options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
#options MSDOSFS # MSDOS Filesystem
#options CD9660 # ISO 9660 Filesystem
#options COMPAT_FREEBSD4 # Compatible with FreeBSD4
#options COMPAT_FREEBSD5 # Compatible with FreeBSD5
# ipfw packet filter in the kernel. NOTE(review): without IPFIREWALL_DEFAULT_TO_ACCEPT
# the built-in last rule denies everything, so if firewall_script fails to load
# the box drops off the network (remote access included) - confirm that is intended.
options IPFIREWALL
# Logging for rules marked "log" (none of the rules in rc.firewall below use it)
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50 # stop logging a rule after 50 matched packets
options IPFIREWALL_FORWARD # required by the (commented-out) "fwd" rule in rc.firewall
# NOTE(review): IPDIVERT provides divert sockets for natd; rc.conf below does NAT
# with ipnat instead, so this option looks unused here - confirm before keeping it.
options IPDIVERT
options TCP_DROP_SYNFIN # drop TCP segments carrying both SYN and FIN
#device fdc
#device ataraid # ATA RAID drives
#device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device ahb # EISA AHA1742 family
и т.д. ...
/etc/rc.conf:
# Console: blank the screen after an hour, cp866 fonts for the Russian console
blanktime="3600"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
# Forward packets between interfaces - required for this host to act as the NAT gateway
gateway_enable="YES"
hostname="NAME.DOMAIN.ru"
# em0 = LAN, sis0 = provider network, ng0 = mpd tunnel towards the internet
network_interfaces="lo0 em0 sis0 ng0"
# NOTE(review): the LAN address here is 192.168.0.1/24, while ipnat.rules and
# rc.firewall below use 192.168.4.0/24 (localip 192.168.4.1). One of the two
# looks wrong - confirm which prefix the LAN really uses.
ifconfig_em0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_sis0="inet 172.22.32.246 netmask 255.255.255.0"
# At boot the default route points at the provider gateway; up_ng0.sh replaces
# it with the internet gateway once the ng0 tunnel is up
defaultrouter="172.22.32.254"
# Provider-side networks (and the provider's DNS) stay reachable through sis0
# after the default route has moved to ng0
static_routes="r_oskar1 r_oskar2 r_zhuknet1 r_zhuknet2 r_zhuknet3 r_dns"
route_r_oskar1="-net 172.16.0.0/12 172.22.32.254"
route_r_oskar2="-net 62.117.80.120/29 172.22.32.254"
route_r_zhuknet1="-net 87.245.133.0/24 172.22.32.254"
route_r_zhuknet2="-net 10.248.0.0/16 172.22.32.254"
route_r_zhuknet3="-net 10.140.0.0/16 172.22.32.254"
route_r_dns="-host 62.117.104.19 172.22.32.254"
# NOTE(review): IPv6 is enabled, but rc.firewall below is written entirely in
# IPv4 terms - confirm what policy (if any) applies to IPv6 traffic on this host.
ipv6_enable="YES"
# Kernel-level TCP/ICMP hardening (tcp_drop_synfin mirrors TCP_DROP_SYNFIN in the kernel config)
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
# BIND runs as an unprivileged user (-u bind) inside a chroot (-t /etc/namedb)
named_enable="YES"
named_flags="-u bind -t /etc/namedb -c /etc/namedb/named.conf"
# Console keyboard/screen mapping for koi8-r
keymap="ru.koi8-r"
keyrate="fast"
mousechar_start="3"
# One-shot clock sync at boot; the server's /24 is routed via sis0 above
ntpdate_enable="YES"
ntpdate_flags="87.245.133.16"
saver="blank"
scrnmap="koi8-r2cp866"
sshd_enable="YES"
# mpd brings up the ng0 tunnel; the ipfw ruleset and the ipnat NAT rules live under /usr/local/etc
mpd_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/rc.firewall"
ipnat_enable="YES"
ipnat_rules="/usr/local/etc/ipnat.rules"
# Application services. The daemons that need ng0 (apache, vsftpd, squid) are
# started from up_ng0.sh instead of rc.d, see the end of this page.
squid_enable="YES"
squid_chdir="/var/log/squid"
apache22_enable="YES"
vsftpd_enable="YES"
# postfix replaces sendmail, hence the four sendmail_* lines set to NO
postfix_enable="YES"
postgrey_enable="YES"
postgresql_enable="YES"
postgresql_data="/var/pgsql/data"
postgresql_flags="-w -s -m fast"
postgresql_initdb_flags="--encoding=koi8-r --lc-collate=C"
postgresql_class="default"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# NOTE(review): kern_securelevel itself is not set here; with the default value
# of -1 this line raises nothing. Set kern_securelevel explicitly (e.g. "1") if a
# raised securelevel is intended, bearing in mind that level 3 also forbids
# changing ipfw rules at runtime.
kern_securelevel_enable="YES"
/usr/local/etc/ipnat.rules:
#!/sbin/ipnat -f
# Outbound NAT for the LAN (192.168.4.0/24) towards both uplinks:
# ng0 = internet (mpd tunnel), sis0 = provider network.
# ipnat uses the first "map" rule that matches, so the order matters.
# Active FTP needs the built-in ftp proxy to rewrite the PORT command; these
# rules come first so FTP is handled before the generic rules below.
map ng0 192.168.4.0/24 -> YOU_EXTERNAL_IP/32 proxy port ftp ftp/tcp
map sis0 192.168.4.0/24 -> 172.22.32.246/32 proxy port ftp ftp/tcp
# Generic TCP/UDP NAT with source ports rewritten into 40000-60000.
# "0/32" means "the current address of the interface", which is what you want
# on ng0 because its address is only assigned when the tunnel comes up.
map ng0 192.168.4.0/24 -> 0/32 portmap tcp/udp 40000:60000
map sis0 192.168.4.0/24 -> 0/32 portmap tcp/udp 40000:60000
# Everything else (ICMP, GRE, ...) without port rewriting
map ng0 192.168.4.0/24 -> 0/32
map sis0 192.168.4.0/24 -> 0/32
# NOTE(review): the four rules below repeat the ones above with an explicit
# address. Because the 0/32 rules already match the same traffic first, these
# look unreachable unless the interface address differs from the one given -
# confirm before keeping them.
map ng0 192.168.4.0/24 -> YOU_EXTERNAL_IP/32 portmap tcp/udp 40000:60000
map sis0 192.168.4.0/24 -> 172.22.32.246/32 portmap tcp/udp 40000:60000
map ng0 192.168.4.0/24 -> YOU_EXTERNAL_IP/32
map sis0 192.168.4.0/24 -> 172.22.32.246/32
/usr/local/etc/rc.firewall:
#!/bin/sh
# ipfw ruleset for a FreeBSD gateway with two uplinks: sis0 towards the
# provider network ("oskar") and ng0, the mpd tunnel towards the internet;
# em0 is the LAN side.
# ipfw is first-match: a packet is handled by the first rule it matches, so
# the order of the "add" lines below IS the policy. The last rule denies
# everything that was not explicitly allowed before it.
ipfw="/sbin/ipfw -q"
ournet="192.168.4.0/24"
uprefix="192.168.4"
ifout1="sis0"
ifout2="ng0"
ifuser="em0"
oskarvpn="172.22.22.24"
inetip="YOU_EXTERNAL_IP"
oskarip="172.22.32.246"
localip="192.168.4.1"
adminiplocal="192.168.4.2,192.168.4.3"
adminiposkar="172.22.24.24"
extproxyip="10.248.193.160"
dns_servers="62.117.104.19,87.245.133.5,87.245.133.7"
# Clear rules (-q suppresses the confirmation prompt of "flush")
${ipfw} -f flush
# Check dynamic rules: entries created by the keep-state rules below are
# consulted here, so replies to established flows are accepted before any
# of the static rules are evaluated
${ipfw} add check-state
# Deny ICMP redirect (5), router advertisement (9), timestamp request/reply
# (13/14), information request/reply (15/16) and address-mask request (17)
${ipfw} add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
# Deny spoofing local net: our own LAN prefix must never arrive on an uplink
${ipfw} add deny all from ${ournet} to any in via ${ifout1}
${ipfw} add deny all from ${ournet} to any in via ${ifout2}
# Deny spoofing ip inet: private and provider-side ranges must not arrive
# from the internet tunnel
${ipfw} add deny all from 172.16.0.0/12 to any in via ${ifout2}
${ipfw} add deny all from 10.0.0.0/8 to any in via ${ifout2}
${ipfw} add deny all from 87.245.133.0/24 to any in via ${ifout2}
${ipfw} add deny all from 192.168.0.0/16 to any in via ${ifout2}
# Loopback: unrestricted on lo0, loopback addresses rejected on any other interface
${ipfw} add pass all from any to any via lo0
${ipfw} add deny all from any to 127.0.0.0/8
${ipfw} add deny all from 127.0.0.0/8 to any
# ICMP: every type not rejected above is accepted to and from this host
${ipfw} add allow icmp from any to me in
${ipfw} add allow icmp from me to any out
# Game (TO): UDP from one LAN host out through the tunnel; replies come back
# through the dynamic entry created by keep-state
${ipfw} add allow udp from ${uprefix}.2 to any via ng0 keep-state
# FTP Access: control (21) and active-mode data (20) are open to anyone.
# NOTE(review): the four "deny" lines after the "allow" lines use the same
# match criteria, so they can never be reached - dead but harmless
${ipfw} add allow tcp from any to me ftp in
${ipfw} add allow tcp from me ftp to any out
${ipfw} add allow tcp from me 20 to any out
${ipfw} add allow tcp from any to me 20 in
${ipfw} add deny tcp from any to me ftp in
${ipfw} add deny tcp from me ftp to any out
${ipfw} add deny tcp from any to me 20 in
${ipfw} add deny tcp from me 20 to any out
# Access DNS
# NOTE(review): UDP/53 is accepted from ANY source, i.e. also from both
# uplinks. If named recurses for outside clients this host is an open resolver
# usable for amplification; consider limiting the "in" rule to ${ournet} and
# the provider ranges, or restricting recursion in named.conf. Only UDP is
# handled here - DNS over TCP is not allowed anywhere in this ruleset.
${ipfw} add allow udp from any to me domain in
# Outgoing queries only to the listed resolvers; replies via the dynamic entry
${ipfw} add allow udp from me to ${dns_servers} domain keep-state
${ipfw} add allow udp from me domain to any out
# Everything else on port 53 is dropped, including LAN hosts talking to outside
# resolvers directly (this also overrides the per-host "allow all" rules further down)
${ipfw} add deny udp from any to any domain
${ipfw} add deny udp from any domain to any
# Access NAT in local net: UDP with source port 123 from the LAN to the gateway.
# Presumably for LAN NTP clients; note that the destination port is not restricted
${ipfw} add allow udp from ${ournet} 123 to ${localip} in via ${ifuser}
# VPN pptp connect to provider inet: GRE plus the PPTP control channel (1723)
# between the sis0 address and the provider's VPN server
${ipfw} add allow gre from ${oskarip} to ${oskarvpn} out via ${ifout1}
${ipfw} add allow gre from ${oskarvpn} to ${oskarip} in via ${ifout1}
${ipfw} add allow tcp from ${oskarip} to ${oskarvpn} 1723 out via ${ifout1}
${ipfw} add allow tcp from ${oskarvpn} 1723 to ${oskarip} in via ${ifout1}
# SQUID: LAN clients reach the local squid; squid talks to the provider's
# proxy (presumably a parent cache) on 3128
${ipfw} add allow tcp from ${ournet} to ${localip} 3128 in via ${ifuser}
${ipfw} add allow tcp from ${oskarip} to ${extproxyip} 3128 out via ${ifout1}
${ipfw} add allow tcp from ${extproxyip} 3128 to ${oskarip} in via ${ifout1}
# NOTE(review): the next two rules match only SOURCE port 3128. Squid's own
# outgoing connections normally use ephemeral source ports, so these probably
# never match; squid's outbound traffic is covered by the "allow all from me"
# rule further down instead - confirm whether these were meant to be
# "to any ftp,http,https" without the source port
${ipfw} add allow tcp from ${oskarip} 3128 to any ftp,http,https via ${ifout1} keep-state
${ipfw} add allow tcp from ${inetip} 3128 to any ftp,http,https via ${ifout2} keep-state
${ipfw} add allow tcp from ${localip} 3128 to ${ournet} out via ${ifuser}
# Access ssh: only the listed admin hosts, each on its own interface;
# ssh from anywhere else (including the internet tunnel) is denied
${ipfw} add allow tcp from ${adminiplocal} to ${localip} ssh in via ${ifuser}
${ipfw} add allow tcp from ${localip} ssh to ${adminiplocal} out via ${ifuser}
${ipfw} add allow tcp from ${adminiposkar} to ${oskarip} ssh in via ${ifout1}
${ipfw} add allow tcp from ${oskarip} ssh to ${adminiposkar} out via ${ifout1}
${ipfw} add deny tcp from any to any ssh
# Access http server: port 80 open to anyone
${ipfw} add allow tcp from any to me http in
${ipfw} add allow tcp from me http to any out
# NOTE(review): like the FTP block, these two "deny" lines can never be reached
${ipfw} add deny tcp from any to me http in
${ipfw} add deny tcp from me http to any out
# Redirect to squid (transparent proxying, disabled; needs IPFIREWALL_FORWARD)
#${ipfw} add fwd 127.0.0.1,3128 tcp from ${ournet} to any http out via ${ifout2}
# Allow all from local net: ONLY these three LAN hosts get unrestricted
# outbound access (replies via dynamic entries). Every other LAN host can only
# reach the gateway's NTP and squid ports allowed above.
${ipfw} add allow all from ${uprefix}.2 to any keep-state
${ipfw} add allow all from ${uprefix}.3 to any keep-state
${ipfw} add allow all from ${uprefix}.4 to any keep-state
# Allow all from firewall: the first line creates dynamic entries for replies,
# the second catches anything from this host that carries no state
${ipfw} add allow all from me to any keep-state
${ipfw} add allow all from me to any
# Deny All: explicit default deny for everything not matched above
${ipfw} add deny all from any to any
/usr/local/etc/mpd/up_ng0.sh:
Это первый вариант скрипта, он работает в лоб ...
#!/bin/sh
# Run when the ng0 tunnel comes up (mpd up-script, see the file name):
# switch the default route to the internet gateway, then start the daemons
# that bind to ng0 and were moved here out of /usr/local/etc/rc.d.
# The script always exits 0; failures of the individual steps are not reported.
mpd_dir="/usr/local/etc/mpd"
/sbin/route change default 62.117.104.22
# Start order is preserved: apache, then vsftpd, then squid.
for svc in apache22 vsftpd_start.sh squid; do
    /bin/sh "${mpd_dir}/${svc}" start
done
exit 0
Из каталога /usr/local/etc/rc.d/ убраны в /usr/local/etc/mpd/ все скрипты запуска приложений использующих интерфейс ng0, то есть они стартуют только при подключении к интернету ...