Re: [FreeBSD] ipfw ve virtual server

Mon, 10 Oct 2005 08:05:52 -0700 

 Merhaba Mesut bey,

netustad.natd dosyasindaki

interface sk0  satirini
yerine interface tun0 yapmalisiniz.
sorun cozulecektir


Mesut GÜLNAZ yazmış:


ipfw kurulu bir default gateway de
LAN 192.168.2.0/24 networkü.
bu network de bir www server var. 
dışarıdan buna erişimi sağlamaya çalışıyorum.
sistem: 
-su-2.05b# ps ax | grep nat
  338  ??  Ss     5:34.38 /usr/sbin/ppp -quiet -ddial -nat adsl
61651  p0  S+     0:00.00 grep nat
netustad kullanmaya çalışıyorum. ipfw kurulu serverdan 192.168.2.0/24 networkünde ki www server a ping atabilmeme rağmen port 80 ine telnet açamıyor um. ipfw kurallarım aşağıdaki gibidir. -su-2.05b# ipfw -a list 
00100   347549   31425483 deny udp from any to any dst-port 137-139,445
00200   107356    5154188 deny tcp from any to any dst-port 137-139,445
00201       28       1276 divert 8668 tcp from 192.168.2.7 80 to any
00202 11005 556068 divert 8668 log logamount 100 tcp from any to me dst-port 80 in via tun0 
00300      636      42822 deny udp from any 137-139,445 to any
00400        0          0 deny tcp from any 137-139,445 to any
00500       35       1680 deny ip from any to 10.0.0.0/8 via tun0
00600        0          0 deny ip from any to 172.16.0.0/12 via tun0
00700        0          0 deny ip from any to 0.0.0.0/8 via tun0
00800        0          0 deny ip from any to 169.254.0.0/16 via tun0
00900        0          0 deny ip from any to 192.0.2.0/24 via tun0
01000        0          0 deny ip from any to 224.0.0.0/4 via tun0
01100        0          0 deny ip from any to 240.0.0.0/4 via tun0
01200       10        480 deny ip from 10.0.0.0/8 to any via bge0
01300        0          0 deny ip from 172.16.0.0/12 to any via bge0
01400     1185     391656 deny ip from 0.0.0.0/8 to any via bge0
01500        1         53 deny ip from 169.254.0.0/16 to any via bge0
01600        0          0 deny ip from 192.0.2.0/24 to any via bge0
01700        0          0 deny ip from 224.0.0.0/4 to any via bge0
01800        0          0 deny ip from 240.0.0.0/4 to any via bge0
01900 2099566 282257191 fwd 192.168.2.1,3128 tcp from any to any dst-port 80 in via bge0 
65535 12101031 7181080386 allow ip from any to any
------------------------------------
-su-2.05b# less netustad.natd
log                     yes
verbose                 no
deny_incoming           no
log_denied              yes
log_facility            security
use_sockets             yes
same_ports              yes
unregistered_only       yes
interface sk0
redirect_port tcp 192.168.2.7:80 XX.XXX.XX.XXX:80
--------------------------------------
netustad.ipfw
/sbin/ipfw add deny udp from any to any 137-139,445 
/sbin/ipfw add deny tcp from any to any 137-139,445
/sbin/ipfw add deny udp from any 137-139,445 to any
/sbin/ipfw add deny tcp from any 137-139,445 to any
/sbin/ipfw add deny all from any to 10.0.0.0/8 via tun0
/sbin/ipfw add deny all from any to 172.16.0.0/12 via tun0
/sbin/ipfw add deny all from any to 0.0.0.0/8 via tun0
/sbin/ipfw add deny all from any to 169.254.0.0/16 via tun0
/sbin/ipfw add deny all from any to 192.0.2.0/24 via tun0
/sbin/ipfw add deny all from any to 224.0.0.0/4 via tun0
/sbin/ipfw add deny all from any to 240.0.0.0/4 via tun0
/sbin/ipfw add deny all from 10.0.0.0/8 to any via bge0
/sbin/ipfw add deny all from 172.16.0.0/12 to any via bge0
/sbin/ipfw add deny all from 0.0.0.0/8 to any via bge0
/sbin/ipfw add deny all from 169.254.0.0/16 to any via bge0
/sbin/ipfw add deny all from 192.0.2.0/24 to any via bge0
/sbin/ipfw add deny all from 224.0.0.0/4 to any via bge0
/sbin/ipfw add deny all from 240.0.0.0/4 to any via bge0
/sbin/ipfw add 201 divert natd tcp from 192.168.2.7 80 to any
/sbin/ipfw add 202 divert natd tcp from any to me dst-port 80 in via tun0
/sbin/ipfw add fwd 192.168.2.1,3128 tcp from any to any dst-port 80 in via bge0 
----------------------------------------------------
-su-2.05b# cat /etc/rc.conf
#defaultrouter="172.16.0.1"
gateway_enable="YES"
hostname="proxy.asmpmyo.edu.tr"
ifconfig_bge0="inet 192.168.2.1  netmask 255.255.255.0"
keyrate="fast"
linux_enable="YES"
saver="daemon"
sshd_enable="YES"
accounting_enable="YES" # Turn on process accounting (or NO).
nfs_reserved_port_only="YES"    # Provide NFS only on secure port (or NO).
nfs_client_enable="NO"          # This host is an NFS client (or NO).
rpcbind_enable="NO"             # Run the portmapper service (YES/NO).
syslogd_enable="YES"            # Run syslog daemon (or NO).
syslogd_flags="-ss"
icmp_bmcastecho="NO"    # respond to broadcast ping packets
tcp_drop_synfin="YES" # Set to YES to drop TCP packets with SYN+FIN 
keymap=tr.iso9.q #/usr/share/sysconf/keymap/tr.iso9.q.kbd dosyasy
font8x16=iso09-8x16 #/usr/share/sysconf/fonts/iso09-8x16.fnt dosyasy
ntpdate_enable="YES"
ntpdate_flags="ntp.nasa.gov"
sendmail_enable="NO"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
ppp_enable="YES" ppp_mode="ddial" ppp_profile="adsl" ppp_nat="YES" 
sleep 4
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /usr/local/etc/netustad/netustad.natd
#natd_flags="-f /etc/natd.conf"
squid_enable="YES"
kern_securelevel_enable="YES"   # kernel security level (see init(8))
kern_securelevel="1"
apache_enable="YES"
netustad_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/netustad/netustad.ipfw"
named_enable="YES"              # Run named, the DNS server (or NO).
-su-2.05b#
saygılar... iyi çalışmalar.... 


---------------------------------------------------------------------
Cikmak icin, e-mail: [EMAIL PROTECTED]
Liste arsivi: http://lists.enderunix.org
Turkiye'nin ilk FreeBSD kitabi: http://www.acikakademi.com/freebsd.php

Cevap