Merhaba Mesut bey,
netustad.natd dosyasındaki
interface sk0 satırını
interface tun0 yapmalısınız.
sorun çözülecektir.
Mesut GÜLNAZ yazmış:
ipfw kurulu bir default gateway'de
LAN 192.168.2.0/24 networkü.
bu networkte bir www server var.
dışarıdan buna erişimi sağlamaya çalışıyorum.
sistem:
-su-2.05b# ps ax | grep nat
338 ?? Ss 5:34.38 /usr/sbin/ppp -quiet -ddial -nat adsl
61651 p0 S+ 0:00.00 grep nat
netustad kullanmaya çalışıyorum.
ipfw kurulu serverdan 192.168.2.0/24 networkündeki www server'a ping
atabilmeme rağmen port 80'ine telnet açamıyorum.
ipfw kurallarım aşağıdaki gibidir.
-su-2.05b# ipfw -a list
00100 347549 31425483 deny udp from any to any dst-port 137-139,445
00200 107356 5154188 deny tcp from any to any dst-port 137-139,445
00201 28 1276 divert 8668 tcp from 192.168.2.7 80 to any
00202 11005 556068 divert 8668 log logamount 100 tcp from any to me dst-port 80 in via tun0
00300 636 42822 deny udp from any 137-139,445 to any
00400 0 0 deny tcp from any 137-139,445 to any
00500 35 1680 deny ip from any to 10.0.0.0/8 via tun0
00600 0 0 deny ip from any to 172.16.0.0/12 via tun0
00700 0 0 deny ip from any to 0.0.0.0/8 via tun0
00800 0 0 deny ip from any to 169.254.0.0/16 via tun0
00900 0 0 deny ip from any to 192.0.2.0/24 via tun0
01000 0 0 deny ip from any to 224.0.0.0/4 via tun0
01100 0 0 deny ip from any to 240.0.0.0/4 via tun0
01200 10 480 deny ip from 10.0.0.0/8 to any via bge0
01300 0 0 deny ip from 172.16.0.0/12 to any via bge0
01400 1185 391656 deny ip from 0.0.0.0/8 to any via bge0
01500 1 53 deny ip from 169.254.0.0/16 to any via bge0
01600 0 0 deny ip from 192.0.2.0/24 to any via bge0
01700 0 0 deny ip from 224.0.0.0/4 to any via bge0
01800 0 0 deny ip from 240.0.0.0/4 to any via bge0
01900 2099566 282257191 fwd 192.168.2.1,3128 tcp from any to any dst-port 80 in via bge0
65535 12101031 7181080386 allow ip from any to any
------------------------------------
-su-2.05b# less netustad.natd
log yes
verbose no
deny_incoming no
log_denied yes
log_facility security
use_sockets yes
same_ports yes
unregistered_only yes
interface sk0
redirect_port tcp 192.168.2.7:80 XX.XXX.XX.XXX:80
--------------------------------------
netustad.ipfw
# netustad.ipfw — ipfw rule set loaded through firewall_script in rc.conf.
# Rules are installed in the order written: unnumbered "add" lines receive
# auto-assigned numbers, the two divert rules and the fwd rule are numbered
# explicitly so they sort ahead of the auto-numbered deny rules.
# NOTE(review): the running rule set in this thread ends with
# "65535 allow ip from any to any", so anything not denied here is allowed;
# there is no default-deny.

fw=/sbin/ipfw

# NetBIOS/SMB ports are blocked in both directions.
for proto in udp tcp; do
  "$fw" add deny "$proto" from any to any 137-139,445
done
for proto in udp tcp; do
  "$fw" add deny "$proto" from any 137-139,445 to any
done

# deny_bogon_nets DIRECTION IFACE
# Adds one deny rule per reserved/private network on IFACE.
# DIRECTION "dst" denies packets sent *to* the network (egress filtering on
# the ADSL link), anything else denies packets *from* it (ingress filtering
# on the LAN side).
deny_bogon_nets() {
  for net in 10.0.0.0/8 172.16.0.0/12 0.0.0.0/8 169.254.0.0/16 \
             192.0.2.0/24 224.0.0.0/4 240.0.0.0/4; do
    if [ "$1" = dst ]; then
      "$fw" add deny all from any to "$net" via "$2"
    else
      "$fw" add deny all from "$net" to any via "$2"
    fi
  done
}

deny_bogon_nets dst tun0
deny_bogon_nets src bge0

# NAT for the published LAN web server: both directions of its port-80
# traffic are handed to natd via the "natd" divert port (8668 in the
# "ipfw -a list" output of this thread).
# NOTE(review): a divert rule whose port has no listening process drops the
# packet; the ps output in this thread shows ppp running with -nat but no
# natd process — confirm natd is actually running before debugging rules.
# Rule 201 carries no in/out or via restriction, so the server's replies
# are diverted on bge0 as well as on tun0.
"$fw" add 201 divert natd tcp from 192.168.2.7 80 to any
"$fw" add 202 divert natd tcp from any to me dst-port 80 in via tun0

# Transparent proxy: LAN web requests arriving on bge0 are forwarded to
# 192.168.2.1:3128 (presumably squid, which rc.conf enables).
"$fw" add fwd 192.168.2.1,3128 tcp from any to any dst-port 80 in via bge0
----------------------------------------------------
-su-2.05b# cat /etc/rc.conf
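# /etc/rc.conf — sourced by the rc scripts, so it should hold only variable
# assignments; any command placed here runs every time the file is sourced.
#defaultrouter="172.16.0.1"
gateway_enable="YES"
hostname="proxy.asmpmyo.edu.tr"
ifconfig_bge0="inet 192.168.2.1 netmask 255.255.255.0"
keyrate="fast"
linux_enable="YES"
saver="daemon"
sshd_enable="YES"
accounting_enable="YES"         # Turn on process accounting (or NO).
nfs_reserved_port_only="YES"    # Provide NFS only on secure port (or NO).
nfs_client_enable="NO"          # This host is an NFS client (or NO).
rpcbind_enable="NO"             # Run the portmapper service (YES/NO).
syslogd_enable="YES"            # Run syslog daemon (or NO).
syslogd_flags="-ss"
icmp_bmcastecho="NO"            # respond to broadcast ping packets
tcp_drop_synfin="YES"           # Set to YES to drop TCP packets with SYN+FIN
keymap="tr.iso9.q"              # /usr/share/sysconf/keymap/tr.iso9.q.kbd file
font8x16="iso09-8x16"           # /usr/share/sysconf/fonts/iso09-8x16.fnt file
ntpdate_enable="YES"
ntpdate_flags="ntp.nasa.gov"
sendmail_enable="NO"
# NOTE(review): three NAT mechanisms are enabled below (ipnat, ppp -nat and
# natd).  The ps output in this thread shows ppp running with -nat and no
# natd process.  Only one of them should translate the tun0 traffic —
# confirm which one is intended.
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="adsl"
ppp_nat="YES"
# A bare "sleep 4" used to sit here; it is disabled because rc.conf is not a
# start-up script: the delay ran on every sourcing and ordered nothing.
#sleep 4
natd_enable="YES"
natd_interface="tun0"
# The closing quote was missing here, which left the string unterminated
# (the following lines were read as part of the value).
natd_flags="-f /usr/local/etc/netustad/netustad.natd"
#natd_flags="-f /etc/natd.conf"
squid_enable="YES"
kern_securelevel_enable="YES"   # kernel security level (see init(8))
kern_securelevel="1"
apache_enable="YES"
netustad_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/netustad/netustad.ipfw"
named_enable="YES"              # Run named, the DNS server (or NO).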
-su-2.05b#
saygılar...
iyi çalışmalar....