 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Andrew Yermakov                      2:5020/400     01 Nov 2005  14:30:26
 To : Alexander Korolev
 Subject : Re: Port redirection into the LAN
 -------------------------------------------------------------------------------- 
 
 
 Alexander Korolev writes:
 
 > All, greetings!
 > 
 > I am still new to FreeBSD.
 > 
 > There is a FreeBSD 5.4 server and a machine with a mail server on the local network.
 > I need to set up redirection of incoming mail from the Internet to the internal
 > mail server on the LAN through the FreeBSD box.
 > 
 > I seem to have configured everything, but it does not work.
 > From the LAN, connecting to the FreeBSD box's external IP on ports 25 and 110,
 > everything is redirected as it should be, but from outside it does not work at all.
 > Ports 25 and 110 are allowed inbound on the FreeBSD box. What am I doing wrong?
 > 
 > rc.conf ---------------------------------------------------------
 > firewall_enable="YES"
 > firewall_type="Simple"
 > gateway_enable="YES"
 > hostname="my_domain"
 > inetd_enable="YES"
 > sshd_enable="YES"
 > usbd_enable="YES"
 > natd_enable="YES"
 > natd_interface="rl0"
 > natd_flags="-f /etc/natd.conf"
 > ifconfig_rl0="inet my_external_IP netmask 255.255.255.0"
 > ifconfig_rl1="inet 192.168.0.2 netmask 255.255.255.0"
 > defaultrouter="provider_gateway"
 > ---------------------------------------------------------------
 > natd.conf --------------------------------------
 > use_sockets yes
 > same_ports yes
 > unregistered_only yes
 > redirect_port tcp 192.168.0.1:25 25
 > redirect_port tcp 192.168.0.1:110 110
 > --------------------------------------
 > rc.firewall ------------------------------------------------------------
 >     # set these to your outside interface network and netmask and ip
 >     oif="rl0"
 >     onet="external_net"
 >     omask="255.255.255.240"
 >     oip="my_external_ip"
 > 
 >     # set these to your inside interface network and netmask and ip
 >     iif="rl1"
 >     inet="192.168.0.0"
 >     imask="255.255.255.240"
 >     iip="192.168.0.2"
 > 
 >     setup_loopback
 > 
 >     # Redirect for mailserver
 >     ${fwcmd} add 10 divert natd tcp from any 25 to any
 >     ${fwcmd} add 11 divert natd tcp from any to any 25
 >     ${fwcmd} add 12 divert natd tcp from any 110 to any
 >     ${fwcmd} add 13 divert natd tcp from any to any 110
 
 These diverts are probably not needed.
 
 >     # Stop spoofing
 >     ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
 >     ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
 > 
 >     # Stop RFC1918 nets on the outside interface
 >     ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
 >     ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
 >     ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
 > 
 >     # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 >     # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 >     # on the outside interface
 >     ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
 >     ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
 >     ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
 >     ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
 >     ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
 > 
 >     case ${natd_enable} in
 >     [Yy][Ee][Ss])
 >         if [ -n "${natd_interface}" ]; then
 >             ${fwcmd} add divert natd all from any to any via ${natd_interface}
 >         fi
 >         ;;
 >     esac
 > 
 >     # Stop RFC1918 nets on the outside interface
 >     ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
 >     ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
 >     ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
 > 
 >     # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 >     # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 >     # on the outside interface
 >     ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
 >     ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
 >     ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
 >     ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
 >     ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 > 
 
 Try inserting rules like these here:
 ${fwcmd} add pass tcp from any to 192.168.0.1 25 in via ${oif} setup
 ${fwcmd} add pass tcp from any to 192.168.0.1 110 in via ${oif} setup
 
 >     # Allow TCP through if setup succeeded
 >     ${fwcmd} add pass tcp from any to any established
 > 
 >     # Allow IP fragments to pass through
 >     ${fwcmd} add pass all from any to any frag
 > 
 >     # Allow setup of incoming email
 >     ${fwcmd} add pass tcp from any to any 25
 >     ${fwcmd} add pass tcp from any to any 110
 > 
 >     # Allow access to our DNS
 >     ${fwcmd} add pass tcp from any to ${oip} 53 setup
 >     ${fwcmd} add pass udp from any to ${oip} 53
 >     ${fwcmd} add pass udp from ${oip} 53 to any
 > 
 >     # Reject&Log all setup of incoming connections from the outside
 >     ${fwcmd} add deny log tcp from any to any in via ${oif} setup
 > 
 >     # Allow setup of any other TCP connection
 >     ${fwcmd} add pass tcp from any to any setup
 > 
 >     # Allow DNS queries out in the world
 >     ${fwcmd} add pass udp from ${oip} to any 53 keep-state
 > 
 >     # Allow NTP queries out in the world
 >     ${fwcmd} add pass udp from ${oip} to any 123 keep-state
 > 
 >     ;;
 > ------------------------------------------------------------------------
 > 
 > Goodbye.
 > Alexander.
 -- 
 With best regards,
 Andrew A. Yermakov   +380 642 343006
 mailto:andrew@ltk.com.ua
 --- ifmail v.2.15dev5.3
  * Origin: Demos online service (2:5020/400)
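The following is an added example written for this page, not code from either poster. It is a toy first-match model of the ipfw rule walk for the rulesets quoted above: the stock "Simple" ruleset with the poster's extra rules 10-13 in front of it, the same ruleset without them (the reply's first suggestion), and the ruleset with the two pass rules the reply proposes. It keeps only the ipfw semantics needed here (first match wins, a matching divert hands the packet to natd, natd reinjects the rewritten packet at the next rule) and omits the anti-spoof, DNS and NTP rules the sample packets never touch. The addresses are constructed (RFC 5737 documentation ranges stand in for the redacted external IP and the remote sender), the natd model applies redirect_port to any inbound packet it is handed, and the kernel is assumed to end with the default deny rule.

```python
"""Toy first-match model of the ipfw + natd rule walk from this thread (added example)."""
import ipaddress

OIF, IIF = "rl0", "rl1"           # outside / inside interface names from the post
PUBLIC_IP = "198.51.100.2"        # constructed stand-in for "my_external_IP"
MAILSERVER = "192.168.0.1"        # the internal mail server from natd.conf

# natd.conf: redirect_port tcp 192.168.0.1:25 25 / redirect_port tcp 192.168.0.1:110 110
REDIRECTS = {("tcp", 25): (MAILSERVER, 25), ("tcp", 110): (MAILSERVER, 110)}


def natd(pkt):
    """Model natd: apply redirect_port to an inbound packet aimed at the public IP.
    Assumption: natd applies its redirect table to any inbound packet it is handed."""
    key = (pkt["proto"], pkt["dport"])
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP and key in REDIRECTS:
        pkt = dict(pkt)
        pkt["dst"], pkt["dport"] = REDIRECTS[key]
    return pkt


def rule(action, proto="all", src="any", sport=None, dst="any", dport=None,
         via=None, direction=None, flag=None):
    """One ipfw rule: action proto from src [sport] to dst [dport] [in|out] [via if] [setup|established]."""
    return (action, proto, src, sport, dst, dport, via, direction, flag)


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(r, pkt):
    _action, proto, src, sport, dst, dport, via, direction, flag = r
    if proto != "all" and proto != pkt["proto"]:
        return False
    if not (_in_net(pkt["src"], src) and _in_net(pkt["dst"], dst)):
        return False
    if sport is not None and sport != pkt["sport"]:
        return False
    if dport is not None and dport != pkt["dport"]:
        return False
    if via is not None and via != pkt["iface"]:          # `via` matches in or out on that interface
        return False
    if direction is not None and direction != pkt["dir"]:
        return False
    if flag == "setup":                                  # SYN without ACK
        return pkt["syn"] and not pkt["ack"]
    if flag == "established":
        return pkt["ack"]
    return True                                          # sample packets are never fragments


def walk(rules, pkt):
    """First-match walk. Returns (verdict, packet as it leaves ipfw, indexes of rules that matched)."""
    trace, i = [], 0
    while i < len(rules):
        if matches(rules[i], pkt):
            trace.append(i)
            if rules[i][0] != "divert":
                return rules[i][0], pkt, trace
            pkt = natd(pkt)          # natd reinjects; processing resumes at the next rule
        i += 1
    return "deny", pkt, trace        # assumption: default deny-all final rule


# The parts of the quoted rc.firewall "Simple" ruleset that these packets can touch.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
BOGON_TO = [rule("deny", dst=n, via=OIF) for n in RFC1918]      # stock: before the divert
DIVERT = [rule("divert", via=OIF)]                              # stock natd divert
BOGON_FROM = [rule("deny", src=n, via=OIF) for n in RFC1918]    # stock: after the divert
TAIL = [
    rule("pass", "tcp", flag="established"),
    rule("pass", "tcp", dport=25),
    rule("pass", "tcp", dport=110),
    rule("deny", "tcp", via=OIF, direction="in", flag="setup"),
    rule("pass", "tcp", flag="setup"),
]
# The poster's rules 10-13: interface-less diverts placed ahead of everything else.
EARLY_DIVERTS = [rule("divert", "tcp", sport=25), rule("divert", "tcp", dport=25),
                 rule("divert", "tcp", sport=110), rule("divert", "tcp", dport=110)]
# The two pass rules suggested in the reply, at the position the reply names.
SUGGESTED = [rule("pass", "tcp", dst=MAILSERVER, dport=p, via=OIF, direction="in", flag="setup")
             for p in (25, 110)]

POSTED = EARLY_DIVERTS + BOGON_TO + DIVERT + BOGON_FROM + TAIL
WITHOUT_EARLY = BOGON_TO + DIVERT + BOGON_FROM + TAIL
WITH_SUGGESTED = BOGON_TO + DIVERT + BOGON_FROM + SUGGESTED + TAIL


def syn(src, iface, dport):
    """A TCP SYN to the public IP on dport, arriving on iface (constructed packet)."""
    return {"proto": "tcp", "src": src, "sport": 40000, "dst": PUBLIC_IP, "dport": dport,
            "iface": iface, "dir": "in", "syn": True, "ack": False}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("without early diverts", WITHOUT_EARLY),
                        ("with suggested pass rules", WITH_SUGGESTED)):
        v, p, t = walk(rules, syn("203.0.113.5", OIF, 25))          # from the Internet
        print(f"{name:26} internet->:25  {v:5} dst={p['dst']}:{p['dport']} rules hit={t}")
    v, p, t = walk(POSTED, syn("192.168.0.10", IIF, 25))            # from the LAN
    print(f"{'posted':26} lan->:25       {v:5} dst={p['dst']}:{p['dport']} rules hit={t}")
```

Run it and the traces show the mechanism. In the posted ordering an Internet SYN to port 25 matches rule 11, comes back from natd with destination 192.168.0.1, and is then dropped by "deny all from any to 192.168.0.0/16 via ${oif}", which sits between the early diverts and the stock divert; the stock "Simple" ruleset places its single divert after those destination checks for exactly this reason. A SYN from the LAN arrives on rl1, where none of the "via ${oif}" denies apply, so the same ordering passes it, which matches what the poster saw from inside. Without the early diverts, or with the reply's two pass rules in place, the Internet SYN is translated by the stock divert and then accepted, while a SYN to a port with no redirect still ends at the "deny log ... in via ${oif} setup" rule.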
 
 

 Thread:
 Subject:                             Author:              Date:
 Port redirection into the LAN        Alexander Korolev    31 Oct 2005 18:05:21
 Re: Port redirection into the LAN    Andrew Yermakov      01 Nov 2005 14:30:26
 Port redirection into the LAN        Alex Mogilnikov      01 Nov 2005 20:10:13
 Re: Port redirection into the LAN    Vladimir V. Tselm    02 Nov 2005 11:41:19
 Port redirection into the LAN        Alex Mogilnikov      02 Nov 2005 15:28:12