{"id":2575,"date":"2017-11-11T16:42:00","date_gmt":"2017-11-11T16:42:00","guid":{"rendered":"https:\/\/tst-amo.pp.ua\/blog\/?p=2575"},"modified":"2017-11-13T14:33:45","modified_gmt":"2017-11-13T14:33:45","slug":"ipfw-nat","status":"publish","type":"post","link":"https:\/\/tst-amo.net.ua\/blog\/?p=2575","title":{"rendered":"IPFW NAT"},"content":{"rendered":"<p>Let's begin<\/p>\n<pre>uname -a\r\nFreeBSD roller.amo.ka 10.3-STABLE FreeBSD 10.3-STABLE #0: Thu Nov 9 22:33:21 \r\nEET 2017 svm@roller.amo.ka:\/usr\/obj\/usr\/src\/sys\/ROLLER i386<\/pre>\n<p>Build the kernel with the following options:<\/p>\n<pre>IPFW NAT ########################\r\noptions IPFIREWALL\r\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\r\noptions IPFIREWALL_VERBOSE\r\noptions IPFIREWALL_VERBOSE_LIMIT=50\r\noptions IPFIREWALL_NAT\r\noptions LIBALIAS\r\noptions ROUTETABLES=2\r\noptions DUMMYNET\r\n#####################################<\/pre>\n<p>then add the following to sysctl (\/etc\/sysctl.conf) and do a sysctl restart<\/p>\n<pre>net.inet.ip.fw.one_pass=1<\/pre>\n<p>or simply run the command<\/p>\n<pre>sysctl net.inet.ip.fw.one_pass=1<\/pre>\n<p><span style=\"color: #000080;\"><em>net.inet.ip.fw.one_pass: 1<\/em><\/span> When set, a packet leaving a <em>dummynet<\/em> pipe does not pass through the firewall again; otherwise, once the pipe has processed it, the packet is re-injected into the firewall at the next rule.<\/p>\n<p>The syntax for kernel IPFW NAT rules is as follows:<\/p>\n<pre>ipfw [-q] nat number config config-options<\/pre>\n<p>If the nat rule number is not given explicitly, the system assigns the rule number 123.<\/p>\n<p>Add to \/etc\/rc.conf<\/p>\n<pre>gateway_enable=\"YES\"\r\n\r\nfirewall_enable=\"YES\"\r\nfirewall_nat_enable=\"YES\"\r\nfirewall_script=\"\/etc\/firewall.script\"\r\nfirewall_logging=\"YES\"\r\ndummynet_enable=\"YES\"<\/pre>\n<p>Now write a minimal firewall<\/p>\n<pre>ee \/etc\/firewall.script\r\n\r\n#!\/bin\/sh\r\n\r\n# Shorthand for invoking ipfw.\r\nipfw=\"\/sbin\/ipfw -q\"\r\n\r\n# The NIC connected to the provider's uplink.\r\nLanOut=\"em0\"\r\nIpOut=\"192.168.1.134\"\r\n\r\n# The NIC facing the internal network.\r\nLanIn=\"em2\"\r\nIpIn=\"10.0.0.1\"\r\n\r\n# DMZ\r\nLanDmz=\"em1\"\r\nIpDmz=\"192.168.2.162\"\r\nNetDmz=\"192.168.2.0\"\r\nMaskDmz=\"28\"\r\n\r\n# Internal subnet.\r\nNetIn=\"10.0.0.0\"\r\n\r\n# Netmask of the internal subnet.\r\nNetMask=\"24\"\r\n\r\n# If the firewall already had rules before this script ran, flush them.\r\n${ipfw} -f flush\r\n\r\n# Create the table of users allowed to access the Internet.\r\n# If table 0 already had entries, flush them.\r\n${ipfw} -f table 0 flush\r\n${ipfw} table 0 add 10.0.0.0\/24\r\n\r\n# Flush all pipes (bandwidth limiters).\r\n${ipfw} -f pipe flush\r\n\r\n# Flush all queues.\r\n${ipfw} -f queue flush\r\n\r\n# DMZ table\r\n${ipfw} table 10 add 192.168.2.161\r\n${ipfw} table 10 add 192.168.2.163\r\n${ipfw} table 10 add 192.168.2.164\r\n\r\n# Anti-spoofing: drop inbound packets whose source address is not routed back via the arriving interface.\r\n${ipfw} add deny ip from any to any not verrevpath in\r\n\r\n# MAIL\r\n${ipfw} add allow tcp from any to 192.168.2.163 25, 587\r\n${ipfw} add allow tcp from 192.168.2.163 to any 25, 587\r\n\r\n# NAT (the instance is configured with \"ipfw nat N config\", not \"ipfw add\")\r\n${ipfw} nat 1 config log if em0 reset same_ports\r\n${ipfw} add nat 1 ip from table\\(0\\) to not table\\(10\\) via em0\r\n#${ipfw} add nat 1 ip from 10.0.0.0\/24 to not table\\(10\\) via em0\r\n${ipfw} add nat 1 ip from any to 192.168.1.134 via em0<\/pre>\n<p>Here <em>table 10<\/em> holds the destinations that are not passed through <em>NAT<\/em><\/p>\n<p>Statistics can be viewed like this:<\/p>\n<pre>ipfw nat 1 show<\/pre>\n<p><strong><em>Example:<\/em><\/strong> you need to forward ports to an RDP server on the internal network with IP 10.0.0.20. The NAT rule then takes the form<\/p>\n<pre>${ipfw} nat 1 config log if em0 reset same_ports \\\r\n       redirect_port tcp 10.0.0.20:3389 3389<\/pre>\n<p>Reload IPFW and check<\/p>\n<pre>ipfw nat 1 show config<\/pre>\n<p><a href=\"http:\/\/www.lissyara.su\/articles\/freebsd\/tuning\/ipfw_nat\/\">http:\/\/www.lissyara.su\/articles\/freebsd\/tuning\/ipfw_nat\/<\/a><br \/>\n<a href=\"http:\/\/ipfw.ism.kiev.ua\/ipfw.html\">http:\/\/ipfw.ism.kiev.ua\/ipfw.html<\/a><br \/>\n<a href=\"https:\/\/mdex-nn.ru\/page\/probros-portov-v-jadernom-ipfw-nat.html\">https:\/\/mdex-nn.ru\/page\/probros-portov-v-jadernom-ipfw-nat.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let's begin uname -a FreeBSD roller.amo.ka 10.3-STABLE FreeBSD 10.3-STABLE #0: Thu Nov 9 22:33:21 EET 2017 svm@roller.amo.ka:\/usr\/obj\/usr\/src\/sys\/ROLLER i386 Build the kernel with the following options: IPFW NAT ######################## options IPFIREWALL options IPFIREWALL_DEFAULT_TO_ACCEPT options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=50 options IPFIREWALL_NAT options LIBALIAS options ROUTETABLES=2 options DUMMYNET ##################################### then add the following to sysctl (\/etc\/sysctl.conf) and do a sysctl restart net.inet.ip.fw.one_pass=1 or simply run the command &#8230;<\/p>\n<p><a href=\"https:\/\/tst-amo.net.ua\/blog\/?p=2575\" class=\"more-link\">Continue reading &lsquo;IPFW NAT&rsquo; &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,106,26],"tags":[],"class_list":["post-2575","post","type-post","status-publish","format-standard","hentry","category-freebsd","category-ipfw","category-nat"],"_links":{"self":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2575"}],"collection":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2575"}],"version-history":[{"count":8,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2575\/revisions"}],"predecessor-version":[{"id":2589,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2575\/revisions\/2589"}],"wp:attachment":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}