常见问题常见问题   搜索搜索   会员列表会员列表   团队团队   注册注册    个人资料个人资料   登录查看您的站内信件登录查看您的站内信件   登录登录 

求教 freebsd 10.1 ipfw 端口转发

 
发表新文章   回复文章    FreeBSD China -> 技术交流
阅读上一个主题 :: 阅读下一个主题  
作者 留言
wangjb
半仙


注册时间: 2015-04-22
文章: 5

文章发表于: Wed 2015-04-22 16:20:31    发表主题: 求教 freebsd 10.1 ipfw 端口转发 引用并回复

公司一台服务器有两个网卡 em0(公网地址) em1(内网卡192.168.9.99),想通过redirect_port 80端口转发到 内部的192.168.9.6 80端口 上面,弄了10多天了,一直都没有搞定,头痛死了。看了很多资料,都没有搞定。
系统freebsd 10.1

#cat /etc/rc.conf
hostname="fwd"
ifconfig_em0="inet 116.228.168.99 netmask 255.255.255.240"
defaultrouter="116.228.168.97"
ifconfig_em1="inet 192.168.9.99 netmask 255.255.255.0"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

firewall_enable="YES"
firewall_logging="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"

#cat /etc/sysctl.conf

net.inet.ip.fw.one_pass=0

cat /etc/ipfw.rules

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="em0" # interface name of NIC attached to Internet
iif="em1" # interface name of NIC attached to LAN
server="192.168.9.99"
inside="192.168.9.0/24"
me="116.228.168.99" # Public WAN address
ks="keep-state" # Laziness
skip="skipto 600"

# Create the NAT redirect rules
######################################
ipfw -q nat 1 config if $pif unreg_only reset \
redirect_port tcp 192.168.9.6:80 80 \
redirect_port tcp 192.168.9.6:22 1022


######################################

# Setup all the NAT reflection stuff
######################################
$cmd 00002 fwd 127.0.0.1,50080 tcp from 192.168.9.0/24 to $me 80 in via em0
######################################


# Allow everything through the local NIC
######################################
$cmd 00020 allow all from any to any via em0
######################################

# No restrictions on Loopback Interface
######################################
$cmd 00025 allow all from any to any via lo0
######################################

# Catch spoofing from outside
######################################
$cmd 00090 deny ip from any to any not antispoof in
######################################

# NAT the inbound stuff
######################################
$cmd 0100 nat 1 ip from any to any in via $pif
######################################

# Allow packet through if it matches existing entry in dynamic rules
######################################
$cmd 00101 check-state
######################################

# Allow all outgoing packets
######################################
$cmd 00110 $skip tcp from any to any out via $pif setup $ks
$cmd 00120 $skip udp from any to any out via $pif $ks
######################################

# Deny all inbound traffic from non-routable reserved address spaces
######################################
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc’s
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
######################################

# Deny public pings
######################################
$cmd 00310 deny icmp from any to any in via $pif
######################################

# Allow specific ports IN now (for services behind NAT)
######################################
$cmd 00425 $skip tcp from any to any 80 in via $pif setup $ks
######################################

# Deny all other troublemakers
$cmd 00550 deny tcp from any to any via $pif
$cmd 00551 deny udp from any to any via $pif

# Skip location for NAT
$cmd 600 nat 1 ip from any to any out via $pif
$cmd 610 allow ip from any to any


可是就是不行,请帮忙。
返回页首
阅览会员资料 发送站内信件
lsstarboy
半仙


注册时间: 2007-08-08
文章: 164

文章发表于: Wed 2015-05-20 10:18:32    发表主题: Re: 求教 freebsd 10.1 ipfw 端口转发 引用并回复

wangjb 写到:
公司一台服务器有两个网卡 em0(公网地址) em1(内网卡192.168.9.99),想通过redirect_port 80端口转发到 内部的192.168.9.6 80端口 上面,弄了10多天了,一直都没有搞定,头痛死了。看了很多资料,都没有搞定。
系统freebsd 10.1

#cat /etc/rc.conf
hostname="fwd"
ifconfig_em0="inet 116.228.168.99 netmask 255.255.255.240"
defaultrouter="116.228.168.97"
ifconfig_em1="inet 192.168.9.99 netmask 255.255.255.0"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

firewall_enable="YES"
firewall_logging="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"

#cat /etc/sysctl.conf

net.inet.ip.fw.one_pass=0

cat /etc/ipfw.rules

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="em0" # interface name of NIC attached to Internet
iif="em1" # interface name of NIC attached to LAN
server="192.168.9.99"
inside="192.168.9.0/24"
me="116.228.168.99" # Public WAN address
ks="keep-state" # Laziness
skip="skipto 600"

# Create the NAT redirect rules
######################################
ipfw -q nat 1 config if $pif unreg_only reset \
redirect_port tcp 192.168.9.6:80 80 \
redirect_port tcp 192.168.9.6:22 1022


######################################

# Setup all the NAT reflection stuff
######################################
$cmd 00002 fwd 127.0.0.1,50080 tcp from 192.168.9.0/24 to $me 80 in via em0
######################################


# Allow everything through the local NIC
######################################
$cmd 00020 allow all from any to any via em0
######################################

# No restrictions on Loopback Interface
######################################
$cmd 00025 allow all from any to any via lo0
######################################

# Catch spoofing from outside
######################################
$cmd 00090 deny ip from any to any not antispoof in
######################################

# NAT the inbound stuff
######################################
$cmd 0100 nat 1 ip from any to any in via $pif
######################################

# Allow packet through if it matches existing entry in dynamic rules
######################################
$cmd 00101 check-state
######################################

# Allow all outgoing packets
######################################
$cmd 00110 $skip tcp from any to any out via $pif setup $ks
$cmd 00120 $skip udp from any to any out via $pif $ks
######################################

# Deny all inbound traffic from non-routable reserved address spaces
######################################
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc’s
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
######################################

# Deny public pings
######################################
$cmd 00310 deny icmp from any to any in via $pif
######################################

# Allow specific ports IN now (for services behind NAT)
######################################
$cmd 00425 $skip tcp from any to any 80 in via $pif setup $ks
######################################

# Deny all other troublemakers
$cmd 00550 deny tcp from any to any via $pif
$cmd 00551 deny udp from any to any via $pif

# Skip location for NAT
$cmd 600 nat 1 ip from any to any out via $pif
$cmd 610 allow ip from any to any


可是就是不行,请帮忙。


我给你定个简单的:
1、先把rc.conf中nat那句删除;
2、ipfw.rules:

ipfw nat 1 config ip 116.228.168.99 redirect_port tcp 192.168.9.99:80 80

ipfw add 100 nat 1 ip from any to any in via em0
ipfw add 200 nat 1 ip from any to any out via em0

ipfw add 65530 allow ip from any to any
返回页首
阅览会员资料 发送站内信件 浏览发表者的主页
从以前的文章开始显示:   
发表新文章   回复文章    FreeBSD China -> 技术交流 论坛时间为 北京时间
1页/共1

 
转跳到:  
不能发布新主题
不能在这个论坛回复主题
不能在这个论坛编辑自己的文章
不能在这个论坛删除自己的文章
不能在这个论坛发表投票


Powered by phpBB 2023cc © 2003 Opensource Steps; © 2003-2009 The FreeBSD Simplified Chinese Project
Powered by phpBB © 2001, 2005 phpBB Group
Protected by Project Honey Pot and phpBB.cc
silvery-trainer
The FreeBSD China Project 网站: 中文计划网站 社区网站
The FreeBSD China Project 版权所有 (C) 1999 - 2003 网页设计版权 著作权和商标