При отключении клиента нет пинга на шлюз
Від ___FiNT___
Доброго времени суток! Нужна помощь с настройкой natd (статический NAT внешних адресов на внутренние).
rc.conf
#EXT I-FACE, REAL IP ifconfig_em0="inet 97.123.145.165 netmask 255.255.255.255" ifconfig_em0_alias0="inet 97.123.145.167 netmask 255.255.255.255" ifconfig_em0_alias1="inet 97.123.145.167 netmask 255.255.255.252"
natd.conf
same_ports yes use_sockets yes redirect_address 192.168.1.2 97.123.145.167 redirect_address 192.168.1.3 97.123.145.168
firewall.conf
ipfw='/sbin/ipfw -q ' ${ipfw} -f flush ${ipfw} table all flush ${ipfw} disable one_pass ${ipfw} pipe 10016 config bw 16Kbit/s mask dst-ip 0xffffffff. ${ipfw} pipe 10032 config bw 32Kbit/s mask dst-ip 0xffffffff. ${ipfw} pipe 10064 config bw 64Kbit/s mask dst-ip 0xffffffff. ${ipfw} pipe 10128 config bw 128Kbit/s mask dst-ip 0xffffffff. ${ipfw} pipe 10256 config bw 256Kbit/s mask dst-ip 0xffffffff. ${ipfw} pipe 10512 config bw 512Kbit/s mask dst-ip 0xffffffff ${ipfw} pipe 11024 config bw 1Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 12048 config bw 2Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 14096 config bw 4Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 18192 config bw 8Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 11000 config bw 10Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 11500 config bw 15Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 12000 config bw 20Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 12500 config bw 25Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 14000 config bw 40Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 16000 config bw 60Mbit/s mask dst-ip 0xffffffff ${ipfw} pipe 18000 config bw 80Mbit/s mask dst-ip 0xffffffff # Upload ${ipfw} pipe 20016 config bw 16Kbit/s mask src-ip 0xffffffff ${ipfw} pipe 20032 config bw 32Kbit/s mask src-ip 0xffffffff ${ipfw} pipe 20064 config bw 64Kbit/s mask src-ip 0xffffffff ${ipfw} pipe 20128 config bw 128Kbit/s mask src-ip 0xffffffff ${ipfw} pipe 20256 config bw 256Kbit/s mask src-ip 0xffffffff ${ipfw} pipe 20512 config bw 512Kbit/s mask src-ip 0xffffffff ${ipfw} pipe 21024 config bw 1Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 22048 config bw 2Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 24096 config bw 4Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 28192 config bw 8Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 21000 config bw 10Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 21500 config bw 15Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 22000 config bw 20Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 22500 config bw 25Mbit/s mask src-ip 0xffffffff ${ipfw} 
pipe 24000 config bw 40Mbit/s mask src-ip 0xffffffff ${ipfw} pipe 25000 config bw 50Mbit/s mask src-ip 0xffffffff # external ip ${ipfw} table 70 add 97.123.145.167 ${ipfw} table 70 add 97.123.145.168 # GateWays ${ipfw} table 75 add 192.168.1.1 # Local Users ${ipfw} table 80 add 192.168.1.0/22 /etc/scripts/update_aqualan_table.pl >> null /etc/scripts/update_ukraine_table.pl >> null ${ipfw} add 100 check-state ${ipfw} add 200 allow ip from any to any via lo0 ${ipfw} add 210 allow tcp from me to any keep-state via em0 ${ipfw} add 210 allow udp from me to any keep-state via em0 ${ipfw} add 220 deny ip from any to 127.0.0.0/8 ${ipfw} add 230 deny ip from 127.0.0.0/8 to any #---------- Managing trafic LOCAL - ROUTER - SERVICE, VLAN --------------------------------------------- # Allowind traffic from gateways to service zone of LAN (file servers, Switches) ${ipfw} add 500 allow ip from "table(75)" to "table(90)" via em1 ${ipfw} add 510 allow ip from "table(90)" to "table(75)" via em1 # Allowind traffic from gateways to LOCAL USERS ${ipfw} add 520 allow ip from "table(75)" to "table(80)" via em1 ${ipfw} add 530 allow ip from "table(80)" to "table(75)" via em1 # Allowind traffic from Authorazed USERS to service zone of LAN ${ipfw} add 540 allow ip from "table(0)" to "table(90)" via em1 ${ipfw} add 550 allow ip from "table(90)" to "table(0)" via em1 # Allowind traffic from Authorazed USERS to oher V-LAN ${ipfw} add 560 allow ip from "table(0)" to "table(80)" via em1 ${ipfw} add 570 allow ip from "table(80)" to "table(0)" via em1 #---------- Managing trafic LOCAL - ROUTER - SERVICE, VLAN --------------------------------------------- #------------- Nating incomin packages form I-Net iface -------------------------------------------------- ${ipfw} add 900 divert natd ip from any to any in recv em0 #----------- Managing trafic LOCAL - ROUTER - UA-IX --------------------------------------------------- ${ipfw} add 1000 allow ip from "table(100)" to "table(1)" # разрешаем входящие 
пакеты от сетей UA-IX из таблицы 100 на авторизированных юзеров из таблицы 1 ${ipfw} add 1010 divert natd ip from "table(1)" to "table(100)" out xmit em0 # отправляем на NAT пакеты от авторизированых юзеров из таблицы 1 на сети UA-IX из таблицы 100 через внешний интерфейс ${ipfw} add 1020 allow ip from "table(1)" to "table(100)" # out xmit em0 # разрешаем входящие пакеты от авторизированых юзеров из таблицы 1 на сетиUA-IX из таблицы 100 ${ipfw} add 1030 allow ip from "table(100)" to any out via em0 # разрешаем принимать на сервер пакеты, адресованые от сетей UA-IX через внешний интерфейс ${ipfw} add 1200 deny log ip from "table(100)" to "table(80)" in recv em0 # запрешщаем входящие пакеты от сетей UA-IX из таблицы 100 на всех локальных юзеров таблица 80 через внешний интерфейс ${ipfw} add 1210 deny log ip from "table(80)" to "table(100)" out xmit em0 # запрещаем исходящие пакеты от локальных юзеров таблица 80 на сетиUA-IX из таблицы 100 через внешний интерфейс #----------- Managing trafic LOCAL - ROUTER - UA-IX --------------------------------------------------- #----------- Managing trafic LOCAL - ROUTER (SHAPING) - WORLD ---------------------------------------- # резрешения на прохождение через сервер исходящих пакетов от пользователей авторизированых для доступа к WORLD ${ipfw} add 2008 allow all from "table(8)" to any in recv em1 ${ipfw} add 2009 allow all from "table(9)" to any in recv em1 ${ipfw} add 2010 allow all from "table(10)" to any in recv em1 ${ipfw} add 2011 allow all from "table(11)" to any in recv em1 ${ipfw} add 2012 allow all from "table(12)" to any in recv em1 ${ipfw} add 2013 allow all from "table(13)" to any in recv em1 ${ipfw} add 2014 allow all from "table(14)" to any in recv em1 ${ipfw} add 2015 allow all from "table(15)" to any in recv em1 ${ipfw} add 2016 allow all from "table(16)" to any in recv em1 ${ipfw} add 2017 allow all from "table(17)" to any in recv em1 ${ipfw} add 2018 allow all from "table(18)" to any in recv em1 ${ipfw} add 
2019 allow all from "table(19)" to any in recv em1 ${ipfw} add 2020 allow all from "table(20)" to any in recv em1 ${ipfw} add 2021 allow all from "table(21)" to any in recv em1 ${ipfw} add 2022 allow all from "table(22)" to any in recv em1 ${ipfw} add 2023 allow all from "table(23)" to any in recv em1 ${ipfw} add 2024 allow all from "table(24)" to any in recv em1 ${ipfw} add 2030 allow all from "table(60)" to any in recv em1 # резрешения на прохождение через сервер входящих пакетов от пакетов от WORLD к авотризированым пользователям ${ipfw} add 2108 allow all from any to "table(38)" out xmit em1 ${ipfw} add 2109 allow all from any to "table(39)" out xmit em1 ${ipfw} add 2110 allow all from any to "table(40)" out xmit em1 ${ipfw} add 2111 allow all from any to "table(41)" out xmit em1 ${ipfw} add 2112 allow all from any to "table(42)" out xmit em1 ${ipfw} add 2113 allow all from any to "table(43)" out xmit em1 ${ipfw} add 2114 allow all from any to "table(44)" out xmit em1 ${ipfw} add 2115 allow all from any to "table(45)" out xmit em1 ${ipfw} add 2116 allow all from any to "table(46)" out xmit em1 ${ipfw} add 2117 allow all from any to "table(47)" out xmit em1 ${ipfw} add 2118 allow all from any to "table(48)" out xmit em1 ${ipfw} add 2119 allow all from any to "table(49)" out xmit em1 ${ipfw} add 2120 allow all from any to "table(50)" out xmit em1 ${ipfw} add 2121 allow all from any to "table(51)" out xmit em1 ${ipfw} add 2122 allow all from any to "table(52)" out xmit em1 ${ipfw} add 2123 allow all from any to "table(53)" out xmit em1 ${ipfw} add 2130 allow all from any to "table(60)" out xmit em1 # нарезка скорости мир вход ${ipfw} add 2308 pipe 10016 all from any to "table(8)" in recv em0 ${ipfw} add 2309 pipe 10032 all from any to "table(9)" in recv em0 ${ipfw} add 2310 pipe 10064 all from any to "table(10)" in recv em0 ${ipfw} add 2311 pipe 10128 all from any to "table(11)" in recv em0 ${ipfw} add 2312 pipe 10256 all from any to "table(12)" in recv em0 
${ipfw} add 2313 pipe 10512 all from any to "table(13)" in recv em0 ${ipfw} add 2314 pipe 11024 all from any to "table(14)" in recv em0 ${ipfw} add 2315 pipe 12048 all from any to "table(15)" in recv em0 ${ipfw} add 2316 pipe 14096 all from any to "table(16)" in recv em0 ${ipfw} add 2317 pipe 18192 all from any to "table(17)" in recv em0 ${ipfw} add 2318 pipe 11000 all from any to "table(18)" in recv em0 ${ipfw} add 2319 pipe 11500 all from any to "table(19)" in recv em0 ${ipfw} add 2320 pipe 12000 all from any to "table(20)" in recv em0 ${ipfw} add 2320 pipe 12500 all from any to "table(21)" in recv em0 ${ipfw} add 2320 pipe 14000 all from any to "table(22)" in recv em0 ${ipfw} add 2320 pipe 16000 all from any to "table(23)" in recv em0 ${ipfw} add 2320 pipe 18000 all from any to "table(24)" in recv em0 # нарезка скорости мир исход ${ipfw} add 2408 pipe 20016 all from "table(38)" to any out xmit em0 ${ipfw} add 2409 pipe 20032 all from "table(39)" to any out xmit em0 ${ipfw} add 2410 pipe 20064 all from "table(40)" to any out xmit em0 ${ipfw} add 2411 pipe 20128 all from "table(41)" to any out xmit em0 ${ipfw} add 2412 pipe 20256 all from "table(42)" to any out xmit em0 ${ipfw} add 2413 pipe 20512 all from "table(43)" to any out xmit em0 ${ipfw} add 2414 pipe 21024 all from "table(44)" to any out xmit em0 ${ipfw} add 2415 pipe 22048 all from "table(45)" to any out xmit em0 ${ipfw} add 2416 pipe 24096 all from "table(46)" to any out xmit em0 ${ipfw} add 2417 pipe 28192 all from "table(47)" to any out xmit em0 ${ipfw} add 2418 pipe 21000 all from "table(48)" to any out xmit em0 ${ipfw} add 2419 pipe 21500 all from "table(49)" to any out xmit em0 ${ipfw} add 2420 pipe 22000 all from "table(50)" to any out xmit em0 ${ipfw} add 2420 pipe 22500 all from "table(51)" to any out xmit em0 ${ipfw} add 2420 pipe 24000 all from "table(52)" to any out xmit em0 ${ipfw} add 2420 pipe 25000 all from "table(53)" to any out xmit em0 # нарезка скорости мир исход ${ipfw} add 2500 
divert natd ip from "table(80)" to any out xmit em0 ${ipfw} add 2600 allow ip from "table(70)" to any out via em0 # разрешаем покидать сервер пакетам, адресованым на внешние сети через внешний интерфейс ${ipfw} add 2610 allow ip from any to "table(80)" in via em0 # разрешаем принимать на сервер пакеты, адресованые на внутрение сети из мира через #----------- Managing trafic LOCAL - ROUTER (SHAPING) - WORLD ---------------------------------------- #-----------Устанавливаем разрешения для локальных пользователей, на IP адресах сервера------------------ # Opening traf thrue service ports (SSH,WWW,Inetacces,WEBMIN,StgAdmin) on local i-face ${ipfw} add 2999 allow ip from 97.123.145.165/32 to "table(80)","table(90)" via em1 # DNS ${ipfw} add 3000 allow tcp from "table(80)" to 97.123.145.165,192.168.1.2 53 ${ipfw} add 3000 allow udp from "table(80)" to 97.123.145.165,192.168.1.2 53 ${ipfw} add 3010 allow icmp from "table(80)","table(90)" to 97.123.145.165/32 via em1 ${ipfw} add 3100 allow ip from "table(80)","table(90)" to 97.123.145.165/32 dst-port 22 via em1 ${ipfw} add 3110 allow ip from "table(80)","table(90)" to 97.123.145.165/32 dst-port 80 via em1 ${ipfw} add 3120 allow ip from "table(80)" to "table(75)" dst-port 5555 via em1 ${ipfw} add 3130 allow ip from "table(80)","table(90)" to 97.123.145.165/32 dst-port 51530 via em1 ${ipfw} add 3140 allow ip from "table(80)","table(90)" to 97.123.145.165/32 dst-port 51535 via em1 ${ipfw} add 3140 allow ip from "table(80)","table(90)" to 97.123.145.165/32 dst-port 8000 via em1 ${ipfw} add 3600 allow udp from "table(80)" 137 to "table(80)" 137 via em1 ${ipfw} add 3600 allow udp from "table(80)" 138 to "table(80)" 138 via em1 ${ipfw} add 3600 allow udp from "table(80)" 631 to "table(80)" 631 via em1 #----------- Устанавливаем разрешения для локальных пользователей, на IP адресах сервера------------------ #--------- Устанавливаем разрешения для внешних пользователей, на внешние IP адресах сервера ------------- ${ipfw} add 4000 
allow icmp from any to "table(70)" in via em0 icmptype 0,3,8,12 ${ipfw} add 4010 allow tcp from any to 97.123.145.165 53 ${ipfw} add 4010 allow udp from any to 97.123.145.165 53 ${ipfw} add 4100 allow tcp from any to 97.123.145.165 22 in via em0 #--------- Устанавливаем разрешения для внешних пользователей, на внешние IP адресах сервера ------------- # Set policy DENY ALL ${ipfw} add 65000 deny log ip from any to any
OnConnect
#!/usr/local/bin/bash fwcmd="/sbin/ipfw" LOGIN=$1 IP=$2 CASH=$3 ID=$4 DIRS=$5 AQUA=${DIRS:0:1}; UAIX=${DIRS:1:1}; WORLD=${DIRS:2:1}; DSPEED=`/etc/stargazer/GetDSpeed.php $LOGIN` USPEED=`/etc/stargazer/GetUSpeed.php $LOGIN` cur_date=`date \+\%Y.\%m.\%d` cur_time=`date \+\%H:\%M:\%S` if [ $AQUA = 1 ] then ${fwcmd} table 0 add ${IP} fi if [ $UAIX = 1 ] then ${fwcmd} table 1 add ${IP} fi if [ $WORLD = 1 ] then case ${DSPEED} in 16|16K|16k) ${fwcmd} table 8 add ${IP} ;; 32|32K|32k) ${fwcmd} table 9 add ${IP} ;; 64|64K|64k) ${fwcmd} table 10 add ${IP} ;; 128|128K|128k) ${fwcmd} table 11 add ${IP} ;; 256|256K|256k) ${fwcmd} table 12 add ${IP} ;; 512|512K|512k) ${fwcmd} table 13 add ${IP} ;; 1024|1024K|1024k|1M|1m|1) ${fwcmd} table 14 add ${IP} ;; 2048|2048K|2048k|2M|2m|2) ${fwcmd} table 15 add ${IP} ;; 4096|4096K|4096k|4M|4m|4) ${fwcmd} table 16 add ${IP} ;; 8192|8192K|8192k|8M|8m|8) ${fwcmd} table 17 add ${IP} ;; 10000|10000K|10000k|10M|10m|10) ${fwcmd} table 18 add ${IP} ;; 15000|15000K|15000k|15M|15m|15) ${fwcmd} table 19 add ${IP} ;; 20000|20000K|20000k|20M|20m|20) ${fwcmd} table 20 add ${IP} ;; 25000|25000K|25000k|25M|25m|25) ${fwcmd} table 21 add ${IP} ;; 40000|40000K|40000k|40M|40m|40) ${fwcmd} table 22 add ${IP} ;; 60000|60000K|60000k|60M|60m|60) ${fwcmd} table 23 add ${IP} ;; 80000|80000K|80000k|80M|80m|80) ${fwcmd} table 24 add ${IP} ;; unlim|UNLIM|unlimited|UNLIMITED) ${fwcmd} table 60 add ${IP} ;; *) ${fwcmd} table 8 add ${IP} ;; esac case ${USPEED} in 16|16K|16k) ${fwcmd} table 38 add ${IP} ;; 32|32K|32k) ${fwcmd} table 39 add ${IP} ;; 64|64K|64k) ${fwcmd} table 40 add ${IP} ;; 128|128K|128k) ${fwcmd} table 41 add ${IP} ;; 256|256K|256k) ${fwcmd} table 42 add ${IP} ;; 512|512K|512k) ${fwcmd} table 43 add ${IP} ;; 1024|1024K|1024k|1M|1m|1) ${fwcmd} table 44 add ${IP} ;; 2048|2048K|2048k|2M|2m|2) ${fwcmd} table 45 add ${IP} ;; 4096|4096K|4096k|4M|4m|4) ${fwcmd} table 46 add ${IP} ;; 8192|8192K|8192k|8M|8m|8) ${fwcmd} table 47 add ${IP} ;; 
10000|10000K|10000k|10M|10m|10) ${fwcmd} table 48 add ${IP} ;; 15000|15000K|15000k|15M|15m|15) ${fwcmd} table 49 add ${IP} ;; 20000|20000K|20000k|20M|20m|20) ${fwcmd} table 50 add ${IP} ;; 25000|25000K|25000k|25M|25m|25) ${fwcmd} table 51 add ${IP} ;; 40000|40000K|40000k|40M|40m|40) ${fwcmd} table 52 add ${IP} ;; 50000|50000K|50000k|50M|50m|50) ${fwcmd} table 53 add ${IP} ;; unlim|UNLIM|unlimited|UNLIMITED) ${fwcmd} table 60 add ${IP} ;; *) ${fwcmd} table 38 add ${IP} ;; esac fi echo "C `date +%Y.%m.%d-%H.%M.%S` $ID $LOGIN $IP ${DSPEED}/${USPEED} LAN=$LAN UAIX=$UAIX WORLD=$WORLD" $CASH >> /var/stargazer/users/allconnect.log echo "<=;$cur_date;$cur_time;$ID;$LOGIN;$IP;${DSPEED}/${USPEED}; LAN=$LAN UAIX=$UAIX WORLD=$WORLD; $CASH" >> /var/log/stats/connect.log OnDisconnect
fwcmd="/sbin/ipfw" LOGIN=$1 IP=$2 CASH=$3 ID=$4 cur_date=`date \+\%Y.\%m.\%d` cur_time=`date \+\%H:\%M:\%S` ${fwcmd} table 0 delete ${IP}; ${fwcmd} table 1 delete ${IP}; i=8; while ( [ $i -lt 24 ]; ); do ${fwcmd} table ${i} delete ${IP}; i=$(expr $i \+ 1); done i=38; while ( [ $i -lt 53 ]; ); do ${fwcmd} table ${i} delete ${IP}; i=$(expr $i \+ 1); done ${fwcmd} table 60 delete ${IP}; #echo "D `date +%Y.%m.%d-%H.%M.%S` $ID $IP $CASH" >> /var/stargazer/users/$LOGIN/connect.log echo "D `date +%Y.%m.%d-%H.%M.%S` $ID $LOGIN $IP $CASH" >> /var/stargazer/users/allconnect.log echo "=>;$cur_date;$cur_time;$ID;$LOGIN;$IP;$CASH" >> /var/log/stats/connect.log
какие правила нужны для ната ext ip to int ip в ipfw
Пробовал так — NAT не заработал (пакеты не транслируются)...
#!/bin/sh # firewall command FwCMD="/sbin/ipfw -q" ${FwCMD} -f flush # Networks define ${FwCMD} table 2 add 192.168.1.0/22 ${FwCMD} table 9 add 10.4.161.1 ${fwcmd} add 10 allow icmp from any to any ${fwcmd} add 308 allow udp from any to 192.168.1.1 5555 via em0 ${fwcmd} add 309 allow udp from 192.168.1.1 to any via em0 #NAT ${FwCMD} nat 1 config log if em1 reset same_ports ${FwCMD} add 6000 nat 1 ip from table\(2\) to not table\(9\) via em1 ${FwCMD} add 6001 nat 1 ip from any to 10.4.161.1 via em1 #NAT EXT to INT #${FwCMD} nat 2 config ip 10.4.161.54 same_ports redirect_addr 192.168.1.10 10.4.161.54 #${FwCMD} add 10130 skipto 10190 ip from 192.168.1.10 to any out xmit em1 #${FwCMD} add 10140 skipto 10210 ip from any to 10.4.161.54 in recv em1 #${FwCMD} add 10170 queue 2 ip from any to any in recv em1 #${FwCMD} add 10200 nat 2 ip from 192.168.1.10 to any out xmit em1 #${FwCMD} add 10210 nat 2 ip from any to 10.4.161.54 in recv em1 #${FwCMD} add 10220 queue 2 ip from any to any in recv em1 #blacklist #hack #${FwCMD} add 12002 allow ip from any to table\(4\) via em0 out #${FwCMD} add 12003 allow ip from table\(3\) to any via em0 in #Shaper - table 4 download speed, table 3 - upload speed ${FwCMD} add 12001 pipe tablearg ip from any to table\(4\) via em0 out ${FwCMD} add 12000 pipe tablearg ip from table\(3\) to any via em0 in ${FwCMD} add 65530 allow all from table\(2\) to 192.168.1.1 via em0 ${FwCMD} add 65531 allow all from 192.168.1.1 to table\(2\) via em0 # default block policy ${FwCMD} add 65533 deny all from table\(2\) to any via em0 ${FwCMD} add 65534 deny all from any to table\(2\) via em0 ${FwCMD} add 65535 allow all from any to any