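morfey 82 Опубликовано: 2010-02-27 17:10:07
Задача: Відкрити для не підключених клієнтів 5555 порт для підключення авторизатора, 80 порт і днс(53) і форвардить на сторінку з повідомленням. Ну і підключених клієнтів випускати в інет. Наваяв правила, але не працює, вірніше працює але в інет не пускає(( Що змінити?

rc.firewall

#!/bin/sh
# rc.firewall -- ipfw rule set for the billing gateway.
#
# ipfw tables used here:
#   1..12  authorized clients grouped by tariff; OnConnect/OnDisconnect
#          maintain them and each table has its own pair of dummynet pipes
#   13     clients that are not authorized yet (their traffic is forwarded
#          to the notice page listening on 127.0.0.1:8080)
#   14     trusted hosts, allowed in both directions without shaping
#   15     clients with real (public) addresses, allowed in both directions
# ${local_if} faces the clients, ${global_if} is the uplink.

fwcmd="/sbin/ipfw -q add"
fwpipe="/sbin/ipfw -q pipe"
fw="/sbin/ipfw -q"

local_if="em0"
global_if="em1"
net="10.10.0.0/16"
local_ip="10.10.10.10"
global_ip="xxx.xxx.xxx.xx0"   # server address

# Start from an empty rule set. (The original captured these commands in
# backticks at assignment time, which ran them once and left the variables
# empty, so `${flush}` later expanded to nothing; they are run directly here.)
${fw} -f flush
${fw} table all flush
${fwpipe} flush

${fwcmd} 5 allow all from any to any via lo0

# Trusted hosts (table 14).
for host in 10.10.10.2 10.10.10.3 "${local_ip}" 10.10.10.11 10.10.10.13 10.10.10.14; do
  ${fw} table 14 add "${host}"
done

# Clients with real addresses (table 15).
for host in xxx.xxx.xxx.xx1 xxx.xxx.xxx.xx2 xxx.xxx.xxx.xx3 xxx.xxx.xxx.xx4 \
            xxx.xxx.xxx.xx5 xxx.xxx.xxx.xx6 xxx.xxx.xxx.xx7 xxx.xxx.xxx.xx8 \
            xxx.xxx.xxx.xx9; do
  ${fw} table 15 add "${host}"
done

${fwcmd} 100 deny icmp from any to any frag
${fwcmd} 101 deny log icmp from any to 255.255.255.255 in via ${global_if}
${fwcmd} 102 deny log icmp from any to 255.255.255.255 out via ${global_if}

# Services every client may reach on the gateway itself:
# authorizer (5555), ssh (22), the notice web server (80) and DNS (53).
${fwcmd} 201 allow all from ${net} to me 5555 via ${local_if}
${fwcmd} 202 allow all from me 5555 to ${net} via ${local_if}
${fwcmd} 203 allow all from ${net} to me 22 via ${local_if}
${fwcmd} 204 allow all from me 22 to ${net} via ${local_if}
# NOTE(review): 205/206 also expose the web server on the uplink side;
# drop them if the notice page is only meant for the client side.
${fwcmd} 205 allow tcp from any to me 80 via ${global_if}
${fwcmd} 206 allow tcp from me 80 to any via ${global_if}
${fwcmd} 207 allow tcp from me 80 to ${net} via ${local_if}
${fwcmd} 208 allow tcp from ${net} to me 80 via ${local_if}
${fwcmd} 209 allow udp from ${net} to me 53 via ${local_if}
${fwcmd} 210 allow udp from me 53 to ${net} via ${local_if}
${fwcmd} 211 allow icmp from any to any via ${local_if}
${fwcmd} 212 allow icmp from any to any icmptypes 0,8,11

# Tariff tables. Table N (1..12) is shaped by pipe 1000+2(N-1) for traffic
# sent to the client (masked per destination address) and pipe 1001+2(N-1)
# for traffic received from the client (masked per source address); the rule
# number equals the pipe number. One loop instead of twelve copies.
n=1
for bw in 128 256 512 1024 1536 2048 3072 4096 5120 10240 20480 102400; do
  pipe_out=$((1000 + 2 * (n - 1)))
  pipe_in=$((pipe_out + 1))
  ${fwcmd} ${pipe_out} pipe ${pipe_out} ip from any to "table(${n})" out xmit ${local_if}
  ${fwcmd} ${pipe_in} pipe ${pipe_in} ip from "table(${n})" to any in recv ${local_if}
  ${fwpipe} ${pipe_out} config mask dst-ip 0xffffffff bw ${bw}kbit/s
  ${fwpipe} ${pipe_in} config mask src-ip 0xffffffff bw ${bw}kbit/s
  n=$((n + 1))
done
# NOTE(review): nothing below explicitly allows traffic of tables 1..12.
# After the pipe a packet is either accepted (net.inet.ip.fw.one_pass=1) or
# re-enters the rule set and falls through to rule 65534 (one_pass=0) --
# confirm the sysctl, or add allow rules for these tables.
# NOTE(review): there is no nat/divert rule in this file and rule 3002 denies
# 10.0.0.0/8 on ${global_if}, so ${net} clients cannot reach the uplink
# unless NAT is done elsewhere -- this matches the "no internet" symptom.

# Trusted hosts.
${fwcmd} 1024 allow all from any to "table(14)"
${fwcmd} 1025 allow all from "table(14)" to any
# Real addresses.
${fwcmd} 1026 allow all from any to "table(15)"
${fwcmd} 1027 allow all from "table(15)" to any

# Unauthorized clients: send every address in table 13 to the notice page
# on port 8080. (Probably only HTTP traffic should be forwarded -- TODO.)
${fwcmd} 2000 fwd 127.0.0.1,8080 all from "table(13)" to not me via ${local_if}

# Deny private and reserved source addresses on the uplink.
${fwcmd} 3000 deny all from 192.168.0.0/16 to any via ${global_if}   # RFC 1918 private
${fwcmd} 3001 deny all from 172.16.0.0/12 to any via ${global_if}    # RFC 1918 private
${fwcmd} 3002 deny all from 10.0.0.0/8 to any via ${global_if}       # RFC 1918 private
${fwcmd} 3003 deny all from 127.0.0.0/8 to any via ${global_if}      # loopback
${fwcmd} 3004 deny all from 0.0.0.0/8 to any via ${global_if}        # "this" network (RFC 1122), not loopback
${fwcmd} 3005 deny all from 169.254.0.0/16 to any via ${global_if}   # DHCP auto-config
${fwcmd} 3006 deny all from 192.0.2.0/24 to any via ${global_if}     # reserved for docs
${fwcmd} 3007 deny all from 204.152.64.0/23 to any via ${global_if}  # Sun cluster
${fwcmd} 3008 deny all from 224.0.0.0/3 to any via ${global_if}      # Class D & E multicast

# Everything else is denied and logged. The author notes that the kernel
# default rule (65535) on this box is "allow ip from any to any", hence
# the explicit deny right before it.
${fwcmd} 65534 deny log all from any to any

OnConnect

#!/bin/sh
# OnConnect -- Stargazer hook, run as: OnConnect LOGIN IP CASH ID
# when a client authorizes. Removes the client's address from the
# "not authorized" table (13) and adds it to the table of its tariff, so
# the matching dummynet pipes in rc.firewall apply to it.
LOGIN=$1
IP=$2
CASH=$3   # unused here, kept for the hook's argument layout
ID=$4     # unused here, kept for the hook's argument layout
SPEED=$(/etc/stargazer/param speed "$LOGIN")
fwcmd="/sbin/ipfw -q"

${fwcmd} table 13 delete "${IP}"

# Tariff speed (kbit/s, as printed by the param script) -> ipfw table.
# The original had one 'if ... then ... else fi' per speed; an empty
# 'else' branch is a syntax error in sh, so that version could not run.
case "${SPEED}" in
  128)    tbl=1 ;;
  256)    tbl=2 ;;
  512)    tbl=3 ;;
  1024)   tbl=4 ;;
  1536)   tbl=5 ;;
  2048)   tbl=6 ;;
  3072)   tbl=7 ;;
  4096)   tbl=8 ;;
  5120)   tbl=9 ;;
  10240)  tbl=10 ;;
  20480)  tbl=11 ;;
  102400) tbl=12 ;;
  *)      tbl= ;;
esac

if [ -n "${tbl}" ]; then
  ${fwcmd} table "${tbl}" add "${IP}"
else
  # Unknown speed: the client lands in no tariff table, as before, but say so.
  echo "OnConnect: unknown speed '${SPEED}' for ${LOGIN} (${IP})" >&2
fi

OnDisconnect

#!/bin/sh
# OnDisconnect -- Stargazer hook, run as: OnDisconnect LOGIN IP CASH ID
# when a client disconnects. Removes the address from its tariff table and
# puts it back into the "not authorized" table (13).
LOGIN=$1
IP=$2
CASH=$3   # unused here, kept for the hook's argument layout
ID=$4     # unused here, kept for the hook's argument layout
fwcmd="/sbin/ipfw -q"
SPEED=$(/etc/stargazer/param speed "$LOGIN")

# Same speed -> table mapping as OnConnect (keep the two in sync).
# NOTE(review): the speed is re-read at disconnect time; if the tariff can
# change while the client is online, the address is removed from the wrong
# table -- confirm against the param script.
case "${SPEED}" in
  128)    tbl=1 ;;
  256)    tbl=2 ;;
  512)    tbl=3 ;;
  1024)   tbl=4 ;;
  1536)   tbl=5 ;;
  2048)   tbl=6 ;;
  3072)   tbl=7 ;;
  4096)   tbl=8 ;;
  5120)   tbl=9 ;;
  10240)  tbl=10 ;;
  20480)  tbl=11 ;;
  102400) tbl=12 ;;
  *)      tbl= ;;
esac

if [ -n "${tbl}" ]; then
  # The original passed "${IP}." (stray trailing dot) in most branches,
  # which ipfw is unlikely to accept as an address; the entry then stayed
  # in the tariff table and the client kept that table's treatment after
  # disconnecting.
  ${fwcmd} table "${tbl}" delete "${IP}"
else
  echo "OnDisconnect: unknown speed '${SPEED}' for ${LOGIN} (${IP})" >&2
fi

${fwcmd} table 13 add "${IP}"

P.S. Спойлер потрібен на форумі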
morfey 82 Опубліковано: 2010-03-02 15:20:10 Автор Share Опубліковано: 2010-03-02 15:20:10 ап.. Ссылка на сообщение Поделиться на других сайтах
Kucher2 122 Опубліковано: 2010-03-09 13:52:41 Share Опубліковано: 2010-03-09 13:52:41 Я делал ещё проще, вешал виртуал-хост в Апаче, на 81-й порт, а потом в Онконнекте проверял и если условие верно - форвард http на 81-й порт. Ну ещё сообщение посылал через sgconf. Просто редиректить - у меня в ipfw не получалось. По поводу правил - начните с простого, для одной машины - явно задайте параметры, уберите всё лишнее. Также на шлюзе смотрите, куда трафик идёт, tcpdump'ом или trafshow. Ссылка на сообщение Поделиться на других сайтах
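morfey 82 Опубліковано: 2010-03-18 16:07:54 Автор
Прошу перевірить скрипт фаєра, бо ще не дуже "гуру" в цьому)) Все працює,але щоб боком потім не вилізло )) скрипт ’param’ - видає швидкість (пхп) Дякую

OnConnect

#!/bin/sh
# OnConnect -- Stargazer hook, run as: OnConnect LOGIN IP CASH ID
# when a client authorizes. Removes the client's address from the
# "not authorized" table (13) and adds it to the table of its tariff, so
# the allow rules and dummynet pipes in /etc/rc.firewall apply to it.
LOGIN=$1
IP=$2
CASH=$3   # unused here, kept for the hook's argument layout
ID=$4     # unused here, kept for the hook's argument layout
SPEED=$(/etc/stargazer/param speed "$LOGIN")
fwcmd="/sbin/ipfw -q"

${fwcmd} table 13 delete "${IP}"

# Tariff speed (kbit/s, as printed by the param script) -> ipfw table.
# The original had one 'if ... then ... else fi' per speed; an empty
# 'else' branch is a syntax error in sh, so that version could not run.
case "${SPEED}" in
  128)    tbl=1 ;;
  256)    tbl=2 ;;
  512)    tbl=3 ;;
  1024)   tbl=4 ;;
  1536)   tbl=5 ;;
  2048)   tbl=6 ;;
  3072)   tbl=7 ;;
  4096)   tbl=8 ;;
  5120)   tbl=9 ;;
  10240)  tbl=10 ;;
  20480)  tbl=11 ;;
  102400) tbl=12 ;;
  *)      tbl= ;;
esac

if [ -n "${tbl}" ]; then
  ${fwcmd} table "${tbl}" add "${IP}"
else
  # Unknown speed: the client lands in no tariff table, as before, but say so.
  echo "OnConnect: unknown speed '${SPEED}' for ${LOGIN} (${IP})" >&2
fi

OnDisconnect

#!/bin/sh
# OnDisconnect -- Stargazer hook, run as: OnDisconnect LOGIN IP CASH ID
# when a client disconnects. Removes the address from its tariff table and
# puts it back into the "not authorized" table (13).
LOGIN=$1
IP=$2
CASH=$3   # unused here, kept for the hook's argument layout
ID=$4     # unused here, kept for the hook's argument layout
fwcmd="/sbin/ipfw -q"
SPEED=$(/etc/stargazer/param speed "$LOGIN")

# Same speed -> table mapping as OnConnect (keep the two in sync).
# NOTE(review): the speed is re-read at disconnect time; if the tariff can
# change while the client is online, the address is removed from the wrong
# table and keeps the old table's access -- confirm against the param script.
case "${SPEED}" in
  128)    tbl=1 ;;
  256)    tbl=2 ;;
  512)    tbl=3 ;;
  1024)   tbl=4 ;;
  1536)   tbl=5 ;;
  2048)   tbl=6 ;;
  3072)   tbl=7 ;;
  4096)   tbl=8 ;;
  5120)   tbl=9 ;;
  10240)  tbl=10 ;;
  20480)  tbl=11 ;;
  102400) tbl=12 ;;
  *)      tbl= ;;
esac

if [ -n "${tbl}" ]; then
  # The original passed "${IP}." (stray trailing dot) in most branches,
  # which ipfw is unlikely to accept as an address; the entry then stayed
  # in the tariff table, and since /etc/rc.firewall allows tables 1..12
  # outright, the client kept full access after disconnecting.
  ${fwcmd} table "${tbl}" delete "${IP}"
else
  echo "OnDisconnect: unknown speed '${SPEED}' for ${LOGIN} (${IP})" >&2
fi

${fwcmd} table 13 add "${IP}"

/etc/rc.firewall

#!/bin/sh
# /etc/rc.firewall -- ipfw rule set for the billing gateway.
#
# ipfw tables used here:
#   1..12  authorized clients grouped by tariff; OnConnect/OnDisconnect
#          maintain them, each table is allowed and shaped by its own pipes
#   13     clients that are not authorized yet; their web traffic is
#          forwarded to the notice page on 127.0.0.1:80
#   14     trusted hosts, allowed in both directions without shaping
#   15     clients with real (public) addresses, allowed in both directions
# ${local_if} faces the clients, ${global_if} is the uplink.

fwcmd="/sbin/ipfw -q add"
fw="/sbin/ipfw -q"

local_if="re1"
global_if="re0"
local_ip="10.10.0.1"
global_ip="xxx.xxx.xxx.xxx"

# Start from an empty rule set. (The original captured these commands in
# backticks at assignment time, which ran them once and left the variables
# empty, so `${flush}` later expanded to nothing; they are run directly here.)
${fw} -f flush
${fw} table all flush
${fw} pipe flush

${fwcmd} 5 allow all from any to any via lo0
${fwcmd} 10 allow icmp from any to any
# ssh on the public address is not reachable from the uplink.
${fwcmd} 20 deny all from any to ${global_ip} 22 via ${global_if}

# trusted ips
# NOTE(review): table 14 contains ${global_ip}, and rule 5001 allows
# anything from anywhere to table(14) on any interface, so every service
# on the gateway except ssh (rule 20) is reachable from the uplink. If only
# the client side is meant to reach the gateway, keep ${global_ip} out of
# this table and allow the needed ports explicitly. 127.0.0.1 is already
# covered by rule 5.
for host in 10.10.10.2 127.0.0.1 10.10.10.3 "${local_ip}" "${global_ip}" \
            10.10.10.11 10.10.10.13 10.10.10.14; do
  ${fw} table 14 add "${host}"
done

# real ips
for host in xxx.xxx.xxx.xx1 xxx.xxx.xxx.xx2 xxx.xxx.xxx.xx3 xxx.xxx.xxx.xx4 \
            xxx.xxx.xxx.xx5 xxx.xxx.xxx.xx6 xxx.xxx.xxx.xx7 xxx.xxx.xxx.xx8 \
            xxx.xxx.xxx.xx9; do
  ${fw} table 15 add "${host}"
done

${fwcmd} 5001 allow all from any to "table(14)"
${fwcmd} 5002 allow all from "table(14)" to any
${fwcmd} 5003 allow all from any to "table(15)"
${fwcmd} 5004 allow all from "table(15)" to any

# Unauthorized clients (table 13). Rule 6000 has the lowest number of the
# three, so the fwd is evaluated first; 6003/6004 then cover the replies.
# NOTE(review): https forwarded to a plain-http port cannot show the page
# (the TLS handshake fails in the browser) -- confirm that is intended.
${fwcmd} 6003 allow all from any http to "table(13)"
${fwcmd} 6004 allow all from "table(13)" to any http
${fwcmd} 6000 fwd 127.0.0.1,80 all from "table(13)" to any http,https,8080

# Tariff tables. Table N (1..12) is shaped by pipe 1000+2(N-1) for traffic
# sent to the client (masked per destination address) and pipe 1001+2(N-1)
# for traffic received from the client (masked per source address); the
# pipe rules are numbered 10000+2(N-1) / 10001+2(N-1). One loop instead of
# twelve copies; numbers are unchanged.
n=1
for bw in 128 256 512 1024 1536 2048 3072 4096 5120 10240 20480 102400; do
  pipe_out=$((1000 + 2 * (n - 1)))
  pipe_in=$((pipe_out + 1))
  rule_out=$((10000 + 2 * (n - 1)))
  rule_in=$((rule_out + 1))
  ${fw} pipe ${pipe_out} config mask dst-ip 0xffffffff bw ${bw}kbit/s
  ${fw} pipe ${pipe_in} config mask src-ip 0xffffffff bw ${bw}kbit/s
  ${fwcmd} ${rule_out} pipe ${pipe_out} ip from any to "table(${n})" out xmit ${local_if}
  ${fwcmd} ${rule_in} pipe ${pipe_in} ip from "table(${n})" to any in recv ${local_if}
  # Same numbers as the pipe rules above: ipfw keeps both and evaluates them
  # in insertion order, so the packet is accepted whether
  # net.inet.ip.fw.one_pass is 0 (re-enters here) or 1 (accepted after the pipe).
  ${fwcmd} ${rule_out} allow ip from any to "table(${n})"
  ${fwcmd} ${rule_in} allow ip from "table(${n})" to any
  n=$((n + 1))
done
# NOTE(review): there is no nat/divert rule in this file; it is assumed NAT
# for the private client addresses happens elsewhere -- confirm.

# Everything else is denied and logged.
${fwcmd} 65534 deny log all from any to any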