morfey Posted February 27, 2010 Posted February 27, 2010 Задача: Відкрити для не підключених клієнтів 5555 порт для підключення авторизатора, 80 порт і днс(53) і форвардить на сторінку з повідомленням. Ну і підключених клієнтів випускати в інет. Наваяв правила, але не працює, вірніше працює але в інет не пускає(( Що змінити? rc.firewall #!/bin/sh fwcmd="/sbin/ipfw -q add" fwpipe="/sbin/ipfw -q pipe" fw="/sbin/ipfw -q " flush=`${fw} -f flush` flush_table=`${fw} table all flush` flush_pipe=`${fwpipe} flush` local_if="em0" global_if="em1" net="10.10.0.0/16" local_ip="10.10.10.10" global_ip="xxx.xxx.xxx.xx0" # адреса сервера ${flush} ${flush_table} ${flush_pipe} ${fwcmd} 5 allow all from any to any via lo0 ${fw} table 14 add 10.10.10.2 ${fw} table 14 add 10.10.10.3 ${fw} table 14 add ${local_ip} ${fw} table 14 add 10.10.10.11 ${fw} table 14 add 10.10.10.13 ${fw} table 14 add 10.10.10.14 ${fw} table 15 add xxx.xxx.xxx.xx1 ${fw} table 15 add xxx.xxx.xxx.xx2 ${fw} table 15 add xxx.xxx.xxx.xx3 ${fw} table 15 add xxx.xxx.xxx.xx4 ${fw} table 15 add xxx.xxx.xxx.xx5 ${fw} table 15 add xxx.xxx.xxx.xx6 ${fw} table 15 add xxx.xxx.xxx.xx7 ${fw} table 15 add xxx.xxx.xxx.xx8 ${fw} table 15 add xxx.xxx.xxx.xx9 ${fwcmd} 100 deny icmp from any to any frag ${fwcmd} 101 deny log icmp from any to 255.255.255.255 in via ${global_if} ${fwcmd} 102 deny log icmp from any to 255.255.255.255 out via ${global_if} ${fwcmd} 201 allow all from ${net} to me 5555 via ${local_if} ${fwcmd} 202 allow all from me 5555 to ${net} via ${local_if} ${fwcmd} 203 allow all from ${net} to me 22 via ${local_if} ${fwcmd} 204 allow all from me 22 to ${net} via ${local_if} ${fwcmd} 205 allow tcp from any to me 80 via ${global_if} ${fwcmd} 206 allow tcp from me 80 to any via ${global_if} ${fwcmd} 207 allow tcp from me 80 to ${net} via ${local_if} ${fwcmd} 208 allow tcp from ${net} to me 80 via ${local_if} ${fwcmd} 209 allow udp from ${net} to me 53 via ${local_if} ${fwcmd} 210 allow udp from me 53 to ${net} via ${local_if} ${fwcmd} 211 allow icmp from any to any via ${local_if} ${fwcmd} 212 allow icmp from any to any icmptypes 0,8,11 #старт таблиці з тарифами ${fwcmd} 1000 pipe 1000 ip from any to table\(1\) out xmit ${local_if} ${fwcmd} 1001 pipe 1001 ip from table\(1\) to any in recv ${local_if} ${fwpipe} 1000 config mask dst-ip 0xffffffff bw 128kbit/s ${fwpipe} 1001 config mask src-ip 0xffffffff bw 128kbit/s ${fwcmd} 1002 pipe 1002 ip from any to table\(2\) out xmit ${local_if} ${fwcmd} 1003 pipe 1003 ip from table\(2\) to any in recv ${local_if} ${fwpipe} 1002 config mask dst-ip 0xffffffff bw 256kbit/s ${fwpipe} 1003 config mask src-ip 0xffffffff bw 256kbit/s ${fwcmd} 1004 pipe 1004 ip from any to table\(3\) out xmit ${local_if} ${fwcmd} 1005 pipe 1005 ip from table\(3\) to any in recv ${local_if} ${fwpipe} 1004 config mask dst-ip 0xffffffff bw 512kbit/s ${fwpipe} 1005 config mask src-ip 0xffffffff bw 512kbit/s ${fwcmd} 1006 pipe 1006 ip from any to table\(4\) out xmit ${local_if} ${fwcmd} 1007 pipe 1007 ip from table\(4\) to any in recv ${local_if} ${fwpipe} 1006 config mask dst-ip 0xffffffff bw 1024kbit/s ${fwpipe} 1007 config mask src-ip 0xffffffff bw 1024kbit/s ${fwcmd} 1008 pipe 1008 ip from any to table\(5\) out xmit ${local_if} ${fwcmd} 1009 pipe 1009 ip from table\(5\) to any in recv ${local_if} ${fwpipe} 1008 config mask dst-ip 0xffffffff bw 1536kbit/s ${fwpipe} 1009 config mask src-ip 0xffffffff bw 1536kbit/s ${fwcmd} 1010 pipe 1010 ip from any to table\(6\) out xmit ${local_if} ${fwcmd} 1011 pipe 1011 ip from table\(6\) to any in recv ${local_if} ${fwpipe} 1010 config mask dst-ip 0xffffffff bw 2048kbit/s ${fwpipe} 1011 config mask src-ip 0xffffffff bw 2048kbit/s ${fwcmd} 1012 pipe 1012 ip from any to table\(7\) out xmit ${local_if} ${fwcmd} 1013 pipe 1013 ip from table\(7\) to any in recv ${local_if} ${fwpipe} 1012 config mask dst-ip 0xffffffff bw 3072kbit/s ${fwpipe} 1013 config mask src-ip 0xffffffff bw 3072kbit/s ${fwcmd} 1014 pipe 1014 ip from any to table\(8\) out xmit ${local_if} ${fwcmd} 1015 pipe 1015 ip from table\(8\) to any in recv ${local_if} ${fwpipe} 1014 config mask dst-ip 0xffffffff bw 4096kbit/s ${fwpipe} 1015 config mask src-ip 0xffffffff bw 4096kbit/s ${fwcmd} 1016 pipe 1016 ip from any to table\(9\) out xmit ${local_if} ${fwcmd} 1017 pipe 1017 ip from table\(9\) to any in recv ${local_if} ${fwpipe} 1016 config mask dst-ip 0xffffffff bw 5120kbit/s ${fwpipe} 1017 config mask src-ip 0xffffffff bw 5120kbit/s ${fwcmd} 1018 pipe 1018 ip from any to table\(10\) out xmit ${local_if} ${fwcmd} 1019 pipe 1019 ip from table\(10\) to any in recv ${local_if} ${fwpipe} 1018 config mask dst-ip 0xffffffff bw 10240kbit/s ${fwpipe} 1019 config mask src-ip 0xffffffff bw 10240kbit/s ${fwcmd} 1020 pipe 1020 ip from any to table\(11\) out xmit ${local_if} ${fwcmd} 1021 pipe 1021 ip from table\(11\) to any in recv ${local_if} ${fwpipe} 1020 config mask dst-ip 0xffffffff bw 20480kbit/s ${fwpipe} 1021 config mask src-ip 0xffffffff bw 20480kbit/s ${fwcmd} 1022 pipe 1022 ip from any to table\(12\) out xmit ${local_if} ${fwcmd} 1023 pipe 1023 ip from table\(12\) to any in recv ${local_if} ${fwpipe} 1022 config mask dst-ip 0xffffffff bw 102400kbit/s ${fwpipe} 1023 config mask src-ip 0xffffffff bw 102400kbit/s #енд таблиці з тарифами #старт довірені хости ${fwcmd} 1024 allow all from any to table\(14\) ${fwcmd} 1025 allow all from table\(14\) to any #енд довірені хости #старт реальні адреси ${fwcmd} 1026 allow all from any to table\(15\) ${fwcmd} 1027 allow all from table\(15\) to any #енд реальні адреси ${fwcmd} 2000 fwd 127.0.0.1,8080 all from table\(13\) to not me via ${local_if} # завертаєм всі адреси, що в цій таблиці на потрібне мені повідомлення, що висить на 8080 порту (Напевно потрібно завертати тільки хттп трафік...) #старт Забороняємо локальні адреси на зовнішньому інтерфейсі ${fwcmd} 3000 deny all from 192.168.0.0/16 to any via ${global_if} #RFC 1918 private IP ${fwcmd} 3001 deny all from 172.16.0.0/12 to any via ${global_if} #RFC 1918 private IP ${fwcmd} 3002 deny all from 10.0.0.0/8 to any via ${global_if} #RFC 1918 private IP ${fwcmd} 3003 deny all from 127.0.0.0/8 to any via ${global_if} #loopback ${fwcmd} 3004 deny all from 0.0.0.0/8 to any via ${global_if} #loopback ${fwcmd} 3005 deny all from 169.254.0.0/16 to any via ${global_if} #DHCP auto-config ${fwcmd} 3006 deny all from 192.0.2.0/24 to any via ${global_if} #reserved for docs ${fwcmd} 3007 deny all from 204.152.64.0/23 to any via ${global_if} #Sun cluster ${fwcmd} 3008 deny all from 224.0.0.0/3 to any via ${global_if} #Class D & E multicast #енд Забороняємо локальні адреси на зовнішньому інтерфейсі ${fwcmd} 65534 deny log all from any to any #65534 - allow ip from any to any - за замовчуванням OnConnect #!/bin/sh LOGIN=$1 IP=$2 CASH=$3 ID=$4 SPEED=`/etc/stargazer/param speed $LOGIN` fwcmd="/sbin/ipfw -q" ${fwcmd} table 13 delete ${IP} if [ ${SPEED} = 128 ] then ${fwcmd} table 1 add ${IP} else fi if [ ${SPEED} = 256 ] then ${fwcmd} table 2 add ${IP} else fi if [ ${SPEED} = 512 ] then ${fwcmd} table 3 add ${IP} else fi if [ ${SPEED} = 1024 ] then ${fwcmd} table 4 add ${IP} else fi if [ ${SPEED} = 1536 ] then ${fwcmd} table 5 add ${IP} else fi if [ ${SPEED} = 2048 ] then ${fwcmd} table 6 add ${IP} else fi if [ ${SPEED} = 3072 ] then ${fwcmd} table 7 add ${IP} else fi if [ ${SPEED} = 4096 ] then ${fwcmd} table 8 add ${IP} else fi if [ ${SPEED} = 5120 ] then ${fwcmd} table 9 add ${IP} else fi if [ ${SPEED} = 10240 ] then ${fwcmd} table 10 add ${IP} else fi if [ ${SPEED} = 20480 ] then ${fwcmd} table 11 add ${IP} else fi if [ ${SPEED} = 102400 ] then ${fwcmd} table 12 add ${IP} else fi OnDisconnect #!/bin/sh LOGIN=$1 IP=$2 CASH=$3 ID=$4 fwcmd="/sbin/ipfw -q" SPEED=`/etc/stargazer/param speed $LOGIN` if [ ${SPEED} = 128 ] then ${fwcmd} table 1 delete ${IP}. else fi if [ ${SPEED} = 256 ] then ${fwcmd} table 2 delete ${IP}. else fi if [ ${SPEED} = 512 ] then ${fwcmd} table 3 delete ${IP}. else fi if [ ${SPEED} = 1024 ] then ${fwcmd} table 4 delete ${IP}. else fi if [ ${SPEED} = 1536 ] then ${fwcmd} table 5 delete ${IP}. else fi if [ ${SPEED} = 2048 ] then ${fwcmd} table 6 delete ${IP}. else fi if [ ${SPEED} = 3072 ] then ${fwcmd} table 7 delete ${IP}. else fi if [ ${SPEED} = 4096 ] then ${fwcmd} table 8 delete ${IP}. else fi if [ ${SPEED} = 5120 ] then ${fwcmd} table 9 delete ${IP}. else fi if [ ${SPEED} = 10240 ] then ${fwcmd} table 10 delete ${IP} else fi if [ ${SPEED} = 20480 ] then ${fwcmd} table 11 delete ${IP}. else fi if [ ${SPEED} = 102400 ] then ${fwcmd} table 12 delete ${IP}. else fi ${fwcmd} table 13 add ${IP} P.S. Спойлер потрібен на форумі
Kucher2 Posted March 9, 2010 Posted March 9, 2010 Я делал ещё проще, вешал виртуал-хост в Апаче, на 81-й порт, а потом в Онконнекте проверял и если условие верно - форвард http на 81-й порт. Ну ещё сообщение посылал через sgconf. Просто редиректить - у меня в ipfw не получалось. По поводу правил - начните с простого, для одной машины - явно задайте параметры, уберите всё лишнее. Так же на шлюзе смотрите куда трафик идёт tcpdumpo'm или trafshow.
morfey Posted March 18, 2010 Author Posted March 18, 2010 Прошу перевірить скрипт фаєра, бо ще не дуже "гуру" в цьому)) Все працює,але щоб боком потім не вилізло )) скрипт ’param’ - видає швидкість (пхп) Дякую OnConnect #!/bin/sh LOGIN=$1 IP=$2 CASH=$3 ID=$4 SPEED=`/etc/stargazer/param speed $LOGIN` fwcmd="/sbin/ipfw -q" ${fwcmd} table 13 delete ${IP} if [ ${SPEED} = 128 ] then ${fwcmd} table 1 add ${IP} else fi if [ ${SPEED} = 256 ] then ${fwcmd} table 2 add ${IP} else fi if [ ${SPEED} = 512 ] then ${fwcmd} table 3 add ${IP} else fi if [ ${SPEED} = 1024 ] then ${fwcmd} table 4 add ${IP} else fi if [ ${SPEED} = 1536 ] then ${fwcmd} table 5 add ${IP} else fi if [ ${SPEED} = 2048 ] then ${fwcmd} table 6 add ${IP} else fi if [ ${SPEED} = 3072 ] then ${fwcmd} table 7 add ${IP} else fi if [ ${SPEED} = 4096 ] then ${fwcmd} table 8 add ${IP} else fi if [ ${SPEED} = 5120 ] then ${fwcmd} table 9 add ${IP} else fi if [ ${SPEED} = 10240 ] then ${fwcmd} table 10 add ${IP} else fi if [ ${SPEED} = 20480 ] then ${fwcmd} table 11 add ${IP} else fi if [ ${SPEED} = 102400 ] then ${fwcmd} table 12 add ${IP} fi OnDisconnect #!/bin/sh LOGIN=$1 IP=$2 CASH=$3 ID=$4 fwcmd="/sbin/ipfw -q" SPEED=`/etc/stargazer/param speed $LOGIN` if [ ${SPEED} = 128 ] then ${fwcmd} table 1 delete ${IP}. else fi if [ ${SPEED} = 256 ] then ${fwcmd} table 2 delete ${IP}. else fi if [ ${SPEED} = 512 ] then ${fwcmd} table 3 delete ${IP}. else fi if [ ${SPEED} = 1024 ] then ${fwcmd} table 4 delete ${IP}. else fi if [ ${SPEED} = 1536 ] then ${fwcmd} table 5 delete ${IP}. else fi if [ ${SPEED} = 2048 ] then ${fwcmd} table 6 delete ${IP}. else fi if [ ${SPEED} = 3072 ] then ${fwcmd} table 7 delete ${IP}. else fi if [ ${SPEED} = 4096 ] then ${fwcmd} table 8 delete ${IP}. else fi if [ ${SPEED} = 5120 ] then ${fwcmd} table 9 delete ${IP}. else fi if [ ${SPEED} = 10240 ] then ${fwcmd} table 10 delete ${IP} else fi if [ ${SPEED} = 20480 ] then ${fwcmd} table 11 delete ${IP}. else fi if [ ${SPEED} = 102400 ] then ${fwcmd} table 12 delete ${IP}. else fi ${fwcmd} table 13 add ${IP} /etc/rc.firewall #!/bin/sh fwcmd="/sbin/ipfw -q add" fw="/sbin/ipfw -q" flush=`${fw} -f flush` flush_table=`${fw} table all flush` flush_pipe=`${fw} pipe flush` local_if="re1" global_if="re0" local_ip="10.10.0.1" global_ip="xxx.xxx.xxx.xxx" ${flush} ${flush_table} ${flush_pipe} ${fwcmd} 5 allow all from any to any via lo0 ${fwcmd} 10 allow icmp from any to any ${fwcmd} 20 deny all from any to ${global_ip} 22 via ${global_if} #trusted ips ${fw} table 14 add 10.10.10.2 ${fw} table 14 add 127.0.0.1 ${fw} table 14 add 10.10.10.3 ${fw} table 14 add ${local_ip} ${fw} table 14 add ${global_ip} ${fw} table 14 add 10.10.10.11 ${fw} table 14 add 10.10.10.13 ${fw} table 14 add 10.10.10.14 #real ips ${fw} table 15 add xxx.xxx.xxx.xx1 ${fw} table 15 add xxx.xxx.xxx.xx2 ${fw} table 15 add xxx.xxx.xxx.xx3 ${fw} table 15 add xxx.xxx.xxx.xx4 ${fw} table 15 add xxx.xxx.xxx.xx5 ${fw} table 15 add xxx.xxx.xxx.xx6 ${fw} table 15 add xxx.xxx.xxx.xx7 ${fw} table 15 add xxx.xxx.xxx.xx8 ${fw} table 15 add xxx.xxx.xxx.xx9 ${fwcmd} 5001 allow all from any to table\(14\) ${fwcmd} 5002 allow all from table\(14\) to any ${fwcmd} 5003 allow all from any to table\(15\) ${fwcmd} 5004 allow all from table\(15\) to any ${fwcmd} 6003 allow all from any http to table\(13\) ${fwcmd} 6004 allow all from table\(13\) to any http ${fwcmd} 6000 fwd 127.0.0.1,80 all from table\(13\) to any http,https,8080 ${fw} pipe 1000 config mask dst-ip 0xffffffff bw 128kbit/s ${fw} pipe 1001 config mask src-ip 0xffffffff bw 128kbit/s ${fwcmd} 10000 pipe 1000 ip from any to table\(1\) out xmit ${local_if} ${fwcmd} 10001 pipe 1001 ip from table\(1\) to any in recv ${local_if} ${fwcmd} 10000 allow ip from any to table\(1\) ${fwcmd} 10001 allow ip from table\(1\) to any ${fw} pipe 1002 config mask dst-ip 0xffffffff bw 256kbit/s ${fw} pipe 1003 config mask src-ip 0xffffffff bw 256kbit/s ${fwcmd} 10002 pipe 1002 ip from any to table\(2\) out xmit ${local_if} ${fwcmd} 10003 pipe 1003 ip from table\(2\) to any in recv ${local_if} ${fwcmd} 10002 allow ip from any to table\(2\) ${fwcmd} 10003 allow ip from table\(2\) to any ${fw} pipe 1004 config mask dst-ip 0xffffffff bw 512kbit/s ${fw} pipe 1005 config mask src-ip 0xffffffff bw 512kbit/s ${fwcmd} 10004 pipe 1004 ip from any to table\(3\) out xmit ${local_if} ${fwcmd} 10005 pipe 1005 ip from table\(3\) to any in recv ${local_if} ${fwcmd} 10004 allow ip from any to table\(3\) ${fwcmd} 10005 allow ip from table\(3\) to any ${fw} pipe 1006 config mask dst-ip 0xffffffff bw 1024kbit/s ${fw} pipe 1007 config mask src-ip 0xffffffff bw 1024kbit/s ${fwcmd} 10006 pipe 1006 ip from any to table\(4\) out xmit ${local_if} ${fwcmd} 10007 pipe 1007 ip from table\(4\) to any in recv ${local_if} ${fwcmd} 10006 allow ip from any to table\(4\) ${fwcmd} 10007 allow ip from table\(4\) to any ${fw} pipe 1008 config mask dst-ip 0xffffffff bw 1536kbit/s ${fw} pipe 1009 config mask src-ip 0xffffffff bw 1536kbit/s ${fwcmd} 10008 pipe 1008 ip from any to table\(5\) out xmit ${local_if} ${fwcmd} 10009 pipe 1009 ip from table\(5\) to any in recv ${local_if} ${fwcmd} 10008 allow ip from any to table\(5\) ${fwcmd} 10009 allow ip from table\(5\) to any ${fw} pipe 1010 config mask dst-ip 0xffffffff bw 2048kbit/s ${fw} pipe 1011 config mask src-ip 0xffffffff bw 2048kbit/s ${fwcmd} 10010 pipe 1010 ip from any to table\(6\) out xmit ${local_if} ${fwcmd} 10011 pipe 1011 ip from table\(6\) to any in recv ${local_if} ${fwcmd} 10010 allow ip from any to table\(6\) ${fwcmd} 10011 allow ip from table\(6\) to any ${fw} pipe 1012 config mask dst-ip 0xffffffff bw 3072kbit/s ${fw} pipe 1013 config mask src-ip 0xffffffff bw 3072kbit/s ${fwcmd} 10012 pipe 1012 ip from any to table\(7\) out xmit ${local_if} ${fwcmd} 10013 pipe 1013 ip from table\(7\) to any in recv ${local_if} ${fwcmd} 10012 allow ip from any to table\(7\) ${fwcmd} 10013 allow ip from table\(7\) to any ${fw} pipe 1014 config mask dst-ip 0xffffffff bw 4096kbit/s ${fw} pipe 1015 config mask src-ip 0xffffffff bw 4096kbit/s ${fwcmd} 10014 pipe 1014 ip from any to table\(8\) out xmit ${local_if} ${fwcmd} 10015 pipe 1015 ip from table\(8\) to any in recv ${local_if} ${fwcmd} 10014 allow ip from any to table\(8\) ${fwcmd} 10015 allow ip from table\(8\) to any ${fw} pipe 1016 config mask dst-ip 0xffffffff bw 5120kbit/s ${fw} pipe 1017 config mask src-ip 0xffffffff bw 5120kbit/s ${fwcmd} 10016 pipe 1016 ip from any to table\(9\) out xmit ${local_if} ${fwcmd} 10017 pipe 1017 ip from table\(9\) to any in recv ${local_if} ${fwcmd} 10016 allow ip from any to table\(9\) ${fwcmd} 10017 allow ip from table\(9\) to any ${fw} pipe 1018 config mask dst-ip 0xffffffff bw 10240kbit/s ${fw} pipe 1019 config mask src-ip 0xffffffff bw 10240kbit/s ${fwcmd} 10018 pipe 1018 ip from any to table\(10\) out xmit ${local_if} ${fwcmd} 10019 pipe 1019 ip from table\(10\) to any in recv ${local_if} ${fwcmd} 10018 allow ip from any to table\(10\) ${fwcmd} 10019 allow ip from table\(10\) to any ${fw} pipe 1020 config mask dst-ip 0xffffffff bw 20480kbit/s ${fw} pipe 1021 config mask src-ip 0xffffffff bw 20480kbit/s ${fwcmd} 10020 pipe 1020 ip from any to table\(11\) out xmit ${local_if} ${fwcmd} 10021 pipe 1021 ip from table\(11\) to any in recv ${local_if} ${fwcmd} 10020 allow ip from any to table\(11\) ${fwcmd} 10021 allow ip from table\(11\) to any ${fw} pipe 1022 config mask dst-ip 0xffffffff bw 102400kbit/s ${fw} pipe 1023 config mask src-ip 0xffffffff bw 102400kbit/s ${fwcmd} 10022 pipe 1022 ip from any to table\(12\) out xmit ${local_if} ${fwcmd} 10023 pipe 1023 ip from table\(12\) to any in recv ${local_if} ${fwcmd} 10022 allow ip from any to table\(12\) ${fwcmd} 10023 allow ip from table\(12\) to any ${fwcmd} 65534 deny log all from any to any
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now