> In general, the rule needs to be changed for one-way packet traversal.
Took that into account, thanks.
>> Only Khoja Nasreddin knows...
I already wrote that it was for testing :) The final version so far is this:
localnet="192.168.1.0/24"
vpnnet="192.168.0.0/24"
extip="XX.XX.XX.XX"
intip="192.168.1.1"
vpnip="192.168.0.1"
extiface="rl0"
intiface="vr0"
vpniface="ng0"  # VPN interface added, via MPD5, for access to localnet from outside
bcast="255.255.255.255"
${fwcmd} table 1 flush  # for bruteblock
${fwcmd} table 2 flush
${fwcmd} table 2 add 10.0.0.0/8
${fwcmd} table 2 add 169.254.0.0/16
${fwcmd} table 2 add 172.16.0.0/12
${fwcmd} table 2 add 192.168.0.0/16  # RFC 1918 range is a /16, not /12
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
${fwcmd} add 09999 skipto 10000 all from any to any via ${extiface}
${fwcmd} add 09999 skipto 11000 all from any to any via ${intiface}
${fwcmd} add 09999 skipto 12000 all from any to any via ${vpniface}
# EXTERNAL INTERFACE
${fwcmd} add 10110 deny ip from any to table\(2\) in recv ${extiface}
${fwcmd} add 10110 deny ip from table\(2\) to any in recv ${extiface}
${fwcmd} add 10110 deny ip from table\(1\) to any in recv ${extiface}
${fwcmd} add 10120 deny icmp from any to any in icmptype 5,9,13,14,15,16,17 recv ${extiface}
${fwcmd} add 10510 divert natd all from ${localnet} to any out xmit ${extiface}
${fwcmd} add 10530 divert natd all from any to ${extip} in recv ${extiface}
${fwcmd} add 10920 allow gre from ${extip} to any out xmit ${extiface}
${fwcmd} add 10920 allow gre from any to ${extip} in recv ${extiface}
${fwcmd} add 10930 check-state
${fwcmd} add 10940 allow tcp from me to any out xmit ${extiface} setup keep-state
${fwcmd} add 10940 allow udp from me to any out xmit ${extiface} keep-state
${fwcmd} add 10940 allow icmp from any to any via ${extiface} keep-state
${fwcmd} add 10950 allow tcp from any to ${extip} 22 in recv ${extiface} keep-state
${fwcmd} add 10960 allow tcp from any to ${extip} 1723 in recv ${extiface} keep-state
${fwcmd} add 10990 allow all from any to ${localnet} out xmit ${extiface}
${fwcmd} add 10990 allow all from any to ${vpnnet} out xmit ${extiface}
${fwcmd} add 10998 deny log all from any to any via ${extiface}
# INTERNAL INTERFACE
${fwcmd} add 11110 deny all from not ${localnet} to any in recv ${intiface}
${fwcmd} add 11520 fwd ${intip},3128 tcp from ${localnet} to any 23,70,80,210,280,488,591,777,2041,2042,5190,9080,9443 recv ${intiface}
${fwcmd} add 11910 allow all from any to ${localnet} out xmit ${intiface}
${fwcmd} add 11910 allow all from ${localnet} to any in recv ${intiface}
${fwcmd} add 11920 allow all from any to ${bcast} via ${intiface}
${fwcmd} add 11920 allow all from ${bcast} to any via ${intiface}
${fwcmd} add 11998 deny log all from any to any via ${intiface}
# VPN INTERFACE
${fwcmd} add 13110 deny all from not ${vpnnet} to any in recv ${vpniface}
${fwcmd} add 13910 allow all from any to ${vpnnet} out xmit ${vpniface}
${fwcmd} add 13910 allow all from ${vpnnet} to any in recv ${vpniface}
${fwcmd} add 13920 allow all from any to ${bcast} via ${vpniface}
${fwcmd} add 13920 allow all from ${bcast} to any via ${vpniface}
${fwcmd} add 13998 deny log all from any to any via ${vpniface}
# DEFAULT RULE
${fwcmd} add 65535 deny log all from any to any
And one more question: VPN clients need Internet access when they connect. What is the correct way to write this? Add a rule
${fwcmd} add 10520 divert natd all from ${vpnnet} to any out xmit ${extiface} ?
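An added check, not part of the post or the poster's configuration: ipfw's "skipto N" continues at the first rule numbered N or higher, so a target with no rule of exactly that number (the 12000 target above, whose VPN section starts at 13110) silently lands on the next existing rule. The script below resolves each skipto target against the rule numbers copied from the rule set above (a constructed list, not read from a live ipfw).

```shell
#!/bin/sh
# Rule numbers copied from the posted rule set (constructed sample for this check).
RULES='100 200 300 9999 10110 10120 10510 10530 10920 10930 10940 10950 10960 10990 10998
11110 11520 11910 11920 11998
13110 13910 13920 13998
65535'

# first_rule_at_or_after N: print the first existing rule number >= N
# (ipfw skipto semantics), or "none" if no such rule exists.
first_rule_at_or_after() {
    n="$1"
    for r in $RULES; do
        if [ "$r" -ge "$n" ]; then
            printf '%s\n' "$r"
            return 0
        fi
    done
    printf 'none\n'
    return 0
}

# rule_exists N: succeed only if a rule numbered exactly N is present.
rule_exists() {
    for r in $RULES; do
        [ "$r" -eq "$1" ] && return 0
    done
    return 1
}

# check_skipto N: report where "skipto N" lands and whether the target exists.
check_skipto() {
    t="$1"
    land=$(first_rule_at_or_after "$t")
    if rule_exists "$t"; then
        printf 'skipto %s -> rule %s (exact target)\n' "$t" "$land"
    else
        printf 'skipto %s -> rule %s (no rule %s; falls through to next)\n' \
            "$t" "$land" "$t"
    fi
}

# The three skipto targets used in the posted rule set.
for t in 10000 11000 12000; do
    check_skipto "$t"
done
```

The output makes the 12000 -> 13110 fall-through visible; it is harmless here because nothing sits between 12000 and 13110, but any rule later inserted in that gap would start receiving ng0 traffic.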