




доступ к внутренним ресурсам через внешний адрес — mrs.blaileen, 03-Фев-15, 11:21
Ситуация: есть веб-ресурс внутри сети, он отвечает на IP, скажем, 192.168.0.50. Извне доступ к нему настроен по адресу www.mydomain.ru:1234 (порт 80 занят другим ресурсом). Как настроить доступ к нему изнутри сети по тому же адресу www.mydomain.ru:1234 (т.е. hairpin NAT / NAT loopback, либо другое решение той же задачи)?

ОС шлюза FreeBSD 9.0
В ядро добавлено:

# Kernel options for the gateway: ipfw with logging, `fwd` and divert
# sockets (what the posted ruleset and natd need), plus a second packet
# filter (ipfilter) and dummynet.
# Hardware performance counters; unrelated to the firewall.
options         PERFMON
# ipfw packet filter.
options         IPFIREWALL              
# Let `log` rules write to syslog; cap each rule at 100 logged packets so a
# flood cannot fill the log (net.inet.ip.fw.verbose_limit).
options         IPFIREWALL_VERBOSE              
options         IPFIREWALL_VERBOSE_LIMIT=100    
# Enables the `fwd` action, used by the ruleset to redirect port 80 to squid.
options         IPFIREWALL_FORWARD
# ipfilter (ipf/ipnat) compiled in as well; rc.conf enables ipnat next to
# natd.  NOTE(review): two NAT/filter stacks on one box is a maintenance and
# audit hazard -- confirm ipnat is really needed.
options         IPFILTER
options         IPFILTER_LOG
# Divert sockets, required by natd.
options         IPDIVERT                
# Lets the gateway skip the TTL decrement (hides the hop from traceroute);
# only takes effect when net.inet.ip.stealth=1, which is not set in the
# rc.conf shown -- presumably in sysctl.conf, verify.
options         IPSTEALTH
# Traffic shaper; the posted ruleset contains no pipe/queue rules.
options         DUMMYNET
# Makes the reserved default rule 65535 an *allow*.  NOTE(review): this is
# the security-critical choice here: any rule that fails to load, and any
# packet no explicit rule covers, is accepted.  The ruleset's own
# `add 65535 deny` cannot override it because 65535 is reserved and
# `ipfw add` rejects that number; use an unnumbered final `deny` rule and
# drop this option once every needed allow is explicit.
options         IPFIREWALL_DEFAULT_TO_ACCEPT

ipfw:

        ${fwcmd} add 4 allow tcp from 192.168.0.18 to me 22
        ${fwcmd} add 5 reject all from any to me 22,3128,3306,5038 via fxp0

        ${fwcmd} add 6 reject all from any to me dst-port 123

        ${FwCMD} add 10 allow ip from any to any via lo0
        ${FwCMD} add 11 deny ip from any to 127.0.0.0/8
        ${FwCMD} add 12 deny ip from 127.0.0.0/8 to any

        ${FwCMD} add 15 deny ip from ${NetIn} to any in via ${LanOut}
        ${FwCMD} add 16 deny ip from ${NetOut} to any in via ${LanIn}

        ${FwCMD} add 20 deny ip from any to 10.0.0.0/8 in via ${LanOut}
        ${FwCMD} add 21 deny ip from any to 172.16.0.0/12 in via ${LanOut}
        ${FwCMD} add 22 deny ip from any to 192.168.0.0/16 in via ${LanOut}
        ${FwCMD} add 23 deny ip from any to 0.0.0.0/8 in via ${LanOut}

        ${FwCMD} add 25 deny ip from any to 169.254.0.0/16 in via ${LanOut}
        ${FwCMD} add 26 deny ip from any to 224.0.0.0/4 in via ${LanOut}
        ${FwCMD} add 27 deny ip from any to 240.0.0.0/4 in via ${LanOut}
        ${FwCMD} add 28 deny icmp from any to any frag
        ${FwCMD} add 29 deny log icmp from any to 255.255.255.255 in via ${LanOut}
        ${FwCMD} add 30 deny log icmp from any to 255.255.255.255 out via ${LanOut}
        ${fwcmd} add 35 divert natd ip from ${ip_lan}.246 to any via ${LanOut}
        ${fwcmd} add 36 divert natd ip from ${ip_lan}.244 to any via ${LanOut}
        ${fwcmd} add 37 divert natd ip from ${ip_lan}.245 to any via ${LanOut}

        ${FwCMD} add 38 divert natd ip from ${ip_lan}.241 to any via ${LanOut}
        ${fwcmd} add 39 divert natd ip from ${ip_lan}.242 to any via ${LanOut}
        ${fwcmd} add 41 divert natd ip from ${ip_lan}.5 to any via ${LanOut}
        ${fwcmd} add 42 divert natd ip from ${ip_lan}.15 to any via ${LanOut}
        ${fwcmd} add 43 divert natd ip from ${ip_lan}.18 to any via ${LanOut}
        ${fwcmd} add 44 divert natd ip from ${ip_lan}.213 to any via ${LanOut}
        ${fwcmd} add 45 divert natd ip from ${ip_lan}.87 to any via ${LanOut}
        ${fwcmd} add 46 divert natd ip from ${ip_lan}.198 to any via ${LanOut}
        ${fwcmd} add 47 divert natd ip from ${ip_lan}.211 to any via ${LanOut}
        ${fwcmd} add 48 divert natd ip from ${ip_lan}.161 to any via ${LanOut}
        ${fwcmd} add 49 divert natd ip from ${ip_lan}.8 to any via ${LanOut}
        ${fwcmd} add 50 divert natd ip from ${ip_lan}.12 to any via ${LanOut}

        ${fwcmd} add 51 divert natd ip from ${ip_lan}.66 to 55.251.189.1 via ${LanOut}
        ${fwcmd} add 52 divert natd ip from ${ip_lan}.66 to 84.204.56.210 via ${LanOut}
        ${fwcmd} add 53 divert natd ip from ${ip_lan}.66 to 84.204.56.212 via ${LanOut}
        ${fwcmd} add 54 divert natd ip from ${ip_lan}.66 to 84.204.56.213 via ${LanOut}
        ${fwcmd} add 55 divert natd ip from ${ip_lan}.66 to any dst-port 87,1024,2222 via ${LanOut}
        ${fwcmd} add 56 divert natd ip from ${ip_lan}.157 to 55.251.189.1 via ${LanOut}
        ${fwcmd} add 57 divert natd ip from ${ip_lan}.157 to 84.204.34.245 via ${LanOut}
        ${fwcmd} add 58 divert natd ip from ${ip_lan}.157 to 84.204.56.212 via ${LanOut}
        ${fwcmd} add 59 divert natd ip from ${ip_lan}.157 to 84.204.56.213 via ${LanOut}
        ${fwcmd} add 60 divert natd ip from ${ip_lan}.157 to any dst-port 87,1024,2222,9443 via ${LanOut}
        ${fwcmd} add 61 divert natd ip from 178.238.31.0/27 to 81.3.135.249 via ${LanOut}

        ${fwcmd} add 62 divert natd ip from ${ip_lan}.58 to any dst-port 35010,35012 via ${LanOut}
        ${fwcmd} add 63 divert natd ip from ${ip_lan}.21 to any dst-port 1959,1966,1961 via ${LanOut}
        ${fwcmd} add 64 divert natd ip from ${NetIn} to any dst-port 5050,6050,3389,5190,5116,7772 via ${LanOut}
5050,6050,3389,5190,5116,7772 via ${LanOut}
        ${fwcmd} add 65 divert natd ip from ${ip_lan}.69 to 217.15.49.231 via ${LanOut}
        ${fwcmd} add 66 divert nats ip from ${ip_lan}.215 to any via ${LanOut}
        ${fwcmd} add 70 divert natd ip from ${ip_lan}.63 to any dst-port 8444 via ${LanOut}
        ${fwcmd} add 71 divert natd ip from ${ip_lan}.63 to 213.182.169.32 dst-port 40226 via ${LanOut}
        ${fwcmd} add 72 divert natd ip from ${ip_lan}.63 to any dst-port 50025,50110 via ${LanOut}
        ${fwcmd} add 91 divert natd ip from 192.168.0.0/20 to 81.243.4.183 dst-port 35012 via re1
        ${fwcmd} add 92 divert natd ip from 192.168.0.249 to any dst-port 8585,110 via re1
via fxp0
        ${fwcmd} add 95 deny ip from 192.168.0.0/20 to any dst-port 8000

        ${fwcmd} add 301 reject all from 211.144.68.74 to me in via ${LanOut}

        ${FwCMD} add 331 fwd 127.0.0.1,3128 tcp from ${NetIn} to any 80 via ${LanOut}

        ${FwCMD} add 332 divert natd ip from ${NetIn} to any out via ${LanOut}
        ${FwCMD} add 334 divert natd ip from any to ${IpOut} in via ${LanOut}

        ${FwCMD} add 335 deny ip from 10.0.0.0/8 to any out via ${LanOut}
        ${FwCMD} add 336 deny ip from 172.16.0.0/12 to any out via ${LanOut}
        ${FwCMD} add 337 deny ip from 192.168.0.0/16 to any out via ${LanOut}
        ${fwcmd} add 337 deny ip from 192.168.22.0/16 to any out via ${LanOut}
        ${FwCMD} add 338 deny ip from 0.0.0.0/8 to any out via ${LanOut}
        ${FwCMD} add 339 deny ip from 169.254.0.0/16 to any out via ${LanOut}
        ${FwCMD} add 340 deny ip from 224.0.0.0/4 to any out via ${LanOut}
        ${FwCMD} add 341 deny ip from 240.0.0.0/4 to any out via ${LanOut}

        ${FwCMD} add 345 allow icmp from any to any icmptypes 0,8,11

        ${FwCMD} add 350 allow ip from any to ${NetIn} in via ${LanIn}
        ${FwCMD} add 355 allow ip from ${NetIn} to any out via ${LanIn}

        ${FwCMD} add 356 allow tcp from any to any established

        ${fwcmd} add 359 allow ip from any to ${IpOut} dst-port 3357,3380-3399,5116,5218,13339,20089,33389,23389,33100,10088,20088,53389,20090,1982,1987 in via ${LanOut}
        ${FwCMD} add 360 allow udp from any to ${IpOut} 53 in via ${LanOut}
        ${FwCMD} add 361 allow udp from ${IpOut} 53 to any out via ${LanOut}
        ${FwCMD} add 362 allow udp from any 53 to ${IpOut} in via ${LanOut}
        ${FwCMD} add 363 allow udp from ${IpOut} to any 53 out via ${LanOut}
        ${FwCMD} add 364 allow udp from any to any 123 via ${LanOut}

        ${FwCMD} add 365 allow tcp from any to ${IpOut} 53 in via ${LanOut} setup
                              
        ${FwCMD} add 366 allow tcp from any to ${IpOut} 80 in via ${LanOut} setup
                              
        ${FwCMD} add 367 allow tcp from any to ${IpOut} 20,21 in via ${LanOut} setup
        ${FwCMD} add 368 allow tcp from any to ${IpOut} 25,110,993,995,26,443 in via ${LanOut} setup
#       ${FwCMD} add 369 allow tcp from any to ${IpOut} 22 in via ${LanOut} setup
        ${fwcmd} add 370 allow tcp from any to ${IpOut} 1723 in via ${LanOut} setup
        ${FwCMD} add 371 allow tcp from any to ${IpOut} 20,21 in via ${LanOut} setup
        ${fwcmd} add 372 allow ip from any to ${IpOut} 25565,25566 in via ${LanOut} setup

        ${fwcmd} add 373 allow ip from any to ${IpOut} 1799 in via ${LanOut} setup
        ${FwCMD} add 380 deny log tcp from any to ${IpOut} in via ${LanOut} setup

        ${FwCMD} add 381 allow tcp from ${IpOut} to any out via ${LanOut} setup
        ${FwCMD} add 382 allow tcp from any to ${IpOut} in via ${LanIn} setup

#       ${FwCMD} add 400 allow tcp from ${NetIn} to any 5190 in via ${LanIn} setup

        ${FwCMD} add 410 allow tcp from ${ip_lan}.18 to not ${NetIn} in via ${LanIn} setup
        ${FwCMD} add 420 allow tcp from ${ip_lan}.87 to not ${NetIn} in via ${LanIn} setup
#       ${FwCMD} add 430 allow tcp from ${ip_lan}.154 to not ${NetIn} in via ${LanIn} setup
#       ${fwcmd} add 200 divert natd ip from ${ip_lan}.87 to any via ${LanOut}

        ${FwCMD} add 65535 deny ip from any to any
        ;;

rc.conf:

# Console keyboard layout.
keymap="ru.koi8-r.kbd"

sshd_enable="YES"
moused_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

# ipfw: /etc/rc.firewall must contain a case branch named ZALUPA (the
# posted ruleset ends with its `;;`).  firewall_logging turns on
# net.inet.ip.fw.verbose so `deny log` rules reach syslog.
firewall_enable="YES"
firewall_type="ZALUPA"
firewall_logging="YES"
# Forward packets between interfaces.
gateway_enable="YES"
# natd on re1 (the external side, if re1 is the ruleset's ${LanOut}).
# NOTE(review): there are no natd_flags here, so the port-1234 redirect to
# the internal web server must live in /etc/natd.conf -- not shown; confirm
# it is a `redirect_port tcp 192.168.0.50:80 1234` and nothing broader.
natd_enable="YES"
natd_interface="re1"

# NOTE(review): check /etc/inetd.conf for what inetd actually serves;
# nothing in the ruleset refers to inetd services.
inetd_enable="YES"
# NOTE(review): ipnat (ipfilter NAT) is enabled next to natd, i.e. two NAT
# engines on one gateway.  Unless /etc/ipnat.rules is deliberately in use
# this should be "NO" to avoid double translation and hard-to-audit paths.
ipnat_enable="YES"

# ntpd with its own log file; ntpdate -u does the initial step from an
# unprivileged source port.  NOTE(review): ruleset rule 6 refuses dst-port
# 123 to the gateway, which also covers replies to ntpd's own queries
# (sent from port 123) -- verify ntpd actually synchronises.
ntpd_enable="YES"
ntpd_flags="-l /var/log/ntpd.log -p /var/run/ntpd.pid"
ntpdate_enable="YES"
ntpdate_flags="-u ntp.psn.ru"

# BIND drops privileges to the bind user.  NOTE(review): ruleset rules
# 360-365 expose it on the external interface; make sure recursion is
# limited to the LAN (allow-recursion) or it is an open resolver.
named_enable="YES"
named_flags="-u bind"

# Application services hosted on the firewall itself.  NOTE(review): mysql
# is refused only on fxp0 (ruleset rule 5); confirm it binds to 127.0.0.1
# or the LAN address.  mpd with 1723 open (rule 370) implies PPTP, whose
# MS-CHAPv2 authentication is weak -- consider L2TP/IPsec or another VPN.
squid_enable="YES"
apache22_enable="YES"
apache22_http_accept_enable="YES"
mysql_enable="YES"
pureftpd_enable="YES"
mpd_enable="YES"

# Disabled, yet ruleset rule 372 still allows inbound 25565/25566; drop
# that rule while the service is off.
minecraft_enable="NO"



