[FUGSPBR] Struggling with IPFW + NATD

Márcio Luciano Donada marcio at sl.unochapeco.rct-sc.br
Sun Jul 13 18:58:47 BRT 2003



Hi Vitor,
I've never done this, but since I'll have to do it in a few days, let's go step
by step. First of all, how many network interfaces do you have?


Folks,

I'm struggling here with ipfw + natd.

I have two networks here:
10.1.0.0/16
10.2.0.0/16

I need to NAT only one of the networks, which is 10.2.0.0/16. The 10.1.0.0/16
network doesn't need it, since its access will be only through the transparent
proxy, via squid.
The problem is I can't get this to work.

Both networks, 10.1.0.0/16 and 10.2.0.0/16 (even though NAT is done for them),
will have to go through the transparent proxy.


Below are my configs:

kernel:

#####################################################################
# NETWORKING OPTIONS
#
# Protocol families:
#  Only the INET (Internet) family is officially supported in FreeBSD.
#  Source code for the NS (Xerox Network Service) is provided for amusement
#  value.
#
options         INET                    # Internet communications protocols
options         IPDIVERT                # divert sockets
options         IPFIREWALL              # firewall
options         IPFIREWALL_FORWARD      # enable transparent proxy support
options         IPFIREWALL_VERBOSE      # print information about dropped packets
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFILTER                # ipfilter support
options         IPFILTER_LOG            # ipfilter logging
options         TCPDEBUG

#
# ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
#
options         ICMP_BANDLIM
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN

Below is /etc/rc.conf

firewall_enable="YES"                   # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"      # Which script to run to set up the firewall
firewall_type="simple"                  # Firewall type (see /etc/rc.firewall)
firewall_quiet="YES"                    # Set to YES to suppress rule display
natd_program="/sbin/natd"              # path to natd, if you want a different one.
natd_enable="YES"                      # Enable natd (if firewall_enable == YES).
natd_interface="tun0"                  # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"         # Additional flags for natd.

/etc/natd.conf

interface tun0
dynamic yes
same_ports yes
use_sockets yes

Now on to /etc/rc.firewall

${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

# NATD
${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}
${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}

# Transparent proxy
${fwcmd} add 51 fwd 127.0.0.1,3128 tcp from ${nadm} to any 80,81,8080
${fwcmd} add 51 fwd 127.0.0.1,3128 tcp from ${nacad} to any 80,81,8080

# Block communication between the ACAD and ADM networks
${fwcmd} add 90 reset from ${acad} to ${adm}
${fwcmd} add 90 reset from ${adm} to ${acad}

# Stop RFC1918 nets on the outside interface
# Commented out because it's my private network
${fwcmd} add deny all from any to 10.0.0.0/8 via ${myif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${myif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${myif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${myif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${myif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${myif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${myif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${myif}

# Stop RFC1918 nets on the outside interface
# Commented out because it's my private network
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${myif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${myif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${myif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${myif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${myif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${myif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${myif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${myif}

# Deny fragmented packets
${fwcmd} add deny all from any to any frag

# check state
${fwcmd} add check-state

# FTP to the world
${fwcmd} add pass tcp from ${myip} to any 21 keep-state
${fwcmd} add pass tcp from ${nacad} to any 21 keep-state
${fwcmd} add pass tcp from ${nadm} to any 21 keep-state

# SSH
${fwcmd} add pass tcp from ${nacad} to ${ipacad} 22 keep-state
${fwcmd} add pass tcp from ${nadm} to ${ipadm} 22 keep-state

# My DNS-Server
${fwcmd} add pass udp from ${myip} to ${mydns} 53 keep-state
${fwcmd} add pass udp from ${mydns} 53 to ${myip} keep-state
${fwcmd} add pass udp from ${acad} 53 to ${mydns} keep-state
${fwcmd} add pass udp from ${adm} 53 to ${mydns} keep-state

# HTTP to the server
${fwcmd} add pass tcp from any to ${myip} 80 keep-state
# HTTPS to the world
${fwcmd} add pass tcp from ${myip} to any 443 keep-state
${fwcmd} add pass tcp from ${nacad} to any 443 keep-state
${fwcmd} add pass tcp from ${nadm} to any 443 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${myip} to any 123 out via ${myif} keep-state

# Cvsup
${fwcmd} add pass tcp from ${myip} to any 5999 via ${myif} keep-state

# Allow everything from the ADM network and MYIP to the world
${fwcmd} add 95 pass from ${myip} to any keep-state
${fwcmd} add 95 pass from ${adm} to any keep-state

# PROXY
${fwcmd} add reset tcp from any to ${myip} 3128

# ICMP IN and OUT
${fwcmd} add pass icmp from ${myip} to any icmptypes 8 keep-state
${fwcmd} add pass icmp from ${nacad} to ${ipacad} icmptypes 8 keep-state
${fwcmd} add pass icmp from ${nadm} to ${ipadm} icmptypes 8 keep-state
${fwcmd} add reset icmp from any to ${myip} icmptypes 5,8,9,10,12,13,14,15,16,17,18

# Reject broadcasts from outside interface
${fwcmd} add reset ip from any to 0.0.0.255:0.0.0.255 in via ${myif}

# Set the firewall as closed and log everything that is denied
${fwcmd} add 65534 deny log ip from any to any via tun0

myip = my real IP
nacad = the ACAD network
nadm = the ADM network
ipacad = IP on the ACAD network
ipadm = IP on the ADM network
if acad = interface of the NIC on the ACAD network
if adm = interface of the NIC on the ADM network

What is wrong with these rules of mine?


Regards,

---------------------------------------------------
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse
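A small checker, added here as an example and not part of the original thread, that flags the kinds of slips visible in rule lists like the one above: variable references that never expand in sh (`$(nacad}`, `{myif}`), names defined nowhere, duplicated rules, an action with no protocol after it, and a `divert natd` rule that does not match both directions (natd must also see the inbound replies to the public address in order to translate them back). The variable list is taken from the rules and the legend in the mail; the sample rules are a constructed excerpt.

```python
import re
# Variable names used by the rules and the legend in the mail above.
DEFINED_VARS = {"fwcmd", "myif", "myip", "mydns", "nacad", "nadm",
                "ipacad", "ipadm", "acad", "adm"}
# Actions that take an argument before the protocol (divert port, fwd addr,port).
ACTIONS_WITH_ARG = {"divert", "tee", "fwd", "forward", "skipto", "pipe", "queue"}
PROTOCOLS = {"ip", "all", "tcp", "udp", "icmp"}
GOOD_VAR = re.compile(r"\$\{(\w+)\}")
# "$(name}", "${name)" and a bare "{name}" never expand in sh: the rule gets an empty field.
BAD_VAR = re.compile(r"\$\(\w+\}|\$\{\w+\)|(?<!\$)\{\w+\}")

def lint_ipfw(script):
    # Returns [(line_no, message), ...] for an rc.firewall-style list of ${fwcmd} rules.
    problems, seen = [], set()
    for n, raw in enumerate(script.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        for m in BAD_VAR.finditer(s):
            problems.append((n, f"malformed variable reference {m.group(0)}"))
        for v in GOOD_VAR.findall(s):
            if v not in DEFINED_VARS:
                problems.append((n, f"undefined variable ${{{v}}}"))
        # Drop "${fwcmd} add [number]" so two identical rules compare equal.
        body = re.sub(r"^\$\{fwcmd\}\s+add\s+(\d+\s+)?", "", s)
        if body in seen:
            problems.append((n, "duplicate rule"))
        seen.add(body)
        tok = body.split()
        if not tok or tok[0] == "check-state":
            continue
        i = 2 if tok[0] in ACTIONS_WITH_ARG else 1  # where the protocol must sit
        if i < len(tok) and tok[i] == "log":         # "deny log ip ..." is valid
            i += 1
        if len(tok) <= i or tok[i] not in PROTOCOLS:
            problems.append((n, "action must be followed by a protocol (ip/all/tcp/udp/icmp)"))
        # natd must see both directions: outbound packets to rewrite the source and
        # inbound replies to the public address to rewrite them back to the private host.
        if tok[:2] == ["divert", "natd"] and "from any to any" not in body:
            problems.append((n, "divert natd should match 'from any to any'"))
    return problems

# Constructed excerpt reproducing the slips visible in the posted rc.firewall.
SAMPLE = """\
${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}
${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}
${fwcmd} add 90 reset from ${acad} to ${adm}
${fwcmd} add pass udp from ${myip} to any 123 out via {myif} keep-state
${fwcmd} add pass icmp from $(nacad} to ${ipcad} icmptypes 8 keep-state
${fwcmd} add 65534 deny log ip from any to any via tun0
"""
```

Calling `lint_ipfw(SAMPLE)` yields seven findings, one per slip in the excerpt; the last line (a valid `deny log ip` rule) produces none.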

_______________________________________________________________
Unsubscribe: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/

