[FUG-BR] Natd question (packet flow through ipfw)
Joao Paulo Marques Mattos
jampa25 at gmail.com
Fri Aug 24 10:28:32 BRT 2007
Rodolfo,
See if this script helps you... I wrote it a while ago; it is just an
example that separates the flows. If anything goes wrong or doesn't work,
check the logs.
[]'s
JP
#!/bin/sh
# Firewall rules (ipfw - IP firewall and traffic shaper control program)
# Written by Joao Paulo Marques Mattos (jampa25 at gmail.com)
# Date: 27/12/2002
#
#
# For this script to work, its location must be given in "/etc/rc.conf":
# look for firewall_enable="YES" and insert on the next line:
# firewall_script="/etc/firewall/fwrules"
# define the firewall command (as in /etc/rc.firewall) to simplify
# references and make the rules easier to read.
fwcmd="/sbin/ipfw"
# define the external interface and its IP
exteth="rl1"
extIP="200.0.0.139/32"
# define the internal interface
inteth="rl0"
# force removal of the current rules before loading
$fwcmd -f flush
# dummynet: set up the pipes and their bandwidth
#$fwcmd pipe 10 config mask src-ip 0x000000ff bw 64kbit/s queue 6Kbytes
#$fwcmd pipe 11 config mask dst-ip 0x000000ff bw 64kbit/s queue 6Kbytes
# Check all inbound traffic on the external interface;
# if it matches, jump to rule 50000
##################################################################################
$fwcmd add skipto 50000 all from any to me in recv $exteth
##################################################################################
# Filter and check all outbound traffic and (via dynamic rules)
# all inbound traffic
##################################################################################
# pass through NAT
$fwcmd add skipto 40000 tcp from 192.168.1.10 to any keep-state out xmit $exteth
# ICMP in general
$fwcmd add skipto 40000 icmp from any to any icmptypes 0,3,8,11
##################################################################################
# allow all trusted connections - internal interface
##################################################################################
# localhost
$fwcmd add allow ip from any to any via lo0
# dummynet for squid
#$fwcmd add pipe 10 log all from 192.168.1.10 to me 3128 out via $exteth
#$fwcmd add pipe 11 log all from me 3128 to 192.168.1.10 in via $exteth
# allowed only for the internal interface
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth
# once a connection is established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established
# Allow and log the rest of the traffic on the internal interface
$fwcmd add allow log ip from any to any via $inteth
$fwcmd add allow udp from any 53 to any in via $exteth
# To make sure nothing that is not allowed gets through
$fwcmd add deny log ip from any to any
##################################################################################
# Packets will only pass through these rules in two circumstances:
# 1) Any outbound packet that received the keep-state flag
# 2) Any inbound packet that matches a dynamic rule
##################################################################################
# NAT
$fwcmd add 40000 divert natd all from any to any out xmit $exteth
# dummynet
$fwcmd add pipe 11 log all from any 80 to 192.168.1.10 in via $exteth
# Internal interface
$fwcmd add allow ip from any to any via $inteth
# connections initiated by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth
# once a connection is established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established
# ICMP (so that ping and traceroute work)
$fwcmd add allow icmp from any to any
# DNS
$fwcmd add allow udp from any 53 to any 1024-65535 in via $exteth
# Allow everything else, with logging for debugging
$fwcmd add allow log all from any to any
# To make sure nothing that is not allowed gets through
$fwcmd add deny log all from any to any
##################################################################################
# Only inbound traffic will pass through these rules. We need to
# define what we want to accept or not. The check-state flag
# will fire the dynamic rule and jump to 40000
##################################################################################
$fwcmd add 50000 divert natd all from any to any in recv $exteth
$fwcmd add check-state
# connections initiated by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth
# once a connection is established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established
# UDP - DNS
$fwcmd add allow udp from any 53 to any in
$fwcmd add allow udp from any to any 53 in
# ICMP (so that ping and traceroute work)
$fwcmd add allow icmp from any to any
# reject the rest
$fwcmd add deny log all from any to any
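The three-section flow the script's comments describe (outbound filter, jump to 40000 for NAT, jump to 50000 for inbound traffic) traced by a small Python model. This is an added example, not code from the original post: it does not call ipfw and models only the actions the script relies on (allow, deny, skipto, divert natd, keep-state/check-state) over a subset of its rules, assuming ipfw's default 100-step numbering for the rules the script adds without a number. The interface names, 200.0.0.139 and 192.168.1.10 come from the script; the remote addresses and ports are constructed.

```python
"""Toy model of a packet's path through the ipfw ruleset above.

Added example, not from the original post.  It does not call ipfw; it only
models the actions the script relies on (allow, deny, skipto, divert natd,
keep-state / check-state) over a subset of the rules, so the traversal the
comments describe can be traced offline.  Remote addresses and ports below
are constructed for the demo."""

EXT_IF, INT_IF, EXT_IP = "rl1", "rl0", "200.0.0.139"   # from the script
LAN_PREFIX = "192.168.1."                              # assumption: network behind rl0

# --- match helpers; a "packet" is a plain dict ------------------------------
def in_ext(p):        return p["dir"] == "in" and p["iface"] == EXT_IF
def out_ext(p):       return p["dir"] == "out" and p["iface"] == EXT_IF
def via_int(p):       return p["iface"] == INT_IF
def established(p):   return p["proto"] == "tcp" and bool(p["flags"] & {"ack", "rst"})
def lan_host_tcp(p):  return out_ext(p) and p["proto"] == "tcp" and p["src"] == "192.168.1.10"
def anything(p):      return True

# (number, action, argument, keep_state, predicate).  Rules the script adds
# without a number get ipfw's default 100-step numbering here.
RULES = [
    (100,   "skipto", 50000,  False, lambda p: in_ext(p) and p["dst"] == EXT_IP),
    (200,   "skipto", 40000,  True,  lan_host_tcp),        # keep-state
    (300,   "allow",  None,   False, via_int),
    (400,   "deny",   None,   False, anything),
    (40000, "divert", "natd", False, out_ext),
    (40100, "allow",  None,   False, via_int),
    (40200, "allow",  None,   False, lambda p: p["iface"] == EXT_IF and established(p)),
    (40300, "allow",  None,   False, anything),
    (50000, "divert", "natd", False, in_ext),
    (50100, "check-state", None, False, anything),
    (50200, "allow",  None,   False, lambda p: p["iface"] == EXT_IF and established(p)),
    (50300, "deny",   None,   False, anything),
]

def flow_key(p):    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
def reverse_key(p): return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

def natd(p, nat_table):
    """Minimal natd: masquerade outbound LAN traffic behind EXT_IP and
    translate inbound packets to a known (EXT_IP, port) back to the host."""
    if p["dir"] == "out" and p["src"].startswith(LAN_PREFIX):
        nat_table[(EXT_IP, p["sport"])] = p["src"]
        p["src"] = EXT_IP
    elif p["dir"] == "in" and (p["dst"], p["dport"]) in nat_table:
        p["dst"] = nat_table[(p["dst"], p["dport"])]

def walk(p, dyn, nat_table):
    """Run one packet through RULES; returns (verdict, trace).  dyn holds the
    dynamic (keep-state) rules, nat_table the natd mappings; both are mutated."""
    trace, i = [], 0
    while i < len(RULES):
        num, action, arg, keep, match = RULES[i]
        if action == "check-state":
            parent = dyn.get(flow_key(p))
            if parent is None:
                i += 1
                continue
            # a matching dynamic rule runs the action of the rule that created it
            trace.append(f"{num} check-state -> dynamic rule of {parent[0]}")
            num, action, arg = parent
        elif not match(p):
            i += 1
            continue
        trace.append(f"{num} {action}")
        if keep:                                   # record both directions of the flow
            dyn[flow_key(p)] = dyn[reverse_key(p)] = (num, action, arg)
        if action in ("allow", "deny"):
            return action, trace
        if action == "divert":
            natd(p, nat_table)                     # natd reinjects at the next rule
            i += 1
        elif action == "skipto":                   # first rule numbered >= target
            i = next((k for k, r in enumerate(RULES) if r[0] >= arg), len(RULES))
    return "deny", trace                           # ipfw's implicit final deny

def demo():
    dyn, nat = {}, {}
    pkts = [
        ("lan->web SYN",     dict(proto="tcp", src="192.168.1.10", sport=45000, dst="198.51.100.7",
                                  dport=80, dir="out", iface=EXT_IF, flags={"syn"})),
        ("web->lan SYN/ACK", dict(proto="tcp", src="198.51.100.7", sport=80, dst=EXT_IP,
                                  dport=45000, dir="in", iface=EXT_IF, flags={"syn", "ack"})),
        ("unsolicited SYN",  dict(proto="tcp", src="203.0.113.9", sport=40000, dst=EXT_IP,
                                  dport=22, dir="in", iface=EXT_IF, flags={"syn"})),
    ]
    results = {}
    for name, p in pkts:
        verdict, trace = walk(p, dyn, nat)
        results[name] = (verdict, trace, p["src"], p["dst"])
        print(f"{name:17s} {verdict:5s}  {' > '.join(trace)}  [now {p['src']} -> {p['dst']}]")
    return results

if __name__ == "__main__":
    demo()
```

Running it prints one trace per packet: the LAN host's SYN creates the dynamic rule at 200 and is masqueraded at 40000; the reply is translated back at 50000 before check-state sees it, which is why the divert must precede check-state in the 50000 section (the dynamic rule was created at rule 200, before the NAT, so it is keyed on the LAN address); an unsolicited SYN to the external address finds no state and falls through to the final deny.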