SRV1:FreeBSD 10.3,IP:10.0.0.1,PPPOe ADSL(ppp),ethernetx1:fxp0 SRV2:FreeBSD 10.3,IP:10.0.0.2

[Goals]

port forwarding: SRV1 [port:8922] ----> SRV2 [port:22] SRV [port:8080] ----> SRV2 [port:80]

Estou experimentando o encaminhamento de porta e passei algumas semanas para resolver isso. Após pesquisar e pesquisar no fórum, o problema ainda não foi resolvido.

Eu tentei 3 métodos acima, mas nada funciona. Claro que começo o serviço normalmente. Quer saber se não é posibble fazer o reencaminhamento de portas de SRV1 (ethernet x 1, ADSL PPPOe) para SRV2? Por favor me dê conselhos e muito obrigada.

#

[Try1: ipfw]

/etc/ipfw.rules     #! / bin / sh     ipfw -q flush

add="ipfw -q add"
WAN="tun0"
LAN="fxp0"
ipfw -q nat 1 config if $WAN reset\
                redirect_port tcp 10.11.11.2:22 8922\
                redirect_port tcp 10.11.11.2:80 8080

# Allow everything within the LAN
$add 10 allow ip from any to any via $LAN
$add 20 allow ip from any to any via lo0
$add 30 allow ip from any to any via ng*

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 nat 1 ip from any to any via $WAN in
$add 101 check-state
$add 200 skipto 10000 tcp from any to any 8922 via $WAN in setup keep-state
$add 203 skipto 10000 tcp from any to any  22 via $WAN in keep-state

# Rules for outgoing traffic - allow everything that is not explicitely denied
$add 1000 deny ip from not me to any 25, 53 via $WAN out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via $WAN out setup keep-state
$add 2010 skipto 10000 udp from any to any via $WAN out keep-state

# Rules for incomming traffic - deny everything that is not explicitely allowed
# vpn mpd5:1723
$add 4999 allow tcp,udp from any to any 47,1723  via $WAN in setup limit src-addr 10
# vpn mpd5:1723
$add 5000 allow tcp from any to any 4, 80, 443, 548,  8822, 8922  via $WAN in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via $WAN
$add 9999 deny udp from any to any via $WAN

$add 10000 nat 1 ip from any to any via $WAN out
$add 65534 allow ip from any to any

[Try2: pf]

/etc/pf.conf

#對外的網路卡
ext_if = "tun0"

#對內的網路卡
int_if = "fxp0"
ext_ip = "xxx.xxx.xxx.xxx"

# PIMA(DMZ後面的server)
INT_SRV1 = "10.0.0.1"
INT_SRV2 = "10.0.0.2"

# --- ftp services ---
SSH_PORT1 = "{ 8922 }"
WWW_PORT1 = "{ 8080 }"
open_services = "{22, 47, 1723, 54, 80, 443}"

# Port forwarding to internal Server
rdr_port_to_pima =  "{8922 8080}"

#Private IP
priv_nets = "{ 127.0.0.0/8, 10.11.11.0/27}"

# --- hosts with internet access ---
table <allowed> { 127.0.0.0/8, 10.11.11.0/27}

# options
#設定拒絕連線封包的處理方式
set block-policy return
set optimization aggressive
#紀錄 $ext_if
set loginterface $ext_if
set loginterface $int_if
# scrub
scrub in all

#NAT
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ext_ip
rdr pass on $ext_if proto tcp from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr on $ext_if proto tcp from any to $ext_ip/32 port 21 -> $INT_SRV1 port 21    #outside to FTP

rdr pass on $ext_if proto { tcp udp } from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr pass on $ext_if proto { tcp udp } from any to $ext_ip/32 port $WWW_PORT1 -> $INT_SRV1 port 80

antispoof log quick for $ext_if


#open loopback
pass quick on lo0 all

pass in on $int_if inet proto tcp from any to any port $open_services flags S/SA keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

block drop in quick on $ext_if from <ssh-bruteforce>
block return-icmp(net-unr) in quick on $ext_if proto udp all

[Try3: ipnat]

# /etc/ipnat.rules

map tun0 10.11.11.0/27 -> 0.0.0.0/32 portmap tcp/udp 8000:65000
map tun0 10.11.11.0/27 -> 0.0.0.0/32

rdr tun0 106.104.138.251/32 port 8922 -> 10.11.11.2 port 22