SRV1:FreeBSD 10.3,IP:10.0.0.1,PPPOe ADSL(ppp),ethernetx1:fxp0
SRV2:FreeBSD 10.3,IP:10.0.0.2
[Goals]
port forwarding: SRV1 [port:8922] ----> SRV2 [port:22] SRV [port:8080] ----> SRV2 [port:80]
Estou experimentando o encaminhamento de porta e passei algumas semanas para resolver isso. Após pesquisar e pesquisar no fórum, o problema ainda não foi resolvido.
/etc/ipfw.rules #! / bin / sh ipfw -q flush
add="ipfw -q add"
WAN="tun0"
LAN="fxp0"
ipfw -q nat 1 config if $WAN reset\
redirect_port tcp 10.11.11.2:22 8922\
redirect_port tcp 10.11.11.2:80 8080
# Allow everything within the LAN
$add 10 allow ip from any to any via $LAN
$add 20 allow ip from any to any via lo0
$add 30 allow ip from any to any via ng*
# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in
$add 100 nat 1 ip from any to any via $WAN in
$add 101 check-state
$add 200 skipto 10000 tcp from any to any 8922 via $WAN in setup keep-state
$add 203 skipto 10000 tcp from any to any 22 via $WAN in keep-state
# Rules for outgoing traffic - allow everything that is not explicitely denied
$add 1000 deny ip from not me to any 25, 53 via $WAN out
# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via $WAN out setup keep-state
$add 2010 skipto 10000 udp from any to any via $WAN out keep-state
# Rules for incomming traffic - deny everything that is not explicitely allowed
# vpn mpd5:1723
$add 4999 allow tcp,udp from any to any 47,1723 via $WAN in setup limit src-addr 10
# vpn mpd5:1723
$add 5000 allow tcp from any to any 4, 80, 443, 548, 8822, 8922 via $WAN in setup limit src-addr 10
# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via $WAN
$add 9999 deny udp from any to any via $WAN
$add 10000 nat 1 ip from any to any via $WAN out
$add 65534 allow ip from any to any
/etc/pf.conf
#對外的網路卡
ext_if = "tun0"
#對內的網路卡
int_if = "fxp0"
ext_ip = "xxx.xxx.xxx.xxx"
# PIMA(DMZ後面的server)
INT_SRV1 = "10.0.0.1"
INT_SRV2 = "10.0.0.2"
# --- ftp services ---
SSH_PORT1 = "{ 8922 }"
WWW_PORT1 = "{ 8080 }"
open_services = "{22, 47, 1723, 54, 80, 443}"
# Port forwarding to internal Server
rdr_port_to_pima = "{8922 8080}"
#Private IP
priv_nets = "{ 127.0.0.0/8, 10.11.11.0/27}"
# --- hosts with internet access ---
table <allowed> { 127.0.0.0/8, 10.11.11.0/27}
# options
#設定拒絕連線封包的處理方式
set block-policy return
set optimization aggressive
#紀錄 $ext_if
set loginterface $ext_if
set loginterface $int_if
# scrub
scrub in all
#NAT
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ext_ip
rdr pass on $ext_if proto tcp from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr on $ext_if proto tcp from any to $ext_ip/32 port 21 -> $INT_SRV1 port 21 #outside to FTP
rdr pass on $ext_if proto { tcp udp } from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr pass on $ext_if proto { tcp udp } from any to $ext_ip/32 port $WWW_PORT1 -> $INT_SRV1 port 80
antispoof log quick for $ext_if
#open loopback
pass quick on lo0 all
pass in on $int_if inet proto tcp from any to any port $open_services flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
block drop in quick on $ext_if from <ssh-bruteforce>
block return-icmp(net-unr) in quick on $ext_if proto udp all
# /etc/ipnat.rules
map tun0 10.11.11.0/27 -> 0.0.0.0/32 portmap tcp/udp 8000:65000
map tun0 10.11.11.0/27 -> 0.0.0.0/32
rdr tun0 106.104.138.251/32 port 8922 -> 10.11.11.2 port 22
Tags freebsd