This example is an experiment: on a machine with two network cards on the 192.168.33.0/24 network, install FreeBSD, load firewall and NAT rules, and then act as the gateway through which the computers on another network, 192.168.1.0/24, reach the Internet. The machine's IP addresses are as follows:
External card rl0: 192.168.33.8
Internal card fxp0: 192.168.1.8
1. System
(1) Installed FreeBSD 5.3 from CD-ROM; afterwards upgraded the base system and the kernel separately.
(2) Build ipfilter into the kernel
cd /usr/src/sys/i386/conf
cp GENERIC MYFIREWALL
ee MYFIREWALL
Add: options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
Then: config MYFIREWALL
cd ../compile/MYFIREWALL
make depend
make
make install
Reboot.
2. Configuration files
The files that were modified or created are mainly the following:
(1) /etc/rc.conf
# -- sysinstall generated deltas -- # Sat Jun 18 08:08:00 2005
# -- sysinstall generated deltas -- # Sat Jun 18 13:25:55 2005
# Created: Sat Jun 18 08:08:00 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.33.6"
firewall_enable="NO"
gateway_enable="YES"
hostname="chen.chenchen.com"
ifconfig_rl0="inet 192.168.33.8 netmask 255.255.255.0"
ifconfig_fxp0="inet 192.168.1.8 netmask 255.255.255.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
portmap_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="2"
syslogd_enable="YES"
syslogd_flags="-ss"
ipfilter_enable="NO"
#ipfilter_program="/sbin/ipf"
#ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
# Note: this line is a shell command, not a variable setting. rc.conf is sourced by
# sh, so it runs every time rc.conf is read; an rc.d script is the proper place for it.
ipmon -o N > /tmp/nat.log &
#ipnat_enable="YES"
#ipnat_program="/sbin/ipnat -CF -f"
#ipnat_rules="/etc/ipnat.rules"
(2) /etc/ipf.rules
Contents:
chen# more ipf.rules
/sbin/ipf -Fa -f - << EOF
#############################################################
# Tune the system
#############################################################
block in quick all with ipopts
block in quick all with frag
block in quick all with short
#############################################################
# Resist the attack of the virus
#############################################################
block in quick proto tcp/udp from any to any port 134 >< 140
block in quick proto tcp/udp from any to any port = 445
block in quick proto tcp/udp from any to any port = 593
block in quick proto tcp/udp from any to any port = 333
block in quick proto tcp/udp from any to any port = 5554
block in quick proto tcp/udp from any to any port = 9995
block in quick proto tcp/udp from any to any port = 9996
block in quick proto tcp/udp from any to any port = tftp
block in quick proto tcp/udp from any to any port = 554
block in quick proto tcp/udp from any to any port = 1434
block in quick proto tcp/udp from any to any port = 4444
############################################################
# Loopback Interface
############################################################
# ----------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself
# ----------------------------------------------------------
#pass in quick on lo0 all
#pass out quick on lo0 all
############################################################
############################################################
# Inside Interface fxp0
############################################################
# ----------------------------------------------------------
# Allow out all TCP,UDP,and ICMP traffic &keep state
# ----------------------------------------------------------
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
block out quick on fxp0 all
# ----------------------------------------------------------
# Allow in all TCP,UDP,and ICMP traffic &keep state
# ----------------------------------------------------------
block in log quick on fxp0 from any to 192.168.1.0/32
block in log quick on fxp0 from any to 192.168.1.255/32
#pass in quick on fxp0 proto tcp from any to any port = 80 keep state
#pass in quick on fxp0 proto tcp from any to any port = 21 keep state
#pass in quick on fxp0 proto tcp from any to any port = 22 keep state
pass in quick on fxp0 proto tcp from any to any keep state
pass in quick on fxp0 proto udp from any to any keep state
pass in quick on fxp0 proto icmp from any to any keep state
block in quick on fxp0 all
############################################################
# Outside Interface rl0
############################################################
# ----------------------------------------------------------
# Block out all traffic to the private address
# ----------------------------------------------------------
#pass out quick on rl0 from any to 192.168.33.0/24
#pass out quick on rl0 from any to 192.168.31.0/24
block out quick on rl0 from any to 192.168.0.0/16
block out quick on rl0 from any to 172.16.0.0/12
block out quick on rl0 from any to
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to
block out quick on rl0 from any to 169.254.0.0/16
block out quick on rl0 from any to 192.0.2.0/24
block out quick on rl0 from any to 204.152.64.0/23
block out quick on rl0 from any to 224.0.0.0/3
# ----------------------------------------------------------
# Allow out all TCP,UDP,and ICMP traffic & keep state on it
# so that it's allowed back in
# ----------------------------------------------------------
pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out quick on rl0 all
# ----------------------------------------------------------
# Block in all traffic from the private address
# ----------------------------------------------------------
#pass in quick on rl0 from 192.168.33.0/24 to any
#pass in quick on rl0 from 192.168.31.0/24 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/24 to any
block in quick on rl0 from 224.0.0.0/3 to any
block in log quick on rl0 from any to 192.168.33.0/32
block in log quick on rl0 from any to 192.168.33.25/32
block in log quick on rl0 from any to 192.168.31.0/32
block in log quick on rl0 from any to 192.168.31.255/32
# -----------------------------------------------------------
# Block all remaining traffic coming into the firewall
# -----------------------------------------------------------
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state
#pass in quick on rl0 from any to any port = 53 flags S keep state
block in quick on rl0 all
EOF
(3) /etc/ipnat.rules
Contents:
chen# more ipnat.rules
/sbin/ipnat -CF -f - << EOF
#rdr rl0 192.168.33.8/32 port 8080 -> 192.168.1.11 port 8080
map rl0 192.168.1.0/24 -> 192.168.33.8/32 portmap tcp/udp 10000:39999
map rl0 192.168.1.0/24 -> 192.168.33.8/32
EOF
(4) As /etc/rc.conf shows, ipf.rules and ipnat.rules are not loaded through rc.conf; instead they are wrapped in scripts placed in /usr/local/etc/rc.d.
Contents of ipf.loadrules.sh:
#!/bin/sh
sh /etc/ipf.rules
Then: chmod u+x ipf.loadrules.sh
Contents of ipnat.loadrules.sh:
#!/bin/sh
sh /etc/ipnat.rules
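The two loader scripts hand the rule files to sh without looking at them, so a half-written rule (several lines in the ipf.rules listing end at "from" or "to" with no address) or a missing EOF terminator is only noticed when the rules fail to load at boot. The following script is an added example, not code from the original post: it checks a rule file of the same "/sbin/ipf -Fa -f - << EOF ... EOF" form for those two defects before running it. Function names are hypothetical and the two sample rule files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a rule file of the
# form the post uses (/sbin/ipf -Fa -f - << EOF ... EOF) before a loader script
# in /usr/local/etc/rc.d hands it to sh. Function names are hypothetical and
# the sample rule files are constructed below.

# Print every rule line that ends in "from" or "to", i.e. has no address;
# return 0 when the file is clean, 1 otherwise.
find_incomplete_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^(pass|block|map|rdr)/ && ($NF == "from" || $NF == "to") {
            print FILENAME ":" NR ": " $0; bad++
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Number of incomplete rules, as a plain integer.
count_incomplete_rules() {
    find_incomplete_rules "$1" | awk 'END { print NR }'
}

# Number of active (uncommented) filter or NAT rules in the file.
count_rules() {
    grep -cE '^(pass|block|map|rdr)' "$1"
}

# The loader relies on a here-document; make sure its EOF terminator is the
# last non-blank line, otherwise sh reports an unterminated here-document.
heredoc_terminated() {
    [ "$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)" = "EOF" ]
}

# Run the rule file (which calls /sbin/ipf or /sbin/ipnat itself) only when
# the text checks pass; this is what ipf.loadrules.sh could do instead of a
# bare "sh /etc/ipf.rules".
load_rules() {
    if ! find_incomplete_rules "$1" >&2; then
        echo "refusing to load $1: incomplete rule(s)" >&2; return 1
    fi
    if ! heredoc_terminated "$1"; then
        echo "refusing to load $1: missing EOF terminator" >&2; return 1
    fi
    sh "$1"
}

# Constructed samples: good.rules is well formed; bad.rules has two rules
# with the address missing and no EOF terminator.
write_sample_rules() {
cat >"$1/good.rules" <<'SAMPLE'
/sbin/ipf -Fa -f - << EOF
# constructed sample
block in quick all with ipopts
pass out quick on fxp0 proto tcp from any to any keep state
block out quick on rl0 from any to 192.168.0.0/16
block in quick on rl0 all
EOF
SAMPLE
cat >"$1/bad.rules" <<'SAMPLE'
/sbin/ipf -Fa -f - << EOF
block out quick on rl0 from any to
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from
block in quick on rl0 all
SAMPLE
}

# Demonstration on the constructed files (no ipf needed for the checks).
_dir=$(mktemp -d -t ipfrules.XXXXXX)
write_sample_rules "$_dir"
echo "good.rules: $(count_rules "$_dir/good.rules") rules, $(count_incomplete_rules "$_dir/good.rules") incomplete"
echo "bad.rules:  $(count_rules "$_dir/bad.rules") rules, $(count_incomplete_rules "$_dir/bad.rules") incomplete"
load_rules "$_dir/bad.rules" || echo "bad.rules rejected, as intended"
rm -rf "$_dir"
```

To use it in place of the post's one-line loader, call load_rules /etc/ipf.rules (and likewise for /etc/ipnat.rules) from the rc.d script; a rejected file leaves the previously loaded rule set untouched, because the flush in "ipf -Fa" only happens once sh actually runs the file.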
After a reboot, the machines on 192.168.1.0/24 can reach the Internet through this FreeBSD box.
There is one thing in this setup, though, that I never worked out. In /etc/ipf.rules the outbound rule on the external interface, block out quick on rl0 from any to 192.168.0.0/16, was meant to stop the 192.168.1.0/24 machines from reaching the machines on 192.168.33.0/24 and 192.168.31.0/24 (192.168.31.0/24 is a further network attached at the gateway of 192.168.33.0/24, and that gateway lets the 192.168.33.0/24 machines reach 192.168.31.0/24). Pinging one of the machines in 192.168.33.0/24 from the FreeBSD gateway itself (192.168.33.8) shows:
chen# ping 192.168.31.3
ping: sendto: No route to host
ping: sendto: No route to host
But a machine that reaches the Internet through 192.168.33.8 (192.168.1.11) pinging the same IP shows:
C:\>ping 192.168.31.3
Pinging 192.168.31.3 with 32 bytes of data:
Reply from 192.168.31.3:bytes=32 time=1ms TTL=62
Reply from 192.168.31.3:bytes=32 time=1ms TTL=62
I have never understood why this happens.
Note: this example also drew on a number of articles and posts from the web; thanks to their authors ^_^
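One plausible reading of the two ping results, shown as an added example that is not part of the original post: ipfilter consults its state table before the rule list, and an inbound rule with keep state on fxp0 creates an entry that then passes the same flow out on rl0 without the rl0 block rules being evaluated at all, whereas a ping generated on the gateway itself never entered on fxp0, has no state entry, and is stopped by block out quick on rl0 from any to 192.168.0.0/16, which the kernel reports to the socket as "No route to host". The script below is a deliberately simplified model of that evaluation order (every rule treated as quick, state keyed only on source and destination, NAT ignored, no match means block as with IPFILTER_DEFAULT_BLOCK); the rule set, the packets and the function names are constructed for the illustration, not taken from ipfilter itself.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of ipfilter's
# evaluation order, used to show why a forwarded ping and a locally generated
# ping are treated differently by the post's rule set.
#   1. the state table is consulted first; a matching flow passes without any
#      rule lookup;
#   2. otherwise rules for the packet's direction and interface are walked in
#      order and the first match decides (all rules treated as "quick");
#   3. a matching rule marked "keep" adds the flow to the state table;
#   4. no match means block (IPFILTER_DEFAULT_BLOCK).
# Constructed rule set: direction, interface, action, src, dst, state flag.
# These mirror the post's fxp0 inbound pass/keep state, the rl0 outbound block
# to 192.168.0.0/16 and the rl0 outbound pass/keep state.
RULES='
in  fxp0 pass  any any            keep
out rl0  block any 192.168.0.0/16 -
out rl0  pass  any any            keep
'

# State table: one "src dst" flow per line (real ipf also keys on protocol
# and ports; omitted here).
STATE=$(mktemp -t ipfmodel.XXXXXX)
trap 'rm -f "$STATE"' EXIT

# decide DIR IFACE SRC DST: prints "pass (state)", "pass" or "block";
# returns 0 when the packet passes, 1 when it is blocked.
decide() {
    _dir=$1; _if=$2; _src=$3; _dst=$4
    if grep -qx "$_src $_dst" "$STATE"; then
        echo "pass (state)"; return 0
    fi
    _res=$(printf '%s\n' "$RULES" | awk -v dir="$_dir" -v ifc="$_if" \
                                        -v src="$_src" -v dst="$_dst" '
        function ip2n(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        # prefix match without bitwise operators so it runs on BSD awk as well as gawk
        function inmask(ip, net,  q, bits, d) {
            if (net == "any") return 1
            split(net, q, "/"); bits = q[2] + 0
            d = 2 ^ (32 - bits)
            return int(ip2n(ip) / d) == int(ip2n(q[1]) / d)
        }
        NF == 6 && $1 == dir && $2 == ifc && inmask(src, $4) && inmask(dst, $5) {
            print $3 ($6 == "keep" ? " keep" : ""); exit
        }')
    case $_res in
        "pass keep") echo "$_src $_dst" >>"$STATE"; echo "pass"; return 0 ;;
        pass)        echo "pass"; return 0 ;;
        *)           echo "block"; return 1 ;;
    esac
}

# Ping generated on the gateway itself (192.168.33.8 -> 192.168.31.3):
# nothing ever entered on fxp0, so there is no state entry and the rl0
# block rule matches first. ipf hands EHOSTUNREACH back to the socket,
# which ping prints as "No route to host".
echo "gateway ping, out rl0:   $(decide out rl0 192.168.33.8 192.168.31.3)"

# Ping forwarded for the LAN client (192.168.1.11 -> 192.168.31.3): it is
# first seen inbound on fxp0, where the pass/keep rule creates state; on the
# way out on rl0 that state entry is found before any rule is consulted.
echo "client ping, in fxp0:    $(decide in fxp0 192.168.1.11 192.168.31.3)"
echo "client ping, out rl0:    $(decide out rl0 192.168.1.11 192.168.31.3)"
```

On the real system the equivalent check is to watch the state table with ipfstat -s while the client pings, and to compare it with the rule hit counters from ipfstat -io; if the block rule's counter stays at zero during the client's ping, the state entry is what is carrying the packets past it. Making the fxp0 inbound rules narrower (for example, pass only to destinations outside 192.168.0.0/16) is the usual way to keep that state from being created in the first place.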