jax2004
Newbie | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору помогите пожалуста я только розбираюсь в freebsd!! есть правила ipwf.rules надо пару компам по ip дать полный доступ к инету!! прога через прокси неработает хочет прямой инет!! конфиг не я писал помогите что мне в нем дописать!!! #!/bin/sh ###Clear ipfw rulset /sbin/ipfw -f flush ###Some variable deffinition cmd="/sbin/ipfw -q add" #tcmd="/sbin/ipfw -q table" ncmd="/sbin/ipfw nat" #skip="skipto 9900" infjust_if="rl0" infjust_ip="10.2.112.2" mpls_if="rl1" mpls_ip="192.168.1.2,172.16.23.2" lan_if="rl2" lan_ip="192.168.0.1" ukrtel_inet_if="tun100" ukrtel_mpls_if="rl4" infjust_net="10.2.112.0/21" infjust_servers_net="10.2.113.0/28" mpls_net="192.168.2.0/25,192.168.10.0/23,172.16.0.0/17" lan_net="192.168.0.1/24" eng_ip="192.168.0.108" torrent_port="6881" liga_ip="192.168.0.110" liga_port="30583" pib_ip="192.168.0.134" pib_port="10000" edr_ip="192.168.0.139,192.168.0.140,192.168.0.97,192.168.0.99,192.168.0.132" edr_port="8086,8000,80,4307,139,443,4310" ic_inet_net="193.111.173.0/24" local_services_ports="20,21,22,25,80,110,143,993,3128" infjust_dns_ip="10.2.113.1" infjust_nod_ip="10.2.113.1" infjust_proxy_ip="10.2.113.1" infjust_mail_ip="10.2.113.1" #configure kernel nat instances # 1 for inet # 2 for infjust inet_nat=1 infjust_nat=2 ukrtel_mpls_nat=3 $ncmd ${inet_nat} config redirect_port tcp ${eng_ip}:${torrent_port} ${torrent_port} if ${ukrtel_inet_if} same_ports $ncmd ${infjust_nat} config if ${infjust_if} same_ports #$ncmd ${ukrtel_mpls_nat} config redirect_port tcp ${liga_ip}:${liga_port} ${liga_port} redirect_port tcp ${liga_ip}:1411 1411 if ${ukrtel_mpls_if} same_ports ################################################################# # No restrictions on Loopback Interface ################################################################# $cmd 0010 allow all from any to any via lo0 #Allow intranet without proxy $cmd 0020 allow tcp from ${lan_net},${mpls_net} to me 80,443,8080 in #Force 
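# transparent proxy: every LAN/MPLS TCP flow to 80,443,8080 is forwarded to the
# local squid on 127.0.0.1:3128.
# Hosts that need direct (un-proxied) Internet access must be NATed on the
# inet instance BEFORE this fwd rule, using the same shape as rule 1820 below
# for ${eng_ip}.  Template, fill in the address before enabling:
#$cmd 0025 nat ${inet_nat} ip from <DIRECT_HOST_IP> to any out via ${ukrtel_inet_if} keep-state
$cmd 0030 fwd 127.0.0.1,3128 tcp from ${lan_net},${mpls_net} to any 80,443,8080 keep-state

# hole for local services (ports listed in ${local_services_ports})
$cmd 0050 allow ip from any to me ${local_services_ports} in
$cmd 0055 allow ip from me ${local_services_ports} to any out

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
###$cmd 0110 divert natd ip from any to any in via ${ukrtel_inet_if}
$cmd 0110 nat ${inet_nat} all from any to any in via ${ukrtel_inet_if}
$cmd 0120 nat ${infjust_nat} all from any to any in via ${infjust_if}

#################################################################
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 0130 check-state

# DNS: resolver service for LAN/MPLS, upstream queries to the infjust DNS
# and to the Internet via the ukrtel link.
$cmd 0200 allow udp from ${lan_net},${mpls_net} to me 53 keep-state
$cmd 0210 allow udp from me to ${infjust_dns_ip} 53 keep-state
$cmd 0215 allow tcp from me to ${infjust_dns_ip} 53 keep-state
$cmd 0211 allow udp from me 53 to ${infjust_net} keep-state
$cmd 0216 allow tcp from me 53 to ${infjust_net} keep-state
$cmd 0220 allow udp from me to any 53 out via ${ukrtel_inet_if} keep-state
# if we want to be secondary for the uprjust zone
$cmd 0230 allow udp from ${infjust_dns_ip} 53 to me keep-state
$cmd 0240 allow tcp from ${infjust_dns_ip} 53 to me keep-state

# SSH between the internal networks
##$cmd 0300 allow tcp from 10.2.113.20 to 10.2.113.34 22 setup keep-state
##$cmd 0310 allow tcp from 10.2.113.34 22 to 10.2.113.20 setup keep-state
$cmd 0320 allow tcp from ${lan_net},${mpls_net},${infjust_net} to ${lan_net},${mpls_net},${infjust_net} 22 setup keep-state

# Registry
$cmd 0410 allow ip from ${lan_net},${mpls_net} to 193.111.173.53 8080 keep-state
$cmd 0420 allow ip from ${lan_net},${mpls_net} to 193.111.173.54 8080 keep-state
$cmd 0430 allow ip from ${lan_net},${mpls_net} to 193.111.173.55 8080 keep-state
$cmd 0440 allow ip from ${lan_net},${mpls_net} to 193.111.173.56 8080 keep-state
$cmd 0450 allow ip from ${lan_net},${mpls_net} to 193.111.173.57 8080 keep-state
$cmd 0455 allow ip from ${lan_net},${mpls_net} to 193.111.173.58 8080 keep-state
$cmd 0460 allow ip from ${lan_net},${mpls_net} to 193.111.173.37,193.111.173.38,193.111.173.39,193.111.173.40 keep-state

# MRO aka REZ
# These two were numbered 0450/0460, colliding with the Registry rules above
# (an `ipfw delete 0450` would have removed both).  Renumbered to 0465/0466;
# the destinations do not overlap, so evaluation is unchanged.
##$cmd 0450 $skip tcp from ${lan_net},${mpls_net} to 212.82.216.42 80 setup keep-state
##$cmd 0460 $skip tcp from ${lan_net},${mpls_net} to 92.240.97.198 80 setup keep-state
$cmd 0465 allow tcp from ${lan_net},${mpls_net} to 212.82.216.42 80 in
$cmd 0466 allow tcp from ${lan_net},${mpls_net} to 92.240.97.198 80 in
$cmd 0470 nat ${infjust_nat} tcp from ${lan_net},${mpls_net} to 212.82.216.42 80 out via ${infjust_if} setup keep-state
$cmd 0480 nat ${infjust_nat} tcp from ${lan_net},${mpls_net} to 92.240.97.198 80 out via ${infjust_if} setup keep-state

# NOD32 updater from zk.informjust.ua
$cmd 0510 allow tcp from me to ${infjust_nod_ip} 2221 keep-state

# some minjust registry
$cmd 0520 nat ${inet_nat} tcp from ${lan_net},${mpls_net} to 204.232.192.26 5900 out via ${ukrtel_inet_if} setup keep-state
#204.232.192.26,5900

# Outgoing HTTP access from this host
# UKRTEL INET
$cmd 0610 allow tcp from me to any 80,443,8080 out via ${ukrtel_inet_if} setup keep-state
# INFJUST HTTP ACCESS
$cmd 0620 allow tcp from me to any 80,443,8080 out via ${infjust_if} setup keep-state
# delete them later
# NOTE(review): 0640 carries `setup`, so it only matches SYN-only packets whose
# source port is 80/443/8080 — it does not admit ordinary replies.  Confirm it
# is still needed.
$cmd 0630 allow tcp from ${lan_net},${mpls_net} to any 80,443,8080 in setup keep-state
$cmd 0640 allow tcp from any 80,443,8080 to ${lan_net},${mpls_net} out setup keep-state

# Incoming HTTP access for intranet web only!
$cmd 0710 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 80,443,8080 setup keep-state

# Local Mail SMTP POP3 IMAP IMAPS
$cmd 0810 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 25,110,143,993 setup keep-state
# For real inet mail delivery
$cmd 0820 allow tcp from me to any 25 out via ${ukrtel_inet_if} setup keep-state
$cmd 0830 allow tcp from any 25 to me in via ${ukrtel_inet_if} setup keep-state
# for zk.informjust.ua mail
$cmd 0840 allow tcp from ${lan_net},${mpls_net} to ${infjust_servers_net} 25,110,143,993 in
$cmd 0850 nat ${infjust_nat} tcp from ${lan_net},${mpls_net} to ${infjust_servers_net} 25,110,143,993 out via ${infjust_if} setup keep-state

# SQUID Proxy (the second rule was also numbered 0910; renumbered to 0915,
# which keeps it between 0910 and 0920 exactly as before)
$cmd 0910 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 3128 setup keep-state
$cmd 0915 allow tcp from me to ${infjust_proxy_ip} 3128 setup keep-state

# ESET NOD32 mirror
$cmd 0920 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 2221 setup keep-state

# Jabber in far future
#$cmd 1010 $skip ip from ${lan_net},${mpls_net} to any 5222,5223,5269 out via ${ukrtel_inet_if} keep-state

# CVSUP
$cmd 1110 allow ip from me to any 5999 keep-state

# Outgoing FTP
# UKRTEL
$cmd 1210 allow tcp from me to any 20 out via ${ukrtel_inet_if} keep-state
$cmd 1215 allow tcp from me to any 21 out via ${ukrtel_inet_if} keep-state
# UKRTEL
$cmd 1220 allow tcp from any 20 to me in via ${ukrtel_inet_if} keep-state

# Incoming FTP (control ports plus the passive range)
$cmd 1310 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 20,21 setup keep-state
$cmd 1320 allow tcp from ${lan_net},${mpls_net} to ${lan_ip},${mpls_ip} 30000-30015 setup keep-state

# NTP
# NOTE(review): 1410 already accepts all NTP from `me`, so 1430/1440 are only
# reached by packets 1410 does not match — confirm that is intended.
##$cmd 1410 $skip ip from me to any 123 out via ${ukrtel_inet_if} keep-state
$cmd 1410 allow ip from me to any 123
$cmd 1430 nat ${infjust_nat} ip from me to any 123 out via ${infjust_if} keep-state
$cmd 1440 nat ${inet_nat} ip from me to any 123 out via ${ukrtel_inet_if} keep-state

# SSH access from INET
# NOTE(review): this admits SSH from any source on every interface, not only
# the Internet link; consider restricting the source or interface.
$cmd 1510 allow tcp from any to me 22 setup keep-state

# NFS Client (source is this host's infjust address, ${infjust_ip})
$cmd 1520 allow tcp from ${infjust_ip} to ${infjust_net} 111,730,963,1022,2049 keep-state
$cmd 1521 allow udp from ${infjust_ip} to ${infjust_net} 111,730,963,1022,2049 keep-state

# Allow ICMP (all types, from and to anywhere)
$cmd 1610 allow icmp from any to any keep-state

# Allow reverse connection from LAN-IP to MPLS- & LAN- NET's. DO WE REALLY NEED IT?
$cmd 1710 allow ip from ${lan_ip},${mpls_ip} to ${lan_net},${mpls_net} keep-state

# TNT! — torrent host: inbound to the redirected port, outbound NATed on inet
$cmd 1810 allow ip from any to me ${torrent_port}
$cmd 1815 allow ip from any to ${eng_ip} ${torrent_port}
$cmd 1820 nat ${inet_nat} ip from ${eng_ip} to any keep-state

# LIGA
# NOTE(review): nat instance ${ukrtel_mpls_nat} has its `config` line commented
# out in the preamble, so 1823 refers to an instance that is never configured;
# confirm what ipfw does with it before relying on this rule.
$cmd 1821 allow ip from any to me ${liga_port} keep-state #in via ${ukrtel_mpls_if}
$cmd 1822 allow ip from any to ${liga_ip} ${liga_port}
$cmd 1823 nat ${ukrtel_mpls_nat} ip from ${liga_ip} ${liga_port} to any keep-state
#$cmd 1824 nat ${infjust_nat} ip from ${liga_ip} ${liga_port} to any keep-state

# PIB
#$cmd 1824 allow ip from any to ${pib_ip} ${pib_port}
$cmd 1825 nat ${inet_nat} ip from ${pib_ip} to any ${pib_port} keep-state

# edr
$cmd 1826 nat ${inet_nat} ip from ${edr_ip} to any ${edr_port} keep-state

# ut4
$cmd 1850 nat ${inet_nat} ip from me to any 27961 out via ${ukrtel_inet_if} keep-state

# GMAIL
$cmd 1900 nat ${inet_nat} ip from 192.168.0.102 to any 465,995 keep-state

# Remote control
#$cmd 3389 allow tcp from 192.168.0.108 to any 3389 keep-state

# Reject & Log all unauthorized connections
# (a stray trailing `|` from the forum paste was removed here; it would have
# made the last line a broken pipeline)
$cmd 9000 deny log all from any to any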