FreeBSD 7 kernel-level NAT: setting up port redirection
luyued, posted 2011-04-20 21:42
rc.conf:
ifconfig_fxp0="inet 192.168.0.100 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="192.168.0.10"
hostname="#########"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"
firewall_nat_enable="YES"
firewall_nat_interface="fxp0"
rc.firewall:
ipfw add 100 allow all from any to any via lo0
ipfw add 110 deny all from any to 127.0.0.0/8
ipfw add 120 deny all from 127.0.0.0/8 to any
ipfw add 300 nat 10 all from any to any via fxp0
ipfw nat 10 config if fxp0
ipfw nat 50 config redirect_port tcp 192.168.1.1:1180 1180
ipfw add 1000 allow all from 192.168.1.0/24 to any
ipfw add 2000 allow all from any to 192.168.1.0/24
ipfw add 65000 deny all from any to any
Internet access works normally.
Redirecting port 1180 on 192.168.0.100 to port 1180 on 192.168.1.12 does not work.
=========================================================================================
Solved it myself.
ipfw add 00100 allow all from any to any via lo0
ipfw add 00110 deny all from any to 127.0.0.0/8
ipfw add 00120 deny all from 127.0.0.0/8 to any
ipfw add 00300 nat 10 all from any to any via fxp0
ipfw nat 10 config if fxp0 redirect_port tcp 192.168.1.1:1180 1180
ipfw add 01030 allow all from 192.168.0.0/16 to any
ipfw add 01040 allow all from any to 192.168.0.0/16
ipfw add 04000 deny all from any to any
==========================================================================================
Posting my complete rules, with traffic shaping and Internet-access control.
ipfw -f flush
ipfw="ipfw add"
pipe="ipfw pipe"
skip="skipto 65000"
outif="fxp0"
inif="fxp1"
dns="202.96.104.27,202.96.104.17"
myip="192.168.0.11,192.168.0.100"
allsvc="192.168.0.3,192.168.0.12,192.168.0.34,192.168.0.16,192.168.0.17,192.168.0.18,192.168.0.19"
guest="192.168.0.21,192.168.0.22,192.168.0.23,192.168.0.24,192.168.0.25,192.168.0.81"
wwwport="80,8080,443,4430"
wwwuser1="192.168.0.31,192.168.0.32,192.168.0.33,192.168.0.34,192.168.0.35,192.168.0.36,192.168.0.37,192.168.0.38,192.168.0.39,192.168.0.41,192.168.0.42,192.168.0.43"
wwwuser2="192.168.0.44,192.168.0.45,192.168.0.46,192.168.0.47,192.168.0.49,192.168.0.50,192.168.0.54,192.168.0.62,192.168.0.78,192.168.0.20,192.168.0.12"
serverip="192.168.0.1,192.168.0.2,192.168.0.4,192.168.0.5"
mailport="25,110"
zqport="1025,2869,6677,7708-7711,7776,7777,8001,8601,8605,9999,22223"
zquser="192.168.0.36,192.168.0.37,192.168.0.42,192.168.0.49,192.168.0.50,192.168.0.51,192.168.0.54,192.168.0.78"
nhqhport="6656,6666,6668,17991,13152-13153"
nhqhuser="192.168.0.42"
hxjmport="7001,7002,1380,1381,2121"
hxjmuser="192.168.0.43,192.168.0.41"
yzdport="6780,6791"
yzduser="192.168.0.36"
rstpport="554"
rstpuser="192.168.0.62,192.168.0.41"
openport="1180"
$pipe 1 config mask dst-ip 0x000000ff bw 300KBytes/s
$pipe 2 config mask src-ip 0x000000ff bw 100KBytes/s
$ipfw 20 nat 20 log all from any to any via $outif
ipfw nat 20 config if $outif redirect_port tcp 192.168.0.12:1180 1180
$ipfw 100 allow ip from any to any via tun0
$ipfw 110 allow ip from any to any via ng0
$ipfw 200 allow ip from any to any via lo0
$ipfw 300 deny ip from any to 127.0.0.0/8
$ipfw 400 deny ip from 127.0.0.0/8 to any
$ipfw 401 allow ip from $dns to any in via $outif
$ipfw 402 allow all from any to $dns 53 in via $inif
$ipfw 410 allow ip from any to me
$ipfw 420 allow ip from me to any
$ipfw 500 skipto 65500 all from $myip to any in via $inif
$ipfw 510 allow all from any to $myip out via $inif
$ipfw 1000 $skip ip from $allsvc to any in via $inif
$ipfw 1100 $skip ip from $guest to any in via $inif
$ipfw 1200 $skip ip from $wwwuser1 to any $wwwport in via $inif
$ipfw 1300 $skip ip from $wwwuser2 to any $wwwport in via $inif
$ipfw 1400 $skip ip from $wwwuser1 to any $mailport in via $inif
$ipfw 1500 $skip ip from $wwwuser2 to any $mailport in via $inif
$ipfw 1600 $skip ip from $zquser to any $zqport in via $inif
$ipfw 1700 $skip ip from $nhqhuser to any $nhqhport in via $inif
$ipfw 1800 $skip ip from $hxjmuser to any $hxjmport in via $inif
$ipfw 1900 $skip ip from $yzduser to any $yzdport in via $inif
$ipfw 2000 $skip ip from $rstpuser to any $rstpport in via $inif
$ipfw 2100 $skip ip from any $openport to any in via $inif
$ipfw 2200 $skip ip from $serverip to any $wwwport in via $inif
$ipfw 60000 pipe 1 ip from any to any out via $inif
$ipfw 64000 deny log all from any to any
$ipfw 65000 pipe 2 ip from any to any in via $inif
$ipfw 65500 allow all from any to any
Done!
The following line defines the NAT instance and redirects external port 1180 to port 1180 on 192.168.0.12:
ipfw nat 20 config if $outif redirect_port tcp 192.168.0.12:1180 1180
If you need more ports, keep appending to the same statement, e.g.:
ipfw nat 20 config if $outif redirect_port tcp 192.168.0.12:1180 1180 \
redirect_port tcp 192.168.0.11:25 25 \
redirect_port tcp 192.168.0.11:110 110
That is all it takes.
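As an added example (not part of the original post), the POSIX shell script below captures the lesson of the two attempts above: a redirect_port only takes effect on the nat instance that a `nat N` rule actually sends traffic through. build_nat_config assembles an `ipfw nat N config` line from a list of redirects, and check_nat_refs scans a ruleset for instances that are referenced by a rule but never configured, or configured but never referenced. The interface name and addresses are placeholders taken from the post; the constructed ruleset reproduces the first attempt, where the redirect sat on instance 50 while rule 300 used instance 10.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Interface and addresses are placeholders copied from the post's configs.

# build_nat_config INSTANCE IFACE REDIRECT...
#   each REDIRECT is proto:target_ip:target_port:public_port
#   -> prints one "ipfw nat N config if IF redirect_port ..." line
build_nat_config() {
    inst=$1; iface=$2; shift 2
    line="ipfw nat $inst config if $iface"
    for r in "$@"; do
        proto=${r%%:*}; rest=${r#*:}
        tip=${rest%%:*};  rest=${rest#*:}
        tport=${rest%%:*}; pport=${rest#*:}
        line="$line redirect_port $proto $tip:$tport $pport"
    done
    printf '%s\n' "$line"
}

# check_nat_refs < ruleset-text
#   Static check of an rc.firewall-style script: every instance used by a
#   "nat N" rule must have a "nat N config" line, and every configured
#   instance must be used by some rule (otherwise its redirect_port never
#   sees a packet). Exit status 1 if either problem is found.
check_nat_refs() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i == "nat" && $(i+1) ~ /^[0-9]+$/) {
                n = $(i+1)
                if ($(i+2) == "config") cfg[n] = 1; else ref[n] = 1
            }
        }
    }
    END {
        bad = 0
        for (n in ref) if (!(n in cfg)) {
            printf "instance %d: a rule uses nat %d but no \"nat %d config\" line exists\n", n, n, n
            bad = 1
        }
        for (n in cfg) if (!(n in ref)) {
            printf "instance %d: configured but no \"nat %d\" rule sends traffic through it\n", n, n
            bad = 1
        }
        if (!bad) print "ok: every nat instance is both configured and referenced"
        exit bad
    }'
}

# Constructed input reproducing the post's first (broken) attempt:
# the redirect lives on instance 50, which no rule references.
broken='ipfw add 300 nat 10 all from any to any via fxp0
ipfw nat 10 config if fxp0
ipfw nat 50 config redirect_port tcp 192.168.1.1:1180 1180'
printf '%s\n' "$broken" | check_nat_refs || echo "(broken ruleset flagged, as expected)"

# The corrected form: redirects attached to the instance rule 300 uses.
build_nat_config 10 fxp0 tcp:192.168.1.1:1180:1180 tcp:192.168.0.11:25:25
```

Run it against the firewall script itself (`check_nat_refs < /etc/rc.firewall`); it inspects the script text only, not the kernel's live NAT state, so it catches the copy-and-paste mistake before the rules are loaded.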
===========================================================
Original source
http://www.freebsdchina.org/forum/viewtopic.php?t=41751