论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2010-09-27 15:52 |只看该作者 |倒序浏览

本帖最后由 ltokok 于 2010-09-27 15:53 编辑

各位达人，最近遇到pf下的端口映射的棘手问题，请大家帮忙看看是为什么。
【环境简介】
A 客户端 124.93.240.206
B 服务器内网IP 172.24.3.15 外网IP 219.216.100.78 静态路由 192.168.102.0/24 —> 172.24.3.1
C WEB服务器 192.168.102.16
设计目标 A访问 219.216.100.78:80 B服务器将80端口映射到内网的web服务器192.168.102.16上

【rc.conf】

test# more /etc/rc.conf
ifconfig_le1="inet 219.216.100.78 netmask 255.255.255.0"
ifconfig_le0="inet 172.24.3.15 netmask 255.255.255.0"
defaultrouter="219.216.100.1"
hostname="test.cn"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
ftpproxy_enable="YES"
/sbin/route add -net 172.23.0.0/16 172.24.3.1
/sbin/route add -net 192.168.102.0/24 172.24.3.1

复制代码

【pf.conf】

ext_if="le1"
int_if="le0"
webserver1="192.168.102.16"
lan_network="{192.168.102.0/24,172.23.0.0/16,172.24.3.0/24}"
nat on $ext_if from $lan_network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver1
pass out
pass in

复制代码

【sysctl】

test# sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1

复制代码

【pfctl -sa】

TRANSLATION RULES:
nat on le1 inet from 192.168.102.0/24 to any -> (le1) round-robin
nat on le1 inet from 172.23.0.0/16 to any -> (le1) round-robin
nat on le1 inet from 172.24.3.0/24 to any -> (le1) round-robin
rdr on le1 inet proto tcp from any to 219.216.100.78 port = http -> 192.168.102.16
FILTER RULES:
pass out all flags S/SA keep state
pass in all flags S/SA keep state
STATES:
all tcp 219.216.100.78:22 <- 124.93.240.206:53801 ESTABLISHED:ESTABLISHED
all tcp 192.168.102.16:80 <- 219.216.100.78:80 <- 124.93.240.206:57291 CLOSED:SYN_SENT
all tcp 124.93.240.206:57291 -> 192.168.102.16:80 SYN_SENT:CLOSED
all tcp 192.168.102.16:80 <- 219.216.100.78:80 <- 124.93.240.206:59522 CLOSED:SYN_SENT
all tcp 124.93.240.206:59522 -> 192.168.102.16:80 SYN_SENT:CLOSED