[原创]ipf+ipnat+ipfw建立带流量控制的透明网关。
ADSL用ipfw+natd可以进行端口映射呀!我实践过,请看我的配置文件:
rc.conf:
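# -- sysinstall generated deltas -- # Fri Dec 5 11:44:37 2003
# Created: Fri Dec 5 11:44:37 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

# Forward packets between the LAN interface (rl0) and the ADSL link (tun0).
gateway_enable="YES"
hostname="FreeBSD4.7"
# LAN side of the gateway.
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
#ifconfig_rl1="inet 192.168.10.2 netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
#sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="YES"

# ADSL link: user-ppp in ddial mode keeps the "adsl" profile connected.
# NAT is left to natd below rather than to ppp's built-in NAT (ppp_nat).
ppp_enable="YES"
ppp_mode="ddial"
#ppp_nat="YES"
ppp_profile="adsl"

# ipfw: firewall_type is a path, so rc.firewall loads the rules from that file.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
#firewall_type="OPEN"
firewall_type="/etc/ipfw.conf"
firewall_quiet="NO"
firewall_logging_enable="YES"

# natd aliases to the address currently on tun0; the port redirects live in
# /etc/natd.conf instead of on the command line.
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
#natd_flags="-redirect_port tcp 192.168.0.2:80 80"
#route add default 192.168.100.1

# Host route to For-DHCP via rl0. rc.conf is sourced as a shell script by
# several rc scripts, so a bare "route add" here would execute on every
# sourcing (and before rl0 is configured); declare it through static_routes
# so rc.network adds it once, after the interfaces are up.
static_routes="dhcphost"
route_dhcphost="-host For-DHCP -interface rl0"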
natd.conf:
# natd(8) configuration, loaded through natd_flags="-f /etc/natd.conf" in rc.conf.
# Record aliasing activity (the file form of natd's -l/-log option).
log yes
# NOTE(review): tun0 is a PPP link whose address changes on redial; "dynamic yes"
# lets natd track the interface address instead of the one seen at startup.
# It is disabled here — confirm whether the current setup relies on it.
#dynamic yes
# Inbound FTP and HTTP are forwarded to the LAN host 192.168.0.2; external
# port 193 maps to the web server's port 80. The matching ipfw allow rules
# (ports 21 and 193, inbound) must exist in /etc/ipfw.conf.
redirect_port tcp 192.168.0.2:21 21
redirect_port tcp 192.168.0.2:80 193
# Redirects from an earlier LAN numbering (192.168.100.0/24), kept disabled.
#redirect_port udp 192.168.100.150:1604 1640
#redirect_port tcp 192.168.100.150:80 193
#redirect_port tcp 192.168.100.100:4893 4893
#redirect_port udp 192.168.100.210:27015 27015
ipfw.conf:
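# ipfw(8) ruleset loaded by rc.firewall (firewall_type="/etc/ipfw.conf").
# Rules are evaluated in rule-number order, not file order; first match wins.

# 1-6: sanity checks that run before NAT. Source-routed / record-route
# options and syn+fin packets are dropped and logged.
add 00001 deny log ip from any to any ipopt rr
add 00002 deny log ip from any to any ipopt ts
add 00003 deny log ip from any to any ipopt ssrr
add 00004 deny log ip from any to any ipopt lsrr
add 00005 deny tcp from any to any in tcpflags syn,fin
# Anti-spoofing: nothing legitimate arrives from the ADSL side with a private
# source address, yet rule 40000 would accept such a packet. If the PPP peer
# itself uses a private address, narrow this rule accordingly.
add 00006 deny log ip from 192.168.0.0/16 to any in recv tun0

# Hand everything crossing tun0 to natd (inbound: destination rewritten to
# the LAN host per natd.conf; outbound: source aliased to the tun0 address).
# Must precede the allow rules so they see the LAN destination.
add 00050 divert natd ip from any to any via tun0

# Inbound services reachable from the Internet (seen after natd rewrote the
# destination). 21 and 193 correspond to the redirect_port entries in
# natd.conf. SSH (22) is open to any source; restrict it if possible.
add 10000 allow tcp from any to any 22 in
add 10001 allow tcp from any to any 21 in
add 10002 allow tcp from any to any 193 in
add 10003 allow tcp from any to any 1494 in
add 10004 allow udp from any to any 1604 in
add 10005 allow tcp from any to any 4893 in
add 10006 allow udp from any to any 27015 in
# Originally a second rule numbered 10001 (duplicate of the port-21 rule);
# renumbered so the rule list and "ipfw delete" are unambiguous. Port 28 is
# an unusual service port — confirm it is what was intended.
add 10007 allow tcp from any to any 28 in

# Outbound TCP: stateful where a state exists, otherwise plain allow.
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out
#add 20000 allow icmp from any to any
# DNS: 20001 admits resolver replies to this host; 20002 admits queries
# arriving on tun0 to port 53 — only needed if a resolver here must be
# reachable from outside, otherwise it can be removed.
add 20001 allow udp from any 53 to me in recv tun0
add 20002 allow udp from any to any 53 in recv tun0
add 29999 allow udp from any to any out
# ICMP: unreachable (3), source quench (4), echo request out (8),
# echo reply in (0), time exceeded in (11).
add 30000 allow icmp from any to any icmptypes 3
add 30001 allow icmp from any to any icmptypes 4
add 30002 allow icmp from any to any icmptypes 8 out
add 30003 allow icmp from any to any icmptypes 0 in
add 30004 allow icmp from any to any icmptypes 11 in
# LAN <-> anywhere is unrestricted. The /16 is wider than the /24 configured
# on rl0 in rc.conf (192.168.0.0/24).
add 40000 allow all from 192.168.0.0/16 to any
add 40001 allow all from any to 192.168.0.0/16

# Explicit default: everything else is dropped and logged, regardless of
# whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. Consider
# setting net.inet.ip.fw.verbose_limit to bound the log volume.
add 65000 deny log ip from any to any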
此外,还要在 rc.firewall 中加入 sleep 20;目的是在运行 IPFW/NATD 之前,让 tun0 先获得 IP 地址。