用ipfilter在动态ip环境下做重定向 v0.02

bsdbase

这个短文的v0.01我在这里发过，不过现在不能用搜索功能，找不到了  

看到这个帖子里一堆的“关注”，再贴出来，看看能不能有点帮助

http://chinaunix.net/forum/viewtopic.php?t=40859

from: https://bbs.bsdbase.com/index.php?s=34aa56e62f6325ed5494bb7162a683d7&act=ST&f=1&t=152

1. 
   
2.           用ipfilter在动态ip环境下做重定向
   
3.               阿土 tutu@bsdbase.com
   
4. 
   
5. v0.01 2002.11.29 初始总结
   
6. v0.02 2003.04.04 修正了一些错误；
   
7. 
   
8.     在这里，我希望提供的是思路，而不是这个粗浅的script。
   
9. 
   
10.     在ipfilter的nat规则中，如果出口ip地址是动态ip，比如PPPoE拨号或DHCP，那么可以使用类似
    
11. map tun0 192.168.0.0/24 ->; 0.0.0.0/32 的语法进行地址（端口）映射；可是类似
    
12. rdr tun0 0/32 port 80 ->; 192.168.2.100 port 80 tcp/udp这样的语法却是不对的，因为rdr
    
13. 规则要求第三个域是ip包的目的地址，通常是该出口网卡的地址，显然，当别人访问你的机器的时候
    
14. tcp/udp包的目的地址是你的当前地址，而不是0/32,所以，rdr tun0 0/32 ...这样的规则是不会生效的，
    
15. 你必须以该网卡的当前ip地址来做这个规则；ipfilter本身没有提供这样的定义使得我们可以方便的做
    
16. 这样的规则，下面是我做的脚本，用来动态的获得当前出口网卡地址，并一次刷新ipfilter规则。
    
17. 
    
18. 1。内核中编译ipfilter的支持，不能让ipfilter以模块的形式载入；
    
19. 因为我没有在/etc/rc.conf中指定ipfilter_enable="yes";
    
20. 2。编制如下shell script；
    
21. 
    
22. #!/bin/sh
    
23. #vi /usr/local/sbin/ipf.sh
    
24. #此脚本用来刷新ipf规则；
    
25. #注意/etc/ipf.rules是根据/etc/ipf.rules.template这个模板自动生成的；
    
26. #所以，如果你要改规则，应该改/etc/ipf.rules.template这个模板;
    
27. #For dynamic ip ipf rules
    
28. #$EXT_NIC is the internet connected NIC
    
29. #$EXT_ADDR is the internet connected NIC ADDRESS.
    
30. 
    
31. #get dynamic nic.
    
32. #获得默认路由经过的网卡，即所谓的外网网卡；
    
33. EXT_NIC=`netstat -arn | grep "default\>;" | awk '{print $6 }'`
    
34. if [ -z $EXT_NIC ];
    
35. then
    
36.         echo "ERROR default gateway NO found !!!"
    
37.         exit 1
    
38. else
    
39.         export EXT_NIC
    
40.         #get dynamic nic and ip.
    
41.         #获得外网卡地址；
    
42.         EXT_ADDR=`ifconfig $EXT_NIC | grep "inet\>;" | awk '{print $2}'`
    
43.         if [ -z $EXT_ADDR ];
    
44.         then
    
45.                 echo "ERROR:EXT_ADDR NO found !!!"
    
46.                 exit 1
    
47.         else
    
48.                 export EXT_ADDR
    
49.                 #根据上述信息参照模板生成规则；
    
50.                 echo "#NOTE:" >;/etc/ipf.rules
    
51.                 echo "#DON'T modify /etc/ipf.rules for your ipf rules ,Just modify /etc/ipf.rules.template instance !!!" >;>;/etc/ipf.rules
    
52.                 echo "#Read /usr/local/sbin/ipf.sh for detail." >;>;/etc/ipf.rules
    
53.                 echo "#." >;>;/etc/ipf.rules  
    
54.                 echo "#Reflashed date:`date`." >;>;/etc/ipf.rules
    
55.                 sed s/\$EXT_NIC/$EXT_NIC/g /etc/ipf.rules.template >;/etc/ipf.rules.nic
    
56.                 sed s/\$EXT_ADDR/$EXT_ADDR/g /etc/ipf.rules.nic >;>;/etc/ipf.rules
    
57.                 #刷新规则；
    
58.                 /sbin/ipf -Fa
    
59.                 /sbin/ipf -y -f /etc/ipf.rules
    
60. fi
    
61. fi
    
62. #end /usr/local/sbin/ipf.sh
    
63. 
    
64. #!/bin/sh
    
65. #vi /usr/local/sbin/ipnat.sh
    
66. #此脚本用来刷新ipnat规则；
    
67. #注意/etc/ipnat.rules是根据/etc/ipnat.rules.template这个模板自动生成的；
    
68. #所以，如果你要改规则，应该改/etc/ipnat.rules.template这个模板;
    
69. #For dynamic ip ipnat rules
    
70. #$EXT_NIC is the internet connected NIC
    
71. #$EXT_ADDR is the internet connected NIC ADDRESS.
    
72. 
    
73. #get dynamic nic.
    
74. #获得默认路由经过的网卡，即所谓的外网网卡；
    
75. EXT_NIC=`netstat -arn | grep "default\>;" | awk '{print $6 }'`
    
76. if [ -z $EXT_NIC ];
    
77. then
    
78.         echo "ERROR default gateway NO found !!!"
    
79.         exit 1
    
80. else
    
81.         export EXT_NIC
    
82.         #get dynamic nic and ip.
    
83.         #获得外网卡地址；
    
84.         EXT_ADDR=`ifconfig $EXT_NIC | grep "inet\>;" | awk '{print $2}'`
    
85.         if [ -z $EXT_ADDR ];
    
86.         then
    
87.                 echo "ERROR:EXT_ADDR NO found !!!"
    
88.                 exit 1
    
89.         else
    
90.                 export EXT_ADDR
    
91.                 #根据上述信息参照模板生成规则；
    
92.                 echo "#NOTE:" >;/etc/ipnat.rules
    
93.                 echo "#DON'T modify /etc/ipnat.rules for your nat rules ,Just modify /etc/ipnat.rules.template instance !!!" >;>;/etc/ipnat.rules
    
94.                 echo "#Read /usr/local/sbin/ipnat.sh for detail." >;>;/etc/ipnat.rules
    
95.                 echo "#." >;>;/etc/ipnat.rules  
    
96.                 echo "#Reflashed date:`date`." >;>;/etc/ipnat.rules               
    
97.                 sed s/\$EXT_NIC/$EXT_NIC/g /etc/ipnat.rules.template >;/etc/ipnat.rules.nic
    
98.                 sed s/\$EXT_ADDR/$EXT_ADDR/g /etc/ipnat.rules.nic >;>;/etc/ipnat.rules
    
99.                 #刷新规则；
    
100.                 /sbin/ipnat -C
     
101.                 /sbin/ipnat -v -f /etc/ipnat.rules
     
102.         fi
     
103. fi
     
104. #end /usr/local/sbin/ipnat.sh
     
105. 
     
106. #!/bin/sh
     
107. #vi /usr/local/sbin/ipfrenew
     
108. #调用预先编制的脚本刷新ipf以及ipnat规则；
     
109. /usr/local/sbin/ipf.sh
     
110. /usr/local/sbin/ipnat.sh
     
111. #显示当前状况；
     
112. /sbin/ipnat -l |grep -v '<- ->; '
     
113. echo List of active sessions have been cutted.
     
114. /sbin/ipfstat -if
     
115. /sbin/ipfstat -of
     
116. #end of /usr/local/sbin/ipfrenew
     
117. 
     
118. #设置可执行；
     
119. chmod 700 /usr/local/sbin/*
     
120. 
     
121. 3。在会更换ip的程序中调用/usr/local/sbin/ipfrenew
     
122. PPPoE:
     
123. 
     
124. #vi /etc/ppp/ppp.linkup
     
125. default:
     
126. pppoe:
     
127.   shell "/usr/local/sbin/ipfrenew"
     
128. #end of /etc/ppp/ppp.linkup
     
129.   
     
130. #假设你的PPPoE配置名称叫pppoe;
     
131. 
     
132. DHCP(Cable modem):
     
133. 
     
134. #!/bin/sh
     
135. #vi /etc/dhclient-exit-hooks
     
136. /usr/local/sbin/ipfrenew
     
137. #end of /etc/dhclient-exit-hooks
     
138. 
     
139. #至于说调用的语法，自己查man，都说的很清楚了；
     
140. 
     
141. #begin of /etc/ipnat.rules.template
     
142. #这里使用$EXT_ADDR是必须的，因为每次获得的ip不同；
     
143. rdr $EXT_NIC $EXT_ADDR/32 port 80 ->; 192.168.0.82 port 80
     
144. #当然，如果你想好用，还得配合动态dns client，另文说明；
     
145. 
     
146. 
     
147. 
     
148. #下面是一些常用的map规则；
     
149. # For 192.168.0.0/24
     
150. # ------------------------------------------------------------
     
151. # Use ipfilter FTP proxy for hosts behind NAT doing transfer
     
152. # mode active.
     
153. # ------------------------------------------------------------
     
154. map $EXT_NIC 192.168.0.0/24 ->; 0/32 proxy port ftp ftp/tcp
     
155. 
     
156. 
     
157. # -----------------------------------------------------------
     
158. # Use ipfilter IKE proxy for ESP packets for hosts behind NAT
     
159. # IP Filter 3.4.21 and beyond only.
     
160. # -----------------------------------------------------------
     
161. map $EXT_NIC 192.168.0.0/24 ->; 0/32 proxy port 500 ipsec/udp
     
162. 
     
163. 
     
164. # -----------------------------------------------------------
     
165. # Use ipfilter RealAudio proxy for hosts behind NAT
     
166. # -----------------------------------------------------------
     
167. map $EXT_NIC 192.168.0.0/24 ->; 0/32 proxy port 7070 raudio/tcp
     
168. 
     
169. # -----------------------------------------------------------
     
170. # Use ipfilter H323 proxy for hosts behind NAT
     
171. # -----------------------------------------------------------
     
172. map $EXT_NIC 192.168.0.0/24 ->; 0/32 proxy port 1720 h323/tcp
     
173. 
     
174. 
     
175. # -----------------------------------------------------------
     
176. # Map all internal UDP and TCP traffic to the external IP address
     
177. # -----------------------------------------------------------
     
178. map $EXT_NIC 192.168.0.0/24 ->; 0/32 portmap tcp/udp 40000:60000
     
179. 
     
180. 
     
181. # -----------------------------------------------------------
     
182. # Map all other traffic e.g. ICMP to the external IP address
     
183. # -----------------------------------------------------------
     
184. map $EXT_NIC 192.168.0.0/24 ->; 0/32
     
185. #end of /etc/ipnat.rules.template
     
186. 
     
187. 
     
188. 
     
189. #begin of /etc/ipf.rules.template
     
190. #一个简单的规则，注意没有对pptp提供支持；
     
191. #ipfilter default to pass;
     
192. block in quick all with ipopts
     
193. block in quick all with short
     
194. #小心拦截碎片，一些程序就是会产生碎片，ipfilter的碎片拦截不会对碎片进行合法性检查。
     
195. #block in quick all with frag  
     
196. 
     
197. block in on $EXT_NIC all
     
198. block out on $EXT_NIC all
     
199. 
     
200. block in quick on $EXT_NIC from 10.0.0.0/8 to any
     
201. block in log quick on $EXT_NIC from 192.168.0.0/16 to any
     
202. block in log quick on $EXT_NIC from 172.16.0.0/12 to any
     
203. block in log quick on $EXT_NIC from 127.0.0.0/8 to any
     
204. block in log quick on $EXT_NIC from 169.254.0.0/16 to any
     
205. 
     
206. pass in on $EXT_NIC proto icmp from any to any icmp-type echo
     
207. pass in on $EXT_NIC proto icmp from any to any icmp-type echorep
     
208. 
     
209. #for http and https
     
210. pass in quick on $EXT_NIC proto tcp from any to any port = 80 keep state
     
211. pass in quick on $EXT_NIC proto tcp from any to any port = 443 keep state
     
212. 
     
213. #for mail
     
214. pass in quick on $EXT_NIC proto tcp from any to any port = 25 keep state
     
215. pass in quick on $EXT_NIC proto tcp from any to any port = 110 keep state
     
216. 
     
217. pass out quick on $EXT_NIC proto tcp/udp from any to any keep state
     
218. pass out quick on $EXT_NIC proto icmp from any to any keep state
     
219. 
     
220. block return-rst in log on $EXT_NIC proto tcp from any to any
     
221. block return-icmp-as-dest(port-unr) in log on $EXT_NIC proto udp from any to any
     
222. #end of /etc/ipf.rules.template
     

复制代码

红袖添香

...

bsdbase = 阿土？  

bsdbase

原帖由 "红袖添香" 发表：
...

bsdbase = 阿土？  

sure. 假设你说的是 tutux .