系统环境:FreeBSD 4.8,ipfilter 版本是 3.4.31
网络环境:双网卡,一块接adsl,一块接hub连内网。
现象:客户端的pc会不定期的出现不能连接internet的现象,ping 任何网址都不通,但此时服务器却可以与internet相连,也就是说上网的线路并没有问题。
我的 ipfilter 配置文件如下:
我是通过脚本文件配合ipf模板来产生ipf规则
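#!/bin/sh
#
# /usr/local/sbin/ipf.sh - regenerate /etc/ipf.rules from its template and
# load it into IP Filter.
#
# The template is expanded by var-replace.sh, which substitutes the shell
# variables exported here ($EXT_NIC, $EXT_ADDR) into the rule text.  The
# generated file therefore only knows the external address that was
# current when this script last ran.
#
# Usage: ipf.sh [-C]
#   -C   flush every loaded rule (ipf -Fa) before loading the new set.
#        The flag may also arrive in the IPFRENEW_FLAG environment
#        variable; the command-line argument is used only when that is
#        unset or empty.
#
# Exit status: 1 when no default route or no external address is found,
#              or when the template cannot be expanded.

IPF_TEMPLATE="/etc/ipf.rules.template"
IPF_RULES="/etc/ipf.rules"
VAR_REPLACE="/usr/local/sbin/var-replace.sh"

# The external interface is the one carrying the default route; on
# FreeBSD 4.x "netstat -arn" prints the interface name in column 6.
# Only the first default route is used, so an inet6 default route cannot
# turn EXT_NIC into two words.
EXT_NIC=$(netstat -arn | awk '$1 == "default" { print $6; exit }')
if [ -z "$EXT_NIC" ]; then
  echo "ERROR default gateway NO set !!!" >&2
  exit 1
fi
export EXT_NIC

# First IPv4 address of the external interface.
EXT_ADDR=$(ifconfig "$EXT_NIC" | awk '$1 == "inet" { print $2; exit }')
if [ -z "$EXT_ADDR" ]; then
  echo "ERROR no inet address on $EXT_NIC !!!" >&2
  exit 1
fi
export EXT_ADDR

# Expand the template.  Abort rather than load a half-written rules file.
"$VAR_REPLACE" "$IPF_TEMPLATE" "$IPF_RULES" || {
  echo "ERROR expanding $IPF_TEMPLATE into $IPF_RULES" >&2
  exit 1
}

# Trailer telling the reader where the file really comes from.
{
  echo "#NOTE:"
  echo "#DON'T modify $IPF_RULES for your ipf rules ,Just modify $IPF_TEMPLATE instance !!!"
  echo "#Read /usr/local/sbin/ipf.sh for detail."
  echo "#."
  echo "#Reflashed date:$(date)."
} >>"$IPF_RULES"

# The option comes from the environment first, then from $1.
: "${IPFRENEW_FLAG:=${1:-}}"
case "$IPFRENEW_FLAG" in
  -C)
    # Flush every loaded rule before reloading.
    /sbin/ipf -Fa
    ;;
  *)
    ;;
esac

# -y resyncs IP Filter's in-kernel interface list before the rules are
# loaded, so they bind to the interface's current state.
/sbin/ipf -y -f "$IPF_RULES"
#end /usr/local/sbin/ipf.sh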
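#!/bin/sh
#
# /usr/local/sbin/ipnat.sh - regenerate /etc/ipnat.rules from its template
# and load it into IP Filter's NAT.
#
# The template is expanded by var-replace.sh, which substitutes the shell
# variables exported here ($EXT_NIC, $EXT_ADDR) into the rule text.  The
# generated NAT rules are therefore pinned to the external address that
# was current when this script last ran.
#
# Usage: ipnat.sh [-C]
#   -C   clear the NAT table and flush the NAT rules (ipnat -CF) before
#        loading the new set.  The flag may also arrive in the
#        IPFRENEW_FLAG environment variable; the command-line argument is
#        used only when that is unset or empty.
#
# Exit status: 1 when no default route or no external address is found,
#              or when the template cannot be expanded.

IPNAT_TEMPLATE="/etc/ipnat.rules.template"
IPNAT_RULES="/etc/ipnat.rules"
VAR_REPLACE="/usr/local/sbin/var-replace.sh"

# The external interface is the one carrying the default route; on
# FreeBSD 4.x "netstat -arn" prints the interface name in column 6.
# Only the first default route is used.
EXT_NIC=$(netstat -arn | awk '$1 == "default" { print $6; exit }')
if [ -z "$EXT_NIC" ]; then
  echo "ERROR default gateway NO set !!!" >&2
  exit 1
fi
export EXT_NIC

# First IPv4 address of the external interface.
EXT_ADDR=$(ifconfig "$EXT_NIC" | awk '$1 == "inet" { print $2; exit }')
if [ -z "$EXT_ADDR" ]; then
  echo "ERROR no inet address on $EXT_NIC !!!" >&2
  exit 1
fi
export EXT_ADDR

# Expand the template.  Abort rather than load a half-written rules file.
"$VAR_REPLACE" "$IPNAT_TEMPLATE" "$IPNAT_RULES" || {
  echo "ERROR expanding $IPNAT_TEMPLATE into $IPNAT_RULES" >&2
  exit 1
}

# Trailer telling the reader where the file really comes from.
{
  echo "#NOTE:"
  echo "#DON'T modify $IPNAT_RULES for your ipnat rules ,Just modify $IPNAT_TEMPLATE instance !!!"
  echo "#Read /usr/local/sbin/ipnat.sh for detail."
  echo "#."
  echo "#Reflashed date:$(date)."
} >>"$IPNAT_RULES"

# The option comes from the environment first, then from $1.
: "${IPFRENEW_FLAG:=${1:-}}"
case "$IPFRENEW_FLAG" in
  -C)
    # Drop the active NAT sessions and the loaded NAT rules.
    /sbin/ipnat -CF
    ;;
  *)
    ;;
esac

/sbin/ipnat -f "$IPNAT_RULES"
#end /usr/local/sbin/ipnat.sh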
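#!/bin/sh
#
# ipfrenew - regenerate and reload the IP Filter rules (ipf.sh) and the NAT
# rules (ipnat.sh), then print the NAT rule list and the rule counters.
#
# Usage: ipfrenew [-C | -D]
#   -C      flush rules, state and NAT table before reloading; helper
#           output is hidden.
#   -D      same as -C, but the helpers' output is shown (debugging).
#   (none)  reload without flushing.
# The option may also arrive in the IPFRENEW_FLAG environment variable;
# $1 is used only when that is unset or empty.

IPF_SH="/usr/local/sbin/ipf.sh"
IPNAT_SH="/usr/local/sbin/ipnat.sh"

# Run a helper with its output hidden, but report a non-zero exit on
# stderr so a failure such as "default gateway NO set" is not lost.
run_quiet() {
  "$@" >/dev/null 2>&1 || echo "$1 failed (exit $?)" >&2
}

: "${IPFRENEW_FLAG:=${1:-}}"
case "$IPFRENEW_FLAG" in
  -C)
    run_quiet "$IPF_SH" -C
    run_quiet "$IPNAT_SH" -C
    ;;
  -D)
    echo "Call ipf.sh -C"
    "$IPF_SH" -C
    echo "Call ipnat.sh -C"
    "$IPNAT_SH" -C
    ;;
  *)
    echo "You can use -C option to clear ipfilter status."
    run_quiet "$IPF_SH"
    run_quiet "$IPNAT_SH"
    ;;
esac

# "ipnat -l" prints the loaded NAT rules followed by the active sessions;
# the session lines (containing "<- ->") are filtered out of the listing.
/sbin/ipnat -l | grep -v '<- -> '
echo "List of active sessions have been cutted."
/sbin/ipfstat -if
/sbin/ipfstat -of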
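#!/bin/sh
#
# var-replace.sh - expand shell variables in a template file.
#
# Usage: var-replace.sh <input file> <output file>
#
# Copies <input file> to <output file> and then, for every variable that
# "set" prints as a plain NAME=value line, replaces each occurrence of
# "$NAME" in the output with the value.  Callers pass values in through
# the environment (ipf.sh and ipnat.sh export EXT_NIC and EXT_ADDR).
#
# Values that "set" prints quoted (spaces, special characters, multi-line
# values) are skipped, as they always were.  Because the dump contains
# every variable visible to the script, including the whole environment,
# it is written to a mktemp-created file (mode 0600) and removed on exit.
#
# Exit status: 1 on bad arguments, unreadable input, unwritable output,
#              temp-file failure or a failed substitution.  On a failed
#              substitution the output file keeps the last good content.
#
# this script should load by another script run by /bin/sh.

DEBUG_FLAG=0
if [ -x /usr/bin/logger ]; then
  LOGGER="/usr/bin/logger -s -p user.notice -t dn-ipfilter"
else
  LOGGER=echo
fi
# NOTE(review): this unconditional override makes the logger selection
# above dead code and looks like a debugging leftover; drop it to have
# diagnostics also reach syslog.
LOGGER=echo

# Emit a message only when DEBUG_FLAG is 1.
debug() {
  if [ "$DEBUG_FLAG" -eq 1 ]; then
    $LOGGER "$@"
  fi
}

if [ $# -ne 2 ]; then
  $LOGGER "usage: $0 <input file> <output file>"
  exit 1
fi
INPUT_FILE=$1
OUTPUT_FILE=$2

if [ ! -r "$INPUT_FILE" ]; then
  $LOGGER "ERROR:Can't open input file $INPUT_FILE for read."
  exit 1
fi
debug "open input $INPUT_FILE for read."

# The output is both rewritten (cp) and read back (sed), so it must be
# readable and writable; "touch" creates it when missing.
touch "$OUTPUT_FILE" 2>/dev/null
if [ ! -w "$OUTPUT_FILE" ] || [ ! -r "$OUTPUT_FILE" ]; then
  $LOGGER "ERROR:Can't open output file $OUTPUT_FILE for write."
  exit 1
fi
debug "open output $OUTPUT_FILE for write."

#VAR_DIR="$HOME"
VAR_DIR="/var/run"
VAR_REPLACE_TMP_FILE=
TMP_OUT=
trap 'rm -f "$VAR_REPLACE_TMP_FILE" "$TMP_OUT"' 0
VAR_REPLACE_TMP_FILE=$(mktemp "$VAR_DIR/var-replace.XXXXXX") || {
  $LOGGER "ERROR:Can't create temporary file in $VAR_DIR."
  exit 1
}
TMP_OUT=$(mktemp "$VAR_DIR/tmp_out.XXXXXX") || {
  $LOGGER "ERROR:Can't create temporary file in $VAR_DIR."
  exit 1
}

# Keep only unquoted NAME=value lines of the variable dump.
set | grep "=" | grep -v "'" >"$VAR_REPLACE_TMP_FILE"
if [ ! -r "$VAR_REPLACE_TMP_FILE" ]; then
  $LOGGER "ERROR:Can't open variables list file $VAR_REPLACE_TMP_FILE for read."
  exit 1
fi
debug "open variables list file $VAR_REPLACE_TMP_FILE for read."

cp "$INPUT_FILE" "$OUTPUT_FILE"
while IFS= read -r VAR_ENTRY_LINE; do
  # Split at the first "=" so a value that itself contains "=" survives.
  VAR_NAME=${VAR_ENTRY_LINE%%=*}
  VAR_VAL=${VAR_ENTRY_LINE#*=}
  # Skip anything that is not a plain identifier (continuation lines of
  # multi-line values, odd output) instead of feeding it to sed.
  case $VAR_NAME in
    ''|*[!A-Za-z0-9_]*) continue ;;
  esac
  # Escape what is special on the replacement side of "s=...=...=":
  # backslash, "&" and the "=" delimiter.  Without this a value such as
  # "a=b" breaks the sed command and the output file would be emptied.
  ESC_VAL=$(printf '%s\n' "$VAR_VAL" | sed 's/[\\&=]/\\&/g')
  if ! sed "s=\\\$$VAR_NAME=$ESC_VAL=g" "$OUTPUT_FILE" >"$TMP_OUT"; then
    $LOGGER "ERROR:substitution of \$$VAR_NAME in $OUTPUT_FILE failed."
    exit 1
  fi
  cp "$TMP_OUT" "$OUTPUT_FILE"
done <"$VAR_REPLACE_TMP_FILE"
# Temporary files are removed by the exit trap.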
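#begin of /etc/ipnat.rules.template
# $EXT_NIC and $EXT_ADDR are substituted by var-replace.sh when ipnat.sh
# regenerates /etc/ipnat.rules; they are the external interface and the
# address it had at the moment the script ran.
#
# NOTE(review): every map rule below is pinned to that address.  If the
# ADSL link comes back with a different address, the loaded mappings keep
# translating to the old one until ipnat.sh runs again (ipfrenew -C),
# while the server itself, which uses the new address directly, is not
# affected.  ipnat(5) accepts "-> 0/32" for "the interface's current
# address"; confirm it on this IP Filter version before relying on it, or
# run ipfrenew -C from the PPP link-up hook.
#rdr $EXT_NIC $EXT_ADDR/32 port 80 -> 192.168.0.5 port 80
# For 192.168.0.0/24
# (the rules below actually map the whole 192.168.0.0/16)
# ------------------------------------------------------------
# Use ipfilter FTP proxy for hosts behind NAT doing transfer
# mode active.
# ------------------------------------------------------------
map $EXT_NIC 192.168.0.0/16 -> $EXT_ADDR/32 proxy port ftp ftp/tcp
# -----------------------------------------------------------
# Use ipfilter IKE proxy for ESP packets for hosts behind NAT
# IP Filter 3.4.21 and beyond only.
# -----------------------------------------------------------
map $EXT_NIC 192.168.0.0/16 -> $EXT_ADDR/32 proxy port 500 ipsec/udp
# -----------------------------------------------------------
# Use ipfilter RealAudio proxy for hosts behind NAT
# -----------------------------------------------------------
map $EXT_NIC 192.168.0.0/16 -> $EXT_ADDR/32 proxy port 7070 raudio/tcp
# -----------------------------------------------------------
# Use ipfilter H323 proxy for hosts behind NAT
# -----------------------------------------------------------
map $EXT_NIC 192.168.0.0/16 -> $EXT_ADDR/32 proxy port 1720 h323/tcp
# -----------------------------------------------------------
# Map all internal UDP and TCP traffic to the external IP address
# -----------------------------------------------------------
map $EXT_NIC 192.168.0.0/16 -> $EXT_ADDR/32 portmap tcp/udp 40000:60000
# -----------------------------------------------------------
# Map all other traffic e.g. ICMP to the external IP address
# -----------------------------------------------------------
map $EXT_NIC 192.168.0.0/16 -> $EXT_ADDR/32
#end of /etc/ipnat.rules.template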
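#begin of ipf.rules
#Ipfilter default to PASS.
#$EXT_NIC is the internet connected NIC
#$EXT_ADDR is the internet connected NIC ADDRESS.
# Both are substituted by var-replace.sh when ipf.sh regenerates
# /etc/ipf.rules, so the file reflects the address current at that time.
#
# Group 100 holds the rules for traffic arriving on the external
# interface, group 200 the rules for traffic leaving it.  Nothing here
# mentions the internal interface, so it stays at the default (pass).
pass in on $EXT_NIC all head 100
pass out on $EXT_NIC all head 200
# Drop packets carrying IP options and packets too short to hold a
# complete header.
block in quick all with ipopts group 100
block in quick all with short group 100
# Anti-spoofing: private, loopback and link-local sources must never
# arrive from the Internet.  The 10/8 line used to lack the "block"
# keyword and was not a valid rule.
block in quick on $EXT_NIC from 10.0.0.0/8 to any group 100
block in quick on $EXT_NIC from 192.168.0.0/16 to any group 100
block in quick on $EXT_NIC from 172.16.0.0/12 to any group 100
block in quick on $EXT_NIC from 127.0.0.0/8 to any group 100
block in quick on $EXT_NIC from 169.254.0.0/16 to any group 100
# Services the server offers to the Internet; each new connection is
# logged and tracked in the state table.
pass in log quick on $EXT_NIC proto tcp from any to $EXT_ADDR port = 80 flags S/SA keep state group 100
pass in log quick on $EXT_NIC proto tcp from any to $EXT_ADDR port = 443 flags S/SA keep state group 100
pass in log quick on $EXT_NIC proto tcp from any to $EXT_ADDR port = 25 flags S/SA keep state group 100
pass in log quick on $EXT_NIC proto tcp from any to $EXT_ADDR port = 110 flags S/SA keep state group 100
# Do not answer ident queries; everything else may leave, and its replies
# are admitted through the state table.
block out quick on $EXT_NIC proto tcp/udp from any to any port = 113 group 200
pass out quick on $EXT_NIC all keep state group 200
# Everything else arriving from the Internet is dropped: despite the
# "default to PASS" note above, inbound traffic on $EXT_NIC is
# default-deny.
block in quick on $EXT_NIC all group 100
#block in on $EXT_NIC proto tcp from any to any flags S/SA group 100
#block return-rst in on $EXT_NIC proto tcp from any to any flags S/SA group 100
#block return-icmp-as-dest(port-unr) in on $EXT_NIC proto udp from any to any group 100
#end of ipf.rules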
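#!/bin/sh
#
# ipfrenew - regenerate and reload the IP Filter rules (ipf.sh) and the NAT
# rules (ipnat.sh), then print the NAT rule list and the rule counters.
#
# Usage: ipfrenew [-C | -D]
#   -C      flush rules, state and NAT table before reloading; helper
#           output is hidden.
#   -D      same as -C, but the helpers' output is shown (debugging).
#   (none)  reload without flushing.
# The option may also arrive in the IPFRENEW_FLAG environment variable;
# $1 is used only when that is unset or empty.

IPF_SH="/usr/local/sbin/ipf.sh"
IPNAT_SH="/usr/local/sbin/ipnat.sh"

# Run a helper with its output hidden, but report a non-zero exit on
# stderr so a failure such as "default gateway NO set" is not lost.
run_quiet() {
  "$@" >/dev/null 2>&1 || echo "$1 failed (exit $?)" >&2
}

: "${IPFRENEW_FLAG:=${1:-}}"
case "$IPFRENEW_FLAG" in
  -C)
    run_quiet "$IPF_SH" -C
    run_quiet "$IPNAT_SH" -C
    ;;
  -D)
    echo "Call ipf.sh -C"
    "$IPF_SH" -C
    echo "Call ipnat.sh -C"
    "$IPNAT_SH" -C
    ;;
  *)
    echo "You can use -C option to clear ipfilter status."
    run_quiet "$IPF_SH"
    run_quiet "$IPNAT_SH"
    ;;
esac

# "ipnat -l" prints the loaded NAT rules followed by the active sessions;
# the session lines (containing "<- ->") are filtered out of the listing.
/sbin/ipnat -l | grep -v '<- -> '
echo "List of active sessions have been cutted."
/sbin/ipfstat -if
/sbin/ipfstat -of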
当出现问题后,我执行 ipfrenew -C 可以使客户机恢复正常,但是我该怎样让系统不再出现这个问题呢?