Товарищи, всем добрый вечер, прошу помочь разобраться
Сразу надо попросить прощение за некоторый мусор в конфигепайпы реализованы только для балансировки нагрузки интернет каналов
Есть следующий файл с правилами:
#!/bin/sh.
###start here###
FwCMD="/sbin/ipfw -q"
LanOut="em1"
LanOut2="em2"
LanIn="em0"
LanVPN="tun0"
IpOut="1.1.1.1"
IpOut2="2.2.2.2"
GwOut="1.1.1.2"
IpIn="192.168.0.2"
NetMask="21"
NetIn="192.168.0.0"
${FwCMD} -f flush
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
###deny-icmp-DDOS###
${FwCMD} add deny ip from any to 10.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
#${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut}
${FwCMD} add deny ip from any to 10.0.0/8 in via ${LanOut2}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut2}
#${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut2}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut2}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut2}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut2}
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut2}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut2}
#Следующее правило включено только в one_pass=1
#${FwCMD} add deny tcp from any to ${IpOut} 22,80,10050,10051,3128,3129,3130,10000, 139, 445 via ${LanOut}
#${FwCMD} add deny icmp from any to ${IpOut} via ${LanOut}
#${FwCMD} add 500 deny icmp from any to me in icmptype 5,9,13,14,15,16,17
###IPFW-NAT###
${FwCMD} nat 1 config if ${LanOut} same_ports reset log
${FwCMD} nat 2 config if ${LanOut2} same_ports reset log
${FwCMD} add nat 1 ip4 from any to any via ${LanOut}
${FwCMD} add nat 2 ip4 from any to any via ${LanOut2}
${FwCMD} add allow ip from any to any via ${LanIn}
#${FwCMD} add nat 1 config log if ${LanOut} reset same_ports deny_in \
###Speed###
${FwCMD} pipe 1 config bw 99Mbit/s
${FwCMD} pipe 11 config bw 99Mbit/s
${FwCMD} queue 1 config pipe 1 mask dst-ip 0xffffffff
${FwCMD} queue 2 config pipe 11 mask src-ip 0xffffffff
${FwCMD} add queue 1 ip from any to 192.168.0.0/21 via ${LanOut}
${FwCMD} add queue 2 ip from 192.168.0.0/21 to any via ${LanOut}
###SecondSpeed###
${FwCMD} pipe 2 config bw 9Mbit/s
${FwCMD} pipe 22 config bw 9Mbit/s
${FwCMD} queue 3 config pipe 2 mask dst-ip 0xffffffff
${FwCMD} queue 4 config pipe 22 mask src-ip 0xffffffff
${FwCMD} add queue 3 ip from any to 192.168.0.0/21 via ${LanOut2}
${FwCMD} add queue 4 ip from 192.168.0.0/21 to any via ${LanOut2}
###Gods###
${FwCMD} add allow ip from 192.168.7.224/27 to any
${FwCMD} add allow ip from any to 192.168.7.224/27
###SQUID###
#${FwCMD} add skipto 3000 all from 192.168.7.224/27 to any #exceptions squid
#${FwCMD} add skipto 3000 all from any to 192.168.7.224/27 #exceptions squid
#${FwCMD} add skipto 3000 ip from 192.168.0.0/22 to any #exceptions squid
#${FwCMD} add skipto 3000 ip from any to 192.168.0.0/22 #exceptions squid
${FwCMD} add allow tcp from me to any out via ${LanOut} keep-state uid squid
${FwCMD} add allow tcp from me to any out via ${LanOut2} keep-state uid squid
${FwCMD} add fwd 127.0.0.1,3129 tcp from 192.168.0.0/22 to any 80,8080 via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3129 tcp from 192.168.0.0/22 to any 80,8080 via ${LanOut2}
${FwCMD} add fwd 127.0.0.1,3127 tcp from 192.168.0.0/22 to any 443 via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3127 tcp from 192.168.0.0/22 to any 443 via ${LanOut2}
###OpenVPN###
${FwCMD} add allow ip from any to any via tun0
${FwCMD} add allow ip from any to me 1194
${FwCMD} add allow ip from 192.168.11.0/24 to me
${FwCMD} add allow ip from me to 192.168.11.0/24
###IPsec_l2tp###
${FwCMD} add allow tcp from any to me dst-port 1701 setup keep-state
###All_other_rules#######
###Tcp_connection###
${FwCMD} add allow tcp from any to any established
###ishodyashie paketi###
#${FwCMD} add allow ip from ${IpOut} to any out xmit rl1
###SKYPE###
${FwCMD} add allow ip from any to any 9010 via ${LanOut}
${FwCMD} add allow ip from any 9010 to any via ${LanOut}
###DNS###
${FwCMD} add allow udp from any to any 53 via ${LanOut}
${FwCMD} add allow udp from any 53 to any via ${LanOut}
${FwCMD} add allow tcp from any to any 53 via ${LanOut}
${FwCMD} add allow udp from any to any 53 via ${LanOut2}
${FwCMD} add allow udp from any 53 to any via ${LanOut2}
${FwCMD} add allow tcp from any to any 53 via ${LanOut2}
###NTPd###
${FwCMD} add allow udp from any to any 123 via ${LanOut}
${FwCMD} add allow udp from any to any 123 via ${LanOut2}
###FTP###
${FwCMD} add allow tcp from me 21,20 to any 21, 20 via ${LanOut}
${FwCMD} add allow tcp from any 21, 20 to me 21, 20 via ${LanOut}
###SIP, Messenger and other###
${FwCMD} add allow tcp from any to ${IpOut} 50000-50100 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut2} 50000-50100 via ${LanOut2}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
#${FwCMD} add allow tcp from any to ${IpOut} 80 via ${LanOut}
###SMTP###
${FwCMD} add allow tcp from any to ${IpOut} 25 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut2} 25 via ${LanOut2}
###SSH###
#${FwCMD} add allow tcp from any to ${IpOut} 22 via ${LanOut}
${FwCMD} add pass udp from any 87 to any via ${LanOut}
${FwCMD} add pass udp from any to any 87 via ${LanOut}
${FwCMD} add pass udp from any 87 to any via ${LanOut2}
${FwCMD} add pass udp from any to any 87 via ${LanOut2}
${FwCMD} add pass tcp from any to any 1024 via ${LanOut}
${FwCMD} add pass tcp from any 1024 to any via ${LanOut}
${FwCMD} add pass tcp from any to any 1024 via ${LanOut2}
${FwCMD} add pass tcp from any 1024 to any via ${LanOut2}
###https2###
${FwCMD} add pass tcp from any to any 9443 via ${LanOut}
${FwCMD} add pass tcp from any 9443 to any via ${LanOut}
${FwCMD} add pass tcp from any to any 9443 via ${LanOut2}
${FwCMD} add pass tcp from any 9443 to any via ${LanOut2}
###Jabber###
${FwCMD} add pass tcp from any 8010 to any via ${LanOut}
${FwCMD} add pass tcp from any to any 8010 via ${LanOut}
${FwCMD} add pass tcp from any 8010 to any via ${LanOut2}
${FwCMD} add pass tcp from any to any 8010 via ${LanOut2}
###pop-imap###
${FwCMD} add allow tcp from any to ${IpOut} 143 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut2} 143 via ${LanOut2}
${FwCMD} add allow tcp from ${NetIn}/${NetMask} to ${IpIn} 110 via ${LanIn}
###Na vnutrinniy interface##
${FwCMD} add pass ip from 192.168.0.0/21 to 192.168.0.0/21 via ${LanIn}
#${FwCMD} add allow tcp from any to any via ${LanIn}
${FwCMD} add allow udp from any to any via ${LanIn}
${FwCMD} add allow icmp from any to any via ${LanIn}
${FwCMD} add pass tcp from 192.168.0.0/21 to any 21,49000-65535 keep-state
###Mail, FTP, HTTPS, and other###
${FwCMD} add pass tcp from 192.168.0.0/21 to any http,https,21,9443,3128,21,20,993,465,587,143,110,995,25,15100,2082,8443,443 in via ${LanIn}
${FwCMD} add pass tcp from any http,https,21,9443,3128,993,465,587,143,110,995,25,15100,2082,8443,443 to 192.168.0.0/21 out via ${LanIn}
###ICQ###
${FwCMD} add allow tcp from 192.168.0.0/21 to any 5190 in via ${LanIn}
${FwCMD} add allow tcp from any 5190 to 192.168.0.0/21 out via ${LanIn}
###RDP###
${FwCMD} add pass tcp from any 3389 to any via ${LanIn}
${FwCMD} add pass tcp from any to any 3389 via ${LanIn}
###IBank###
${FwCMD} add allow tcp from 192.168.0.0/21 to any 9091 in via ${LanIn}
${FwCMD} add allow tcp from any 9091 to 192.168.0.0/21 out via ${LanIn}
${FwCMD} add deny ip from any to any
Проблема заключается в том, что диапазон ip адресов из блока ###Gods### перестаёт работать при включении one_pass
Даже при написании явных правил, например allow ip from any 80,443 to any 80,443
интернет не появляется.
Пробовал указывать интерфейс, и даже направления
${FwCMD} add allow ip from 192.168.7.224/27 to any in via ${LanIn}
${FwCMD} add allow ip from any to 192.168.7.224/27 out via ${LanIn}
Но всё равно не работает :(
если добавить allow ip from any to any, то всё начинает работать
Кто может подсказать в чём дело?
Свернуть нити
Пометить прочитанным
Diozan, (Шифрование, SSH, SSL / Linux) 16-Май-18, 09:22 [⋘ | ☳ | ⋙
| ⚟
] [линейный вид] [смотреть все] [раскрыть новое]
, (Проблемы с безопасностью / Linux) -Дек-, 00: [⋘ | ☳ | ⋙
| ⚟
] [линейный вид] [смотреть все]
Создать тему
