Date: Wed, 23 Aug 2006 11:49:57 GMT From: Vadym <vikulin@unitedthinkers.com> To: freebsd-gnats-submit@FreeBSD.org Subject: conf/102429: FreeBSD 6.1+VPN+ipnat+ipf: не работает перенаправление портов (portmapping) Message-ID: <200608231149.k7NBnvKK061645@www.freebsd.org> Resent-Message-ID: <200608231150.k7NBoJ0r007387@freefall.freebsd.org>
>Number: 102429
>Category: conf
>Synopsis: FreeBSD 6.1+VPN+ipnat+ipf: не работает перенаправление портов (portmapping)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 23 11:50:19 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Vadym
>Release: 6.1
>Organization:
United Thinkers
>Environment:
FreeBS.6.1-RELEASE FreeBSD 6/1 -RELEASE #0: Thu Jan 6 07:14:37 UTC 2000 root@FreeBSD.:/usr/src/sys/i386/compile/kernel_08_12_2006 I386
>Description:
Есть FreeBSD в качестве роутера для сети 192.168.0.x.
Одна сетевая смотрит в сеть провайдера (IP сетевой: 192.168.25.135).
Вторая - для локальной сети (IP: 192.168.0.1).
Для доступа к провайдеру создается VPN-канал с 192.168.25.135 на VPN-сервер 192.168.25.1 (PPTP-клиент). NAT работает на ipnat с ipf.
Суть проблемы такая:
не работает перенаправление портов 21 и 80 на адрес локального сервера 192.168.0.5.
>How-To-Repeat:
Исходные данные такие:
При поднятии VPN создается интерфейс tun0 с внешним IP: 195.39.x.x
ifconfig дает такое
__________________________________________________________________________________________________________________
rl0: 192.168.0.1/24 active
rl1: 192.168.25.135/24 active
tun0:195.39.x.x->10.100.101.1
ping на мир - в порядке
rc.conf
__________________________________________________________________________________________________________________
# rc.conf of the router described in this report: rl0 = LAN side, rl1 = provider
# side, tun0 = PPTP VPN. Packet filtering and NAT are done by ipf/ipnat; ipfw,
# natd and pf are all left disabled.
hostname='FreeBS.'
nisdomainname='NO'
dhclient_program='/sbin/dhclient'
dhclient_flags=''
background_dhclient='NO'

# ipfw is off; ipf (below) is the active filter.
firewall_enable='NO'
firewall_script='/etc/rc.firewall'
firewall_type='/etc/firewall.conf'
firewall_quiet='NO'
firewall_logging='NO'
firewall_flags=''
ip_portrange_first='NO'
ip_portrange_last='NO'
ike_enable='NO'
ike_program='/usr/local/sbin/isakmpd'
ike_flags=''
ipsec_enable='NO'
ipsec_file='/etc/ipsec.conf'

# natd is off. The commented-out lines look like an earlier attempt to do the
# port 21 redirect with natd on rl1 before ipnat was used — left as a record.
natd_program='/sbin/natd'
natd_enable='NO'
#natd_interface="rl1"
#natd_flags="-redirect_port tcp 192.168.0.5:21 21"
#natd_flags="-a 192.168.25.1"
#natd_flags="-f /etc/natd.conf"

# Active filter/NAT stack: ipf rules, ipnat rules, ipmon daemonised and logging
# through syslog (-Ds), ipfs keeping the state tables across reboots.
ipfilter_enable='YES'
ipfilter_program='/sbin/ipf'
ipfilter_rules='/etc/ipf.rules'
ipfilter_flags=''
ipnat_enable='YES'
ipnat_program='/sbin/ipnat'
ipnat_rules='/etc/ipnat.rules'
ipnat_flags=''
ipmon_enable='YES'
ipmon_program='/sbin/ipmon'
ipmon_flags='-Ds'
ipfs_enable='YES'
ipfs_program='/sbin/ipfs'
ipfs_flags=''

# pf and its helpers are not used on this box.
pf_enable='NO'
pf_rules='/etc/pf.conf'
pf_program='/sbin/pfctl'
pf_flags=''
pflog_enable='NO'
pflog_logfile='/var/log/pflog'
pflog_program='/sbin/pflogd'
pflog_flags=''
pfsync_enable='NO'
pfsync_syncdev=''
pfsync_ifconfig=''

# TCP/ICMP hardening knobs; dropping and logging ICMP redirects is the sensible
# choice for a router.
tcp_extensions='YES'
log_in_vain='0'
tcp_keepalive='YES'
tcp_drop_synfin='NO'
icmp_drop_redirect='YES'
icmp_log_redirect='YES'

# NOTE(review): tun0 and ng0 are created later by ppp, so they do not exist when
# netif runs at boot; listing them here presumably produces "does not exist"
# noise — 'auto' would avoid that. Verify before changing.
network_interfaces='rl0 rl1 tun0 ng0'
cloned_interfaces=''
sppp_interfaces=''
gif_interfaces='NO'

# ppp is not started from rc (ppp_enable NO), so ppp_nat/ppp_profile below are
# inert; the VPN is presumably brought up by hand with the "vpn" profile.
ppp_enable='NO'
ppp_program='/usr/sbin/ppp'
ppp_mode='auto'
ppp_nat='YES'
ppp_profile='papchap'
ppp_user='root'
hostapd_enable='NO'

# syslogd in secure mode (-s): no remote log messages are accepted.
syslogd_enable='YES'
syslogd_program='/usr/sbin/syslogd'
syslogd_flags='-s'
inetd_enable='NO'
inetd_program='/usr/sbin/inetd'
inetd_flags='-wW -C 60'

#
# named. It may be possible to run named in a sandbox, man security for
# details.
#
named_enable='NO'
named_program='/usr/sbin/named'
#named_flags=""
named_pidfile='/var/run/named/pid'
named_uid='bind'
named_chrootdir='/var/named'
named_chroot_autoupdate='YES'
named_symlink_enable='YES'

# Routing: the static default points at the provider-side gateway (which is
# also the PPTP server); once the VPN is up, ppp.conf's "add default HISADDR"
# presumably replaces it. IP forwarding is on, no dynamic routing daemons.
defaultrouter='192.168.25.1'
static_routes=''
natm_static_routes=''
gateway_enable='YES'
router_enable='NO'
router='/sbin/routed'
router_flags='-q'
mrouted_enable='NO'
mrouted_flags=''
ipxgateway_enable='NO'
ipxrouted_enable='NO'
ipxrouted_flags=''
arpproxy_all='NO'
forward_sourceroute='NO'
accept_sourceroute='NO'

### Miscellaneous network options: ###
icmp_bmcastecho='NO'
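# Define source_rc_confs() only if nothing (normally /etc/defaults/rc.conf)
# has defined it already; the guard variable marks that this copy was used.
if [ -z "${source_rc_confs_defined}" ]; then
source_rc_confs_defined=yes
#######################################
# Source every file named in rc_conf_files, each at most once per call.
# Globals:   rc_conf_files (read; whitespace-separated list of paths)
# Arguments: none
# Outputs:   whatever the sourced files themselves print
# Returns:   status of the last command executed
#######################################
source_rc_confs () {
  local i sourced_files
  for i in ${rc_conf_files}; do
    case "${sourced_files}" in
    *:"$i":*)
      # Listed twice: already read during this call, skip it.
      ;;
    *)
      sourced_files="${sourced_files}:$i:"
      # Quoted so a path with glob characters or IFS bytes reaches the
      # test and the dot command intact instead of being expanded/split.
      if [ -r "$i" ]; then
        . "$i"
      fi
      ;;
    esac
  done
}
fi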
# Static addressing for the two Ethernet ports and loopback: rl0 faces the
# 192.168.0.0/24 LAN, rl1 the provider's 192.168.25.0/24 segment. tun0 gets its
# address from ppp, not from here.
ifconfig_rl0='inet 192.168.0.1 netmask 0xffffff00'
ifconfig_rl1='inet 192.168.25.135 netmask 0xffffff00'
ifconfig_lo0='inet 127.0.0.1'
__________________________________________________________________________________________________________________
ppp.conf
__________________________________________________________________________________________________________________
# NOTE(review): in ppp.conf only the label sits at column 0; the commands under
# it must be indented. The indentation was presumably lost when this was pasted
# into the report — confirm the real file has it.
vpn:
dns enable
# NOTE(review): this enables ppp's own NAT (libalias) on the link, while
# ipnat.rules also maps and redirects on tun0, so traffic is translated twice.
# Keep one of the two — presumably ipnat, since the port redirects live there.
nat enable yes
# The authkey below is now published in a public bug archive: rotate it and
# redact it in any further posts.
set authname nikolay
set authkey 911
set timeout 0
# Address is negotiated with the peer, so the tun0 address is not fixed.
set ifaddr 0 0
add default HISADDR
__________________________________________________________________________________________________________________
ipnat.rules
__________________________________________________________________________________________________________________
# NOTE(review): every rule here is bound to tun0, so the two rdr lines only act
# on packets that arrive on tun0 (the VPN side). The tcpdump in this report shows
# the test client 192.168.0.5 sending its SYN to 195.39.253.24:21 on rl0, i.e.
# from inside the LAN; those packets never reach these rules, and the RST that
# comes back apparently is the router's own stack answering for a port nothing
# listens on. Test the redirect from a host beyond the VPN; reaching the
# forwarded ports from inside the LAN would need a separate rdr (plus map) on
# rl0 — confirm that is actually wanted.
# NOTE(review): ppp.conf uses "set ifaddr 0 0", so the tun0 address is assigned
# by the peer; the literal 195.39.253.24 stops matching if a different address
# is handed out. ipnat accepts 0/32 to mean "the interface's current address".
rdr tun0 195.39.253.24/32 port 21 -> 192.168.0.5 port 21
rdr tun0 195.39.253.24/32 port 80 -> 192.168.0.5 port 80
# The ftp proxy rule is kept ahead of the generic map rules; ipnat presumably
# applies the first map rule that matches outbound traffic.
map tun0 192.168.0.0/24 -> 195.39.253.24/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 195.39.253.24/32 portmap tcp/udp 10000:60000
map tun0 192.168.0.0/24 -> 195.39.253.24/32
__________________________________________________________________________________________________________________
ipf.rules
__________________________________________________________________________________________________________________
# NOTE(review): passing both directions unconditionally means ipf does no
# filtering at all, which at least rules it out as the cause of the redirect
# problem. Neither rule carries "log", so ipmon (-Ds) presumably records
# nothing for this traffic. Once NAT works, replace these with stateful rules
# that limit what may reach the router itself and the redirected hosts.
pass in all
pass out all
__________________________________________________________________________________________________________________
При соединении с ftp-сервера (192.168.0.5) на порт 21
tcpdump на rl0 дает такое:
__________________________________________________________________________________________________________________
08:38:19 3528202 arp who-has 192.168.0.1 tell 192.168.0.5
352829 arp reply 192.168.0.1 is-at 00:02:44:66:05:a1 (oui Unknown)
352925 IP 192.168.0.5.4332 > 195.39.253.24.ftp: S 2706215230:2706215230 (0) win 65535 <mss 1460,nop,nop,sackOk>
352969 IP 195.39.x.x.ftp > 192.168.0.5.4332: R 0:0(0) ack 2706215231 win 0
813373 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535 <mss 1460, nop, nop,sackOk>
813400 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
316291 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535 <mss 1460, nop, nop, sackOk>
316324 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
__________________________________________________________________________________________________________________
Аналогично и для порта 80.
>Fix:
Неизвестно
>Release-Note:
>Audit-Trail:
>Unformatted:
