From: Vadym
To: freebsd-gnats-submit@FreeBSD.org
Date: Wed, 23 Aug 2006 11:49:57 GMT
Subject: conf/102429: FreeBSD 6.1+VPN+ipnat+ipf: port redirection (portmapping) does not work

>Number:         102429
>Category:       conf
>Synopsis:       FreeBSD 6.1+VPN+ipnat+ipf: port redirection (portmapping) does not work
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 23 11:50:19 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Vadym
>Release:        6.1
>Organization:   United Thinkers
>Environment:
FreeBS.6.1-RELEASE FreeBSD 6/1 -RELEASE #0: Thu Jan 6 07:14:37 UTC 2000 root@FreeBSD.:/usr/src/sys/i386/compile/kernel_08_12_2006 I386
>Description:
There is a FreeBSD box acting as the router for the 192.168.0.x network. One NIC faces the provider's network (NIC IP: 192.168.25.135). The second one serves the local network (IP: 192.168.0.1). To reach the provider, a VPN tunnel is set up from 192.168.25.135 to the VPN server 192.168.25.1 (PPTP client). NAT is done with ipnat together with ipf.

The problem is this: redirection of ports 21 and 80 to the local server address 192.168.0.5 does not work.
>How-To-Repeat:
The starting point is as follows. When the VPN comes up, the interface tun0 is created with the external IP 195.39.x.x. ifconfig shows this:
__________________________________________________________________________________________
rl0:  192.168.0.1/24      active
rl1:  192.168.25.135/24   active
tun0: 195.39.x.x->10.100.101.1

Pinging the outside world works.

rc.conf
__________________________________________________________________________________________
hostname=FreeBS.
nisdomainname="NO"
dhclient_program="/sbin/dhclient"
dhclient_flags=""
background_dhclient="NO"
firewall_enable="NO"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/firewall.conf"
firewall_quiet="NO"
firewall_logging="NO"
firewall_flags=""
ip_portrange_first="NO"
ip_portrange_last="NO"
ike_enable="NO"
ike_program="/usr/local/sbin/isakmpd"
ike_flags=""
ipsec_enable="NO"
ipsec_file="/etc/ipsec.conf"
natd_program="/sbin/natd"
natd_enable="NO"
#natd_interface="rl1"
#natd_flags="-redirect_port tcp 192.168.0.5:21 21"
#natd_flags="-a 192.168.25.1"
#natd_flags="-f /etc/natd.conf"
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"
ipfs_enable="YES"
ipfs_program="/sbin/ipfs"
ipfs_flags=""
pf_enable="NO"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="NO"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
pflog_flags=""
pfsync_enable="NO"
pfsync_syncdev=""
pfsync_ifconfig=""
tcp_extensions="YES"
log_in_vain="0"
tcp_keepalive="YES"
tcp_drop_synfin="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
network_interfaces="rl0 rl1 tun0 ng0"
cloned_interfaces=""
sppp_interfaces=""
gif_interfaces="NO"
ppp_enable="NO"
ppp_program="/usr/sbin/ppp"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="papchap"
ppp_user="root"
hostapd_enable="NO"
syslogd_enable="YES"
syslogd_program="/usr/sbin/syslogd"
syslogd_flags="-s"
inetd_enable="NO"
inetd_program="/usr/sbin/inetd"
inetd_flags="-wW -C 60"
#
# named.  It may be possible to run named in a sandbox, man security for
# details.
#
named_enable="NO"
named_program="/usr/sbin/named"
#named_flags=""
named_pidfile="/var/run/named/pid"
named_uid="bind"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"
named_symlink_enable="YES"
defaultrouter=192.168.25.1
static_routes=""
natm_static_routes=""
gateway_enable="YES"
router_enable="NO"
router="/sbin/routed"
router_flags="-q"
mrouted_enable="NO"
mrouted_flags=""
ipxgateway_enable="NO"
ipxrouted_enable="NO"
ipxrouted_flags=""
arpproxy_all="NO"
forward_sourceroute="NO"
accept_sourceroute="NO"
### Miscellaneous network options: ###
icmp_bmcastecho="NO"
if [ -z "${source_rc_confs_defined}" ]; then
        source_rc_confs_defined=yes
        source_rc_confs () {
                local i sourced_files
                for i in ${rc_conf_files}; do
                        case ${sourced_files} in
                        *:$i:*)
                                ;;
                        *)
                                sourced_files="${sourced_files}:$i:"
                                if [ -r $i ]; then
                                        . $i
                                fi
                                ;;
                        esac
                done
        }
fi
ifconfig_rl0="inet 192.168.0.1 netmask 0xffffff00"
ifconfig_rl1="inet 192.168.25.135 netmask 0xffffff00"
ifconfig_lo0="inet 127.0.0.1"
__________________________________________________________________________________________

ppp.conf
__________________________________________________________________________________________
vpn:
 dns enable
 nat enable yes
 set authname nikolay
 set authkey 911
 set timeout 0
 set ifaddr 0 0
 add default HISADDR
__________________________________________________________________________________________

ipnat.rules
__________________________________________________________________________________________
rdr tun0 195.39.253.24/32 port 21 -> 192.168.0.5 port 21
rdr tun0 195.39.253.24/32 port 80 -> 192.168.0.5 port 80
map tun0 192.168.0.0/24 -> 195.39.253.24/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 195.39.253.24/32 portmap tcp/udp 10000:60000
map tun0 192.168.0.0/24 -> 195.39.253.24/32
__________________________________________________________________________________________

ipf.rules
__________________________________________________________________________________________
pass in all
pass out all
__________________________________________________________________________________________

For a connection from the FTP server (192.168.0.5) to port 21, tcpdump on rl0 shows this:
__________________________________________________________________________________________
08:38:19 3528202 arp who-has 192.168.0.1 tell 192.168.0.5
352829 arp replay 192.168.0.1 is-at 00:02:44:66:05:a1 (oi Unknown)
352925 IP 192.168.0.5.4332 > 195.39.253.24.ftp: S 2706215230:2706215230 (0) win 65535
352969 IP 195.39.x.x.ftp: > 192.168.0.5.4332: R 0:0(0) ack 2706215231 win 0
813373 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535
813400 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
316291 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535
316324 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
__________________________________________________________________________________________

The same happens for port 80.
>Fix:
Unknown
>Release-Note:
>Audit-Trail:
>Unformatted:
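The tcpdump excerpt in the report shows the symptom a failed rdr produces: every SYN from the LAN client to the public address on port 21 is answered straight away by a RST from that same address, so no redirected connection is ever set up. The following checker is an added example, not code from the report or from FreeBSD/ipnat. It parses tcpdump summary lines of the form quoted above, pairs each SYN sent to a watched port with the RST that answers it, and counts the pairs per port, so that a capture taken before and after a rule change can be compared mechanically. The helper names (`parse_line`, `find_reset_connections`, `report`) are hypothetical, and the sample capture is constructed to mirror the report's excerpt with cleaned-up timestamps plus one extra attempt that succeeds (SYN answered by SYN/ACK) to show the two cases side by side.

```python
import re
from collections import defaultdict

# Hypothetical helper, added for this example; it is not a FreeBSD or ipnat tool.
# It scans tcpdump summary lines of the form the report quotes:
#   "<timestamp> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
# and pairs each SYN sent to a watched port with a RST that comes straight back
# from the destination, the pattern an unmatched rdr rule produces when the
# gateway's own stack answers instead of the redirected host.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+):?\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+)\s*:\s*"
    r"(?P<flags>[SRPFA.]+)"
)

# Service names tcpdump prints for the two redirected ports in the report.
SERVICE_PORTS = {"ftp": 21, "http": 80}


def port_number(token):
    """Map a tcpdump port token (a number or a known service name) to an int."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)  # None for a service name we do not know


def parse_line(line):
    """Parse one TCP summary line; ARP, other protocols or unknown ports yield None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = port_number(pkt["sport"])
    pkt["dport"] = port_number(pkt["dport"])
    if pkt["sport"] is None or pkt["dport"] is None:
        return None
    return pkt


def find_reset_connections(lines, watched_ports):
    """Count SYNs to each watched port that were answered by a RST.

    Returns {dport: count}. A SYN A:a -> B:b counts as reset when a later
    line shows B:b sending a packet with the R flag back to A:a. A SYN that
    is answered with SYN/ACK (the redirect working) is not counted.
    """
    pending = set()           # (src, sport, dst, dport) of unanswered SYNs
    resets = defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if "S" in pkt["flags"] and pkt["dport"] in watched_ports:
            pending.add(flow)
        elif "R" in pkt["flags"]:
            reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if reverse in pending:
                pending.discard(reverse)
                resets[reverse[3]] += 1
    return dict(resets)


# Constructed sample capture, modelled on the excerpt in the report (not the
# original lines): two reset FTP attempts, one reset HTTP attempt, and one
# HTTP attempt that is answered with SYN/ACK.
SAMPLE_CAPTURE = """\
08:38:19.352820 arp who-has 192.168.0.1 tell 192.168.0.5
08:38:19.352829 arp reply 192.168.0.1 is-at 00:02:44:66:05:a1
08:38:19.352925 IP 192.168.0.5.4332 > 195.39.253.24.ftp: S 2706215230:2706215230(0) win 65535
08:38:19.352969 IP 195.39.253.24.ftp > 192.168.0.5.4332: R 0:0(0) ack 2706215231 win 0
08:38:20.813373 IP 192.168.0.5.4332 > 195.39.253.24.ftp: S 2706215230:2706215230(0) win 65535
08:38:20.813400 IP 195.39.253.24.ftp > 192.168.0.5.4332: R 0:0(0) ack 1 win 0
08:38:25.100000 IP 192.168.0.5.4340 > 195.39.253.24.http: S 1000:1000(0) win 65535
08:38:25.100050 IP 195.39.253.24.http > 192.168.0.5.4340: R 0:0(0) ack 1001 win 0
08:38:30.000000 IP 192.168.0.5.4350 > 195.39.253.24.http: S 2000:2000(0) win 65535
08:38:30.000100 IP 195.39.253.24.http > 192.168.0.5.4350: S 3000:3000(0) ack 2001 win 65535
"""


def report(capture_text, watched_ports=(21, 80)):
    """Return one human-readable summary line per watched port."""
    resets = find_reset_connections(capture_text.splitlines(), set(watched_ports))
    return ["port %d: %d SYN(s) answered by RST" % (p, resets.get(p, 0))
            for p in sorted(watched_ports)]


if __name__ == "__main__":
    for summary in report(SAMPLE_CAPTURE):
        print(summary)
```

Run it over a text dump saved from tcpdump on the LAN interface. A non-zero count for a port means the client's SYN to the public address never reached the redirected host and was refused by whatever owns that address on the gateway; a count of zero with SYN/ACKs in the capture means the redirect is taking effect for that traffic. The checker only recognises SYN/RST pairs, so a SYN that simply gets no answer at all (dropped rather than refused) shows up as zero and has to be read off the capture directly.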