Problem with NATD

Petr Macek pm-conf at kostax.cz
Mon Mar 6 15:45:24 CET 2006


Which version of BSD do you have there?
Last week the same problem appeared on one of my machines. On 10 others
it works this way, on this one it doesn't. I played around with the
firewall, NAT, ... for a long time; nothing is visible in the log, I can
see the request on the outer interface with tcpdump, but no longer on the
inner one. It's probably since the last kernel and world build I did.
I didn't find anything, though, and I didn't go into the sources ...
I have it on 5.3-RELEASE-p26
PM

Pavel Obr wrote:
> Petr Bezděk wrote:
>>> ...
> ...
>> Somewhere around here you have to place a rule that allows the translated
>> packets for port-forwarding.
>>
>> $cmd 395 allow tcp from any to 192.168.3.37 80 in via $pif setup limit src-addr 2
>>
>>> # Reject & Log all unauthorized incoming connections from the public Internet
>>> $cmd 400 deny log all from any to any in via $pif
>>>
>>> # Reject & Log all unauthorized out going connections to the public Internet
>>> $cmd 450 deny log all from any to any out via $pif
>>>
>>> # This is skipto location for outbound stateful rules
>>> $cmd 800 divert natd ip from any to any out via $pif
>>> $cmd 801 allow ip from any to any
>>>
>>> # Everything else is denied by default
>>> # deny and log all packets that fell through to see what they are
>>> $cmd 999 deny log all from any to any
>>> ################ End of IPFW rules file ###############################
>>
>> Functionality can be verified with tcpdump and, if needed, by looking in the
>> log (/var/log/security) for entries matching rule number 400.
>>
>> tcpdump -ns1500 -ixl0 host 192.168.1.10 port 8080
>> tcpdump -ns1500 -irl0 host 192.168.3.37 port 80
>
> Thanks for the advice, and you are probably right, but to avoid problems
> with badly configured firewall rules and to find out whether "reverse NAT"
> works at all, I removed all restrictions and changed
>
> ipfw.rules to:
> _________________________
> #!/bin/sh
> ################ Start of IPFW rules file ###############################
> # Flush out the list before we begin.
> ipfw -q -f flush
> 
> # Set rules command prefix
> cmd="ipfw -q add"
> pif="xl0"     # public interface name of NIC
>               # facing the public Internet
> 
> #################################################################
> # check if packet is inbound and nat address if it is
> #################################################################
> $cmd 014 divert natd ip from any to any in via $pif
> #################################################################
> # Allow the packet through if it has previous been added to the
> # the "dynamic" rules table by a allow keep-state statement.
> #################################################################
> $cmd 015 check-state
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destine for the public Internet.
> #################################################################
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> ################ End of IPFW rules file ###############################
> 
> I also changed the port on which ISS listens in the LAN to 81
>
> natd.conf now looks like this:
>
> redirect_port 192.168.3.37:81 8080
>
>
> And the result is that it still doesn't work.
>
> I'd like to ask... is my reasoning correct that if the firewall is
> configured so that it restricts nothing, then "reverse" NAT should work
> (the kernel is compiled with the option IPFIREWALL_DEFAULT_TO_ACCEPT)?
> So is the error elsewhere?
>
> I also recompiled the kernel to be more "VERBOSE" for logging so I can read something in /var/log/security - but I haven't been able to try that yet.
>
> tcpdump -i xl0 (that is the outer iface) port 8080 prints:
> 15:19:07.732960 IP 192.168.1.3.2361 > hestia.8080: S 2724074282:2724074282(0) win 5840 <mss 1460,sackOK,timestamp 45328324 0,nop,wscale 0> - I admit - I don't know what it means - I'll try to figure it out
>
> tcpdump -i rl0 (that is the inner iface) port 81 prints nothing.
> Outbound NAT works normally, though.
>
> I just want to add that I'm testing the "functionality" from a machine whose address is in the same range as the "outer iface" xl0.
>
> Pavel Obr


-- 
# ---------------
# Petr Macek
# pm at kostax.cz
# icq: 87323239
# www.kostax.cz

# MySQL www client (PHP) ... try it!
# http://the.cz/mywwwatcher
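Added example, not from the thread or from either poster: a small Python check that parses an ipfw rules script and the `redirect_port` lines of a natd.conf, then reports for each redirect whether an inbound SYN can reach the LAN host. The condition it tests is the one Petr Bezděk's rule 395 satisfies: an allow rule for the translated destination (LAN address and port) must be numbered after the inbound `divert natd` rule and before the first inbound or catch-all deny; with no allow and no deny at all, the packet only passes on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT. The sample rulesets and natd lines are constructed from the fragments quoted above (not the posters' complete files); the helper names (`parse_rules`, `parse_redirects`, `check_forward`, `report`) and the verdict strings are my own. The redirect parser accepts both the bare form quoted in the thread and the form with a `tcp`/`udp` keyword.

```python
import re

# Constructed sample inputs, modelled on the fragments quoted in the thread
# (not the posters' complete files). RULES_FULL is the handbook-style set
# with Petr Bezděk's rule 395 added; RULES_MINIMAL is the stripped-down set
# Pavel posted, which relies on IPFIREWALL_DEFAULT_TO_ACCEPT.
NATD_CONF = "redirect_port 192.168.3.37:80 8080\n"

RULES_FULL = r"""
cmd="ipfw -q add"
pif="xl0"
$cmd 014 divert natd ip from any to any in via $pif
$cmd 015 check-state
$cmd 395 allow tcp from any to 192.168.3.37 80 in via $pif setup limit src-addr 2
$cmd 400 deny log all from any to any in via $pif
$cmd 450 deny log all from any to any out via $pif
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
$cmd 999 deny log all from any to any
"""

RULES_MINIMAL = r"""
$cmd 014 divert natd ip from any to any in via $pif
$cmd 015 check-state
$cmd 800 divert natd ip from any to any out via $pif
"""

RULE_RE = re.compile(r"^\$cmd\s+(\d+)\s+(.*?)\s*$")
# Protocol keyword before target:port is optional here, so both the bare
# form from the thread and "redirect_port tcp ..." parse.
REDIRECT_RE = re.compile(r"^redirect_port\s+(?:(?:tcp|udp)\s+)?([\d.]+):(\d+)\s+(\d+)")


def parse_redirects(text):
    """Return (internal_ip, internal_port, external_port) per redirect_port line."""
    found = []
    for line in text.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def parse_rules(text, pif="xl0"):
    """Return [(number, body)] sorted by rule number, with $pif substituted."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).replace("$pif", pif)))
    return sorted(rules)


def check_forward(rules, redirect, pif="xl0"):
    """Classify whether an inbound SYN for one redirect can reach the LAN host.

    Inbound packets are rewritten by the first "divert natd ... in via pif"
    rule, so an allow for the translated destination must sit after that
    divert and before the first inbound (or direction-less) deny.
    Returns one of: "no-divert-in", "allow-before-divert",
    "no-allow-before-deny", "ok-default-accept", "ok".
    """
    ip, port, _ = redirect
    in_via = f"in via {pif}"
    allow_re = re.compile(rf"\bto {re.escape(ip)} {port}\b")  # exact port, not a prefix
    divert_in = allow = deny_in = None
    for num, body in rules:
        if divert_in is None and body.startswith("divert natd") and in_via in body:
            divert_in = num
        elif allow is None and body.startswith("allow") and in_via in body and allow_re.search(body):
            allow = num
        elif deny_in is None and body.startswith("deny") and (
            in_via in body or not re.search(r"\b(in|out)\b", body)
        ):
            deny_in = num
    if divert_in is None:
        return "no-divert-in"
    if allow is None:
        # No explicit allow: passes only when nothing denies it (default-to-accept kernel).
        return "no-allow-before-deny" if deny_in is not None else "ok-default-accept"
    if allow < divert_in:
        # Evaluated before translation, so it never sees the LAN address and is dead.
        return "allow-before-divert"
    if deny_in is not None and deny_in < allow:
        return "no-allow-before-deny"
    return "ok"


def report(rules_text, natd_text, pif="xl0"):
    """Map each redirect_port entry to its verdict."""
    rules = parse_rules(rules_text, pif)
    return {r: check_forward(rules, r, pif) for r in parse_redirects(natd_text)}


if __name__ == "__main__":
    print(report(RULES_FULL, NATD_CONF))
    # Same rules, but natd now points at port 81 while rule 395 still says 80.
    print(report(RULES_FULL, "redirect_port tcp 192.168.3.37:81 8080"))
    print(report(RULES_MINIMAL, NATD_CONF))
```

The second call in the `__main__` block shows the mismatch that arises when the LAN port in natd.conf is changed (as in the thread, from 80 to 81) without updating the allow rule: the allow no longer matches the translated packet and the first inbound deny drops it, which is exactly what rule 400's logging in /var/log/security would show.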



