[FUGSPBR] Struggling with IPFW + NATD
Vitor de Matos Carvalho
listas at softinfo.com.br
Sun Jul 13 18:52:59 BRT 2003
Folks,
I am struggling here with ipfw + natd.
I have two networks here:
10.1.0.0/16
10.2.0.0/16
I need to do NAT for only one network, which is the 10.2.0.0/16 network. For the 10.1.0.0/16 network it is not needed, since its access will be only through the transparent proxy, via squid.
The problem is that I cannot get this to work.
Both networks, 10.1.0.0/16 and 10.2.0.0/16 (despite doing NAT for them), will have to go through the transparent proxy.
Below are my configs:
kernel:
#####################################################################
# NETWORKING OPTIONS
#
# Protocol families:
# Only the INET (Internet) family is officially supported in FreeBSD.
# Source code for the NS (Xerox Network Service) is provided for amusement
# value.
#
options INET # Internet communications protocols
options IPDIVERT # divert sockets
options IPFIREWALL # firewall
options IPFIREWALL_FORWARD # enable transparent proxy support
options IPFIREWALL_VERBOSE # print information about dropped packets
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFILTER # ipfilter support
options IPFILTER_LOG # ipfilter logging
options TCPDEBUG
#
# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
#
options ICMP_BANDLIM
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
Below is the /etc/rc.conf
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
firewall_quiet="YES" # Set to YES to suppress rule display
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="tun0" # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf" # Additional flags for natd.
/etc/natd.conf
interface tun0
dynamic yes
same_ports yes
use_sockets yes
Now on to /etc/rc.firewall
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# NATD
${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}
# natd must also see the packets coming back in on the public interface:
# replies from the Internet are addressed to the public IP, not to ${nadm},
# so the rule above never diverts them (this line replaces a duplicate of it)
${fwcmd} add 50 divert natd all from any to any in via ${myif}
# Transparent proxy
${fwcmd} add 51 fwd 127.0.0.1,3128 tcp from ${nadm} to any 80,81,8080
${fwcmd} add 51 fwd 127.0.0.1,3128 tcp from ${nacad} to any 80,81,8080
# Block communication between the ACAD and ADM networks
# (ipfw needs a protocol keyword before "from"; "ip" was missing here)
${fwcmd} add 90 reset ip from ${acad} to ${adm}
${fwcmd} add 90 reset ip from ${adm} to ${acad}
# Stop RFC1918 nets on the outside interface
# Commented out because it is my private network
${fwcmd} add deny all from any to 10.0.0.0/8 via ${myif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${myif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${myif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${myif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${myif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${myif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${myif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${myif}
# Stop RFC1918 nets on the outside interface
# Commented out because it is my private network
#${fwcmd} add deny all from 10.0.0.0/8 to any via ${myif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${myif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${myif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${myif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${myif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${myif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${myif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${myif}
# Deny fragmented packets
${fwcmd} add deny all from any to any frag
# check state
${fwcmd} add check-state
# FTP to the world
${fwcmd} add pass tcp from ${myip} to any 21 keep-state
${fwcmd} add pass tcp from ${nacad} to any 21 keep-state
${fwcmd} add pass tcp from ${nadm} to any 21 keep-state
# SSH
${fwcmd} add pass tcp from ${nacad} to ${ipacad} 22 keep-state
${fwcmd} add pass tcp from ${nadm} to ${ipadm} 22 keep-state
# My DNS-Server
${fwcmd} add pass udp from ${myip} to ${mydns} 53 keep-state
${fwcmd} add pass udp from ${mydns} 53 to ${myip} keep-state
${fwcmd} add pass udp from ${acad} 53 to ${mydns} keep-state
${fwcmd} add pass udp from ${adm} 53 to ${mydns} keep-state
# HTTP to the server
${fwcmd} add pass tcp from any to ${myip} 80 keep-state
# HTTPS to the world
${fwcmd} add pass tcp from ${myip} to any 443 keep-state
${fwcmd} add pass tcp from ${nacad} to any 443 keep-state
${fwcmd} add pass tcp from ${nadm} to any 443 keep-state
# Allow NTP queries out in the world
# ("{myif}" was missing the "$", which makes ipfw look for a host named "{myif}")
${fwcmd} add pass udp from ${myip} to any 123 out via ${myif} keep-state
# Cvsup
${fwcmd} add pass tcp from ${myip} to any 5999 via ${myif} keep-state
# Allow everything from the ADM network and MYIP to the world
${fwcmd} add 95 pass from ${myip} to any keep-state
${fwcmd} add 95 pass from ${adm} to any keep-state
# PROXY
# ("{myip}" was missing the "$")
${fwcmd} add reset tcp from any to ${myip} 3128
# ICMP IN and OUT
# ("$(nacad}" / "$(nadm}" mixed "(" and "{"; "${ipcad}" was a typo for "${ipacad}")
${fwcmd} add pass icmp from ${myip} to any icmptypes 8 keep-state
${fwcmd} add pass icmp from ${nacad} to ${ipacad} icmptypes 8 keep-state
${fwcmd} add pass icmp from ${nadm} to ${ipadm} icmptypes 8 keep-state
${fwcmd} add reset icmp from any to ${myip} icmptypes 5,8,9,10,12,13,14,15,16,17,18
# Reject broadcasts from the outside interface
${fwcmd} add reset ip from any to 0.0.0.255:0.0.0.255 in via ${myif}
# Set the firewall to closed and log everything that is denied
${fwcmd} add 65534 deny log ip from any to any via tun0
myip = my real IP
nacad = ACAD network
nadm = ADM network
ipacad = IP on the ACAD network
ipadm = IP on the ADM network
if acad = interface of the NIC on the ACAD network
if adm = interface of the NIC on the ADM network
What is wrong with these rules of mine?
Regards,
---------------------------------------------------
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse
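Added example, not the poster's script nor FreeBSD's own rc.firewall: a minimal rule set for the layout described in the message, with natd diverting both directions and the transparent proxy handled before NAT. It assumes tun0 as the public interface (from the rc.conf shown), that ADM is 10.2.0.0/16 (the NATed network), ACAD is 10.1.0.0/16 (proxy only), and squid on 127.0.0.1:3128 (from the fwd rule shown); FWCMD defaults to echo so the rules can be read without root or ipfw.

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumed values (see lead-in):
# tun0 is the public interface, ADM = 10.2.0.0/16 gets NAT, ACAD =
# 10.1.0.0/16 only reaches the web through squid on 127.0.0.1:3128.
# FWCMD defaults to "echo" so the rules can be inspected without root or
# ipfw; on the real box run it with FWCMD=/sbin/ipfw.
: "${FWCMD:=echo}"
myif=tun0
nadm=10.2.0.0/16       # network that gets NAT
nacad=10.1.0.0/16      # network that only gets the transparent proxy
squid=127.0.0.1,3128

gen_rules() {
    $FWCMD -f flush
    $FWCMD add 100 pass all from any to any via lo0
    $FWCMD add 110 deny all from any to 127.0.0.0/8
    $FWCMD add 120 deny ip from 127.0.0.0/8 to any
    # Transparent proxy before NAT: web traffic from both LANs is handed to
    # squid as it comes in on the LAN side, so it never leaves through natd
    $FWCMD add 200 fwd $squid tcp from $nacad to any 80,81,8080 in
    $FWCMD add 210 fwd $squid tcp from $nadm to any 80,81,8080 in
    # natd has to see both directions. Replies from the Internet are
    # addressed to the public IP, not to $nadm, so a single rule of the
    # form "from $nadm to any via $myif" never diverts them back
    $FWCMD add 300 divert natd ip from $nadm to any out via $myif
    $FWCMD add 310 divert natd ip from any to any in via $myif
    # No traffic between the two LANs
    $FWCMD add 400 deny ip from $nacad to $nadm
    $FWCMD add 410 deny ip from $nadm to $nacad
    $FWCMD add 500 check-state
    # Only ADM may open arbitrary outbound connections; "me" covers the
    # gateway itself, which squid needs for its upstream connections
    $FWCMD add 600 pass ip from $nadm to any keep-state
    $FWCMD add 610 pass ip from me to any keep-state
    # ACAD gets nothing else (add DNS etc. here if needed); log the rest
    $FWCMD add 65000 deny log ip from any to any
}

gen_rules
```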