tag-icon tag-icon freebsd

SRV1:FreeBSD 10.3,IP:10.0.0.1,PPPOe ADSL(ppp),ethernetx1:fxp0 SRV2:FreeBSD 10.3,IP:10.0.0.2

[目标]

端口转发: SRV1 [端口:8922] ----> SRV2 [端口:22] SRV [端口:8080] ----> SRV2 [端口:80]

我正在尝试端口转发,并且花了几周的时间来解决这个问题。经过谷歌搜索和论坛搜索后,问题仍然没有解决。

我已经尝试了以上3种方法,但没有效果。当然我正常启动服务。想知道是否无法将端口从 SRV1(以太网 x 1、ADSL PPPOe)转发到 SRV2?请给我建议,非常感谢。

#

[尝试1:ipfw]

/etc/ipfw.规则 #!/bin/sh ipfw -q 刷新

add="ipfw -q add"
WAN="tun0"
LAN="fxp0"
ipfw -q nat 1 config if $WAN reset\
                redirect_port tcp 10.11.11.2:22 8922\
                redirect_port tcp 10.11.11.2:80 8080

# Allow everything within the LAN
$add 10 allow ip from any to any via $LAN
$add 20 allow ip from any to any via lo0
$add 30 allow ip from any to any via ng*

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 nat 1 ip from any to any via $WAN in
$add 101 check-state
$add 200 skipto 10000 tcp from any to any 8922 via $WAN in setup keep-state
$add 203 skipto 10000 tcp from any to any  22 via $WAN in keep-state

# Rules for outgoing traffic - allow everything that is not explicitely denied
$add 1000 deny ip from not me to any 25, 53 via $WAN out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via $WAN out setup keep-state
$add 2010 skipto 10000 udp from any to any via $WAN out keep-state

# Rules for incomming traffic - deny everything that is not explicitely allowed
# vpn mpd5:1723
$add 4999 allow tcp,udp from any to any 47,1723  via $WAN in setup limit src-addr 10
# vpn mpd5:1723
$add 5000 allow tcp from any to any 4, 80, 443, 548,  8822, 8922  via $WAN in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via $WAN
$add 9999 deny udp from any to any via $WAN

$add 10000 nat 1 ip from any to any via $WAN out
$add 65534 allow ip from any to any

[尝试2:pf]

/etc/pf.conf

#對外的網路卡
ext_if = "tun0"

#對內的網路卡
int_if = "fxp0"
ext_ip = "xxx.xxx.xxx.xxx"

# PIMA(DMZ後面的server)
INT_SRV1 = "10.0.0.1"
INT_SRV2 = "10.0.0.2"

# --- ftp services ---
SSH_PORT1 = "{ 8922 }"
WWW_PORT1 = "{ 8080 }"
open_services = "{22, 47, 1723, 54, 80, 443}"

# Port forwarding to internal Server
rdr_port_to_pima =  "{8922 8080}"

#Private IP
priv_nets = "{ 127.0.0.0/8, 10.11.11.0/27}"

# --- hosts with internet access ---
table <allowed> { 127.0.0.0/8, 10.11.11.0/27}

# options
#設定拒絕連線封包的處理方式
set block-policy return
set optimization aggressive
#紀錄 $ext_if
set loginterface $ext_if
set loginterface $int_if
# scrub
scrub in all

#NAT
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ext_ip
rdr pass on $ext_if proto tcp from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr on $ext_if proto tcp from any to $ext_ip/32 port 21 -> $INT_SRV1 port 21    #outside to FTP

rdr pass on $ext_if proto { tcp udp } from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr pass on $ext_if proto { tcp udp } from any to $ext_ip/32 port $WWW_PORT1 -> $INT_SRV1 port 80

antispoof log quick for $ext_if


#open loopback
pass quick on lo0 all

pass in on $int_if inet proto tcp from any to any port $open_services flags S/SA keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

block drop in quick on $ext_if from <ssh-bruteforce>
block return-icmp(net-unr) in quick on $ext_if proto udp all

[尝试3:ipnat]

# /etc/ipnat.rules

map tun0 10.11.11.0/27 -> 0.0.0.0/32 portmap tcp/udp 8000:65000
map tun0 10.11.11.0/27 -> 0.0.0.0/32

rdr tun0 106.104.138.251/32 port 8922 -> 10.11.11.2 port 22

相关内容