How to forward traffic using an alternate ipfw routing table (FIB)


I have been trying to put a reverse proxy in front of our company infrastructure. We have 2 ISP fibre lines.

  • tun0 - interface of the first ISP; outgoing packets should use fib=0, gateway ip xxxx
  • vr1 - interface of the second ISP; outgoing packets should use fib=1, gateway ip yyyy
  • vr0 - local network interface, gateway ip 192.168.0.1

The second provider's interface is configured through ipfw.

The ipfw configuration looks like this:

ipfw -f -q flush

ipfw nat 1 config if vr1 deny_in same_ports reset redirect_port tcp 192.168.0.3:80 80
ipfw add 00010 check-state :default
ipfw add 00020 setfib 1 log logamount 200 tag 2 ip from any to any tagged 1 keep-state :default
ipfw add 00050 nat 1 log logamount 200 tag 1 ip from any to any via vr1

ipfw add 00100 allow ip from any to any via lo0
ipfw add 00200 deny ip from any to 127.0.0.0/8
ipfw add 00300 deny ip from 127.0.0.0/8 to any
ipfw add 00400 deny ip from any to ::1
ipfw add 00500 deny ip from ::1 to any
ipfw add 00600 allow ipv6-icmp from :: to ff02::/16
ipfw add 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
ipfw add 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw add 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
ipfw add 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
ipfw add 65000 allow ip from any to any

So it translates traffic arriving on port 80 of the vr1 interface to the web server on the local network, and sets fib=1 for packets coming from the second provider. The log looks like this:

Feb 13 10:37:34 gateway kernel: ipfw: 50 Nat TCP 146.185.157.19:36346 84.204.61.126:80 in via vr1
Feb 13 10:37:34 gateway kernel: ipfw: 20 SetFib 1 TCP 146.185.157.19:36346 192.168.0.3:80 out via vr0
Feb 13 10:37:34 gateway kernel: ipfw: 20 SetFib 1 TCP 192.168.0.3:80 146.185.157.19:36346 in via vr0
Feb 13 10:37:34 gateway kernel: ipfw: 20 SetFib 1 TCP 192.168.0.3:80 146.185.157.19:36346 out via vr1
Feb 13 10:37:34 gateway kernel: ipfw: 50 Nat TCP 192.168.0.3:80 146.185.157.19:36346 out via vr1

What I need is to steer that traffic to 127.0.0.1:8088 or 192.168.0.1:8088 so that it reaches the reverse proxy.

What I did was:

ipfw -f -q flush

ipfw add 00005 setfib 1 log logamount 200 all from any to any via vr1 keep-state
ipfw add 00010 fwd localhost,8088 log logamount 200 all from any to me 80 in via vr1
ipfw add 00015 allow ip from any to any

At first glance it works, but when I look at the log I see

Log:

Feb 13 11:21:18 gateway kernel: ipfw: 5 SetFib 1 TCP 146.185.157.19:55774 84.204.61.126:80 in via vr1
Feb 13 11:21:18 gateway kernel: ipfw: 10 Forward to [::1]:8088 TCP 146.185.157.19:55774 84.204.61.126:80 in via vr1
Feb 13 11:21:18 gateway kernel: ipfw: 5 SetFib 1 TCP 84.204.61.126:80 146.185.157.19:55774 out via tun0

So it goes out via tun0. Nothing goes out via vr1. Not good. I would like to know how to tell ipfw to send the traffic back out vr1, the interface it came in on. setfib does not seem to work. I do not have much experience tuning firewalls and I am completely stuck. I have no idea. Maybe I should use nat to 192.168.0.1. I tried that too, to no avail. It looks like this:

ipfw nat 1 config if vr1 deny_in same_ports reset redirect_port tcp 192.168.0.1:8088 80
ipfw add 00010 check-state :MEGAFON_INBOUND
ipfw add 00020 setfib 1 log logamount 200 ip from any to any tagged 1 keep-state :MEGAFON_INBOUND
ipfw add 00050 nat 1 log logamount 200 tag 1 ip from any to any via vr1
ipfw add 00060 allow ip from any to any

Log:

ipfw: 50 Nat TCP 146.185.157.19:51022 84.204.61.126:80 in via vr1

That is all there is. What am I doing wrong? I do not even know whether I should be using nat, fwd or divert. Any hint would be greatly appreciated.

Answer 1

Well, here is what I ended up with after some headache

#!/bin/sh

ipfw -f -q flush

ISP1_IF="tun0"
ISP2_IF="vr1"
LAN_IF="vr0"

REDIRECT_PORTS_ISP1="redirect_port tcp 127.0.0.1:8088 80
        redirect_port tcp 192.168.0.3:443 443
        redirect_port tcp 192.168.0.4:25 25
        redirect_port tcp 192.168.0.4:587 587
        redirect_port tcp 192.168.0.4:465 465
        redirect_port tcp 192.168.0.4:143 143
        redirect_port tcp 192.168.0.4:993 993
        redirect_port tcp 192.168.0.4:110 110
        redirect_port tcp 192.168.0.11:8008 8008
        redirect_port tcp 192.168.0.11:8448 8448
        redirect_port tcp 192.168.0.5:3000 55000"

REDIRECT_PORTS_ISP2="redirect_port tcp 127.0.0.1:8089 80
        redirect_port tcp 192.168.0.3:443 443
        redirect_port tcp 192.168.0.4:25 25
        redirect_port tcp 192.168.0.4:587 587
        redirect_port tcp 192.168.0.4:465 465
        redirect_port tcp 192.168.0.4:143 143
        redirect_port tcp 192.168.0.4:993 993
        redirect_port tcp 192.168.0.4:110 110
        redirect_port tcp 192.168.0.11:8008 8008
        redirect_port tcp 192.168.0.11:8448 8448
        redirect_port tcp 192.168.0.5:3000 55000"

ipfw nat 1 config if ${ISP1_IF} deny_in reset same_ports ${REDIRECT_PORTS_ISP1}
ipfw nat 2 config if ${ISP2_IF} deny_in reset same_ports ${REDIRECT_PORTS_ISP2}

ipfw add 00300 check-state :isp1
ipfw add 00400 check-state :isp2

ipfw add 00500 set 1 skipto 02000 all from any to any in recv ${LAN_IF}
ipfw add 00500 set 2 skipto 03000 all from any to any in recv ${LAN_IF}

ipfw add 01000 skipto 02000 all from any to any in recv ${ISP1_IF}
ipfw add 01100 skipto 03000 all from any to any in recv ${ISP2_IF}
ipfw add 01200 skipto 02000 all from any to any out xmit ${ISP1_IF}
ipfw add 01300 skipto 03000 all from any to any out xmit ${ISP2_IF}
ipfw add 01400 skipto 04000 all from any to any 

# 2000 - 2999 : isp1
# nat
ipfw add 02000 nat 1 all from any to any in recv ${ISP1_IF}
ipfw add 02100 skipto 02200 all from any to any keep-state :isp1
ipfw add 02200 setfib 0 all from any to any in recv ${LAN_IF}
ipfw add 02300 setfib 0 all from 127.0.0.1 to any out
# nat
ipfw add 02400 nat 1 all from any to any out xmit ${ISP1_IF}
ipfw add 02500 skipto 04000 all from any to any out xmit ${ISP1_IF}
# nat
ipfw add 02600 nat 1 all from 127.0.0.1 to any out
ipfw add 02999 skipto 04000 all from any to any

# 3000 - 3999 : isp2
# nat
ipfw add 03000 nat 2 all from any to any in recv ${ISP2_IF}
ipfw add 03100 skipto 03200 all from any to any keep-state :isp2
ipfw add 03200 setfib 1 all from any to any in recv ${LAN_IF}
ipfw add 03300 setfib 1 all from 127.0.0.1 to any
# nat
ipfw add 03400 nat 2 all from any to any out xmit ${ISP2_IF}
ipfw add 03500 skipto 04000 all from any to any out xmit ${ISP2_IF}
# nat
ipfw add 03600 nat 2 all from 127.0.0.1 to any out
ipfw add 03999 skipto 04000 all from any to any

ipfw add 60000 allow all from any to 127.0.0.1 8088
ipfw add 60000 allow all from any to 127.0.0.1 8089

ipfw add 61000 allow ip from any to any via lo0
ipfw add 61010 deny ip from any to 127.0.0.0/8
ipfw add 61020 deny ip from 127.0.0.0/8 to any
ipfw add 61030 deny ip from any to ::1
ipfw add 61040 deny ip from ::1 to any
ipfw add 61050 allow ipv6-icmp from :: to ff02::/16
ipfw add 61060 allow ipv6-icmp from fe80::/10 to fe80::/10
ipfw add 61070 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw add 61080 allow ipv6-icmp from any to any ip6 icmp6types 1
ipfw add 61090 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
ipfw add 65000 allow ip from any to any

/etc/sysctl.conf:

net.inet.ip.fw.one_pass=0

I also need to run two traefik instances

setfib 0 traefik

on port 8088

setfib 1 traefik

on port 8089

because when the ppp daemon goes down (on interface tun0), traffic from both providers stops

When I switch to the other provider I also change the fib for dnsmasq

To switch to the second provider I do

ipfw set disable 1
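Both the fwd attempt in the question (rule 10 forwards to [::1]:8088, but the reply leaves via tun0) and the two-FIB ruleset in the answer come down to one check: does the reply leave on the interface the request arrived on? The script below is an added example, not code from the question or the answer. It reads ipfw log lines and reports every flow whose reply path differs from its arrival path, so a broken setfib shows up as a one-line finding instead of having to be spotted by eye. The log lines embedded in it are constructed copies of the ones shown in the question; the interface names tun0, vr1 and vr0 are the question's, and the optional interface filter is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag asymmetric return paths in
# ipfw log output, i.e. a flow that entered on one ISP interface but whose
# replies leave on another. Requires net.inet.ip.fw.verbose=1 and "log" on
# the rules you want to see; on FreeBSD the lines land in /var/log/security.

# Constructed sample, copied from the logs shown in the question.
SAMPLE_LOG='Feb 13 10:37:34 gateway kernel: ipfw: 50 Nat TCP 146.185.157.19:36346 84.204.61.126:80 in via vr1
Feb 13 10:37:34 gateway kernel: ipfw: 20 SetFib 1 TCP 146.185.157.19:36346 192.168.0.3:80 out via vr0
Feb 13 10:37:34 gateway kernel: ipfw: 20 SetFib 1 TCP 192.168.0.3:80 146.185.157.19:36346 in via vr0
Feb 13 10:37:34 gateway kernel: ipfw: 20 SetFib 1 TCP 192.168.0.3:80 146.185.157.19:36346 out via vr1
Feb 13 10:37:34 gateway kernel: ipfw: 50 Nat TCP 192.168.0.3:80 146.185.157.19:36346 out via vr1
Feb 13 11:21:18 gateway kernel: ipfw: 5 SetFib 1 TCP 146.185.157.19:55774 84.204.61.126:80 in via vr1
Feb 13 11:21:18 gateway kernel: ipfw: 10 Forward to [::1]:8088 TCP 146.185.157.19:55774 84.204.61.126:80 in via vr1
Feb 13 11:21:18 gateway kernel: ipfw: 5 SetFib 1 TCP 84.204.61.126:80 146.185.157.19:55774 out via tun0'

# asymmetric_flows [IFACE ...]
# Reads ipfw log lines on stdin. For every "in via X" line it remembers the
# client socket (the source) and the ingress interface; for every "out via Y"
# line it looks up the client socket (now the destination) and reports the flow
# once if Y differs from X. With interface arguments, only "in" lines on those
# interfaces are tracked, which keeps LAN-side hops (vr0) out of the picture.
# Output: "<client-ip:port> in=<ifname> out=<ifname>", one line per flow.
asymmetric_flows() {
    awk -v isp_ifs="$*" '
    BEGIN {
        n = split(isp_ifs, a, " ")
        for (i = 1; i <= n; i++) want[a[i]] = 1
    }
    # Rule-specific words (Nat, SetFib 1, Forward to ...) sit in the middle of
    # the line, but every log line ends with: <src> <dst> in|out via <ifname>.
    /ipfw:/ && NF >= 7 {
        ifn = $NF
        dir = $(NF-2)
        if (dir == "in") {
            client = $(NF-4)
            if (isp_ifs != "" && !(ifn in want)) next
            if (!(client in inif)) inif[client] = ifn
        } else if (dir == "out") {
            client = $(NF-3)
            if ((client in inif) && inif[client] != ifn && !(client in seen)) {
                seen[client] = 1
                print client, "in=" inif[client], "out=" ifn
            }
        }
    }'
}

# Run against the embedded sample; only the 11:21 flow (vr1 in, tun0 out) is
# reported, the NATed 10:37 flow returns through vr1 and is silent.
printf '%s\n' "$SAMPLE_LOG" | asymmetric_flows tun0 vr1
```

On a live gateway, pipe the security log through the function, e.g. `grep 'ipfw:' /var/log/security | asymmetric_flows tun0 vr1`; an empty result means every tracked flow left on the interface it arrived on, which is exactly the condition the answer's setfib 0 / setfib 1 split is meant to guarantee.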
