Multi-homed firewall with ipnat

I am trying (without success) to configure an ipnat/ipf box under FreeBSD 8.2 for the following scenario:

outside                                  inside
                              +----+
ADSL 1.2.3.0/29 -------(re0)- |    | -(re2)-- 172.16.16.0/254  DMZ
                              |    | 
HDSL 101.102.103.0/29 -(re1)- |    | -(re3)-- 192.168.10.0/254 LAN
                              +----+

So far I only have the ADSL; I am able to browse from the LAN and redirect incoming requests to various services in the DMZ.

The box's default gateway is 1.2.3.4, and all the assigned IP addresses are aliased on the corresponding interfaces.

This is my ipnat.conf:

# -------------------------------
# navigation from inside 
map re0 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
map re0 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 11000:39999
map re0 192.168.10.0/24 -> 1.2.3.4/32

map re0 172.16.16.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
map re0 172.16.16.0/24 -> 1.2.3.4/32 portmap tcp/udp 40000:59999
map re0 172.16.16.0/24 -> 1.2.3.4/32

# some services
rdr re0 1.2.3.2/32 port 80   -> 172.16.16.100  port   80 tcp/udp
rdr re0 1.2.3.3/32 port 25   -> 172.16.16.200  port   25 tcp/udp
rdr re0 1.2.3.3/32 port 110  -> 172.16.16.200  port  110 tcp/udp
rdr re0 1.2.3.5/32 port 3389 -> 192.168.10.10  port 3389 tcp/udp
# -------------------------------

Now I want to configure the box so that some services can be reached through the new HDSL connection, for example:

# -------------------------------
# navigation from inside 
map re0 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
map re0 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 11000:39999
map re0 192.168.10.0/24 -> 1.2.3.4/32

map re0 172.16.16.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
map re0 172.16.16.0/24 -> 1.2.3.4/32 portmap tcp/udp 40000:59999
map re0 172.16.16.0/24 -> 1.2.3.4/32

# some services via ADSL and some via HDSL
rdr re0 1.2.3.2/32         port 80   -> 172.16.16.100  port   80 tcp/udp
rdr re1 101.102.103.103/32 port 25   -> 172.16.16.200  port   25 tcp/udp
rdr re1 101.102.103.103/32 port 110  -> 172.16.16.200  port  110 tcp/udp
rdr re0 1.2.3.5/32         port 3389 -> 192.168.10.10  port 3389 tcp/udp
# -------------------------------

but I cannot set it up the way I want... incoming packets are routed to the right destination, but the replies go somewhere else. I have also tried with map and bimap, with the same result (if not worse ;-) ...).

Sorry for the long post, and many thanks to anyone who can help!

Answer 1

While I can't say exactly how you'd do this with FreeBSD (since I have never used it seriously), I think you should spend some time reading the pf man page, paying attention to the routing section, particularly these two parts:

route-to
       The route-to option routes the packet to the specified interface
       with an optional address for the next hop.  When a route-to rule
       creates state, only packets that pass in the same direction as the
       filter rule specifies will be routed in this way.  Packets passing
       in the opposite direction (replies) are not affected and are routed
       normally.

reply-to
       The reply-to option is similar to route-to, but routes packets that
       pass in the opposite direction (replies) to the specified interface.
       Opposite direction is only defined in the context of a state
       entry, and reply-to is useful only in rules that create state.  It
       can be used on systems with multiple external connections to route
       all outgoing packets of a connection through the interface the
       incoming connection arrived through (symmetric routing enforcement).
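
The following pf.conf applies the two options quoted above to the exact topology in the question. It is an added example, not part of the answer and not the asker's configuration: it replaces the ipnat rules with pf's nat/rdr (FreeBSD 8.2 ships the OpenBSD 4.1-era pf syntax, so translation and filtering are separate rule sets), covers TCP only, and the two next-hop addresses 1.2.3.1 and 101.102.103.1 are assumed, since the question does not state the ISP routers. The key lines are the inbound HDSL rule with reply-to, which pins the SMTP/POP replies to re1, and the route-to rule that sends connections the mail server opens itself out through re1 as well, so that traffic sourced from 101.102.103.103 never leaves through the ADSL.

```pf
# pf.conf for the re0 (ADSL) / re1 (HDSL) / re2 (DMZ) / re3 (LAN) box.
# Interface names and public/private addresses are from the question;
# the two gateway addresses are ASSUMED and must be replaced.
ext_adsl = "re0"
ext_hdsl = "re1"
dmz_if   = "re2"
lan_if   = "re3"
adsl_ip  = "1.2.3.4"
hdsl_ip  = "101.102.103.103"
adsl_gw  = "1.2.3.1"          # ASSUMED: ADSL router, next hop on re0
hdsl_gw  = "101.102.103.1"    # ASSUMED: HDSL router, next hop on re1
dmz_net  = "172.16.16.0/24"
lan_net  = "192.168.10.0/24"
www      = "172.16.16.100"
mail     = "172.16.16.200"
rdp      = "192.168.10.10"

table <inside> { 172.16.16.0/24, 192.168.10.0/24 }

set skip on lo0
scrub in all

# --- translation (nat/rdr are evaluated before the filter rules) ---
# everything inside leaves via the ADSL address and the default route
nat on $ext_adsl from { $lan_net, $dmz_net } to any -> $adsl_ip
# the mail server leaves via the HDSL address when its packets exit re1
nat on $ext_hdsl from $mail to any -> $hdsl_ip

rdr on $ext_adsl proto tcp from any to 1.2.3.2  port 80   -> $www
rdr on $ext_hdsl proto tcp from any to $hdsl_ip port 25   -> $mail
rdr on $ext_hdsl proto tcp from any to $hdsl_ip port 110  -> $mail
rdr on $ext_adsl proto tcp from any to 1.2.3.5  port 3389 -> $rdp

# --- filtering (last matching rule wins unless "quick") ---
block log all
pass out keep state

# inside networks may initiate anything; replies follow the default route
pass in on $lan_if from $lan_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state

# connections the mail server opens itself go out re1, not the default
# route, so they are sourced from the HDSL address (see the nat on re1)
pass in on $dmz_if route-to ($ext_hdsl $hdsl_gw) proto tcp \
    from $mail to !<inside> keep state

# services published on the ADSL: state is created on re0, replies
# are routed normally, i.e. back out re0 via the default route
pass in on $ext_adsl proto tcp from any to $www port 80   flags S/SA keep state
pass in on $ext_adsl proto tcp from any to $rdp port 3389 flags S/SA keep state

# services published on the HDSL: the filter sees the post-rdr address
# ($mail).  reply-to forces every reply of this state back out re1 via
# the HDSL router instead of the default route on re0.
pass in on $ext_hdsl reply-to ($ext_hdsl $hdsl_gw) proto tcp \
    from any to $mail port { 25, 110 } flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, enable pf with `pf_enable="YES"` and `pf_rules="/etc/pf.conf"` in /etc/rc.conf, and do not leave ipnat active on the same box while pf is translating, or both will rewrite the same packets. To confirm the symmetric path, open a connection to 101.102.103.103:25 from outside and watch `tcpdump -ni re1 port 25`: both directions must appear on re1, and `pfctl -ss` should show the state with the 172.16.16.200 address behind the HDSL one. The same reply-to construction works for any further service you move to the HDSL; only the rdr and the matching pass rule change.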
