FreeBSD dual-NIC NAT + firewall + internal port forwarding experiment

Published: 2015-09-06 11:33  Editor: admin

Two machines and a switch: one FreeBSD 6.1 box with two NICs (rl0 faces the external network and gets its address by DHCP, 172.168.0.110; rl1 faces the internal network, rl1="inet 192.168.1.1 netmask 255.255.255.0"), and one Windows XP box with IP 192.168.1.8 and gateway 192.168.1.1.

Building a NAT gateway and firewall on FreeBSD starts with rebuilding the kernel.

Log in as root and do the following:

# cd /usr/src/sys/i386/conf
# cp GENERIC /root/MYKERNEL
# ln -s /root/MYKERNEL
# ee MYKERNEL
Edit the MYKERNEL configuration file and add the following lines:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
Build and install the new kernel, then reboot:
# cd /usr/src
# make buildkernel KERNCONF=MYKERNEL
# make installkernel KERNCONF=MYKERNEL
# reboot
Edit /etc/rc.conf:
ifconfig_rl0="DHCP"
hostname="localhost"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
inetd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshd_enable="YES"
Enable IP forwarding by adding the following line to /etc/sysctl.conf:
net.inet.ip.forwarding=1
The simplest pf configuration for shared Internet access. Edit /etc/pf.conf:
ee /etc/pf.conf
and add:
wan_if="rl0"
lan_if="rl1"
inter_net="192.168.1.1/24"
web_server="192.168.1.8"
ftp_server="192.168.1.8"
scrub in all
nat on $wan_if from $inter_net to any -> rl0
rdr on rl0 proto tcp from any to any port 80 -> 192.168.1.8    # forward port 80 to 192.168.1.8
rdr on rl1 proto tcp from $lan_if to any port 80 -> $lan_if port 80

rdr on rl1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on rl0 proto tcp from any to $wan_if port 80 -> $web_server port 8080
#rdr on rl1 proto tcp from $lan_if to $wan_if port 80 -> $web_server port 8080

rdr on $wan_if proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $wan_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535

# in on $wan_if
pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state

# out on $lan_if
pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state

# Disable dangerous ports
#Danger_Port="{445 135 139 593 5554 9995 9996}"
#block quick on $wan_if inet proto tcp from any to any port $Danger_Port
pass in all
pass out all

reboot
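The ruleset above closes with "pass in all" and "pass out all", and the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so anything not caught by an rdr rule simply passes; the gateway forwards and translates but does not really filter. As an added example (not from the original post), here is the same two-NIC layout rewritten with a default-deny policy, the rdr scoped to the WAN address with ($wan_if) rather than "to any", and only the web forward kept (the FTP rules are omitted for brevity); interface names and addresses follow the post.

```pf
# Added example, not from the original post: the same two-NIC layout with a
# default-deny ruleset instead of the post's closing "pass in all / pass out all".
# Interface names and addresses follow the post; the FTP rules are left out.
wan_if="rl0"
lan_if="rl1"
inter_net="192.168.1.0/24"
web_server="192.168.1.8"

set skip on lo0
scrub in all

# NAT the LAN out through whatever address rl0 currently holds from DHCP
nat on $wan_if from $inter_net to any -> ($wan_if)

# Redirect only connections aimed at the WAN address itself, not "to any"
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_server port 80

# Default deny, logged to pflog0; every rule below is an explicit exception
block in log all
block out log all

# Drop packets arriving on an interface that cannot legitimately carry their source
antispoof quick for { $wan_if, $lan_if }

# DHCP replies for dhclient on the WAN side
pass in quick on $wan_if inet proto udp from any port 67 to any port 68

# Management: SSH to the gateway from the LAN only
pass in quick on $lan_if proto tcp from $inter_net to $lan_if port 22 keep state

# LAN hosts may initiate anything outbound; replies return via the state entry
pass in quick on $lan_if from $inter_net to any keep state

# Traffic the gateway itself sends, or forwards after a matching "pass in"
pass out quick on { $wan_if, $lan_if } from any to any keep state

# The one service exposed to the Internet: the redirected IIS port
pass in quick on $wan_if proto tcp from any to $web_server port 80 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for the logged blocks while testing from the XP box.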

Configure the IP settings on the XP machine:

IP: 192.168.1.8

Subnet mask: 255.255.255.0

Gateway: 192.168.1.1

DNS: 221.228.255.1

The XP machine can now reach the Internet; NET OK~

IIS is listening on port 80 of the XP machine, and browsing to 172.168.0.110 shows the IIS page served by 192.168.1.8:80, so the port forwarding is OK~

With that, the experiment is a success~~~

2007-01-30 10:10

角落男孩

 
