
ipf + ipnat + squid нет пинга у клиентов, а интернет есть  


ipnat.rules

# ipnat.rules -- NAT for the WAN interface ng0.
# Each LAN /24 gets a pair of map rules: the first ("portmap tcp/udp auto")
# rewrites TCP/UDP source ports, the second catches everything else (ICMP, ...)
# so that ping from clients is translated too.
#
# NOTE(review): every map translates to 192.168.188.2/32, the same private
# address squid and unbound bind on the LAN side in this thread. If ng0 really
# carries the (redacted) 83.221.* address seen in ipf.rules/unbound.conf,
# translated packets leave with a private source and replies cannot return --
# which matches "no ping, but internet through the proxy works" (the proxy's
# own traffic originates on the gateway and needs no NAT). Confirm; "-> 0/32"
# tells ipnat to use the interface's own address instead of a fixed one.
map ng0 192.168.188.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.188.0/24 -> 192.168.188.2/32

map ng0 192.168.189.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.189.0/24 -> 192.168.188.2/32

map ng0 192.168.190.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.190.0/24 -> 192.168.188.2/32

map ng0 192.168.191.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.191.0/24 -> 192.168.188.2/32

map ng0 192.168.192.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.192.0/24 -> 192.168.188.2/32

###############################################################
# NOTE(review): as I read ipnat(5), the address before "->" in an rdr rule is
# the *destination* being matched and a port is written "port N ... [tcp|udp]";
# a bare "3128" is not the documented form, and matching packets that arrive on
# the WAN interface addressed *to* the LAN /24s is not a proxy redirect.
# Check what actually loaded with "ipnat -l"; ipf.rules already passes each LAN
# network to 192.168.188.2:3128 explicitly, so these may be dead rules.
rdr ng0 192.168.188.0/24 -> 192.168.188.2 3128

rdr ng0 192.168.189.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.190.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.191.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.192.0/24 -> 192.168.188.2 3128
#
# PostgreSQL (5432) is published on the WAN to any source (0/0), and ipf.rules
# ends with "pass in quick all", so nothing limits who can reach it. Restrict
# the source here (or add an ipf "block in" for 5432 ahead of the final pass).
rdr ng0 0/0 port 5432 -> 192.168.188.2 port 5432


ipf.rules

# ipf.rules -- IPFilter ruleset. Every rule carries "quick", so matching is
# first-match; the closing "pass in/out quick all" makes the policy default-ALLOW:
# anything not explicitly blocked above it is accepted on every interface.
# Interface roles, inferred from the other listings in this thread (confirm):
#   bce0 - LAN side (squid and nylon bind there), ng0 - WAN side, tun1 - VPN tunnel.
pass in quick on lo0 all
pass out quick on lo0 all
#######################

# Egress filter: never send traffic to private, loopback, link-local, test
# or multicast/reserved ranges out of the WAN interface.
block out quick on ng0 from any to 192.168.0.0/16
block out quick on ng0 from any to 172.16.0.0/12
block out quick on ng0 from any to 127.0.0.0/8

block out quick on ng0 from any to 10.10.0.0/16
block out quick on ng0 from any to 10.8.0.0/16

block out quick on ng0 from any to 0.0.0.0/8
block out quick on ng0 from any to 169.254.0.0/16
block out quick on ng0 from any to 192.0.2.0/24
block out quick on ng0 from any to 204.152.64.0/23

block out quick on ng0 from any to 224.0.0.0/3

# Ingress bogon filter: the same ranges must never arrive from the WAN as a source.
block in quick on ng0 from 192.168.0.0/16 to any
block in quick on ng0 from 172.16.0.0/12 to any
block in quick on ng0 from 127.0.0.0/8 to any

block in quick on ng0 from 10.10.0.0/16 to any
block in quick on ng0 from 10.8.0.0/16 to any

block in quick on ng0 from 0.0.0.0/8 to any
block in quick on ng0 from 169.254.0.0/16 to any
block in quick on ng0 from 192.0.2.0/24 to any
block in quick on ng0 from 204.152.64.0/23 to any

block in quick on ng0 from 224.0.0.0/3 to any

#################################################
# Drop Windows RPC/NetBIOS/SMB ports on both interfaces ("log first" logs only
# the first matching packet of a flow rather than every hit).
block in log first quick on ng0 proto tcp/udp from any to any port = 135
block in log first quick on ng0 proto tcp/udp from any to any port = 136
block in log first quick on ng0 proto tcp/udp from any to any port = 137
block in log first quick on ng0 proto tcp/udp from any to any port = 138
block in log first quick on ng0 proto tcp/udp from any to any port = 139
block in log first quick on ng0 proto tcp/udp from any to any port = 445

#block in quick on bce0 proto udp from any to 8.8.8.8 port = 53

block in log first quick on bce0 proto tcp/udp from any to any port = 135
block in log first quick on bce0 proto tcp/udp from any to any port = 136
block in log first quick on bce0 proto tcp/udp from any to any port = 137
block in log first quick on bce0 proto tcp/udp from any to any port = 138
block in log first quick on bce0 proto tcp/udp from any to any port = 139
block in log first quick on bce0 proto tcp/udp from any to any port = 445

#################################################

# LAN clients may reach LAN web servers directly, but direct port-80 traffic to
# anything else is dropped, which forces plain HTTP through the proxy.
# Only port 80 is covered here: HTTPS (443) is not restricted the same way, so
# the squid.conf policy effectively applies to unencrypted HTTP only.
pass in quick on bce0 proto tcp from 192.168.0.0/16 to 192.168.0.0/16 port = 80
block in quick on bce0 proto tcp from 192.168.0.0/16 to any port = 80

# A single host (192.168.189.2) may not send SMTP via either interface.
block in quick on ng0 from 192.168.189.2/32 to any port = 25
block in quick on bce0 from 192.168.189.2/32 to any port = 25

block in quick on ng0 from any to any port = 22273
block out quick on ng0 from any to any port = 22273

block in quick on ng0 from any to any port = 2915
block out quick on ng0 from any to any port = 2915

# "213.252.*.*" is not valid IPFilter address syntax; it looks like an address
# redacted for the post (same for 83.221.*.* and 91.230.*.* further down). If
# the real file contained the wildcard, ipf would reject the rule on load.
block in quick on ng0 from any to 213.252.*.*
block out quick on ng0 from 213.252.*.* to any

# Stateful outbound DNS, POP3/IMAP/SMTP and XMPP (5222) over the WAN.
pass out quick on ng0 proto tcp from any to any port = 53 flags S keep state
pass out quick on ng0 proto udp from any to any port = 53 keep state

pass out quick on ng0 proto tcp from any to any port = 110 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 143 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 25 flags S keep state

pass out quick on ng0 proto tcp from any to any port = 5222 flags S keep state
pass in quick on bce0 proto tcp from any to any port = 5222 flags S keep state

# 1194 is the conventional OpenVPN port -- presumably what brings up tun1 below.
pass in quick on ng0 proto tcp from any to any port = 1194 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 1194 flags S keep state

# MS-SQL (1433) to/from 10.10.90.1 is allowed across the tunnel only.
pass in quick on tun1 proto tcp from any to 10.10.90.1 port = 1433 flags S keep state
pass out quick on tun1 proto tcp from 10.10.90.1 to any port = 1433 flags S keep state

pass out quick on ng0 proto tcp from 192.168.192.2 to any port = 5190 flags S keep state

# One external host (46.137.83.240) may reach the redacted 83.221.* address on
# any TCP/UDP port; the commented pair is the previous 91.230.* address.
#pass in quick on ng0 proto tcp/udp from 46.137.83.240 to 91.230.*.*
pass in quick on ng0 proto tcp/udp from 46.137.83.240 to 83.221.*.*
#pass out quick on ng0 proto tcp/udp from 91.230.*.* to 46.137.83.240
pass out quick on ng0 proto tcp/udp from 83.221.*.* to 46.137.83.240

#---- SQUID
# Explicit-proxy access: each LAN /24 may reach squid on 192.168.188.2:3128.
pass in quick on bce0 proto tcp/udp from 192.168.188.0/24 to 192.168.188.2/32 port = 3128
pass in quick on bce0 proto tcp/udp from 192.168.189.0/24 to 192.168.188.2/32 port = 3128
#####
pass in quick on bce0 proto tcp/udp from 192.168.190.0/24 to 192.168.188.2/32 port = 3128
#####
pass in quick on bce0 proto tcp/udp from 192.168.191.0/24 to 192.168.188.2/32 port = 3128
pass in quick on bce0 proto tcp/udp from 192.168.192.0/24 to 192.168.188.2/32 port = 3128

# NTP on the LAN side, stateful outbound NTP over the WAN.
pass out quick on bce0 proto tcp/udp from any to any port = 123
pass in quick on bce0 proto tcp/udp from any to any port = 123
pass out quick on ng0 proto udp from any to any port = 123 keep state

pass out quick on ng0 proto tcp from any to any port = 3000 flags S keep state
pass in quick on bce0 proto tcp from any to any port = 3000 flags S keep state

pass in quick on bce0 proto tcp from any to 83.221.*.* port = 8080
pass out quick on ng0 proto tcp from 83.221.*.* to any port = 8080
# A hostname in a rule is resolved once, when the ruleset is loaded: if DNS is
# unavailable at boot the rule fails to load, and later address changes are not
# picked up until the next reload.
pass out quick on bce0 proto tcp from any to www.donenergo.ru port = 88 flags S/FSRPAU keep state

pass in quick on bce0 proto tcp from any to any port = 88
pass out quick on ng0 proto tcp from any to any port = 88

pass out quick on bce0 proto tcp from any to any port = 6911
pass in quick on ng0 proto tcp from any to any port = 6911
pass out quick on bce0 proto tcp from any to any port = 6003
pass in quick on ng0 proto tcp from any to any port = 6003

# ICMP across the tunnel is logged on every packet (no "first"), which can be
# noisy; VNC (5900) from one host and anything from 10.8.67.0/24 may cross it.
pass in log quick on tun1 proto icmp from any to any
pass out log quick on tun1 proto icmp from any to any
pass out quick on tun1 proto tcp from 192.168.192.2 to any port = 5900 flags S keep state
pass out quick on tun1 proto tcp from 10.8.67.0/24 to any flags S keep state

##### END #####

# Default allow. Because of these two rules, every "pass ... keep state" rule
# above only adds state tracking; nothing is denied unless a "block" matched
# first. In particular the WAN redirect of port 5432 in ipnat.rules is reachable
# from any source. The usual hardening is a default-deny tail for the WAN
# ("block in log quick on ng0 all") preceded by an explicit pass list.
pass in quick all
pass out quick all


nylon.conf

# sample configuration # marius aamodt eriksen (marius@umich.edu)
# $Id: nylon.conf,v 1.11 2002/03/27 07:39:53 beriksen Exp $
# nylon -- SOCKS proxy. It listens on the LAN interface (bce0, port 1080) and
# opens outgoing connections through the WAN interface (ng0). Access control is
# by client source address only; nothing else in this file authenticates clients,
# and ipf.rules (default allow) does not restrict port 1080 on bce0 either.
# general settings
[General]

# number of simultaneous connections allowed
No-Simultaneous-Conn=10

# log connections and other information to syslog? 1: on, 0: off
Log=1

# be verbose on the console? 1: on, 0: off
Verbose=1

# store pid file
PIDfile=/var/run/nylon.pid

# server settings
[Server]

# interface to listen to connections
#Binding-Interface=fxp1
Binding-Interface=bce0

# interface to bind outgoing connections to
#Connecting-Interface=fxp0
Connecting-Interface=ng0

# listening port to bind to
Port=1080

# allowed is processed first, then deny

# allowable connect ips/ranges
#Allow-IP=141.0.0.0/8 127.0.0.1 10.0.0.0/24
#Allow IPs 192.168.192.6, 192.168.192.7 and 192.168.189.25 for GLONASS_GPS_Client:
# NOTE(review): 192.168.190.180 and 192.168.190.182 appear twice in this list.
# Harmless, but the list is clearly hand-maintained; deduplicating it makes it
# easier to audit which hosts are actually meant to have SOCKS access.
Allow-IP=127.0.0.1/32 192.168.192.6 192.168.192.7 192.168.189.25 192.168.189.26 192.168.190.34 192.168.190.163 192.168.190.50 192.168.190.180 192.168.190.182 192.168.190.153 192.168.190.132 192.168.190.114 192.168.190.83 192.168.189.15 192.168.190.131 192.168.190.98 192.168.190.180 192.168.190.66 192.168.191.3 192.168.190.182 192.168.190.188
# denied connect ips/ranges
#Deny-IP=10.0.0.0/24


unbound.conf

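# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
# NOTE(review): per the header, the next run of local-unbound-setup may discard
# the hand edits between the +Anton / ~Anton markers below.
server:

#+Anton 12.10.2017
# Log level - 0 (errors only)
verbosity: 0
# Listen port
port: 53
# Listen interface (LAN, local network)
interface: 127.0.0.1
interface: 192.168.188.2
# Outgoing interface (WAN, Internet)
# NOTE(review): "*" is not valid address syntax here; the value looks redacted
# for the post. The real file must carry the full address.
outgoing-interface: 83.221.*.*
#outgoing-interface: 91.230.*.*
# Allow networks
# Fixed: these rules originally read 192.169.x.0/24, which is not the LAN --
# every other listing in this thread and the interface above use 192.168.x.
# Unbound refuses queries from any address without a matching access-control
# entry (only localhost is allowed by default), so unless one of the included
# files allowed them, LAN clients pointed at 192.168.188.2 could not resolve
# names at all. That would also make "ping <hostname>" fail while the proxy,
# which resolves locally on the gateway, keeps working.
access-control: 192.168.188.0/24 allow
access-control: 192.168.189.0/24 allow
access-control: 192.168.190.0/24 allow
access-control: 192.168.191.0/24 allow
access-control: 192.168.192.0/24 allow
# "On" ip4, tcp, udp support and "off" ipv6
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# Set logfile name and switch off syslog (the path is relative to the
# chroot/directory set below)
logfile: "unbound.log"
use-syslog: no
# "Hide" version (for security;))
hide-version: yes
#~Anton 12.10.2017

# Run unprivileged inside the chroot.
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf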


squid.conf

# squid.conf -- explicit (non-transparent) proxy for the LAN /24s on
# 192.168.188.2:3128; ipf.rules passes that port from each LAN network on bce0.
visible_hostname gw.f67.donenergo.net
http_port 192.168.188.2:3128

coredump_dir /var/log/squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

logfile_rotate 10

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

dns_v4_first on

cache_mem 256 MB
maximum_object_size 8192 KB
minimum_object_size 4 KB
cache_dir ufs /var/cache/squid 5120 16 256

# Static files are served from cache for an hour regardless of what the origin
# says (override-lastmod / override-expire), so a changed .zip/.rar/.pdf may be
# served stale for up to 3600 s.
refresh_pattern -i \.gif$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.png$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.jpg$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.jpeg$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.swf$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.zip$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.rar$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.pdf$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.mp3$ 3600 100% 3600 override-lastmod override-expire

acl manager proto cache_object

# "localnet" is defined for every LAN range but is not referenced by any
# http_access rule in this listing: clients get only what the *_white lists
# below allow them.
acl localnet src 10.8.67.0/24 # RFC1918 possible internal network
acl localnet src 192.168.188.0/24 # RFC1918 possible internal network
acl localnet src 192.168.189.0/24 # RFC1918 possible internal network
acl localnet src 192.168.190.0/24 # RFC1918 possible internal network
acl localnet src 192.168.191.0/24 # RFC1918 possible internal network
acl localnet src 192.168.192.0/24 # RFC1918 possible internal network

acl corp-srv dst "/usr/local/etc/squid/xallow/srv-corp"

acl ftp-ports port "/usr/local/etc/squid/xallow/port-ftp"
acl http-ports port "/usr/local/etc/squid/xallow/port-http"
acl ssl-ports port "/usr/local/etc/squid/xallow/port-ssl"

acl FTP proto FTP
acl HTTP proto HTTP
acl CONNECT method CONNECT
acl http-method-good method GET POST HEAD

# Placeholder left in the post ("lists of who may go where"); the real
# definition -- and those of uch-list, otp-list, smit-list and adm-list used
# below -- is not shown here.
acl servers-list src списки кому куда можно

delay_pools 2 # Set two delay pools (numbered 1 and 2)
delay_class 1 2 # Set class 2 for delay pool 1
delay_parameters 1 512000/128000 128000/64000
delay_access 1 allow servers-list
delay_access 1 allow adm-list
delay_access 1 deny all # "Off" traffic limit delay pool 1 for all
delay_class 2 2 # Set class 2 for delay pool 2
delay_parameters 2 384000/128000 96000/48000
# "*-list" is not a name squid can resolve; it reads like another redaction.
# Squid normally refuses to start on an undefined ACL, so the live file must
# differ here.
delay_access 2 allow *-list
delay_access 2 deny all # "Off" traffic limit delay pool 2 for all

# Per-group whitelists: a client in <group>-list may reach the URLs matching
# that group's regex file; corp_white is open to every client.
acl uch_white url_regex "/usr/local/etc/squid/xallow/site-uch"
acl otp_white url_regex "/usr/local/etc/squid/xallow/site-otp"
acl smit_white url_regex "/usr/local/etc/squid/xallow/site-smit"

acl corp_white url_regex "/usr/local/etc/squid/xallow/site-corp"

acl pto_white url_regex "/usr/local/etc/squid/xallow/site-pto"

http_access allow uch-list uch_white
http_access allow otp-list otp_white
http_access allow smit-list smit_white

http_access allow all corp_white

# Evaluated after the allows above: a URL that matches a whitelist regex is
# granted before this list is consulted.
acl porn-sites url_regex -i "/usr/local/etc/squid/xdeny/site-porno"
http_access deny porn-sites # Block list of porn sites for all

# Both lines extend the same ACL; the second, unanchored pattern already
# covers the first.
acl torrent_mime rep_mime_type -i ^application/x-bittorrent$
acl torrent_mime rep_mime_type -i application/x-bittorrent
http_reply_access deny torrent_mime

acl torrent urlpath_regex -i \.torrent$
http_access deny torrent

# Port/method hygiene. These, the manager rules and "deny to_localhost" all come
# *after* the whitelist allows above; squid's recommended layout puts the manager
# and to_localhost rules first so that a whitelisted URL can never be used to
# reach services on the proxy host itself.
http_access deny FTP !ftp-ports
http_access deny HTTP !http-ports
http_access deny CONNECT !ssl-ports
http_access deny HTTP !http-method-good
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

# Everything not explicitly allowed above is denied.
http_access deny all

# Anonymise the proxy: no Via / X-Forwarded-For, and strip the listed request
# headers. Dropping Cache-Control and Pragma from requests means a client's
# "no-cache" never reaches the origin. "Server" and "WWW-Authenticate" are
# response headers, so listing them under request_header_access has no effect
# -- check whether reply_header_access was intended.
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
