Доброе время суток! Возникла проблема....Никак не получается настроить роутер с поддержкой NATD или IPNAT на базе ipfw. Помогите, может просто тупо чего не замечаю...
При использовании обоих конфигураций NAT пинг идёт только до вышестоящего роутера, на остальные машины он не доходит, даже на те, которые находятся в одной сетке с вышестоящим роутером. Также не работает не одна служба: ДНС, прокся, NTP и т.д. В локальной сети всё робит.Листинг rc.conf
gateway_enable="YES"
defaultrouter="x.x.x.x2"
firewall_enable="YES"
firewall_script="/etc/rules"
либо
natd_enable="YES"
natd_interface="rl1"
natd_flags="/etc/natd.rules"
либо
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat"
ipnat_flags=""
Конфиг правил для IPFW
#!/bin/sh
############Script For IpFw
#1.
int_if="rl0"
ext_if="rl1"
int_ip="192.168.0.52"
ext_ip="x.x.x.x"
web_ip="192.168.0.60"
ftp_ip="192.168.0.41"
otr_ip="x.x.x.x1"
lan_ip="192.168.0.0/24"
######################IpFW Rules
/sbin/ipfw -f flush
/sbin/ipfw add check-state
#2. Block Bad traffic (frag)
/sbin/ipfw add deny log all from any to any in recv rl1 frag
#/sbin/ipfw add deny log all from any to ${ext_ip} in recv rl1 ipoptions ssrr
#/sbin/ipfw add deny log all from any to ${ext_ip} in recv rl1 ipoptions lsrr
#/sbin/ipfw add deny log all from any to ${ext_ip} in recv rl1 ipoptions rr
#/sbin/ipfw add deny log all from any to ${ext_ip} in recv rl1 ipoptions ts
#3.
#/sbin/ipfw add deny log tcp from any to ${ext_ip} in recv rl1 tcpflags syn,fin,!ack
#/sbin/ipfw add deny log tcp from any to ${ext_ip} in recv rl1 cpflag ssyn,fin,urg,psh,!ack
#/sbin/ipfw add deny log tcp from any to ${ext_ip} in recv rl1 tcpflags fin,urg,psh,!ack
#/sbin/ipfw add deny log tcp from any to ${ext_ip} in recv rl1 tcpflags fin,!ack
#/sbin/ipfw add deny log tcp from any to ${ext_ip} in recv rl1 tcpflags urg,!ack
#/sbin/ipfw add deny log tcp from any to ${ext_ip} in recv rl1 tcpflags psh,!ack
#4.
#/sbin/ipfw add deny log tcp from any to any tcpoptions !mss tcpflags syn,!ack
#5.
#/sbin/ipfw add deny log all from 127.0.0.0/8 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 192.168.0.0/16 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 172.16.0.0/12 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 10.0.0.0/8 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 0.0.0.0/8 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 169.254.0.0/16 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 192.0.2.0/24 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 204.152.64.0/23 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 224.0.0.0/3 to ${ext_ip} in recv rl1
#/sbin/ipfw add deny log all from 20.20.20.0/24 to ${ext_ip} in recv rl1
/sbin/ipfw add deny log all from 192.168.0.0/24 to 192.168.0.0/24 via rl1
#6.
/sbin/ipfw add allow icmp from any to any via rl1
/sbin/ipfw add allow all from any to any via lo0
/sbin/ipfw add allow all from 192.168.0.0/24 to me in recv rl0
/sbin/ipfw add allow all from me to 192.168.0.0/24 out xmit rl0
/sbin/ipfw add allow all from me to any keep-state out xmit rl1
/sbin/ipfw add allow tcp from any to any established via any
#7.
/sbin/ipfw add deny tcp from 192.168.0.0/24 to any 80 out xmit rl1
/sbin/ipfw add deny tcp from 192.168.0.0/24 to any 443 out xmit rl1
/sbin/ipfw add deny tcp from 192.168.0.0/24 to any 21 out xmit rl1
#8.
/sbin/ipfw add allow all from 192.168.0.0/24 to any keep-state out xmit rl1
#9.
#/sbin/ipfw add divert nat all from 192.168.0.0/24 to any out xmit rl1
#10.
/sbin/ipfw add allow tcp from any to any keep-state out xmit rl1
/sbin/ipfw add allow all from any to any out xmit rl1
#11.
#/sbin/ipfw add allow tcp from any to x.x.x.x 83 in recv rl1 tcpflags syn,!psh,!ack,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 83 in recv rl1 tcpflags ack,!syn,!psh,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 83 in recv rl1 tcpflags ack,psh,!syn,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 83 in recv rl1 tcpflags ack,fin,!syn,!psh,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 83 in recv rl1 tcpflags ack,syn,!psh,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 83 in recv rl1 tcpflags rst,!ack,!syn,!psh,!fin,!urg
#/sbin/ipfw add allow tcp from any to x.x.x.x 21 in recv rl1 tcpflags ack,!syn,!psh,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 21 in recv rl1 tcpflags syn,!psh,!ack,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 21 in recv rl1 tcpflags ack,fin,!syn,!psh,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 21 in recv rl1 tcpflags ack,psh,!syn,!fin,!urg,!rst
#/sbin/ipfw add allow tcp from any to x.x.x.x 21 in recv rl1 tcpflags rst,!ack,!syn,!psh,!fin,!urg
Конфиг Ip_nat
map rl1 192.168.0.0/24 -> x.x.x.x/255.255.255.252
rdr rl1 x.x.x.x/255.255.255.252 port 83 -> 192.168.0.60 port 83
rdr rl1 x.x.x.x/255.255.255.252 port 8080 -> 192.168.0.60 port 8080
rdr rl1 x.x.x.x/255.255.255.252 port 21 -> 192.168.0.100 port 21
Конфиг NATD
log yes
deny_incomming no
use_sockets yes
same_ports yes
verbose no
port natd
unregistered_only yes
log_ipfw_denied yes
redirect_adress tcp x.x.x.x:83 192.168.0.60:83
redirect_adress tcp x.x.x.x:8080 192.168.0.60:8080
redirext_adress tcp x.x.x.x:21 192.168.0.60:21