Hello. I have a firewall. Everything works fine, including NAT. I need to redirect all requests from the local network to port UDP/53 to an external DNS.
IPFW rules
# Assumed shell variables (not shown in the post): cmd="ipfw -q add", and lan="192.168.10.0/24" (the value that appears for $lan in the `ipfw show` output below)
$cmd 010 allow all from any to any via lo0
$cmd 011 deny all from 127.0.0.1/8 to any
$cmd 012 deny all from any to 127.0.0.1/8
$cmd 020 check-state
$cmd 025 reass all from any to any in
### in/out internal if
$cmd 100 allow ip4 from 192.168.10.0/24 to me in via em1
$cmd 110 allow ip4 from me to 192.168.10.0/24 out via em1
# fwd sets the next hop for matching packets to 8.8.4.4 and ends the inbound pass; per ipfw(8) fwd does not modify the packet, so the destination address stays as the client sent it
$cmd 111 fwd 8.8.4.4 log udp from $lan to not me 53 in via em1
# everything else from the LAN to non-local destinations goes to the outbound NAT rule
$cmd 211 skipto 320 ip4 from 192.168.10.0/24 to not me
### out external if
$cmd 220 allow tcp from me to any out via em0 setup keep-state
$cmd 221 allow udp from me to any out via em0 keep-state
$cmd 223 allow icmp from me to any out via em0 keep-state
### in external if
$cmd 230 allow tcp from any to me 22 in via em0 setup keep-state
$cmd 240 allow icmp from any to me icmptypes 3,4,8,11 in via em0 keep-state
# nat-back-to-lan: de-alias replies arriving on em0 addressed to the router
$cmd 245 nat 2 ip4 from any to me in recv em0
$cmd 286 allow ip4 from not me to 192.168.10.0/24 in via em0
$cmd 295 allow ip4 from not me to 192.168.10.0/24 out via em1
$cmd 300 deny all from any to any
# nat instance 2: masquerade on em0, plus an inbound port redirect for RDP to a LAN host
ipfw nat 2 config if em0 log deny_in same_ports reset \
    redirect_port tcp 192.168.10.12:3389 3389
# outbound LAN traffic: rewrite the source address to em0's address, then allow
$cmd 320 nat 2 ip4 from 192.168.10.0/24 to not me out via em0
$cmd 400 allow ip4 from any to any
$cmd 65534 deny all from any to any
ipfw -d show while pinging some server by name from the local network:
00010 0 0 allow ip from any to any via lo0
00011 0 0 deny ip from 127.0.0.0/8 to any
00012 0 0 deny ip from any to 127.0.0.0/8
00020 0 0 check-state
00025 8 484 reass ip from any to any in
00100 0 0 allow ip4 from 192.168.10.0/24 to me in via em1
00110 0 0 allow ip4 from me to 192.168.10.0/24 out via em1
00111 5 250 fwd 8.8.4.4 log logamount 1000 udp from 192.168.10.0/24 to not me dst-port 53 in via em1
00211 8 484 skipto 320 ip4 from 192.168.10.0/24 to not me
00220 0 0 allow tcp from me to any out via em0 setup keep-state
00221 0 0 allow udp from me to any out via em0 keep-state
00223 0 0 allow icmp from me to any out via em0 keep-state
00230 0 0 allow tcp from any to me dst-port 22 in via em0 setup keep-state
00240 0 0 allow icmp from any to me icmptypes 3,4,8,11 in via em0 keep-state
00245 0 0 nat 2 ip4 from any to me in recv em0
00286 0 0 allow ip4 from not me to 192.168.10.0/24 in via em0
00295 0 0 allow ip4 from not me to 192.168.10.0/24 out via em1
00300 0 0 deny ip from any to any
00320 5 250 nat 2 ip4 from 192.168.10.0/24 to not me out via em0
00400 8 484 allow ip4 from any to any
65534 0 0 deny ip from any to any
65535 0 0 allow ip from any to any
So it's strange: the rules seem to fire, but there is no forwarding.
tcpdump on the external interface
2012-06-02 09:06:30.078706 IP 192.168.100.9.54895 > 8.8.8.8.53: UDP, length 23
2012-06-02 09:06:30.129702 IP 8.8.8.8.53 > 192.168.100.9.54895: UDP, length 151
192.168.100.9 is the router's external IP.
The client in the local network has only one DNS server configured, 8.8.8.8. As the tcpdump output shows, no forwarding to 8.8.4.4 takes place.
What is the problem?
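The two pieces of evidence in the post, the `ipfw -d show` counters and the tcpdump capture on em0, can be cross-checked mechanically: which rules actually matched packets, where the post-NAT DNS queries really went, and whether any `fwd` target that matched in ipfw ever shows up as a destination on the wire. The script below is an added example and is not part of the original post; it assumes tcpdump's default timestamped UDP line format as printed above and the plain `ipfw show` column layout (rule, packets, bytes, rule text). The sample capture embeds the two lines from the post plus constructed lines for a query to a third resolver, and the sample `ipfw show` text copies the counters from the post.

```python
import re
from collections import Counter

# Constructed sample capture from the router's external interface (em0).
# The first two lines are the ones shown in the post; the last two are made up
# to exercise the checks (a query to a third resolver and its reply).
CAPTURE = """\
2012-06-02 09:06:30.078706 IP 192.168.100.9.54895 > 8.8.8.8.53: UDP, length 23
2012-06-02 09:06:30.129702 IP 8.8.8.8.53 > 192.168.100.9.54895: UDP, length 151
2012-06-02 09:06:32.200013 IP 192.168.100.9.40002 > 1.1.1.1.53: UDP, length 28
2012-06-02 09:06:32.251790 IP 1.1.1.1.53 > 192.168.100.9.40002: UDP, length 96
"""

# Constructed sample of `ipfw -d show` output; rule numbers and counters are
# copied from the post, limited to the rules relevant to the LAN->DNS path.
IPFW_SHOW = """\
00025 8 484 reass ip from any to any in
00100 0 0 allow ip4 from 192.168.10.0/24 to me in via em1
00111 5 250 fwd 8.8.4.4 log logamount 1000 udp from 192.168.10.0/24 to not me dst-port 53 in via em1
00211 8 484 skipto 320 ip4 from 192.168.10.0/24 to not me
00320 5 250 nat 2 ip4 from 192.168.10.0/24 to not me out via em0
00400 8 484 allow ip4 from any to any
65535 0 0 allow ip from any to any
"""

# tcpdump line: "<date> <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
UDP_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)
# ipfw show line: "<rule> <packets> <bytes> <rule text>"
RULE_LINE = re.compile(r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.+)$")


def parse_udp(capture):
    """Yield (src, sport, dst, dport) for every UDP line in tcpdump text."""
    for line in capture.splitlines():
        m = UDP_LINE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def dns_destinations(capture, router_ip):
    """Count the resolvers that outbound DNS queries actually reached.

    On the external interface the LAN source has already been NATed, so a
    query is identified by src == router_ip and dport == 53."""
    return Counter(
        dst for src, _sport, dst, dport in parse_udp(capture)
        if src == router_ip and dport == 53
    )


def dns_bypass(capture, router_ip, expected):
    """Return {resolver: query_count} for queries that did NOT go to `expected`."""
    return {dst: n for dst, n in dns_destinations(capture, router_ip).items()
            if dst != expected}


def hit_rules(show_output):
    """Return [(rule_number, packets, rule_text)] for rules with a non-zero packet count."""
    hits = []
    for line in show_output.splitlines():
        m = RULE_LINE.match(line)
        if m and int(m["pkts"]) > 0:
            hits.append((int(m["num"]), int(m["pkts"]), m["body"]))
    return hits


def fwd_targets(show_output):
    """Next-hop addresses of `fwd` rules that matched at least one packet."""
    targets = set()
    for _num, _pkts, body in hit_rules(show_output):
        m = re.match(r"fwd (\S+)", body)
        if m:
            targets.add(m.group(1))
    return targets


def unseen_fwd_targets(show_output, capture, router_ip):
    """fwd targets that matched in ipfw but never appear as a DNS destination on the wire."""
    seen = dns_destinations(capture, router_ip)
    return {t for t in fwd_targets(show_output) if t not in seen}


if __name__ == "__main__":
    router = "192.168.100.9"
    for num, pkts, body in hit_rules(IPFW_SHOW):
        print(f"rule {num:05d} matched {pkts} packets: {body}")
    print("DNS queries by destination:", dict(dns_destinations(CAPTURE, router)))
    print("queries not sent to 8.8.4.4:", dns_bypass(CAPTURE, router, "8.8.4.4"))
    print("fwd targets matched in ipfw but absent from capture:",
          unseen_fwd_targets(IPFW_SHOW, CAPTURE, router))
```

Run against the sample data it reports the same path the post's counters show (25, 111, 211, 320, 400), that every post-NAT query went to 8.8.8.8 or 1.1.1.1, and that 8.8.4.4, although it is the target of a fwd rule that matched 5 packets, never appears as a DNS destination in the capture. Feeding it a live `tcpdump -n -i em0 udp port 53` capture and `ipfw -d show` output gives the same three answers for a real ruleset.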