The OpenNET Project, forum Information Security (OpenBSD PF / OpenBSD)
"pf nat openbsd 4.7 does not work"
Original message

Message from radjiv on 20-Oct-10, 18:08
The problem is as follows. The internet connection from the ISP is static. The gateway pings everything fine. The task is to give the workstations internet access. Here is my config.

# Define the interfaces
ext_if="re0"
int_if="vr0"

match out on $ext_if from 192.168.1.0/24 nat-to ($ext_if)

Routing table.
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 84.253.86.153 GS 8 4179 - 8 re0
84.253.86.152/30 link#1 C 2 0 - 4 re0
84.253.86.153 00:0f:23:93:0f:1b HLc 1 0 - 4 re0
84.253.86.155 link#1 HLc 1 48 - 4 re0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 165 33200 4 lo0
192.168.1/24 link#2 UC 3 0 - 4 vr0
192.168.1.1 00:26:5a:06:2f:65 UHLc 1 56 - 4 lo0
192.168.1.11 00:1f:d0:c9:02:8f UHLc 2 238 - 4 vr0
192.168.1.255 link#2 UHLc 2 47 - 4 vr0
192.168.2/24 link#3 C 1 0 - 4 vr1
192.168.2.255 link#3 HLc 2 47 - 4 vr1
224/4 127.0.0.1 URS 0 0 33200 8 lo0

Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
::1 ::1 UH 14 0 33200 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%re0/64 link#1 C 0 0 - 4 re0
fe80::226:18ff:fed3:9c1a%re0 00:26:18:d3:9c:1a UHL 0 0 - 4 lo0
fe80::%vr0/64 link#2 UC 0 0 - 4 vr0
fe80::226:5aff:fe06:2f65%vr0 00:26:5a:06:2f:65 UHL 0 0 - 4 lo0
fe80::%vr1/64 link#3 C 0 0 - 4 vr1
fe80::226:5aff:fe06:2dee%vr1 00:26:5a:06:2d:ee HL 0 0 - 4 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#5 UHL 0 0 - 4 lo0
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%re0/32 link#1 C 0 0 - 4 re0
ff01::%vr0/32 link#2 UC 0 0 - 4 vr0
ff01::%vr1/32 link#3 C 0 0 - 4 vr1
ff01::%lo0/32 ::1 UC 0 0 - 4 lo0
ff02::/16 ::1 UGRS 0 0 - 8 lo0
ff02::%re0/32 link#1 C 0 0 - 4 re0
ff02::%vr0/32 link#2 UC 0 0 - 4 vr0
ff02::%vr1/32 link#3 C 0 0 - 4 vr1
ff02::%lo0/32 ::1 UC 0 0 - 4 lo0

Packet forwarding.
sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
Command output.
bash-4.0# pfctl -f /etc/pf.conf
bash-4.0# ping ya.ru
PING ya.ru (93.158.134.3): 56 data bytes
64 bytes from 93.158.134.3: icmp_seq=0 ttl=61 time=3.282 ms
64 bytes from 93.158.134.3: icmp_seq=1 ttl=61 time=3.275 ms
--- ya.ru ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.275/3.278/3.282/0.057 ms
bash-4.0# tcpdump -i re0
tcpdump: listening on re0, link-type EN10MB
18:12:18.929882 192.168.1.11 > 195.128.60.37: icmp: echo request
18:12:19.056186 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:19.059109 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:19.898560 c154-86.ntt.ru.36250 > 195.28.32.3.domain: 61753+ PTR? 37.60.128.195.in-addr.arpa. (44)
18:12:20.068325 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:20.072131 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:20.116597 c154-86.ntt.ru.16279 > 195.28.32.3.domain: 49724+ AAAA? 127.0.0.1. (27)
18:12:20.118990 195.28.32.3.domain > c154-86.ntt.ru.16279: 49724 NXDomain* 0/1/0 (102)
18:12:20.119211 c154-86.ntt.ru.4614 > 195.28.32.3.domain: 55809+ AAAA? 127.0.0.1.fullstreets.ru. (42)
18:12:20.121258 195.28.32.3.domain > c154-86.ntt.ru.4614: 55809 NXDomain* 0/1/0 (100)
18:12:20.121440 c154-86.ntt.ru.29804 > 195.28.32.3.domain: 52576+ AAAA? 127.0.0.1. (27)
18:12:20.123605 195.28.32.3.domain > c154-86.ntt.ru.29804: 52576 NXDomain* 0/1/0 (102)
18:12:20.123678 c154-86.ntt.ru.13374 > 195.28.32.3.domain: 48840+ AAAA? 127.0.0.1.fullstreets.ru. (42)
18:12:20.125740 195.28.32.3.domain > c154-86.ntt.ru.13374: 48840 NXDomain* 0/1/0 (100)
18:12:20.405203 195.28.32.3.domain > c154-86.ntt.ru.36250: 61753 NXDomain* 0/1/0 (94)
18:12:20.405566 c154-86.ntt.ru.7269 > 195.28.32.3.domain: 54835+ PTR? 154.86.253.84.in-addr.arpa. (44)
18:12:20.407742 195.28.32.3.domain > c154-86.ntt.ru.7269: 54835* 1/2/2 PTR c154-86.ntt.ru. (139)
18:12:21.080532 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:21.083540 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:22.093822 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:22.097747 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:22.428435 76.11.126.99.61975 > c154-86.ntt.ru.18939: udp 103
18:12:22.428466 c154-86.ntt.ru > 76.11.126.99: icmp: c154-86.ntt.ru udp port 18939 unreachable
18:12:23.104841 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:23.107875 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:24.117000 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:24.120363 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:24.430097 192.168.1.11 > 195.128.60.37: icmp: echo request
18:12:25.129255 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:25.132382 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:26.141054 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:26.144477 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
^C
32 packets received by filter
0 packets dropped by kernel
You have new mail in /var/mail/root
bash-4.0# tcpdump -i vr0
tcpdump: listening on vr0, link-type EN10MB
18:12:37.230061 192.168.1.1.ssh > 192.168.1.11.1089: P 424954369:424954453(84) ack 1838470197 win 17520 (DF) [tos 0x10]
18:12:37.230641 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 84 win 65535 (DF)
18:12:37.277337 192.168.1.1.ssh > 192.168.1.11.1079: P 2158184528:2158184628(100) ack 2080860177 win 17520 (DF) [tos 0x8]
18:12:37.397694 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 100 win 64835 (DF)
18:12:38.289382 192.168.1.1.ssh > 192.168.1.11.1079: P 100:200(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:38.299438 192.168.1.1.ssh > 192.168.1.11.1089: P 84:248(164) ack 1 win 17520 (DF) [tos 0x10]
18:12:38.299473 192.168.1.1.ssh > 192.168.1.11.1089: P 248:492(244) ack 1 win 17520 (DF) [tos 0x10]
18:12:38.299501 192.168.1.1.ssh > 192.168.1.11.1089: P 492:720(228) ack 1 win 17520 (DF) [tos 0x10]
18:12:38.300079 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 492 win 65127 (DF)
18:12:38.491471 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 200 win 64735 (DF)
18:12:38.491485 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 720 win 64899 (DF)
18:12:39.298546 192.168.1.1.ssh > 192.168.1.11.1089: P 720:1300(580) ack 1 win 17520 (DF) [tos 0x10]
18:12:39.301586 192.168.1.1.ssh > 192.168.1.11.1079: P 200:300(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:39.475872 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 1300 win 64319 (DF)
18:12:39.475886 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 300 win 64635 (DF)
18:12:40.300552 192.168.1.1.ssh > 192.168.1.11.1089: P 1300:1544(244) ack 1 win 17520 (DF) [tos 0x10]
18:12:40.300608 192.168.1.1.ssh > 192.168.1.11.1089: P 1544:1756(212) ack 1 win 17520 (DF) [tos 0x10]
18:12:40.301214 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 1756 win 65535 (DF)
18:12:40.313441 192.168.1.1.ssh > 192.168.1.11.1079: P 300:400(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:40.460271 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 400 win 64535 (DF)
18:12:40.929074 192.168.1.11 > 195.128.60.37: icmp: echo request
18:12:41.302696 192.168.1.1.ssh > 192.168.1.11.1089: P 1756:2000(244) ack 1 win 17520 (DF) [tos 0x10]
18:12:41.302761 192.168.1.1.ssh > 192.168.1.11.1089: P 2000:2308(308) ack 1 win 17520 (DF) [tos 0x10]
18:12:41.303376 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 2308 win 64983 (DF)
18:12:41.305158 192.168.1.1.ssh > 192.168.1.11.1089: P 2308:2424(116) ack 1 win 17520 (DF) [tos 0x10]
18:12:41.325984 192.168.1.1.ssh > 192.168.1.11.1079: P 400:500(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:41.444669 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 500 win 64435 (DF)
18:12:41.444684 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 2424 win 64867 (DF)
18:12:42.304824 192.168.1.1.ssh > 192.168.1.11.1089: P 2424:2572(148) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.304885 192.168.1.1.ssh > 192.168.1.11.1089: P 2572:2896(324) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.304916 192.168.1.1.ssh > 192.168.1.11.1089: P 2896:3124(228) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.304942 192.168.1.1.ssh > 192.168.1.11.1089: P 3124:3256(132) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.305460 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 2896 win 64395 (DF)
18:12:42.305481 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 3256 win 65535 (DF)
18:12:42.338224 192.168.1.1.ssh > 192.168.1.11.1079: P 500:600(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:42.538442 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 600 win 64335 (DF)
^C
46 packets received by filter
0 packets dropped by kernel
bash-4.0# pfctl -s rules
match out on re0 inet from 192.168.1.0/24 to any nat-to (re0) round-robin
bash-4.0# ^C
bash-4.0# ping 195.128.60.37
PING 195.128.60.37 (195.128.60.37): 56 data bytes
64 bytes from 195.128.60.37: icmp_seq=0 ttl=60 time=3.777 ms
64 bytes from 195.128.60.37: icmp_seq=1 ttl=60 time=5.983 ms
64 bytes from 195.128.60.37: icmp_seq=2 ttl=60 time=3.657 ms
--- 195.128.60.37 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.657/4.472/5.983/1.070 ms


Messages in this thread


1. "pf nat openbsd 4.7 does not work"
Message from Aquarius (ok) on 20-Oct-10, 20:53
And DNS?

2. "pf nat openbsd 4.7 does not work"
Message from radjiv on 20-Oct-10, 22:11
> And DNS?

My own DNS; it just does not start automatically. The ISP's DNS cannot be pinged.


3. "pf nat openbsd 4.7 does not work"
Message from guest (??) on 22-Oct-10, 15:18
>[overquoting removed]
> int_if="vr0"
> match out on $ext_if from 192.168.1.0/24 nat-to ($ext_if)
> Routing table.
> Routing tables
> Internet:
> Destination Gateway Flags Refs Use Mtu Prio Iface
> default 84.253.86.153 GS 8 4179 - 8 re0
> 84.253.86.152/30 link#1 C 2 0 - 4 re0
> 84.253.86.153 00:0f:23:93:0f:1b HLc 1 0 - 4 re0
> 84.253.86.155 link#1 HLc 1 48 - 4 re0

Try NATing specifically to .153, without aliases.
match out on $ext_if from 192.168.1.0/24 nat-to ($ext_if:0)


4. "pf nat openbsd 4.7 does not work"
Message from radjiv on 22-Oct-10, 19:21
>[overquoting removed]
>> Routing table.
>> Routing tables
>> Internet:
>> Destination Gateway Flags Refs Use Mtu Prio Iface
>> default 84.253.86.153 GS 8 4179 - 8 re0
>> 84.253.86.152/30 link#1 C 2 0 - 4 re0
>> 84.253.86.153 00:0f:23:93:0f:1b HLc 1 0 - 4 re0
>> 84.253.86.155 link#1 HLc 1 48 - 4 re0
> Try NATing specifically to .153, without aliases.
> match out on $ext_if from 192.168.1.0/24 nat-to ($ext_if:0)

NAT does not work. In any variant.
tcpdump -n -t -vv -i re0 icmp
tcpdump: listening on re0, link-type EN10MB
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:1024) (ttl 127, id 2321, len 60, bad cksum 0! differs by 7157)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:1280) (ttl 127, id 2323, len 60, bad cksum 0! differs by 7155)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:1536) (ttl 127, id 2325, len 60, bad cksum 0! differs by 7153)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:1792) (ttl 127, id 2327, len 60, bad cksum 0! differs by 7151)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:2048) (ttl 127, id 2329, len 60, bad cksum 0! differs by 714f)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:2304) (ttl 127, id 2331, len 60, bad cksum 0! differs by 714d)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:2560) (ttl 127, id 2333, len 60, bad cksum 0! differs by 714b)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:2816) (ttl 127, id 2335, len 60, bad cksum 0! differs by 7149)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:3072) (ttl 127, id 2337, len 60, bad cksum 0! differs by 7147)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:3328) (ttl 127, id 2339, len 60, bad cksum 0! differs by 7145)
84.253.86.154 > 90.44.128.66: icmp: 84.253.86.154 udp port 53253 unreachable for 90.44.128.66.8325 > 84.253.86.154.53253: udp 62 (ttl 115, id 21228, len 90) (ttl 255, id 45412, len 56, bad cksum 0! differs by 845a)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:3584) (ttl 127, id 2342, len 60, bad cksum 0! differs by 7142)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:3840) (ttl 127, id 2344, len 60, bad cksum 0! differs by 7140)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:4096) (ttl 127, id 2346, len 60, bad cksum 0! differs by 713e)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:4352) (ttl 127, id 2348, len 60, bad cksum 0! differs by 713c)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:4608) (ttl 127, id 2350, len 60, bad cksum 0! differs by 713a)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:4864) (ttl 127, id 2352, len 60, bad cksum 0! differs by 7138)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:5120) (ttl 127, id 2354, len 60, bad cksum 0! differs by 7136)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:5376) (ttl 127, id 2356, len 60, bad cksum 0! differs by 7134)
192.168.1.11 > 195.128.60.37: icmp: echo request (id:0200 seq:5632) (ttl 127, id 2358, len 60, bad cksum 0! differs by 7132)
84.253.86.154 > 95.104.109.213: icmp: 84.253.86.154 udp port 12716 unreachable for 95.104.109.213.36901 > 84.253.86.154.12716: udp 30 (ttl 118, id 32645, len 58) (ttl 255, id 57695, len 56, bad cksum 0! differs by 6190)
^C
23 packets received by filter
0 packets dropped by kernel

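The thread ends without a resolution. The ruleset below is an added example written for this page, not the poster's file and not something from the replies; it assumes the interface names and the 192.168.1.0/24 prefix from the first message. On OpenBSD 4.7 and later, nat-to on a match rule only takes effect when a pass rule creates state for the packet, so a ruleset consisting of a single match rule forwards LAN packets under the implicit stateless default pass and they leave re0 untranslated, which is what the re0 captures above show (192.168.1.11 still as the source).

```pf
# Added example, not the poster's /etc/pf.conf. Assumes the names from
# the first message: re0 faces the ISP, vr0 is the LAN, 192.168.1.0/24.
ext_if="re0"
int_if="vr0"
lan_net="192.168.1.0/24"

set skip on lo0
antispoof quick for $int_if

# The poster's whole ruleset was this one line. nat-to on a match rule
# is only carried out when state is created for the packet; a packet
# passed by the implicit default (no pass rule matched) is stateless,
# so it leaves re0 untranslated. ":0" picks the primary address and
# ignores aliases, the form suggested in reply 3.
match out on $ext_if inet from $lan_net nat-to ($ext_if:0)

# What was missing: pass rules that create state (keep state is the
# default for pass). A forwarded connection gets one state from
# "pass in" on vr0 and a second from "pass out" on re0; the
# translation is applied when that second state is created.
block log all
pass in on $int_if inet from $lan_net
pass out on $int_if inet
pass out on $ext_if inet

# Checking:
#   pfctl -nf /etc/pf.conf        parse only, report errors
#   pfctl -f /etc/pf.conf         load
#   pfctl -s info | head -n 1     must report "Status: Enabled"
#   pfctl -s state                after a ping from 192.168.1.11, the
#                                 re0 entry lists the LAN address next
#                                 to the translated 84.253.86.x source
```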
