>> При переходе на другого провайдера творится непонятно что. До меня система настраивалась
>> кем-то другим. В общем, что происходит: у клиентов есть интернет,
> + squid - работает
>> но через консоль нет пинга в инет. Так же перестаёт работать
>> nylon. куда копать?
> Сюда -
> ipf + ipnat используется FreeBSD 10.3
rc.conf
# Gateway host: bce0 faces the LAN (192.168.188.2), bce1 is the uplink,
# ng0 is the mpd link that the ipf/ipnat rulesets below still refer to.
hostname="gw.net"
background_fsck="NO"
fsck_y_enable="YES"
# NOTE(review): bce1 is assigned twice; the later line wins in rc.conf, so bce1
# is configured by DHCP (the new provider) and the "up" line is redundant.
ifconfig_bce1="up"
ifconfig_bce1="DHCP"
# LAN side: a /30 shared with the internal router 192.168.188.1, which is the
# next hop of every LAN route below.
ifconfig_bce0="inet 192.168.188.2 netmask 255.255.255.252"
# NOTE(review): "ofd" is listed here but no route_ofd= line is defined below.
static_routes="net188 net189 net190 net191 net192 net252 ascue de donen glonas ofd"
route_net188=" -net 192.168.188.0/24 192.168.188.1"
route_net189=" -net 192.168.189.0/24 192.168.188.1"
route_net190=" -net 192.168.190.0/24 192.168.188.1"
route_net191=" -net 192.168.191.0/24 192.168.188.1"
route_net192=" -net 192.168.192.0/24 192.168.188.1"
route_net252=" -net 192.168.190.252/30 192.168.188.1"
route_ascue=" -net 10.10.90.0/24 192.168.188.1"
route_de=" -net 192.168.70.0/24 192.168.188.1"
route_donen=" -net 192.168.10.0/24 192.168.188.1"
# old provider
# NOTE(review): the active route_glonas uses the old provider's gateway
# (83.221.*.*, the ng0 address shown later in the thread); the commented line
# is the 91.230.*.* variant, which is the first hop the new uplink traces
# through. After the provider change this route is stale unless swapped.
route_glonas=" -net 87.117.31.0/24 83.221.*.*"
#route_glonas=" -net 87.117.31.0/24 91.230.*.*"
# IP forwarding on; routed(8) off.
gateway_enable="YES"
router_enable="NO"
# Packet filter + NAT. Both rulesets name only ng0 as the WAN interface
# (see ipf.rules / ipnat.rules below); bce1 is not mentioned in either.
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
# -C clears the rule list and -F flushes the active NAT table before -f loads the file.
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"
# Syslog bound to the LAN address; -s accepts no messages from remote hosts.
syslogd_enable="YES"
syslogd_flags="-b 192.168.188.2 -c -n -s"
sshd_enable="YES"
ntpd_enable="YES"
ntpdate_program="/usr/local/bin/ntpdate"
apache24_enable="NO"
squid_enable="YES" #Anton
usbd_enable="YES"
# mpd is presumably what creates ng0 — confirm in mpd.conf. Userland ppp is
# disabled, so the ppp_* lines below (including ppp_nat) are inert.
mpd_enable="YES"
ppp_enable="NO"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="papchap"
# OpenVPN is disabled here even though ipf.rules passes 1194 on ng0.
openvpn_enable="NO"
openvpn_if="tun"
openvpn_flags=""
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn"
sendmail_enable="NO"
webmin_enable="YES"
mysql_enable="NO"
samsd_enable="NO"
# Caching resolver (unbound.conf below) and the nylon SOCKS proxy (nylon.conf below).
local_unbound_enable="YES"
nylon_enable="YES"
ipnat.rules
# Outbound NAT for the five LAN /24s, all bound to ng0 (the mpd link).
# NOTE(review): the new provider is on bce1 (DHCP in rc.conf); no map rule names
# bce1, so LAN traffic leaving through it is not translated by this file at all.
# Per subnet: a portmap rule for tcp/udp, then a plain rule for other protocols.
map ng0 192.168.188.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.188.0/24 -> 192.168.188.2/32
map ng0 192.168.189.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.189.0/24 -> 192.168.188.2/32
map ng0 192.168.190.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.190.0/24 -> 192.168.188.2/32
map ng0 192.168.191.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.191.0/24 -> 192.168.188.2/32
map ng0 192.168.192.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.192.0/24 -> 192.168.188.2/32
###############################################################
# Redirects towards squid on 192.168.188.2:3128.
# NOTE(review): rdr matches packets arriving inbound on the named interface
# whose *destination* is the first address, i.e. packets coming in on ng0 and
# addressed to the LAN — LAN clients enter on bce0, so it is unclear these ever
# fire. The trailing "3128" also lacks the "port" keyword that the 5432 rule
# below uses; confirm ipnat accepts this form.
rdr ng0 192.168.188.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.189.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.190.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.191.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.192.0/24 -> 192.168.188.2 3128
#
# Exposes PostgreSQL (5432) on the WAN link to the gateway itself from ANY source;
# ipf.rules ends with "pass in quick all", so nothing else restricts who may reach it.
rdr ng0 0/0 port 5432 -> 192.168.188.2 port 5432
ipf.rules
# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all
#######################
# Anti-spoofing / bogon filtering on the WAN link.
# NOTE(review): this names only ng0 (the mpd link). The new uplink bce1 gets
# none of these blocks and falls through to the "pass ... all" rules at the end.
block out quick on ng0 from any to 192.168.0.0/16
block out quick on ng0 from any to 172.16.0.0/12
block out quick on ng0 from any to 127.0.0.0/8
block out quick on ng0 from any to 10.10.0.0/16
block out quick on ng0 from any to 10.8.0.0/16
block out quick on ng0 from any to 0.0.0.0/8
block out quick on ng0 from any to 169.254.0.0/16
block out quick on ng0 from any to 192.0.2.0/24
block out quick on ng0 from any to 204.152.64.0/23
block out quick on ng0 from any to 224.0.0.0/3
block in quick on ng0 from 192.168.0.0/16 to any
block in quick on ng0 from 172.16.0.0/12 to any
block in quick on ng0 from 127.0.0.0/8 to any
block in quick on ng0 from 10.10.0.0/16 to any
block in quick on ng0 from 10.8.0.0/16 to any
block in quick on ng0 from 0.0.0.0/8 to any
block in quick on ng0 from 169.254.0.0/16 to any
block in quick on ng0 from 192.0.2.0/24 to any
block in quick on ng0 from 204.152.64.0/23 to any
block in quick on ng0 from 224.0.0.0/3 to any
#################################################
# Drop (logging only the first hit) NetBIOS/SMB ports arriving on the WAN link...
block in log first quick on ng0 proto tcp/udp from any to any port = 135
block in log first quick on ng0 proto tcp/udp from any to any port = 136
block in log first quick on ng0 proto tcp/udp from any to any port = 137
block in log first quick on ng0 proto tcp/udp from any to any port = 138
block in log first quick on ng0 proto tcp/udp from any to any port = 139
block in log first quick on ng0 proto tcp/udp from any to any port = 445
#block in quick on bce0 proto udp from any to 8.8.8.8 port = 53
# ...and the same ports arriving from the LAN on bce0.
block in log first quick on bce0 proto tcp/udp from any to any port = 135
block in log first quick on bce0 proto tcp/udp from any to any port = 136
block in log first quick on bce0 proto tcp/udp from any to any port = 137
block in log first quick on bce0 proto tcp/udp from any to any port = 138
block in log first quick on bce0 proto tcp/udp from any to any port = 139
block in log first quick on bce0 proto tcp/udp from any to any port = 445
#################################################
# Plain HTTP from the LAN is allowed only towards other LAN hosts; any other
# port-80 traffic is blocked so browsers must go through squid on 3128 (below).
pass in quick on bce0 proto tcp from 192.168.0.0/16 to 192.168.0.0/16 port = 80
block in quick on bce0 proto tcp from 192.168.0.0/16 to any port = 80
# One host is kept off SMTP on both interfaces.
# NOTE(review): these six block lines match a port without a "proto" clause —
# confirm ipf loads them as written (the other port rules here specify tcp/udp).
block in quick on ng0 from 192.168.189.2/32 to any port = 25
block in quick on bce0 from 192.168.189.2/32 to any port = 25
block in quick on ng0 from any to any port = 22273
block out quick on ng0 from any to any port = 22273
block in quick on ng0 from any to any port = 2915
block out quick on ng0 from any to any port = 2915
# Blocked remote range (masked by the poster).
# NOTE(review): the directions look inverted — inbound packets on ng0 *destined*
# to 213.252.*.* and outbound packets *sourced* from it are unusual; the intent
# was probably "in from 213.252.*.*" / "out to 213.252.*.*".
block in quick on ng0 from any to 213.252.*.*
block out quick on ng0 from 213.252.*.* to any
# Stateful outbound services on the WAN link: DNS, POP3, IMAP, SMTP, XMPP (5222).
pass out quick on ng0 proto tcp from any to any port = 53 flags S keep state
pass out quick on ng0 proto udp from any to any port = 53 keep state
pass out quick on ng0 proto tcp from any to any port = 110 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 143 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 25 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 5222 flags S keep state
pass in quick on bce0 proto tcp from any to any port = 5222 flags S keep state
# OpenVPN port 1194 both ways on the WAN link (openvpn_enable is "NO" in rc.conf).
pass in quick on ng0 proto tcp from any to any port = 1194 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 1194 flags S keep state
# Port 1433 to/from 10.10.90.1 over the tun1 VPN.
pass in quick on tun1 proto tcp from any to 10.10.90.1 port = 1433 flags S keep state
pass out quick on tun1 proto tcp from 10.10.90.1 to any port = 1433 flags S keep state
# Port 5190 out for a single LAN host.
pass out quick on ng0 proto tcp from 192.168.192.2 to any port = 5190 flags S keep state
# Provider-specific pair with 46.137.83.240: the live lines use the old
# provider's 83.221.*.* address, the commented ones the 91.230.*.* variant.
#pass in quick on ng0 proto tcp/udp from 46.137.83.240 to 91.230.*.*
pass in quick on ng0 proto tcp/udp from 46.137.83.240 to 83.221.*.*
#pass out quick on ng0 proto tcp/udp from 91.230.*.* to 46.137.83.240
pass out quick on ng0 proto tcp/udp from 83.221.*.* to 46.137.83.240
#---- SQUID
# LAN subnets -> squid on 192.168.188.2:3128 (no state; the final pass-all
# covers the replies anyway).
pass in quick on bce0 proto tcp/udp from 192.168.188.0/24 to 192.168.188.2/32 port = 3128
pass in quick on bce0 proto tcp/udp from 192.168.189.0/24 to 192.168.188.2/32 port = 3128
#####
pass in quick on bce0 proto tcp/udp from 192.168.190.0/24 to 192.168.188.2/32 port = 3128
#####
pass in quick on bce0 proto tcp/udp from 192.168.191.0/24 to 192.168.188.2/32 port = 3128
pass in quick on bce0 proto tcp/udp from 192.168.192.0/24 to 192.168.188.2/32 port = 3128
# NTP on the LAN and out over the WAN link.
pass out quick on bce0 proto tcp/udp from any to any port = 123
pass in quick on bce0 proto tcp/udp from any to any port = 123
pass out quick on ng0 proto udp from any to any port = 123 keep state
# Port 3000: in from the LAN, out on the WAN link.
pass out quick on ng0 proto tcp from any to any port = 3000 flags S keep state
pass in quick on bce0 proto tcp from any to any port = 3000 flags S keep state
# Port 8080 pinned to the old provider's address (same caveat as the 83.221 pair above).
pass in quick on bce0 proto tcp from any to 83.221.*.* port = 8080
pass out quick on ng0 proto tcp from 83.221.*.* to any port = 8080
# Port 88 towards www.donenergo.ru; the hostname is resolved once, when the
# ruleset is loaded. "S/FSRPAU" appears to be the explicit-mask spelling of "flags S".
pass out quick on bce0 proto tcp from any to www.donenergo.ru port = 88 flags S/FSRPAU keep state
pass in quick on bce0 proto tcp from any to any port = 88
pass out quick on ng0 proto tcp from any to any port = 88
# 6911 / 6003: out towards the LAN, in from the WAN link, stateless.
pass out quick on bce0 proto tcp from any to any port = 6911
pass in quick on ng0 proto tcp from any to any port = 6911
pass out quick on bce0 proto tcp from any to any port = 6003
pass in quick on ng0 proto tcp from any to any port = 6003
# tun1 VPN: logged ICMP, port 5900 from one host, anything from 10.8.67.0/24.
pass in log quick on tun1 proto icmp from any to any
pass out log quick on tun1 proto icmp from any to any
pass out quick on tun1 proto tcp from 192.168.192.2 to any port = 5900 flags S keep state
pass out quick on tun1 proto tcp from 10.8.67.0/24 to any flags S keep state
##### END #####
# Default policy is ALLOW: anything not hit by a "block ... quick" above passes,
# on every interface — including bce1, which no rule above mentions. The "pass"
# rules above therefore only add value where they carry "keep state" or "log".
pass in quick all
pass out quick all
nylon.conf
# sample configuration # marius aamodt eriksen (marius@umich.edu)
# $Id: nylon.conf,v 1.11 2002/03/27 07:39:53 beriksen Exp $
# general settings
[General]
# number of simultaneous connections allowed
No-Simultaneous-Conn=10
# log connections and other information to syslog? 1: on, 0: off
Log=1
# be verbose on the console? 1: on, 0: off
Verbose=1
# store pid file
PIDfile=/var/run/nylon.pid
# server settings
[Server]
# interface to listen to connections (bce0 = the LAN side, 192.168.188.2)
#Binding-Interface=fxp1
Binding-Interface=bce0
# interface to bind outgoing connections to
# NOTE(review): outgoing connections are bound to ng0, the mpd link of the old
# provider. The new uplink is bce1 (DHCP in rc.conf) and ng0 shows no RUNNING
# flag on it, so nylon has no usable source interface — the most likely reason
# it stops working after the switch.
#Connecting-Interface=fxp0
Connecting-Interface=ng0
# listening port to bind to (SOCKS)
Port=1080
# allowed is processed first, then deny
# allowable connect ips/ranges
#Allow-IP=141.0.0.0/8 127.0.0.1 10.0.0.0/24
#Allow IPs 192.168.192.6, 192.168.192.7 and 192.168.189.25 for GLONASS_GPS_Client:
# NOTE(review): 192.168.190.180 and 192.168.190.182 are listed twice.
Allow-IP=127.0.0.1/32 192.168.192.6 192.168.192.7 192.168.189.25 192.168.189.26 192.168.190.34 192.168.190.163 192.168.190.50 192.168.190.180 192.168.190.182 192.168.190.153 192.168.190.132 192.168.190.114 192.168.190.83 192.168.189.15 192.168.190.131 192.168.190.98 192.168.190.180 192.168.190.66 192.168.191.3 192.168.190.182 192.168.190.188
# denied connect ips/ranges
#Deny-IP=10.0.0.0/24
unbound.conf
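# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
# NOTE(review): the hand edits between the "+Anton" / "~Anton" markers live in a
# generated file and will be lost the next time local-unbound-setup runs.
server:
#+Anton 12.10.2017
# Log level - 0 (errors only)
verbosity: 0
# Listen port
port: 53
# Listen interface (LAN, local network)
interface: 127.0.0.1
interface: 192.168.188.2
# Outgoing interface (WAN, Internet)
# NOTE(review): 83.221.*.* is the old provider's ng0 address. While the new
# uplink (bce1, DHCP) is in use this address does not exist on the host, so
# unbound cannot source its outgoing queries from it; the commented
# 91.230.*.* line is the other provider's variant.
outgoing-interface: 83.221.*.*
#outgoing-interface: 91.230.*.*
# Allow networks
# Fixed: the LAN is 192.168.188-192.0/24 (see "interface:" above and rc.conf).
# The original had 192.169.x, which is not any local network here, so LAN
# clients were refused by unbound's default access-control.
access-control: 192.168.188.0/24 allow
access-control: 192.168.189.0/24 allow
access-control: 192.168.190.0/24 allow
access-control: 192.168.191.0/24 allow
access-control: 192.168.192.0/24 allow
# "On" ip4, tcp, udp support and "off" ipv6
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# Set logfile name and switch off syslog (path is relative to the chroot below)
logfile: "unbound.log"
use-syslog: no
# "Hide" version (for security;))
hide-version: yes
#~Anton 12.10.2017
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf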
squid.conf
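# Forward proxy for the LAN; listens only on the LAN-side address.
visible_hostname gw.f67.donenergo.net
http_port 192.168.188.2:3128
coredump_dir /var/log/squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
logfile_rotate 10
# refresh_pattern: the first matching line wins. The catch-all "." rule has been
# moved below the per-extension rules; in the original it preceded them, so the
# gif/png/jpg/... overrides could never match.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
dns_v4_first on
cache_mem 256 MB
maximum_object_size 8192 KB
minimum_object_size 4 KB
cache_dir ufs /var/cache/squid 5120 16 256
refresh_pattern -i \.gif$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.png$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.jpg$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.jpeg$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.swf$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.zip$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.rar$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.pdf$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.mp3$ 3600 100% 3600 override-lastmod override-expire
# Catch-all, last on purpose.
refresh_pattern . 0 20% 4320
# "manager" is a built-in ACL on Squid 3.2+; defining it is redundant there.
acl manager proto cache_object
# Client networks: the five LAN /24s plus the 10.8.67.0/24 VPN range.
# NOTE(review): localnet is never referenced by an http_access line shown here;
# access is granted only through the per-department *-list ACLs below.
acl localnet src 10.8.67.0/24 # RFC1918 possible internal network
acl localnet src 192.168.188.0/24 # RFC1918 possible internal network
acl localnet src 192.168.189.0/24 # RFC1918 possible internal network
acl localnet src 192.168.190.0/24 # RFC1918 possible internal network
acl localnet src 192.168.191.0/24 # RFC1918 possible internal network
acl localnet src 192.168.192.0/24 # RFC1918 possible internal network
# Destination / port lists kept in external files.
acl corp-srv dst "/usr/local/etc/squid/xallow/srv-corp"
acl ftp-ports port "/usr/local/etc/squid/xallow/port-ftp"
acl http-ports port "/usr/local/etc/squid/xallow/port-http"
acl ssl-ports port "/usr/local/etc/squid/xallow/port-ssl"
acl FTP proto FTP
acl HTTP proto HTTP
acl CONNECT method CONNECT
acl http-method-good method GET POST HEAD
# Redacted by the poster: the real source lists (servers-list, adm-list,
# uch-list, otp-list, smit-list, "*-list") are not shown, so this line is a
# placeholder and not loadable as written.
acl servers-list src списки кому куда можно
# Bandwidth limits: pool 1 for servers-list/adm-list, pool 2 for the other lists.
delay_pools 2 # Set two delay pools (numbered 1 and 2)
delay_class 1 2 # Set class 2 for delay pool 1
delay_parameters 1 512000/128000 128000/64000
delay_access 1 allow servers-list
delay_access 1 allow adm-list
delay_access 1 deny all # "Off" traffic limit delay pool 1 for all
delay_class 2 2 # Set class 2 for delay pool 2
delay_parameters 2 384000/128000 96000/48000
delay_access 2 allow *-list
delay_access 2 deny all # "Off" traffic limit delay pool 2 for all
# Per-department URL allow-lists; each allow requires the matching source list
# AND a matching URL. NOTE(review): "allow all corp_white" grants corp_white
# URLs to any source, and all four allows precede the port/method denies below,
# so requests allowed here are not bound by ftp-ports/http-ports/ssl-ports or
# http-method-good.
acl uch_white url_regex "/usr/local/etc/squid/xallow/site-uch"
acl otp_white url_regex "/usr/local/etc/squid/xallow/site-otp"
acl smit_white url_regex "/usr/local/etc/squid/xallow/site-smit"
acl corp_white url_regex "/usr/local/etc/squid/xallow/site-corp"
acl pto_white url_regex "/usr/local/etc/squid/xallow/site-pto"
http_access allow uch-list uch_white
http_access allow otp-list otp_white
http_access allow smit-list smit_white
http_access allow all corp_white
# Block list; evaluated after the allows above, so an allow-listed URL that also
# matches here is still permitted.
acl porn-sites url_regex -i "/usr/local/etc/squid/xdeny/site-porno"
http_access deny porn-sites # Block list of porn sites for all
# Torrent filtering on reply MIME type and on URL path. The second rep_mime_type
# regex already covers the first.
acl torrent_mime rep_mime_type -i ^application/x-bittorrent$
acl torrent_mime rep_mime_type -i application/x-bittorrent
http_reply_access deny torrent_mime
acl torrent urlpath_regex -i \.torrent$
http_access deny torrent
# Port / method restrictions (reached only by requests not already allowed above).
http_access deny FTP !ftp-ports
http_access deny HTTP !http-ports
http_access deny CONNECT !ssl-ports
http_access deny HTTP !http-method-good
# Cache manager from localhost only; everything else is denied by default.
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny all
# Anonymising: no Via / X-Forwarded-For, and strip the listed request headers.
# NOTE(review): dropping Cache-Control and Pragma from requests removes clients'
# revalidation hints; WWW-Authenticate is a response header and has no effect here.
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all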
со шлюза.
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
1 91.230.138.1 (91.230.138.1) 0.332 ms 0.250 ms 0.240 ms
2 10.61.10.222 (10.61.10.222) 2.995 ms 2.966 ms 2.986 ms
3 10.61.10.202 (10.61.10.202) 3.129 ms 2.984 ms 2.969 ms
4 10.61.10.201 (10.61.10.201) 3.107 ms 3.533 ms 3.078 ms
5 87.229.247.189 (87.229.247.189) 3.633 ms 3.687 ms 3.469 ms
6 pe26.Moscow.gldn.net (79.104.225.59) 21.493 ms
pe16.Moscow.gldn.net (79.104.235.205) 21.315 ms 21.309 ms
7 195.68.176.50 (195.68.176.50) 21.340 ms
72.14.198.48 (72.14.198.48) 21.054 ms
194.186.131.42 (194.186.131.42) 20.807 ms
8 108.170.250.83 (108.170.250.83) 21.430 ms
108.170.250.34 (108.170.250.34) 22.038 ms 22.110 ms
9 216.239.50.132 (216.239.50.132) 34.300 ms
209.85.255.136 (209.85.255.136) 35.613 ms 35.733 ms
10 216.239.43.20 (216.239.43.20) 33.407 ms
216.239.54.50 (216.239.54.50) 35.767 ms
216.239.47.137 (216.239.47.137) 34.815 ms
11 172.253.51.219 (172.253.51.219) 39.762 ms
172.253.51.243 (172.253.51.243) 35.746 ms^C
с клиента
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 _gateway (192.168.192.1) 0.240 ms 0.206 ms 0.179 ms
2 192.168.188.2 (192.168.188.2) 0.262 ms 0.235 ms 0.303 ms
3 * * *
4 * * *
5 * * *
trace со 188.1
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.188.2 (192.168.188.2) 0.185 ms 0.164 ms 0.153 ms
2 * * *
3 * * *
4 * * *
5 * * *
вот такое на новом провайдере
ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
НА СТАРОМ ПРОВАЙДЕРЕ
ng0: flags=88d1<POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0
inet 83.221.*.* --> 178.34.128.* netmask 0fffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
а ещё закомментировал ipnat.rules, и всё равно всё работает... выполнил ipnat -FC -f /etc/ipnat.rules — всё почистилось, и всё работает, мать его... я н**** не пойму, как тут всё так сконфигурировано
0 entries flushed from NAT table
6 entries flushed from NAT list