FreeBSD/MPD+IPF+IPNAT

MPD+IPF+IPNAT

mpdのインストール

# cd /usr/ports/net/mpd
# make install

/usr/local/etc/mpd/mpd.conf編集

$ cat /usr/local/etc/mpd/mpd.conf
# mpd(8) configuration for one PPPoE bundle ("SAKURA", the ISP).  The
# physical PPPoE link it uses ("PPPoE") is defined in mpd.links.
# Values in [...] are placeholders to be filled in.
default:
       load SAKURA

SAKURA:
# Bundle SAKURA on netgraph interface ng0, built from the link "PPPoE".
       new -i ng0 SAKURA PPPoE
# Dummy local/remote addresses; the real ones come from IPCP negotiation
# (see `set ipcp ranges` below, which accepts whatever the peer assigns).
       set iface addrs 1.1.1.1 2.2.2.2
# Install the default route over the PPP link when it comes up.
       set iface route default
# Always-on link: no dial-on-demand and no idle timeout.
       set iface disable on-demand
       set iface idle 0
# Interface MTU; must agree with the link mtu/mru below and with
# `mssclamp 1414` (= 1454 - 40 bytes IP+TCP header) in ipnat.rules.
       set iface mtu 1454
# Run after the interface comes up: the script re-syncs IPFilter (ipf -y)
# and reloads the NAT rules so they bind to the newly assigned address.
       set iface up-script /usr/local/etc/mpd/script-SAKURA.sh
       set bundle disable multilink
# NOTE(review): the PPPoE credentials are stored in clear text here, so
# this file must not be world-readable (root only, e.g. mode 0600).
        set bundle authname [ユーザ名]
       set bundle password [パスワード]
       set link no acfcomp protocomp
# Do not require the peer to authenticate to us (disable), but authenticate
# ourselves with CHAP when the peer asks (accept) — mpd's enable/accept
# distinction.  PAP is neither offered nor accepted.
       set link disable pap chap
       set link accept chap
       set link mtu 1454
       set link mru 1454
       set ipcp yes vjcomp
# Accept any local and remote address the peer proposes.
       set ipcp ranges 0.0.0.0/0 0.0.0.0/0
       open iface

/usr/local/etc/mpd/script-SAKURA.sh作成

$ cat /usr/local/etc/mpd/script-SAKURA.sh
#!/bin/sh
# Interface up-script for mpd (configured via "set iface up-script" in
# mpd.conf).  mpd runs it each time the PPPoE interface ng0 comes up.
ipnat_rules="/etc/ipnat.rules"

# Re-sync IPFilter's in-kernel interface/address list with the addresses
# ng0 was just given.
/sbin/ipf -y

# -C removes the NAT rules and -F flushes the active NAT table entries from
# the previous session; the rules are then reloaded so the `0/32` map
# targets presumably resolve to the new ng0 address.
/sbin/ipnat -CF -f "${ipnat_rules}"

/usr/local/etc/mpd/mpd.links作成

# Link "PPPoE" referenced by `new -i ng0 SAKURA PPPoE` in mpd.conf.
PPPoE:
       set link type pppoe
# Ethernet interface the PPPoE session runs over.
       set pppoe iface fxp0
# Service name requested from the access concentrator; "whatever" is
# presumably accepted by this provider — confirm against the ISP's docs.
       set pppoe service "whatever"
# Only originate sessions; never answer incoming PPPoE discovery, so this
# host cannot be made to act as an access concentrator.
       set pppoe disable incoming
       set pppoe enable originate

mpdの起動スクリプト作成

$ cat /usr/local/etc/rc.d/mpd.sh
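#!/bin/sh
#
# rc.d script: start/stop the mpd PPPoE daemon and (re)load the IPFilter
# and IPNAT rules once the link has had time to come up.
#
# Usage: mpd.sh {start|stop}
#
# start: launch mpd in the background, wait, then flush and reload
#        /etc/ipf.rules and /etc/ipnat.rules.
# stop:  terminate every running process named "mpd".
#
# Intended to be run as root from rc.d (ipf/ipnat and mpd need it).

mpd_command="/usr/local/sbin/mpd"
mpd_conf_file="/usr/local/etc/mpd/mpd.conf"
ipf_rules="/etc/ipf.rules"
ipnat_rules="/etc/ipnat.rules"

case "$1" in
    start)
        # Two quoted tests joined with && instead of the deprecated,
        # ambiguous `[ ... -a ... ]` with unquoted expansions.
        if [ -x "${mpd_command}" ] && [ -f "${mpd_conf_file}" ]; then
            "${mpd_command}" -b
            echo "mpd start pppoe connection"
        else
            # Previously this case was silent.  Report it, but still load
            # the firewall rules below so the host never runs unfiltered.
            echo "mpd.sh: ${mpd_command} not executable or ${mpd_conf_file} missing; mpd not started" >&2
        fi

        # Give mpd time to bring ng0 up before the rules are (re)loaded.
        sleep 5
        # -FA: flush all active filter rules, -Z: zero filter statistics,
        # -f: load the rules file.
        /sbin/ipf -FA -Z -f "${ipf_rules}"
        #/sbin/ipf -y
        # -C: delete the NAT rules, -F: flush active NAT table entries,
        # then load the NAT rules file.
        /sbin/ipnat -CF -f "${ipnat_rules}"
        ;;

    stop)
        echo "mpd stop pppoe connection"
        # killall matches by process name, so every process called "mpd"
        # gets SIGTERM, not only the one started above.
        /usr/bin/killall mpd
        ;;

    *)
        echo "Usage: mpd.sh {start|stop}" >&2
        exit 1
        ;;
esac

exit 0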

カーネル再構築

カーネル再構築 ⇒ FreeBSD/カーネル再構築
下記を追加してカーネル再構築

# for net/mpd
# Netgraph nodes mpd needs to run PPP over PPPoE over Ethernet (fxp0).
options         NETGRAPH
options         NETGRAPH_BPF
options         NETGRAPH_ETHER
options         NETGRAPH_IFACE
options         NETGRAPH_PPP
options         NETGRAPH_PPPOE
options         NETGRAPH_SOCKET
options         NETGRAPH_VJC
# for IPFilter
options         IPFILTER
# Needed for the `log` keyword in ipf.rules / ipmon.
options         IPFILTER_LOG
# Packets matching no rule at all are dropped rather than passed.
# NOTE(review): the `head` rules in ipf.rules for ng0 are themselves
# `pass ... all`, so on ng0 every packet matches a rule and this default
# presumably never applies there; it only covers other interfaces.
options         IPFILTER_DEFAULT_BLOCK
# Drop TCP segments with SYN and FIN both set (see tcp_drop_synfin in rc.conf).
options         TCP_DROP_SYNFIN

/etc/rc.confの編集

# Load IPFilter at boot from the rules file below (no extra ipf flags).
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
# ipmon: run as a daemon (-D) and write hits of `log` rules to /var/log/ipflog.
ipmon_enable="YES"
ipmon_flags="-D /var/log/ipflog"
# Load the NAT rules at boot.
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
# Enable IP forwarding so the box routes between the LAN and PPPoE sides.
gateway_enable="YES"
# No RPC portmapper on a border router.
portmap_enable="NO"
# Drop TCP segments with SYN+FIN set (kernel built with TCP_DROP_SYNFIN).
tcp_drop_synfin="YES"

IPF

とりあえず ipf.rules を作るという場合（下記は全てのパケットを通過させるだけでフィルタとして機能しないため、接続確認時の暫定用に限り、外部に接続したまま放置しないこと）

# cat /etc/ipf.rules
# WARNING: passes every packet in both directions — no filtering at all.
# Bring-up placeholder only; replace with the real ruleset before leaving
# the link connected.
pass in  all
pass out all

編集済み/etc/ipf.rules

$ cat /etc/ipf.rules 
#--- ipf.rules ---
# IPFilter ruleset for a PPPoE router.  ng0 = PPPoE/Internet side,
# rl1 = LAN side (passed unconditionally below), lo0 = loopback.
# Group 250 refers to ng1, which the mpd.conf on this page does not define.
#
# NOTE(review): IPFilter is last-match-wins unless a rule says `quick`,
# and a `head` rule's own action stands for packets matching nothing in
# its group.  Both ng0 heads below are `pass ... all`, so anything not
# explicitly handled inside a group is ALLOWED (e.g. TCP with neither
# SYN-only nor ACK set, or non-TCP/UDP/ICMP protocols).  The non-quick
# `block` rules at the top of group 100 are also overridden by any later
# `quick pass` that matches the same packet — a SYN from 10.0.0.0/8 to
# port 22/25/53/80, or any ACK-bearing segment, gets through.  Making the
# anti-spoofing blocks `quick` (and using a block head with explicit passes)
# would close this.

# Group 0 (no head): on every interface, log and drop packets with IP
# options / fragments and TCP segments too short to carry a full header.
block in log quick from any to any with ipopts frag
block in log quick proto tcp from any to any with short

## group 100 — inbound on ng0 (Internet side)
# Head action is `pass`: unmatched inbound traffic on ng0 is allowed.
pass in on ng0 all head 100

# Anti-spoofing: loopback, RFC1918, this-network, link-local, TEST-NET,
# multicast and class E sources must not arrive from the Internet.
# NOTE(review): these are NOT `quick`, so a later quick pass (ssh/smtp/
# dns/www SYNs, or the A/A rule) overrides them.  192.168.10.0/24 and
# 192.168.0.0/24 are already covered by 192.168.0.0/16.
block in from 127.0.0.0/8 to any group 100
block in from 192.168.10.0/24 to any group 100
block in from 10.0.0.0/8 to any group 100
block in from 172.16.0.0/12 to any group 100
block in from 192.168.0.0/16 to any group 100
block in from 192.168.0.0/24 to any group 100
block in from 0.0.0.0/8 to any group 100
block in from 169.254.0.0/16 to any group 100
block in from 192.0.2.0/24 to any group 100
block in from 224.0.0.0/4 to any group 100
block in from 240.0.0.0/4 to any group 100

# NetBIOS (ports 137-139; `136 >< 140` is exclusive) in either direction.
block in quick proto tcp/udp from any port 136 >< 140 to any group 100
block in quick proto tcp/udp from any to any port 136 >< 140 group 100

# Default for UDP: blocked unless a later rule in this group passes it
# (DNS below is quick; the NTP rule is a later, non-quick match).
block in proto udp all group 100

# Stateless "established" rule: ANY TCP segment with ACK set, to any port,
# from any source, is passed immediately.  NOTE(review): because the
# outbound rules in groups 200/250 use `keep state`, replies to our own
# connections are already matched by the state table; this rule therefore
# mainly admits unsolicited ACK traffic (ACK scans) to every port and
# defeats the non-quick blocks above.  Consider removing or restricting it.
pass in quick proto tcp all flags A/A group 100

# ssh to this host.
pass in quick proto tcp from any to any port = 22 flags S/SA group 100

# FTP.  NOTE(review): the first rule (SYN from source port 20, i.e.
# active-mode data connections opened by remote servers) is not `quick`
# and is superseded by the quick `block ... flags S/SA` further down, so
# it has no effect; the third rule is unreachable because the A/A rule
# above already passed such segments.  The two quick rules admit FTP
# control (21) and data (20) connections to this host.
pass in proto tcp from any port = 20 to any flags S/SA group 100
pass in quick proto tcp from any to any port = 20 flags A/A group 100
pass in proto tcp from any port = 21 to any flags A/A group 100
pass in quick proto tcp from any to any port = 21 flags S/SA group 100

# smtp to this host.
pass in quick proto tcp from any to any port = 25 flags S/SA group 100

# IDENT: reject with RST so remote mail/irc servers do not wait for a timeout.
block return-rst in quick proto tcp from any to any port = 113 group 100

# DNS to this host (TCP and UDP).
pass in quick proto tcp from any to any port = 53 flags S/SA group 100
pass in quick proto udp from any to any port = 53 group 100

# WWW to this host (HTTPS left disabled).
pass in quick proto tcp from any to any port = 80 flags S/SA group 100
#pass in quick proto tcp from any to any port = 443 flags S/SA group 100

# Any other incoming TCP connection attempt: log and drop.
block in log quick proto tcp all flags S/SA group 100

# NTP replies, matched statelessly by source port 123 (last match wins over
# the UDP block above).  NOTE(review): any UDP with source port 123 reaches
# every UDP port on this host; a `keep state` outbound rule already covers
# our own NTP queries.
pass in proto udp from any port = 123 to any group 100

# All ICMP types are accepted inbound.
pass in proto icmp all group 100

## RFC2979 (left disabled; note it references group 150, which does not exist)
#pass in proto icmp all icmp-types 3 group 150

## group 200 — outbound on ng0
# Head action is `pass`: unmatched outbound traffic is allowed.
pass out on ng0 all head 200

# Stateful passes: create state so the replies are accepted inbound without
# consulting group 100.  These are quick and match all ICMP, all UDP, and
# every TCP connection-opening SYN, so most of the rules below them in
# this group are never reached for those packets.
pass out quick proto icmp from any to any keep state group 200
pass out quick proto udp from any to any keep state group 200
pass out quick proto tcp from any to any flags S/SAFR keep state group 200

# Stateless DNS passes; only non-SYN TCP to port 53 can still get here.
pass out proto tcp from any to any port = 53 group 200
pass out proto tcp from any to any port = 53 flags S/SA group 200
pass out proto udp from any to any port = 53 group 200

# Unreachable: UDP was already passed quick above.
pass out proto udp from any to any port = 123 group 200

# NOTE(review): intended to allow only ICMP type 3 out, but the quick
# `pass out ... icmp ... keep state` above matches first, so these two
# rules never run and all outbound ICMP is allowed.
block out proto icmp all group 200
pass out proto icmp all icmp-type 3 group 200

# NetBIOS outbound.  NOTE(review): UDP 137-139 and TCP SYNs to 137-139
# were already passed quick above; only non-SYN TCP segments reach these.
block out quick proto tcp/udp from any port 136 >< 140 to any group 200
block out quick proto tcp/udp from any to any port 136 >< 140 group 200

## group 250 — outbound on ng1 (a second PPP interface; not configured in
## the mpd.conf shown on this page).  Same structure and caveats as group 200.
#
pass out on ng1 all head 250

pass out quick proto icmp from any to any keep state group 250
pass out quick proto udp from any to any keep state group 250
pass out quick proto tcp from any to any flags S/SAFR keep state group 250

# Stateless pass for ACK-bearing TCP; redundant with the `pass` head.
pass out proto tcp all flags A/A group 250

pass out proto tcp from any to any port = 53 group 250

pass out proto udp from any to any port = 123 group 250

# Dead rules, as in group 200: the quick ICMP pass above matches first.
block out proto icmp all group 250
pass out proto icmp all icmp-type 3 group 250

# NetBIOS outbound (same reachability caveat as in group 200).
block out quick proto tcp/udp from any port 136 >< 140 to any group 250
block out quick proto tcp/udp from any to any port 136 >< 140 group 250

## group 300 — inbound on rl1 (LAN): everything from the LAN is trusted.
# No `keep state` here; replies to LAN clients are covered by the state
# created on ng0, and anything else falls back to the `pass` head.
pass in on rl1 all head 300

pass in quick proto icmp from any to any group 300
pass in quick proto udp from any to any group 300
pass in quick proto tcp from any to any flags S/SAFR group 300

## group 400 — outbound on rl1 (LAN): everything is allowed.
#
pass out on rl1 all head 400

pass out quick proto icmp from any to any group 400
pass out quick proto udp from any to any group 400
pass out quick proto tcp from any to any flags S/SAFR group 400

## group 0 — loopback is unrestricted.
#
pass in quick on lo0 all
pass out quick on lo0 all
#--- ipf.rules end ---

IPFのルール追加

# echo "@1 block in quick from 192.168.1.20 to any" | /sbin/ipf -f -

ルールの削除

# echo "block in quick from 192.168.1.20 to any" | /usr/sbin/ipf -r -f -

設定の保存: 現在カーネルに読み込まれているルールをファイルに書き出す（/etc/ipf.rules を上書きし、コメントや並び順のメモも失われるため、実行前にバックアップを取ること）

# ipfstat -io > /etc/ipf.rules

IPNAT

# cat /etc/ipnat.rules
# Source NAT for the LAN 192.168.0.0/24 leaving via ng0.  `0/32` stands
# for the address ng0 has when the rules are loaded, which is why the mpd
# up-script re-runs `ipnat -CF -f` after every (re)connect.  Rules are
# tried in order and the first match is used, so the FTP proxy (needed for
# active-mode data connections) must precede the generic rules.
# mssclamp 1414 = 1454 (PPPoE MTU in mpd.conf) - 40 bytes IP+TCP header.
map ng0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp mssclamp 1414
# TCP/UDP: also rewrite the source port, chosen automatically.
map ng0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto mssclamp 1414
# Everything else (e.g. ICMP): address-only translation.
map ng0 192.168.0.0/24 -> 0/32 mssclamp 1414

IPNATでリダイレクト(透過的に送る機能)

# Forward connections arriving on ng0 for port 80 (any destination address,
# hence 0.0.0.0/0) to the internal host 192.168.1.7.  Note this address is
# outside the 192.168.0.0/24 the map rules translate; adjust to the real
# LAN.  Inbound packets are translated before they are filtered, so the
# WWW `pass in ... port = 80` rule in ipf.rules still has to admit them.
rdr ng0 0.0.0.0/0 port 80 -> 192.168.1.7 port 80

IPNATでの負荷分散

この例では、202.11.97.29 の Web に来たパケットは最初は 192.168.0.2 に送り、次に来たコネクションは 192.168.0.3 に、その次は 192.168.0.4 にと巡回的に送ります。
パケットを振り分ける(round robin)

# Round-robin load balancing: successive TCP connections to 202.11.97.29:80
# on ng0 are handed to 192.168.0.2, .3 and .4 in turn.  The three rules
# must be identical apart from the target address for the rotation to work.
rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.2 port 80 tcp round-robin
rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.3 port 80 tcp round-robin
rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.4 port 80 tcp round-robin

IPF・IPNATの新しいルールの反映、確認のコマンド

ipf -Fa -Z -f /etc/ipf.rules	ipf.rulesに書き換えたルールを反映させるコマンド
ipfstat -i			IPFilterのイン側の設定を見るコマンド
ipfstat -o			IPFilterのアウト側の設定を見るコマンド
ipnat -l			         natの設定を確認するコマンド
ipnat -CF -f /etc/ipnat.rules	ipnat.rulesに書き換えた内容を反映させるコマンド

http://x68k.net/nagai/pukiwiki/index.php?FreeBSD%2Frouter

http://x68k.net/diary/?200310b#200310200

http://www.fujie.jp/freebsd/freebsd_router_ipfilter.html