FreeBSD/MPD+IPF+IPNAT の変更点
*MPD+IPF+IPNAT [#pc2f7826]
#contents
**mpdのインストール [#cb4d511b]
# cd /usr/ports/net/mpd
# make install
***/usr/local/etc/mpd/mpd.conf編集 [#tbd3d57b]
$ cat /usr/local/etc/mpd/mpd.conf
default:
load SAKURA
SAKURA:
new -i ng0 SAKURA PPPoE
set iface addrs 1.1.1.1 2.2.2.2
set iface route default
set iface disable on-demand
set iface idle 0
set iface mtu 1454
set iface up-script /usr/local/etc/mpd/script-SAKURA.sh
set bundle disable multilink
set bundle authname [ユーザ名]
set bundle password [パスワード]
set link no acfcomp protocomp
set link disable pap chap
set link accept chap
set link mtu 1454
set link mru 1454
set ipcp yes vjcomp
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
open iface
***/usr/local/etc/mpd/script-SAKURA.sh作成 [#t74cc853]
$ cat /usr/local/etc/mpd/script-SAKURA.sh
#!/bin/sh
/sbin/ipf -y
/sbin/ipnat -CF -f /etc/ipnat.rules
***/usr/local/etc/mpd/mpd.links作成 [#s6b20e48]
PPPoE:
set link type pppoe
set pppoe iface fxp0
set pppoe service "whatever"
set pppoe disable incoming
set pppoe enable originate
***mpdの起動スクリプト作成 [#hfb95cdf]
$ cat /usr/local/etc/rc.d/mpd.sh
#!/bin/sh
mpd_command="/usr/local/sbin/mpd"
mpd_conf_file="/usr/local/etc/mpd/mpd.conf"
case "$1" in
start)
if [ -x ${mpd_command} -a -f ${mpd_conf_file} ]; then
${mpd_command} -b
echo "mpd start pppoe connection"
fi
sleep 5
/sbin/ipf -FA -Z -f /etc/ipf.rules
#/sbin/ipf -y
/sbin/ipnat -CF -f /etc/ipnat.rules
;;
stop)
echo "mpd stop pppoe connection"
/usr/bin/killall mpd
;;
*)
echo "Usage: mpd.sh {start|stop}"
exit 1
esac
exit 0
**カーネル再構築 [#l99c72bc]
カーネル再構築 ⇒ [[FreeBSD/カーネル再構築>FreeBSD/カーネル再構築]]~
下記を追加してカーネル再構築
# for net/mpd
options NETGRAPH
options NETGRAPH_BPF
options NETGRAPH_ETHER
options NETGRAPH_IFACE
options NETGRAPH_PPP
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
options NETGRAPH_VJC
# for IPFilter
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options TCP_DROP_SYNFIN
**/etc/rc.confの編集 [#t28ce05c]
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-D /var/log/ipflog"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
gateway_enable="YES"
portmap_enable="NO"
tcp_drop_synfin="YES"
**IPF [#vc8439b3]
とりあえず ipf.rules を作るという場合
# cat /etc/ipf.rules
pass in all
pass out all
***編集済み/etc/ipf.rules [#ac01c88d]
$ cat /etc/ipf.rules
#--- ipf.rules ---
block in log quick from any to any with ipopts frag
block in log quick proto tcp from any to any with short
## group 100
#
pass in on ng0 all head 100
block in from 127.0.0.0/8 to any group 100
block in from 192.168.10.0/24 to any group 100
block in from 10.0.0.0/8 to any group 100
block in from 172.16.0.0/12 to any group 100
block in from 192.168.0.0/16 to any group 100
block in from 192.168.0.0/24 to any group 100
block in from 0.0.0.0/8 to any group 100
block in from 169.254.0.0/16 to any group 100
block in from 192.0.2.0/24 to any group 100
block in from 224.0.0.0/4 to any group 100
block in from 240.0.0.0/4 to any group 100
#NetBIOS
block in quick proto tcp/udp from any port 136 >< 140 to any group 100
block in quick proto tcp/udp from any to any port 136 >< 140 group 100
block in proto udp all group 100
pass in quick proto tcp all flags A/A group 100
#ssh
pass in quick proto tcp from any to any port = 22 flags S/SA group 100
#FTP
pass in proto tcp from any port = 20 to any flags S/SA group 100
pass in quick proto tcp from any to any port = 20 flags A/A group 100
pass in proto tcp from any port = 21 to any flags A/A group 100
pass in quick proto tcp from any to any port = 21 flags S/SA group 100
#smtp
pass in quick proto tcp from any to any port = 25 flags S/SA group 100
#deny IDENT
block return-rst in quick proto tcp from any to any port = 113 group 100
#DNS
pass in quick proto tcp from any to any port = 53 flags S/SA group 100
pass in quick proto udp from any to any port = 53 group 100
#WWW
pass in quick proto tcp from any to any port = 80 flags S/SA group 100
#pass in quick proto tcp from any to any port = 443 flags S/SA group 100
block in log quick proto tcp all flags S/SA group 100
#return NTP
pass in proto udp from any port = 123 to any group 100
#ping icmp
pass in proto icmp all group 100
## RFC2979
#pass in proto icmp all icmp-types 3 group 150
##group200
#
pass out on ng0 all head 200
pass out quick proto icmp from any to any keep state group 200
pass out quick proto udp from any to any keep state group 200
pass out quick proto tcp from any to any flags S/SAFR keep state group 200
pass out proto tcp from any to any port = 53 group 200
pass out proto tcp from any to any port = 53 flags S/SA group 200
pass out proto udp from any to any port = 53 group 200
pass out proto udp from any to any port = 123 group 200
block out proto icmp all group 200
pass out proto icmp all icmp-type 3 group 200
#NetBIOS
block out quick proto tcp/udp from any port 136 >< 140 to any group 200
block out quick proto tcp/udp from any to any port 136 >< 140 group 200
##group250
#
pass out on ng1 all head 250
pass out quick proto icmp from any to any keep state group 250
pass out quick proto udp from any to any keep state group 250
pass out quick proto tcp from any to any flags S/SAFR keep state group 250
pass out proto tcp all flags A/A group 250
pass out proto tcp from any to any port = 53 group 250
pass out proto udp from any to any port = 123 group 250
block out proto icmp all group 250
pass out proto icmp all icmp-type 3 group 250
#NetBIOS
block out quick proto tcp/udp from any port 136 >< 140 to any group 250
block out quick proto tcp/udp from any to any port 136 >< 140 group 250
##group 300
#
pass in on rl1 all head 300
pass in quick proto icmp from any to any group 300
pass in quick proto udp from any to any group 300
pass in quick proto tcp from any to any flags S/SAFR group 300
##group 400
#
pass out on rl1 all head 400
pass out quick proto icmp from any to any group 400
pass out quick proto udp from any to any group 400
pass out quick proto tcp from any to any flags S/SAFR group 400
##group 0
#
pass in quick on lo0 all
pass out quick on lo0 all
#--- ipf.rules end ---
***IPFのルール追加 [#s99cd284]
# echo "@1 block in quick from 192.168.1.20 to any" | /sbin/ipf -f -
***ルールの削除 [#o03ae484]
# echo "block in quick from 192.168.1.20 to any" | /usr/sbin/ipf -r -f -
***設定の保存 現在の設定をファイルに書き込む [#b70ec9f2]
# ipfstat -io > /etc/ipf.rules
**IPNAT [#xabddc8b]
# cat /etc/ipnat.rules
map ng0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp mssclamp 1414
map ng0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto mssclamp 1414
map ng0 192.168.0.0/24 -> 0/32 mssclamp 1414
***IPNATでリダイレクト(透過的に送る機能) [#o9950eaf]
rdr ng0 0.0.0.0/0 port 80 -> 192.168.1.7 port 80
***IPNATでの負荷分散 [#g9194d0b]
この例では、202.11.97.29 の Web に来たパケットは最初は 192.168.0.2 に送り、次に来たコネクションは 192.168.0.3 に、その次は 192.168.0.4 にと巡回的に送ります。~
パケットを振り分ける(round robin)
rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.2 port 80 tcp round-robin
rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.3 port 80 tcp round-robin
rdr ng0 202.11.97.29/32 port 80 -> 192.168.0.4 port 80 tcp round-robin
***IPF・IPNATの新しいルールの反映、確認のコマンド [#w441c1fa]
ipf -Fa -Z -f /etc/ipf.rules ipf.rulesに書き換えたルールを反映させるコマンド
ipfstat -i IPFilterのイン側の設定を見るコマンド
ipfstat -o IPFilterのアウト側の設定を見るコマンド
ipnat -l natの設定を確認するコマンド
ipnat -CF -f /etc/ipnat.rules ipnat.rulesに書き換えた内容を反映させるコマンド
http://x68k.net/nagai/pukiwiki/index.php?FreeBSD%2Frouter
http://x68k.net/diary/?200310b#200310200
http://www.fujie.jp/freebsd/freebsd_router_ipfilter.html
