DELSTARTDELEND
-
【新客网FreeB.SD教程】用ipfilt.er在动态ip环境下做重定向 健康
欢迎斧正,.转载必须保留版权信息 .
在ipfilter的n.at规则中,假如出口ip地址是动态ip,比如PPPoE拨号或DHCP,那么可以.使用类似 美容
map tun0 192.16.8.0.0/24 -> 0.0.0.0/32 的语法进行地址(端口)映射;可.是类似 (广告)
rdr tun0. 0/32 port rtsp -> .192.168.2.100 port rtsp tcp/udp这样的语法却是不对的,因为rdr 杀毒
规则要求第三个域是ip包的目的地址,通常是.该出口网卡的地址,显然,当别人访问你的机器的时候tcp/udp包的目的地址是你的当前地址,而不是0/32,所以,rdr tun0 0/32 ...这样的规.则是不会.生效的,你必须以该网卡的当前ip地址来做这个规则;ipfi.lter本身没有提供这样的定义使得我们可以方便的做这样的规则,下面是我做的脚本,用来动态的获得当前.出口网卡地址,并一次刷新ipfilter规则。 乙肝
1。内核中编译ipfilter的支持.,不能让ipfilter.以模块的形式载入; .
因为我没有在/etc/rc.conf中指定.ipfilter_ena.ble="yes"; 外汇
2。.编制如下shell script; --------------彩票
#!/bin/sh
#vi /usr/.local./sbin/ipf.sh 服务器
#此脚本用来刷新ipf规则; . 建材
#注重/etc/ipf.rules是根据/etc/ipf.rules.template.这个模板自动生成.的; CSUBOY综合社区
#所以,.假如你要改规则,应该改/etc/ipf.rul.es.template这个模板; .
#For dynam.ic. ip ipf rules CSUBOY
#$EXT_NIC i.s the internet connecte.d NIC 美容
#$.EXT_ADDR is the internet connected NIC AD.DRESS. 汽车
#get dynamic n.ic. 虚拟主机
#获得默认路由经过的网卡,.即所谓的外网网卡; 学习
EXT_NIC=`netsta.t -.arn | grep "default\>" | awk '{print $6 }'` 建材
if [ -z $EXT_.NIC ]; .
then
echo "ERROR d.efault ga.teway NO found !!!" .
exit 1
else
export EXT._NIC --------------彩票
#get dy.namic nic and ip. (广告)
#获得外网卡地址;
EXT_ADDR=.`ifconfig $EXT_NIC | grep "inet\>" | awk .'{print $2}'` .
i.f [ -z $EXT_ADDR ]; .
then
echo "..ERROR:EXT_ADDR NO found !!!" [成人用品]
exit 1
else
e.xport EXT_ADDR --------------彩票
#根据上述信息参照模板生成规.则; .
ech.o "#NOTE:" .>/etc/ipf.rules .
echo "#DON'T modify /etc/ipf.r.ules for your ipf rules ,Just .modify /etc/ipf.rules.template instance !!!." >>/etc/ipf.rules 婚庆
echo "#Read /usr../local/sbin/ipf.sh for detail." >>/etc/ipf.rules 服务器
echo "#." >>/etc/ipf...rules 虚拟主机
echo ".#Reflashed date:`.date`." >>/etc/ipf.rules <性病>
sed s/\$EXT_NIC/$EX.T_NIC/g /etc/ipf.rules.template >/etc/ipf.rules.nic . 外汇
sed s/\$EXT_ADDR/$EXT_ADDR/g /e.tc/ipf.rules.nic >>/etc/ip.f.rules 教育
#刷新规则;
/sbin/ipf -Fa
/sbin/ipf -y -f /etc/ipf.r.u.les 杀毒
fi
fi
#end /usr/lo.cal/sbin/ip.f.sh 学习
#!/bin/sh
#.vi /usr/local/sbin/ipnat..sh 外汇
#此脚本用来刷.新ipnat规则; ( 游戏 )
#注重/etc/ipnat.rules是根据/etc./ipnat.rules.template.这个模板自动生成的; 建材
#所以,假如你要改规则.,应该改/etc/ipnat.rules.template这.个模板; 学习
#For dynami.c ip ip.nat rules 鲜花
#.$EXT_NIC is t.he internet connected NIC 健康
#$EXT_ADDR is the internet connec.ted NIC ADDRE.SS. <性病>
#get. dynamic nic. 鲜花
#获得默认路由经.过的网卡,即所谓的外网网卡; (广告)
EXT_NIC=`netstat -arn | gre.p. "default\>" | awk '{print $6 }'` CSUBOY综合社区
if [ .-z $EXT_NIC ]; CSUBOY
then
echo "ERROR default g.ateway NO fo.und !!!" .
exit 1
else
export .EXT_NIC 健康
#.get dynamic nic and ip. .
#获得外网卡地址;
E.XT_ADDR=`ifconfig $EXT_NIC | grep "inet\>" | .awk '{print $2}'` 鲜花
i.f [ -z $EXT_ADDR ]; --------------彩票
then
echo ."ERROR:E.XT_ADDR NO found !!!" 鲜花
exit 1
else
expo.rt EXT_ADDR 虚拟主机
#根据上述.信息参照模板生成规则; 婚庆
echo "#NOTE:" >/etc/ipn.at.rules. 美容
echo "#DON'T modify /etc/ipn.at.rules for your .nat rules ,Just. modify /etc/ipnat.rules.template instance !!!" >>./etc/ipnat.rules 婚庆
echo "#Read /us.r/local/sbin/ipnat.sh for detail." >>/etc/ipnat..rules 电影
e.cho "#.." >>/etc/ipnat.rules 投资
ec.ho "#Reflashed date:.`date`." >>/etc/ipnat.rules 外汇
sed s/\$EXT_NIC/$EXT_NIC/g /etc/ipnat.rules.template >/etc/ipnat.r.ules.nic . 婚庆
sed s/\$EXT_ADDR/$EXT_ADDR/g ./etc./ipnat.rules.nic >>/etc/ipnat.rules 汽车
#刷新规则;
/sbin./ipnat -C (广告)
/sbin./ipnat -v -f /etc/ipnat..rules 虚拟主机
fi
fi
#end /usr/local./sbin/ipnat..sh .
#!/bin/sh
#vi /usr/.local/sbin/.ipfrenew 建材
#调用预先编制的脚本刷新ip.f以及ipnat规则.; .
/usr/local/sb.in/ipf.sh .
/.usr/local/sbin/ipnat.sh 学习
#显示当前状况;
/sbin/i.pnat -l |grep -v '<- -> ' ..
echo List of active sessions have been cut.te.d. .
/sbin/.ipfstat -if --- 印刷
/sbin/i.pfstat -of 健康
#end .of /usr/loca.l/sbin/ipfrenew 乙肝
#设置可执行;
chmod 700 ./usr/local/sbin./* .
3。在会更换ip的程序中调用/usr/local./sb.in/ipfrenew 乙肝
PPPoE:
#vi /etc/ppp/ppp.linkup. 电子
default:
pppoe:
shell. "/usr/local/s.bin/ipfrenew" ( 游戏 )
#end of /etc/p..pp/ppp.linkup 虚拟主机
#假设你的PPP.oE配置名称叫pppoe; 乙肝
DHCP(Cable modem):. 学习
#!/bin/sh
#vi ./etc/dhclient-exit-hook.s .
/usr/local/sbin/ipfren.ew --- 印刷
#end of /etc/dhclient.-exit-hooks. .
#至于说调..用的语法,自己查man,都说的很清楚了; --- 印刷
#罗嗦一句,假如你不怕麻烦,这个方法用在固定ip的环境也是可以的,就是.要在/etc/rc..local中调用/usr/local/sbin/ipfrenew,不能.依靠 CSUBOY
#/etc/rc.conf中的i.pfilter_enable设置;因.为当系统处理ipfilter_e.nable设置时,还没有设置default gateway; 教育
#begin o.f /etc/ipnat.r.ules.template .
rdr $EXT_NIC $EXT_ADDR/32 port 5..022 -> 192.168.1.82 port 22 电子
rdr $EXT_NIC $EXT._ADDR/32 port 5023 -> 1.92.168.1.82 port 23 .
rdr $EXT_.NIC $EXT_ADDR/32 port 9900 .-> 192.168.1.82 port 9900 虚拟主机
# For 19.2.168.0.0/24 女人
# -------------------------------------------------------.--.--- 鲜花
# Use ipfilte.r FTP proxy for hosts behi.nd NAT doing transfer 域名
# mode a.ctive. .
# ----------------------------------------.------------------.-- 投资
map $EXT_NIC 192.168.0.0/24 -> $EX.T_ADDR/3.2 proxy port ftp ftp/tcp --- 印刷
# ---------------------.-----------------.--------------------- 外贸
# Use. ipfilter IKE proxy for ESP packets for. hosts behind NAT [成人用品]
# .IP Filter 3.4.21 and beyond on.ly. ( 游戏 )
# -.-------------------------------------------.--------------- 电子
map $EXT_NIC 192.168.0.0/24 -> $EXT_ADDR/32 proxy port 500 ipsec/ud.p. 鲜花
# -----.-----------------------------------------------------.- 婚庆
# Use ipfilter RealAudio proxy. for hosts behin.d NAT 外汇
# -----------------.------------.------------------------------ .
map $E.XT_NIC 192.168.0.0/24 .-> $EXT_ADDR/32 proxy port 7070 raudio/tcp 杀毒
# -----------------------------------.------------.------------ 电影
# Use ipfi.lter. H323 proxy for hosts behind NAT .
# ------------------------------.---------------------------.-- ( 游戏 )
map $EXT_NIC 19.2.168.0.0/24 -> $E.XT_ADDR/32 proxy port 1720 h323/tcp .
#. --------------------------------------------------.--------- .
# Map a.ll int.ernal UDP and TCP traffic to the external IP address 教育
# --------------.--------------------------------------.------- .
map .$EXT_NIC 192.168.0.0/24 ->. $EXT_ADDR/32 portmap tcp/udp 40000:60000 服务器
# ----------------------------------.----------------------.--- 教育
# Map all. other traffic e.g. .ICMP to the external IP address 电子
# ------.--------.--------------------------------------------- 杀毒
map $EXT_NIC 192.168.0..0/24 ->. $EXT_ADDR/32 --- 印刷
#en.d of /etc/ipnat..rules.template .
#begin of /etc/i.pf.rule.s.template 乙肝
#ipfilter default to pass..; ( 游戏 )
bloc.k in log quick .all with ipopts 学习
block in log quick al.l with short. 教育
block in. log quick all with fra.g ( 游戏 )
b.lock in log on $EXT_NIC al.l .
block ou.t log. on $EXT_NIC all .
block. in quick. on $EXT_NIC from 10.0.0.0/8 to any 女人
block. in log quick on $EXT_NIC from 192.168.0.0/16 to .any
block in log quick on $EX.T_NIC from. 172.16.0.0/12 to any --- 印刷
block in log quick on $EXT._NI.C from 127.0.0.0/8 to any 教育
block in log quick on $EXT_NIC from 169.254..0.0/1.6 to any .
pass .in on $EXT_NIC proto icmp fro.m any to any icmp-type echo CSUBOY
pass in on $EXT_NIC proto icmp from any. to any i.cmp-type echorep 乙肝
#.for http and https .
pass in q.uick on $EXT_NIC proto tcp from any to any port = 80 k.eep state 电子
pass in quick on $EXT_NIC proto tcp .from any to any port = 443 k.eep state .
#for mail
pass in quick on $EXT_NIC proto. tcp from an.y to any port = 25 keep state .
pass in quick on $EXT_N.IC proto tcp from any to any port = 110 keep state. 鲜花
p.ass out quick on $EXT_NIC proto tc.p/udp from any to any keep state 教育
pass out quick on $EXT_NIC proto icmp from any to .any keep s.tate .
block return-rst in log on $EXT._NIC proto tcp from any to a.ny 投资
block re.turn-icmp-as-dest(port-unr) in .log on $EXT._NIC proto udp from any to any ( 游戏 )
#end of /etc/.ipf.rules.template. 外汇
-
