At work I have FreeBSD (6.x) running as a gateway. Squid is set up. I need packets going to port 80 and (ideally) port 21 to be redirected to 3128. I tried to set this all up with pf:
[color=darkred]ext_if="rl0"
int_if="sis0"
internal_net="192.168.1.0/24"
external_addr="83.221.211.202"
lo0="127.0.0.1"
tcp_services = "{ 5999, 110, 53, 443, 25, 8080, 5190, 1521, 6001 }" #
# "{ ftp-data, cvsup, smtp, domain, http, https, pop3, aol }"
#udp_services = "{ 53, 123 }"
udp_services = "{ domain, ntp }"
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"
zenit_main = "{ ... }"
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on $ext_if from $internal_net to any -> ($ext_if)
#rdr pass on $ext_if proto tcp from any to $ext_if port $oracle_port -> $oracle_server port $oracle_port
#rdr pass on $ext_if proto tcp from any to $ext_if port 2022 -> $oracle_server port ssh
# squid forwarding
rdr pass on $int_if proto tcp from $internal_net to any port { 21, 80, 8080 } -> lo0 port 3128
pass in quick on $int_if inet proto tcp from any to lo0 port 3128 keep state
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state
#DNS
pass out proto tcp to any port domain keep state
pass proto udp to any port domain keep state
#set optimization normal
#set block-policy drop
#set loginterface $ext_if
pass quick on lo0 all
block quick log from any os NMAP
block log all
block in quick on $ext_if from $internal_net to any
block out quick on $ext_if from any to $internal_net
antispoof for $ext_if
# terminal access support
#pass in proto tcp from $terminal_source to any port $terminal_port #flags S/SA keep state
#pass out proto tcp from $internal_net to $terminal_source port $terminal_port #flags S/SA keep state
# ftp support
#pass in proto { tcp, udp } from any to any port { 20, 21 } keep state
#pass out proto { tcp, udp } from any to any port { 20, 21 } keep state
# ssh support
pass in proto tcp from any to any port 22 flags S/SA keep state
pass out proto tcp from any to any port 22 flags S/SA keep state
# allow tcp services
pass in quick proto tcp from any to any port $tcp_services flags S/SA keep state
pass out proto tcp from any to any port $tcp_services flags S/SA keep state
# allow udp services
pass quick inet proto udp to any port $udp_services keep state
pass out proto udp to any port $udp_services keep state
# in/out ping requests support
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state
# allow requests to/from web server
pass in log on $int_if proto tcp from $internal_net to $int_if port 80 flags S/SA
pass out log on $int_if proto tcp from any to $internal_net port 80 flags S/SA
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state flags S/SA
pass out on $ext_if proto tcp from $ext_if to any port 80 keep state flags S/SA
pass in log all
pass out log all[/color]
===================================================
There. After '/etc/rc.d/pf start' it works through the proxy, but not directly :( It says:
[color=darkred]ОШИБКА
Запрошенный URL не может быть доставлен. [/color]
and so on,
although the external network pings fine directly from the console:
[color=darkred]$ ping linux.org.ru
PING linux.org.ru (217.76.32.61) 56(84) bytes of data.
64 bytes from linux.org.ru (217.76.32.61): icmp_seq=1 ttl=51 time=38.8 ms
64 bytes from linux.org.ru (217.76.32.61): icmp_seq=2 ttl=51 time=36.6 ms[/color]
[color=darkred]# pfctl -sa
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
rdr pass on sis0 inet proto tcp from 192.168.1.0/24 to any port = ftp -> 127.0.0.1 port 3128
rdr pass on sis0 inet proto tcp from 192.168.1.0/24 to any port = http -> 127.0.0.1 port 3128
rdr pass on sis0 inet proto tcp from 192.168.1.0/24 to any port = 8080 -> 127.0.0.1 port 3128
(...)
self tcp 127.0.0.1:3128 <- 85.249.23.38:80 <- 192.168.1.113:1442 TIME_WAIT:TIME_WAIT
self tcp 127.0.0.1:3128 <- 85.249.23.38:80 <- 192.168.1.113:1443 TIME_WAIT:TIME_WAIT
self tcp 192.168.1.1:110 <- 192.168.1.118:1338 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:56628 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:56642 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:63851 -> 194.67.45.123:80 SYN_SENT:CLOSED
self tcp 83.221.211.202:51320 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:52960 -> 64.233.183.103:80 ESTABLISHED:ESTABLISHED
self tcp 83.221.211.202:56610 -> 66.249.93.104:80 ESTABLISHED:ESTABLISHED
self tcp 205.188.1.120:5190 <- 192.168.1.110:1402 ESTABLISHED:ESTABLISHED[/color]
Where should I dig?
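Not part of the post, but a small diagnostic I would use here: a Python script that reads `pfctl -ss` output of the kind shown above and tells states that went through the rdr rule apart from web states that never hit it. It assumes the proxy port 3128 and the 192.168.1.0/24 network from the pf.conf above; the parenthesised pre-NAT endpoint format for nat states is assumed from pf's state output and does not appear in the post. The sample text is the post's own state lines plus three constructed lines (marked) showing what a LAN client bypassing the redirect looks like.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Values taken from the post's pf.conf: Squid listens on 3128 and the rdr rule
# intercepts ports 21/80/8080 coming from the internal network.
PROXY_PORT = 3128
WEB_PORTS = {21, 80, 8080}
INTERNAL_NET = ip_network("192.168.1.0/24")

# "addr:port", optionally wrapped in parentheses (pf's pre-NAT endpoint; assumed format)
ENDPOINT = re.compile(r"^\(?(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)?$")

# Constructed sample: the post's lines, a "STATES:" header as printed by `pfctl -sa`,
# and three constructed lines at the end (header, un-redirected LAN client, NAT'd LAN client).
SAMPLE_STATES = """\
STATES:
self tcp 127.0.0.1:3128 <- 85.249.23.38:80 <- 192.168.1.113:1442 TIME_WAIT:TIME_WAIT
self tcp 127.0.0.1:3128 <- 85.249.23.38:80 <- 192.168.1.113:1443 TIME_WAIT:TIME_WAIT
self tcp 192.168.1.1:110 <- 192.168.1.118:1338 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:56628 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:56642 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:63851 -> 194.67.45.123:80 SYN_SENT:CLOSED
self tcp 83.221.211.202:51320 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:52960 -> 64.233.183.103:80 ESTABLISHED:ESTABLISHED
self tcp 83.221.211.202:56610 -> 66.249.93.104:80 ESTABLISHED:ESTABLISHED
self tcp 205.188.1.120:5190 <- 192.168.1.110:1402 ESTABLISHED:ESTABLISHED
sis0 tcp 192.168.1.1:80 <- 192.168.1.120:1500 ESTABLISHED:ESTABLISHED
rl0 tcp 83.221.211.202:60000 (192.168.1.113:1500) -> 194.67.45.123:80 ESTABLISHED:ESTABLISHED
"""


def parse_state(line):
    """Parse one `pfctl -ss` state line.

    pf prints the endpoints in the order it tracked them: a redirected (rdr)
    inbound state has three (translated dst <- original dst <- client), a plain
    state has two. A parenthesised endpoint is the pre-NAT address and is kept
    apart so the main list keeps a fixed shape.
    """
    parts = line.split()
    if len(parts) < 5 or ":" not in parts[-1]:
        raise ValueError(f"not a state line: {line!r}")
    iface, proto, state = parts[0], parts[1], parts[-1]
    endpoints, arrows, nat_orig = [], [], None
    for tok in parts[2:-1]:
        if tok in ("<-", "->"):
            arrows.append(tok)
            continue
        m = ENDPOINT.match(tok)
        if not m:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        ep = (ip_address(m.group(1)), int(m.group(2)))
        if tok.startswith("("):
            nat_orig = ep
        else:
            endpoints.append(ep)
    return {"iface": iface, "proto": proto, "endpoints": endpoints,
            "arrows": arrows, "nat_orig": nat_orig, "state": state}


def classify(entry, proxy_port=PROXY_PORT, web_ports=WEB_PORTS, internal=INTERNAL_NET):
    """Label a state by whether the transparent-proxy redirect took effect."""
    eps, arrows, nat_orig = entry["endpoints"], entry["arrows"], entry["nat_orig"]
    if len(eps) == 3 and arrows == ["<-", "<-"] and eps[0][1] == proxy_port:
        # translated destination is the proxy port: the rdr rule matched this client
        return "redirected-to-proxy"
    if len(eps) == 2 and arrows == ["<-"] and eps[0][1] in web_ports and eps[1][0] in internal:
        # a LAN client reached a web port with no translation at all:
        # the rdr rule did not match (interface, source net or rule order)
        return "inbound-web-without-rdr"
    if len(eps) == 2 and arrows == ["->"] and eps[1][1] in web_ports:
        if nat_orig is not None and nat_orig[0] in internal:
            # LAN client was NAT'd straight out to the web: it bypassed the proxy
            return "lan-web-bypassed-proxy"
        # the gateway itself opened the connection, e.g. Squid fetching upstream
        return "direct-outbound-web"
    return "other"


def summarize(pfctl_output, **kw):
    """Count classifications over raw `pfctl -ss` text, skipping non-state lines."""
    counts = Counter()
    for raw in pfctl_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            entry = parse_state(line)
        except ValueError:
            continue  # headers such as "STATES:" or "(...)" are not states
        counts[classify(entry, **kw)] += 1
    return dict(counts)


if __name__ == "__main__":
    # On the gateway: pfctl -ss | python3 this_script.py  (reads stdin), or run as-is on the sample
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for label, n in sorted(summarize(text).items()):
        print(f"{label:28s} {n}")
```

Any "inbound-web-without-rdr" or "lan-web-bypassed-proxy" entries mean the rdr rule is not catching those clients; if every LAN web state shows up as "redirected-to-proxy" (as the two 127.0.0.1:3128 lines above do) the pf side is doing its job and the error page is coming from Squid itself, so the next place to look is its configuration.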