Implementing a Transparent Proxy with ipfilter (Part 2)

firewall_enable="NO"

Add the following configuration:

gateway_enable="YES"
# enable gateway

named_enable="YES"
# enable naming service

ipfilter_enable="YES"
# Stateful firewall

ipfilter_program="/sbin/ipf"

ipfilter_rules="/etc/ipf.conf"
# newly added rules file; some people prefer the filename .rule

ipfilter_flags=""
# rc.conf(5) spells the variable with a plural "flags"

ipnat_enable="YES"
# Network Address Translation

ipnat_program="/sbin/ipnat"

ipnat_rules="/etc/ipnat.conf"
# newly added rules file; some people prefer the filename .rule

ipmon_enable="NO"
# Firewall logging. I have not enabled it; on an important server it should be enabled.

ipmon_program="/sbin/ipmon"

ipmon_flags="-Ds"

/etc/ipf.conf

This file is the firewall configuration. This article mainly covers implementing a transparent proxy, which from the network's point of view means proxying for clients, so all inbound server ports on the Internet side are closed. This configuration allows all traffic on the internal interface dc0 and allows all requests out to the Internet, but from the Internet it only allows replies to requests made from the internal network; every other packet is dropped.

# Default rules: block every packet and close every path, then open the permitted channels one by one.
# Can be omitted if the kernel was built with IPFILTER_DEFAULT_BLOCK.
block in all
block out all

# Allow internal network traffic to pass freely.
pass in quick on dc0 from 192.168.0.0/24 to any
pass out quick on dc0 from any to 192.168.0.0/24

# Allow the local host's traffic to pass freely.
pass in quick on lo0 all
pass out quick on lo0 all

# Block invalid (non-routable) source addresses arriving from the external network.
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 192.0.2.0/14 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any

# Handling of external traffic: allow internal packets out to the Internet, and allow the replies to those packets back in.
pass out quick on tun0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
pass out quick on tun0 proto icmp from any to any keep state keep frags
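As an added illustration (not part of the original article), the following Python models how ipf walks a rule file such as the one above: every rule is checked and the last match wins, unless a matching rule says quick, and a packet that matches no rule at all passes, which is why the default block rules matter. The rule subset and the sample packets are constructed here; keep state is omitted because only the rule walk is modelled, not the state table.

```python
import ipaddress

def parse_rule(line):
    """Parse an ipf rule: action dir [quick] [on IF] [proto P] (all | from S to D)."""
    tok = line.split()
    def after(kw):
        return tok[tok.index(kw) + 1] if kw in tok else None
    def net(s):
        return None if s in (None, "any") else ipaddress.ip_network(s)
    return {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "on": after("on"), "proto": after("proto"),
            "src": net(after("from")), "dst": net(after("to"))}

def matches(rule, pkt):
    """pkt is a dict with dir, on, proto, src, dst; None in a rule means 'any'."""
    return (rule["dir"] == pkt["dir"]
            and rule["on"] in (None, pkt["on"])
            and rule["proto"] in (None, pkt["proto"])
            and (rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"]))

def evaluate(rules, pkt):
    """ipf semantics: the LAST matching rule wins, unless a matching rule is
    'quick', which ends the walk at once. No match at all means pass, hence
    the 'block in all' / 'block out all' opening (or IPFILTER_DEFAULT_BLOCK)."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# Constructed subset of the article's /etc/ipf.conf ("keep state" omitted).
RULES = [parse_rule(l) for l in """
block in all
block out all
pass in quick on dc0 from 192.168.0.0/24 to any
pass out quick on dc0 from any to 192.168.0.0/24
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 10.0.0.0/8 to any
pass out quick on tun0 proto tcp from any to any
pass out quick on tun0 proto udp from any to any
""".strip().splitlines()]

def pkt(direction, iface, src, dst, proto="tcp"):
    return {"dir": direction, "on": iface, "src": src, "dst": dst, "proto": proto}
```

Dropping the two default rules (RULES[2:]) lets an unsolicited inbound packet on tun0 through, which shows why the article insists on them.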

/etc/ipnat.conf

This file is the NAT configuration. In this article the PPPoE link obtains its address via DHCP, so the external address cannot be written into the rules; 0 is used in its place.

# ftp proxy, used for active-mode FTP; covered later. Note that proxy rules must come before the portmap rules.
#map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp

# IKE proxy, used for ESP (Encapsulating Security Payload)
# map tun0 192.168.0.0/24 -> 0/32 proxy port 500 ipsec/udp

# RealAudio proxy, only usable in PNM mode; RealPlayer G2 already uses RTSP.
#map tun0 192.168.0.0/24 -> 0/32 proxy port 7070 raudio/tcp

# Allow internal UDP/TCP packets out, and allow the external replies back in.
# Use a specified port range towards the Internet:
# map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
# Let the system allocate ports towards the Internet automatically:
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto

# Allow internal ICMP out, and allow the replies back in.
map tun0 192.168.0.0/24 -> 0/32

# Allow net2phone: redirect incoming calls to the specified machine.
# rdr tun0 0/0 port 6801 -> 192.168.0.4 port 6801 udp

# Allow squid (transparent redirect of internal web traffic to the local proxy).
# rdr dc0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.sourceroute=0