pf и трансляция адресов на двух интерфейсах
Решение оптимизировано для шлюза на флешке (не используется perl и другие "тяжелые" решения)
-------------------------
/usr/local/etc/rc.d/openvpn.sh
-------------------------
#!/bin/sh
#
# rc.d script for OpenVPN on a FreeBSD gateway. Besides starting the daemon
# it installs static routes for the <ukr> prefix list and swaps the pf
# ruleset between /etc/pf.conf and /etc/pf.conf_openvpn (see the *_postcmd
# hooks further down).
#
# NOTE(review): there are no rcorder "PROVIDE/REQUIRE" lines, so on FreeBSD
# versions that order local rc.d scripts with rcorder the script may run
# before pf and the network are up -- confirm against the target release.

. /etc/rc.subr

name="openvpn"
# ${name}_enable, i.e. openvpn_enable, gates the service in rc.conf.
rcvar=$(set_rcvar)
prefix="/usr/local"
# Make sure the kernel driver for every interface type listed in
# $openvpn_if (e.g. "tap" or "tun", whitespace separated) is present before
# the daemon starts. A driver counts as loaded when either its debug.* sysctl
# exists (pre-6.0 default builds expose it) or kldstat -m knows the module
# (5.4 and earlier lack -m, 6.0+ drop the sysctl); only when both checks
# fail is kldload attempted.
# Returns 0 when all drivers are available, 1 on the first kldload failure.
openvpn_precmd()
{
	for _drv in $openvpn_if; do
		if sysctl "debug.if_${_drv}_debug" >/dev/null 2>&1; then
			continue
		fi
		if kldstat -m "if_${_drv}" >/dev/null 2>&1; then
			continue
		fi
		kldload "if_${_drv}" && continue
		warn "Could not load $_drv module."
		return 1
	done
	return 0
}
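# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix length.
# Blank lines, "#" comments and anything containing shell metacharacters are
# rejected. (Octet range 0-255 is not checked here; route(8) rejects those.)
# Returns 0 when $1 is usable as a route destination, 1 otherwise.
ukr_net_ok()
{
	case $1 in
	''|*[!0-9./]*) return 1 ;;
	esac
	printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Add ($1 = add) or delete ($1 = delete) a static route via the direct
# (non-VPN) gateway for every prefix in the <ukr> list file, so those
# destinations keep leaving through rl0 while everything else goes through
# the tunnel. Only the first field of each line is used, as before.
#
# The list file is refreshed from an external HTTP URL by cron, so it is
# untrusted input. The previous implementation interpolated each entry into
# awk's system("route add ..."), i.e. a root shell command: a line such as
# ";reboot" or "$(...)" in the download would have been executed. Entries are
# now validated and handed to route(8) as a single argument.
#
# Globals: openvpn_ukr_nets (list file, default /var/db/ukr_nets) and
#          openvpn_ukr_gw   (rl0-side gateway, default 193.201.61.65);
#          both can be overridden from rc.conf. Presumably 193.201.61.65 is
#          the upstream router on rl0 -- confirm.
# Returns 1 when the list file is unreadable, 0 otherwise; individual route
# failures are not fatal (stdout silenced, stderr left visible).
ukr_routes()
{
	_act=$1
	_nets=${openvpn_ukr_nets:-/var/db/ukr_nets}
	_gw=${openvpn_ukr_gw:-193.201.61.65}
	if [ ! -r "$_nets" ]; then
		warn "Cannot read $_nets; no ${_act} routes for <ukr>."
		return 1
	fi
	while read -r _net _junk; do
		ukr_net_ok "$_net" || continue
		route "$_act" "$_net" "$_gw" >/dev/null
	done < "$_nets"
	return 0
}

# Replace the running pf ruleset with the file named in $1.
# "pfctl -F all -f FILE" flushes rules, NAT, tables and state BEFORE the new
# file is parsed, so a syntax error (or a garbled <ukr> table file) used to
# leave pf with no rules at all, i.e. the gateway wide open. The ruleset is
# parse-checked first and the current one is kept on failure. The state
# flush is kept so existing connections are re-evaluated against the new NAT
# rules (the original behaviour).
# Returns pfctl's status; 1 when the file does not parse.
load_pf_ruleset()
{
	if pfctl -n -f "$1" >/dev/null 2>&1; then
		pfctl -F all -f "$1"
	else
		warn "$1 does not parse; keeping the current pf ruleset."
		return 1
	fi
}

# Runs after the daemon has been started: add the direct routes, give OpenVPN
# time to bring the tunnel interface up (the ruleset references tap0, which
# must exist when it is loaded), then switch to the VPN-aware ruleset.
start_postcmd()
{
	ukr_routes add
	/bin/sleep 10
	load_pf_ruleset /etc/pf.conf_openvpn
}

# Runs after the daemon has been stopped: remove the direct routes, restore
# the plain ruleset and clean up the pid file.
stop_postcmd()
{
	ukr_routes delete
	load_pf_ruleset /etc/pf.conf
	rm -f "$pidfile" || warn "Could not remove $pidfile."
}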
# rc.subr wiring. Hooks name the functions defined above; rc.conf values are
# read by load_rc_config, so the ":" defaults only apply to knobs left unset
# there (openvpn_flags is picked up by rc.subr as ${name}_flags).
pidfile="/var/run/${name}.pid"
command="/usr/local/sbin/${name}"
# "reload" without a reload_cmd falls back to rc.subr's default (SIGHUP).
extra_commands="reload"
start_precmd="openvpn_precmd"
start_postcmd="start_postcmd"
stop_postcmd="stop_postcmd"

load_rc_config "${name}"
: ${openvpn_enable=NO}
: ${openvpn_flags=}
: ${openvpn_if=}
: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"}
: ${openvpn_dir="${prefix}/etc/openvpn"}

# Refuse to start without the config; cd into the config dir so relative
# paths inside it (keys, certs) resolve, and let the daemon write its pid.
required_files="${openvpn_configfile}"
command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}"

run_rc_command "$1"
-------------------------
/etc/pf.conf
-------------------------
# /etc/pf.conf -- "plain" ruleset, active while OpenVPN is down (the rc
# script restores it on stop): everything from the LAN is NATed out of rl0.
ext_if_t="rl0"
int_if="rl1"
# Only these LAN sources are translated; other sources seen on rl1 still pass
# (see below) but leave rl0 untranslated.
table <users> persist { 192.168.1.0/24 }
nat on $ext_if_t inet from <users> to any -> $ext_if_t
# NOTE(review): "pass ... all" on the Internet-facing interface is no
# filtering at all -- any inbound connection to the gateway, and anything
# forwarded towards the LAN, is accepted. The usual minimum is a default deny
# with explicit exceptions for what the gateway must really accept, e.g.
#   block in log on $ext_if_t
#   pass out on $ext_if_t keep state
#   antispoof for { $ext_if_t $int_if }
# On the pf versions these files appear to target (FreeBSD 5/6) "pass" is
# also stateless unless "keep state" is given -- confirm against the
# installed version before relying on implicit state.
pass on $ext_if_t all
pass on $int_if all
-------------------------
/etc/pf.conf_openvpn
-------------------------
# /etc/pf.conf_openvpn -- ruleset installed once the tunnel (tap0) is up
# (loaded by start_postcmd in the openvpn rc script): destinations in <ukr>
# keep going directly out of rl0, everything else is NATed into the VPN.
ext_if_o="tap0"
ext_if_t="rl0"
int_if="rl1"
table <users> persist { 192.168.1.0/24 }
# <ukr> is read from a file that cron refreshes from an external HTTP URL.
# pfctl refuses the whole ruleset if that file holds anything it cannot
# parse, and the rc script flushes the old rules (-F all) before loading, so
# an unvalidated download can leave pf with no rules at all. Validate the
# file before it lands here and/or parse-check with "pfctl -n -f" first.
table <ukr> persist file "/var/db/ukr_nets"
# nat does not choose the egress interface; routing does (the rc script adds
# static routes for <ukr> via the rl0 gateway, the rest presumably follows a
# default route through the tunnel -- confirm). These rules only translate to
# the address of whichever interface the packet already leaves on, so a
# <ukr> destination routed via tap0 would leave untranslated.
nat on $ext_if_t inet from <users> to <ukr> -> $ext_if_t
nat on $ext_if_o inet from <users> to !<ukr> -> $ext_if_o
# NOTE(review): as in /etc/pf.conf there is no default deny -- "pass ... all"
# on rl0 and on tap0 accepts any inbound connection from the Internet and
# from the VPN peer alike. A "block in" on both external interfaces with
# explicit exceptions, "pass out ... keep state" and antispoof rules is the
# usual minimum; see the notes in /etc/pf.conf.
pass on $ext_if_o all
pass on $ext_if_t all
pass on $int_if all
-------------------------
cron:
-------------------------
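# Refresh the <ukr> prefix list nightly through a wrapper that validates the
# download before it replaces the live file. The previous job wrote fetch's
# output straight into /var/db/ukr_nets, so a failed, partial or garbled
# download became the pf table and went unchecked into the rc script's
# "route add" loop.
0 0 * * * /usr/local/sbin/ukr_nets_update.sh
-------------------------
/usr/local/sbin/ukr_nets_update.sh
-------------------------
#!/bin/sh
# Refresh /var/db/ukr_nets (source of the pf <ukr> table and of the static
# routes added by the openvpn rc script) from the upstream list.
# Downloads to a temp file next to the target, accepts it only if every line
# is an IPv4 prefix (optionally followed by a "#" comment) or blank/comment,
# and only then atomically replaces the live file. A bad download therefore
# never reaches pfctl or route(8); the previous list stays in use.
# NOTE(review): the list is fetched over plain HTTP with no signature or
# checksum, so anyone who can tamper with that connection decides which
# destinations bypass the VPN. Use https if the provider offers it.
# NOTE(review): the line format is assumed to be one prefix per line; if the
# provider's list carries extra fields the pattern below must be loosened.
url='http://www.colocall.net/ua/?list'
dst='/var/db/ukr_nets'

tmp=$(/usr/bin/mktemp "${dst}.XXXXXX") || exit 1
# Remove the temp file on every exit path; after a successful mv it is gone
# already and rm -f is a no-op.
trap '/bin/rm -f "$tmp"' EXIT

/usr/bin/fetch -q -o "$tmp" "$url" || exit 1

# Reject the download if any line is neither an IPv4 prefix nor a comment or
# blank line ...
if /usr/bin/grep -Evq '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*(#.*)?$|^[[:space:]]*(#.*)?$' "$tmp"; then
	exit 1
fi
# ... or if it holds no prefixes at all (an empty <ukr> would silently send
# everything through the VPN).
/usr/bin/grep -Eq '^[[:space:]]*[0-9]' "$tmp" || exit 1

# mktemp creates the file 0600; the live list is world-readable like the old
# fetch output was.
/bin/chmod 0644 "$tmp" && /bin/mv -f "$tmp" "$dst"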