Сеть – ИТ тетрадь

1. Маршрутизатор на FreeBSD

Железо: Мини-роутер Intel N100 Celeron N5105/N5100 без вентилятора, 4 х4 дюйма, 16GB RAM 256GB NVMe

gate, 2023 FreeBSD 192.168.37.1
Наполнение: squid, DHCP сервер, DNS сервер, fail2ban
IPFW с ядерным натом и редиректами на сервер внутри сети

Дорожная карта:

3G резервный канал
Резерв питания
HomeAssistance
torrent
IP камера

Журнал выполненных работ:
01.12.23 Добавил вентилятор внутрь и 120мм снаружи, радиатор на дно поставил, SSD m.2 добавил радиатор и прокладки до дна, чтобы доставал
04.12.23 перенес данные с SATA на M2. DigmaPro 1Tb + 1G DRAM

Схема подключения Ethernet портов:

Инет************---------------LAN мост------------ ETH3************ETH2**********ETH1*************ETH0 |igc3************|igc2*********|igc1************|igc0 |_bridge(PPPoE)**|*************|****************| *****************|*************|****************| *****************|_Xiaomi 3G***|****************| *******************************|_Mikrotik мачта | ************************************************|_SWITCH 24 портовый

rc.conf(мост):

hostname="gate.samarka.ru"
keymap="ru.kbd"

#ifconfig_igc0="inet 192.168.37.1/24"
#ifconfig_igc1="inet 192.168.37.2/24"
#ifconfig_igc2="inet 192.168.37.3/24"
cloned_interfaces="bridge0"  #create bridge
ifconfig_bridge0="addm igc0 addm igc1 addm igc2 up"
ifconfig_igc0="up"
ifconfig_igc1="up"
ifconfig_igc2="up"
ifconfig_igc0="inet 192.168.37.1/24"
defaultrouter=""

local_unbound_enable="YES"
sshd_enable="YES"
moused_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"

ppp_enable="YES"
ppp_mode="ddial"
#ppp_nat="YES" # if you want to enable nat for your local network, otherwise NO
ppp_profile="samaratelecom"


firewall_enable="YES"
# в полночь запускаем 
#firewall_script="/usr/local/etc/gate37ipfw.sh"
firewall_logging="YES"
# включаем нат
gateway_enable="YES"
firewall_nat_enable="YES"

squid_enable="YES"
fail2ban_enable="YES"
proftpd_enable="YES"
mysql_enable="YES"
apache24_enable="YES"
cbsd_workdir="/usr/jails"
cbsdrsyncd_enable="YES"
cbsdrsyncd_flags="--config=/usr/jails/etc/rsyncd.conf"
cbsdd_enable="YES"
rcshutdown_timeout="900"
kld_list="vmm if_tuntap if_bridge nmdm"

# DHCP сервер 11.05.2023 #####################################################
            dhcpd_enable="YES"                          # dhcpd enabled?
            dhcpd_flags="-q"                            # command option(s)
            dhcpd_conf="/usr/local/etc/dhcpd.conf"      # configuration file
            dhcpd_ifaces="igc0"                         # ethernet interface(s)
            dhcpd_withumask="022"                       # file creation mask
##############################################################################
atop_enable="YES"

hostname="gate.samarka.ru"

keymap="ru.kbd"

#ifconfig_igc0="inet 192.168.37.1/24"

#ifconfig_igc1="inet 192.168.37.2/24"

#ifconfig_igc2="inet 192.168.37.3/24"

cloned_interfaces="bridge0" #create bridge

ifconfig_bridge0="addm igc0 addm igc1 addm igc2 up"

ifconfig_igc0="up"

ifconfig_igc1="up"

ifconfig_igc2="up"

ifconfig_igc0="inet 192.168.37.1/24"

defaultrouter=""

local_unbound_enable="YES"

sshd_enable="YES"

moused_enable="YES"

ntpdate_enable="YES"

ntpd_enable="YES"

powerd_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable

dumpdev="AUTO"

zfs_enable="YES"

ppp_enable="YES"

ppp_mode="ddial"

#ppp_nat="YES" # if you want to enable nat for your local network, otherwise NO

ppp_profile="samaratelecom"

firewall_enable="YES"

# в полночь запускаем

#firewall_script="/usr/local/etc/gate37ipfw.sh"

firewall_logging="YES"

# включаем нат

gateway_enable="YES"

firewall_nat_enable="YES"

squid_enable="YES"

fail2ban_enable="YES"

proftpd_enable="YES"

mysql_enable="YES"

apache24_enable="YES"

cbsd_workdir="/usr/jails"

cbsdrsyncd_enable="YES"

cbsdrsyncd_flags="--config=/usr/jails/etc/rsyncd.conf"

cbsdd_enable="YES"

rcshutdown_timeout="900"

kld_list="vmm if_tuntap if_bridge nmdm"

# DHCP сервер 11.05.2023 #####################################################

dhcpd_enable="YES" # dhcpd enabled?

dhcpd_flags="-q" # command option(s)

dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file

dhcpd_ifaces="igc0" # ethernet interface(s)

dhcpd_withumask="022" # file creation mask

##############################################################################

atop_enable="YES"

Пример rc.firewall(нат и редиректы):

#!/bin/sh

ipfw -q -f flush
cmd="ipfw -q add"

# Interfaces setup
WAN=tun0
LAN=bridge0
LOCAL=igc0
SERVER=igc1
LANWIFI=igc2
PROVIDER=igc3

# setup
skip="skipto 10000"
wan_ip=83.220.87.193
lan_ip=192.168.37.1
ks="keep-state"
good_tcpo="21,22,80,443,8096"
good_udppo="53,137,161,1195"

# списки fail2ban
sshd_ban_table="table(50)"
proftpd_ban_table="table(51)"
postfix_ban_table="table(52)"
wordpress_ban_table="table(53)"

#Allow ip addresses
ALLOW_IP_INT="192.168.0.0/16,10.63.0.0/16"
ipfw table 10 flush
cat /usr/local/etc/gate37/allowed_nets | while read ip; do
ipfw table 10 add $ip
done
ALLOW_IP_ADD="table(10)"

#Deny ip addresses
ipfw table 20 flush
cat /usr/local/etc/gate37/deny_nets | while read ip; do
ipfw table 20 add $ip
done
DENY_IP_ADD="table(20)"


# выход для jail-ов
#$cmd 003 divert natd ip4 from any to any via ${LAN} in
#$cmd 005 check-state

# заворачиваем http трафик на squid
$cmd 0002 allow tcp from 192.168.0.0/16 to me dst-port 3128
$cmd 0003 fwd 127.0.0.1,3128 tcp from 192.168.0.0/16 to any 80 out via $wan_ip $ks

$cmd 0025 allow all from any to any via $LAN # exclude LAN traffic
$cmd 0026 allow all from any to any via $LOCAL # exclude LAN traffic
$cmd 0027 allow all from any to any via $SERVER # exclude LAN traffic
$cmd 0028 allow all from any to any via $LANWIFI # exclude LAN traffic
$cmd 0029 allow all from any to any via lo0 # exclude loopback traffic

# Постоянный список разрешенных адресов и подсетей
#$cmd 0050 allow all from ${ALLOW_IP_ADD} to any keep-state
#$cmd 0051 allow udp from 46.38.98.141 to any

# Постоянные запрещенные адреса и сети
$cmd 0060 deny all from ${DENY_IP_ADD} to any
$cmd 0061 deny all from any to ${DENY_IP_ADD}

# запрет по fail2ban списку
$cmd 0100 deny log ip from "table(1)" to any
$cmd 0110 deny tcp from ${proftpd_ban_table} to me 21 via ${WAN}
$cmd 0120 deny tcp from ${sshd_ban_table} to me 22 via ${WAN}
$cmd 0130 deny tcp from ${postfix_ban_table} to me 25 via ${WAN}
$cmd 0140 deny tcp from ${wordpress_ban_table} to me 80 via ${WAN}

#$cmd 0990 reass all from any to any in # reassemble inbound packets
#$cmd 1000 nat 1 ip from any to any in via $WAN # NAT any inbound packets
# настройка ната ###################################################################################
#$cmd 00410 reass all from any to any in
# опции перенаправления портов ####
ipfw -q nat 1 config if $WAN same_ports unreg_only reset \
redirect_port tcp 192.168.37.11:8096 8096 \
redirect_port tcp 192.168.37.11:8080 8080
# заворачиваем все что проходит через внешний интерфейс в нат
####$cmd 00400 nat 123 ip from 192.168.0.0/16,10.63.0.0/16 to not 192.168.0.0/16,10.63.0.0/16 via ${WAN}
$cmd 00420 nat 1 ip from any to any via $WAN
########################################################################################################

# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 1010 check-state

# разрешенные исходящие пакеты
$cmd 1200 $skip udp from any to 77.88.8.3 53 out via $WAN $ks
$cmd 1210 $skip udp from any to 77.88.8.7 53 out via $WAN $ks
$cmd 1250 $skip tcp from any to any $good_tcpo out via $WAN setup $ks
$cmd 1260 $skip tcp from any to any $good_udppo out via $WAN setup $ks
$cmd 1300 $skip icmp from any to any out via $WAN $ks

# разрешенные входящие пакеты
$cmd 2200 $skip udp from 77.88.8.3 to any $ks
$cmd 2210 $skip udp from 77.88.8.7 to any $ks
$cmd 2250 $skip tcp from any $good_tcpo to any in via $WAN setup $ks
$cmd 2260 $skip tcp from any $good_udppo to any in via $WAN setup $ks
$cmd 2300 $skip icmp from any to me via $WAN $ks

$cmd 09990 deny log all from any to any
$cmd 10000 nat 1 ip from any to any out via $WAN # skipto location for outbound stateful rules
$cmd 10001 allow ip from any to any

100

101

102

103

104

105

#!/bin/sh

ipfw -q -f flush

cmd="ipfw -q add"

# Interfaces setup

WAN=tun0

LAN=bridge0

LOCAL=igc0

SERVER=igc1

LANWIFI=igc2

PROVIDER=igc3

# setup

skip="skipto 10000"

wan_ip=83.220.87.193

lan_ip=192.168.37.1

ks="keep-state"

good_tcpo="21,22,80,443,8096"

good_udppo="53,137,161,1195"

# списки fail2ban

sshd_ban_table="table(50)"

proftpd_ban_table="table(51)"

postfix_ban_table="table(52)"

wordpress_ban_table="table(53)"

#Allow ip addresses

ALLOW_IP_INT="192.168.0.0/16,10.63.0.0/16"

ipfw table 10 flush

cat /usr/local/etc/gate37/allowed_nets | while read ip; do

ipfw table 10 add $ip

done

ALLOW_IP_ADD="table(10)"

#Deny ip addresses

ipfw table 20 flush

cat /usr/local/etc/gate37/deny_nets | while read ip; do

ipfw table 20 add $ip

done

DENY_IP_ADD="table(20)"

# выход для jail-ов

#$cmd 003 divert natd ip4 from any to any via ${LAN} in

#$cmd 005 check-state

# заворачиваем http трафик на squid

$cmd 0002 allow tcp from 192.168.0.0/16 to me dst-port 3128

$cmd 0003 fwd 127.0.0.1,3128 tcp from 192.168.0.0/16 to any 80 out via $wan_ip $ks

$cmd 0025 allow all from any to any via $LAN # exclude LAN traffic

$cmd 0026 allow all from any to any via $LOCAL # exclude LAN traffic

$cmd 0027 allow all from any to any via $SERVER # exclude LAN traffic

$cmd 0028 allow all from any to any via $LANWIFI # exclude LAN traffic

$cmd 0029 allow all from any to any via lo0 # exclude loopback traffic

# Постоянный список разрешенных адресов и подсетей

#$cmd 0050 allow all from ${ALLOW_IP_ADD} to any keep-state

#$cmd 0051 allow udp from 46.38.98.141 to any

# Постоянные запрещенные адреса и сети

$cmd 0060 deny all from ${DENY_IP_ADD} to any

$cmd 0061 deny all from any to ${DENY_IP_ADD}

# запрет по fail2ban списку

$cmd 0100 deny log ip from "table(1)" to any

$cmd 0110 deny tcp from ${proftpd_ban_table} to me 21 via ${WAN}

$cmd 0120 deny tcp from ${sshd_ban_table} to me 22 via ${WAN}

$cmd 0130 deny tcp from ${postfix_ban_table} to me 25 via ${WAN}

$cmd 0140 deny tcp from ${wordpress_ban_table} to me 80 via ${WAN}

#$cmd 0990 reass all from any to any in # reassemble inbound packets

#$cmd 1000 nat 1 ip from any to any in via $WAN # NAT any inbound packets

# настройка ната ###################################################################################

#$cmd 00410 reass all from any to any in

# опции перенаправления портов ####

ipfw -q nat 1 config if $WAN same_ports unreg_only reset \

redirect_port tcp 192.168.37.11:8096 8096 \

redirect_port tcp 192.168.37.11:8080 8080

# заворачиваем все что проходит через внешний интерфейс в нат

####$cmd 00400 nat 123 ip from 192.168.0.0/16,10.63.0.0/16 to not 192.168.0.0/16,10.63.0.0/16 via ${WAN}

$cmd 00420 nat 1 ip from any to any via $WAN

########################################################################################################

# Allow the packet through if it has an existing entry in the dynamic rules table

$cmd 1010 check-state

# разрешенные исходящие пакеты

$cmd 1200 $skip udp from any to 77.88.8.3 53 out via $WAN $ks

$cmd 1210 $skip udp from any to 77.88.8.7 53 out via $WAN $ks

$cmd 1250 $skip tcp from any to any $good_tcpo out via $WAN setup $ks

$cmd 1260 $skip tcp from any to any $good_udppo out via $WAN setup $ks

$cmd 1300 $skip icmp from any to any out via $WAN $ks

# разрешенные входящие пакеты

$cmd 2200 $skip udp from 77.88.8.3 to any $ks

$cmd 2210 $skip udp from 77.88.8.7 to any $ks

$cmd 2250 $skip tcp from any $good_tcpo to any in via $WAN setup $ks

$cmd 2260 $skip tcp from any $good_udppo to any in via $WAN setup $ks

$cmd 2300 $skip icmp from any to me via $WAN $ks

$cmd 09990 deny log all from any to any

$cmd 10000 nat 1 ip from any to any out via $WAN # skipto location for outbound stateful rules

$cmd 10001 allow ip from any to any

Источники:

Руководство официальное IPFW: https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-ipfw

Руководство официальное, мост: https://docs.freebsd.org/en/books/handbook/advanced-networking/#network-bridging

Роутер на FreeBSD и проброс портов с примером: https://dondub.com/2021/04/router-na-freebsd-probros-portov/

Пример Лисяры с натом: https://www.lissyara.su/articles/freebsd/tuning/ipfw_nat/

2. Файловый сервер

srv2023, FreeBSD, 192.168.37.200

ProfTPD 21 <— < 7721

Emby 8096 < — < 8096

rsync 873 < — < 873

Довольны?

[Оценок: 0 средняя: 0]