LINUX.ORG.RU

Posts by minzdravv


Port forwarding intermittently fails

Hi all! Current layout: Internet -> PF OpenBSD 6 (gate) -> DNS W2012 -> user

Problem: every so often, telnet from gate to port 80 or 443 on a particular IP doesn't get through. (Connecting directly, there is no problem.)

pf.conf:

        # Interfaces
        int_if                  =       rl0                     #Local Interface
        ext_if                  =       re0                     # External Interface
        vpn_if                  =       tun0                    # VPN Interface
        # Networks
        int_net                 =       $int_if:network         # Local Network
        vpn_net                 =       $vpn_if:network         # VPN NET
        # Services & Ports
        services_ssh            =       22
        services_voip           =       "{5060,7070:7089}"
        services_rdp            =       3389
        service_vpn             =       1195
        # Local Stations
        local_sa           	=       "sa.hq.domain.ru"
        local_pes           	=      "pes.hq.domain.ru"
        local_si           	=       "owl.hq.domain.ru"
        local_isp               =       "isp.hq.domain.ru"
        local_zabbix            =       "zabbix.hq.domain.ru"
        vpn_gw                  =       10.50.0.5
        #Remote Locations
        remote_iptelefon        =       "158.15.23.63"
        #VPN_clients
        vpnclients              =       "10.50.0.0/24"
        #VoIP Provider
        #s/sa
        udpstate                =       "keep state"

        # Essential config
        block in proto tcp from any to $ext_if port ssh
        set skip on lo
        set skip on $vpn_if
        block return in on $int_if
        block return in on $ext_if
        pass out all
        antispoof for {$int_if,$ext_if}
        pass out on $ext_if inet from $int_net nat-to $ext_if
        pass in quick inet proto icmp to self
        pass in quick inet proto icmp from {$int_net}
        pass in quick inet proto tcp from any to self port $services_ssh
        # "ext_if" in this rule was written without the leading $, so pf would treat it as a hostname; fixed to $ext_if
        pass in on $ext_if proto udp from any to $ext_if port $service_vpn $udpstate
        # Basic config
        pass in inet from $int_net to any
        # VoIP
        pass in inet proto udp from $remote_iptelefon to $ext_if port $services_voip
        # RDP Passthrough (TEMPORARY!)
        pass in inet proto tcp from any to $ext_if port 33389 \
        rdr-to $local_sa port $services_rdp
        #pass in inet proto tcp from any to $ext_if port 34389 \
        #rdr-to $local_pes port $services_rdp
        # NOTE: $local_s and $local_p are not defined among the macros above; pfctl refuses to load a ruleset that references an undefined macro
        pass in inet proto tcp from any to $ext_if port 35389 \
        rdr-to $local_s port $services_rdp
        pass in inet proto tcp from any to $ext_if port 22222 \
        rdr-to $local_p port 22
        pass in inet proto tcp from any to $ext_if port 1500 \
        rdr-to $local_p port 1500
        #vpn
        pass in on $vpn_if from $vpnclients to any
        pass in on $vpn_if inet proto {tcp,udp} from $vpn_gw to any flags S/SA modulate state
        pass out on $int_if to $int_net received-on $vpn_if nat-to $int_if
        pass in on $vpn_if from any to any
        #VPN_TCP
        pass out on $vpn_if inet proto { tcp, udp } from $int_net to any flags S/SA modulate state nat-to ($int_if) round-robin

From the user's machine, telnet doesn't get through at all.

minzdravv

OpenVPN server

Hello! I'm setting up an OpenVPN server on OpenBSD (the gateway): certificates, connection - everything is fine. But! Once connected, absolutely all traffic goes through the VPN (I would like to give clients access only to the LAN (10.10.1.0 255.0.0.0)).

I tried adding def1 and net_gateway - the result is that neither the network nor the web works.

Here is the server config:

ca "/etc/openvpn/easy-rsa/keys/ca.crt"
cert "/etc/openvpn/easy-rsa/keys/server.crt"
dh "/etc/openvpn/easy-rsa/keys/dh1024.pem"
key "/etc/openvpn/easy-rsa/keys/server.key"
#tls-auth "/etc/openvpn/easy-rsa/keys/ta.key" 0
cipher AES-256-CBC # AES 256 bits

proto udp

port 1195
dev tun0

log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log

server 10.50.0.0 255.255.255.0

keepalive 10 120

comp-lzo

user _openvpn

group _openvpn

daemon openvpn

persist-key
persist-tun

client-to-client

push "route 10.50.0.0 255.255.255.0"
push "route 10.10.1.0 255.0.0.0"

route 10.50.0.0 255.255.255.0
route 10.10.1.0 255.0.0.0

push "redirect-gateway"
#push "dhcp-option DNS 8.8.8.8"
client-config-dir /etc/openvpn/ccd/

minzdravv
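
An added example, not part of the post above and not OpenVPN's own code: a small checker that reads a server config of this shape and reports the two things that would make the split-tunnel goal fail, a pushed redirect-gateway (which sends all client traffic through the tunnel) and a route whose network and netmask do not agree. The sample config is constructed to look like the posted one; the assumption that the LAN is 10.10.1.0/24 (the post gives 10.10.1.0 with mask 255.0.0.0, which is contradictory) is mine.

```python
import ipaddress
import shlex

# Constructed sample shaped like the server config in the post; not the poster's file.
# The 255.0.0.0 mask and the pushed redirect-gateway are kept so the checker has something to report.
SAMPLE_SERVER_CONF = """\
proto udp
port 1195
dev tun0
server 10.50.0.0 255.255.255.0
push "route 10.50.0.0 255.255.255.0"
push "route 10.10.1.0 255.0.0.0"
route 10.10.1.0 255.0.0.0
push "redirect-gateway"
client-to-client
"""

# Same shape with a consistent /24 LAN route and no redirect-gateway (assumes the LAN really is a /24).
FIXED_SERVER_CONF = """\
proto udp
port 1195
dev tun0
server 10.50.0.0 255.255.255.0
push "route 10.10.1.0 255.255.255.0"
client-to-client
"""


def parse_openvpn(text):
    """Return (directive, args) pairs; the quoted payload of push "..." is split into args."""
    out = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'push' and len(parts) >= 2:
            out.append(('push', parts[1].split()))
        else:
            out.append((parts[0], parts[1:]))
    return out


def network_or_error(net, mask):
    """Build a strict network from dotted net/mask; return (network, None) or (None, message)."""
    try:
        return ipaddress.ip_network(f'{net}/{mask}', strict=True), None
    except ValueError as e:
        return None, str(e)


def check_split_tunnel(text, lan):
    """Findings for a server config meant to expose only `lan` (CIDR string) to clients."""
    lan = ipaddress.ip_network(lan)
    findings, covered = [], False
    for directive, args in parse_openvpn(text):
        if directive == 'push' and args[:1] == ['redirect-gateway']:
            findings.append('redirect-gateway is pushed: clients will send all traffic through the tunnel')
            continue
        is_route = directive == 'route' or (directive == 'push' and args[:1] == ['route'])
        if not is_route:
            continue
        where = 'push route' if directive == 'push' else 'route'
        net_mask = args[1:3] if directive == 'push' else args[0:2]
        if len(net_mask) < 2:
            findings.append(f'{where}: missing network or netmask')
            continue
        net, err = network_or_error(*net_mask)
        if err:
            findings.append(f'{where} {net_mask[0]} {net_mask[1]}: {err}')
        elif directive == 'push' and lan.subnet_of(net):
            covered = True  # clients get a route that reaches the LAN
    if not covered:
        findings.append(f'no valid pushed route covers {lan}')
    return findings


if __name__ == '__main__':
    for finding in check_split_tunnel(SAMPLE_SERVER_CONF, '10.10.1.0/24'):
        print(finding)
    print('fixed config:', check_split_tunnel(FIXED_SERVER_CONF, '10.10.1.0/24'))
```

The checker does not touch the `route` directive's correctness on the server side (whether the gateway needs a kernel route to the LAN at all depends on where that LAN is attached); it only verifies that what is pushed to clients is well-formed and actually covers the network the poster wants them to reach.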

OPENBSD 5.8 RDR FTP

There is an OpenBSD gateway and an FTP server inside the network that I need to redirect to; here is pf.conf:

#FTP
#address
ext_ip = 1.1.1.8
ftp_ip = 2.2.2.243
#open 21
pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
#NAT
pass out on $ext_if from 2.2.2.0/8 to any nat-to $ext_ip
pass in on $ext_if proto tcp from any to any port 21 rdr-to $ftp_ip
pass out on $int_if inet proto tcp to $ftp_ip port 21 user proxy
#nat-anchor "ftp-proxy/*"
#nat on $ext_if inet from 2.2.2.14 rdr-to ($ext_if) port 21
#rdr-anchor "ftp-proxy/*"
#pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
#pass out on 2.2.2.14 inet proto tcp to $ftp_ip port 21 flags S/SA keep state
#anchor "ftp-proxy/*"

#pass in on $ext_if proto tcp from any to $ext_ip port 21 divert-to $ftp_ip port 21
#pass out on $int_if proto tcp to 2.2.2.243 port 21 received-on $int_if nat-to $ext_if

The internal FTP is not reachable :( I tried setting it up according to this scheme:

ext_ip = "192.168.0.1"
ftp_ip = "10.10.10.1"

match out on $ext_if inet from $int_if nat-to ($ext_if)

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to $ext_ip port 21
pass out on $int_if inet proto tcp to $ftp_ip port 21 user proxy

The result is the same.

minzdravv
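
An added example serving both this FTP post and the port-forwarding post above, not code from either post or from OpenBSD: a small pf.conf lint that catches the three defects visible in the posted rulesets before pfctl is ever run, a macro referenced without being defined, a defined macro name used without its `$` (pf would then treat it as a hostname), and a network spec with host bits set (like 2.2.2.0/8). The ruleset below is constructed to resemble the posted ones; its interface names, macro names and addresses are illustrative.

```python
import ipaddress
import re

# Constructed sample in the shape of the pf.conf fragments posted above; not a real site's ruleset.
SAMPLE_PF_CONF = """\
int_if = rl0
ext_if = re0
services_rdp = 3389
local_sa = "sa.hq.example"
ftp_ip = 2.2.2.243
pass in on $ext_if proto udp from any to ext_if port 1195 keep state
pass in inet proto tcp from any to $ext_if port 33389 \\
    rdr-to $local_sa port $services_rdp
pass in inet proto tcp from any to $ext_if port 35389 \\
    rdr-to $local_s port $services_rdp
pass out on $ext_if from 2.2.2.0/8 to any nat-to $ext_if
pass out on $int_if inet proto tcp to $ftp_ip port 21 user proxy
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
BARE_WORD = re.compile(r'(?<![$\w])([A-Za-z_][A-Za-z0-9_]*)(?!\w)')
CIDR = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b')


def logical_lines(text):
    """Yield (first_lineno, text) with backslash continuations joined and comments/blank lines dropped."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        if start is None:
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, ' '.join(buf).strip()


def lint_pf(text):
    """Return (lineno, message) findings; macros must be defined before use, as pf requires."""
    defined, findings = {}, []
    for n, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        # 1. $name where name has not been defined above: pfctl refuses the ruleset
        for name in MACRO_REF.findall(line):
            if name not in defined:
                findings.append((n, f'undefined macro ${name}'))
        # 2. a macro name without the $: pf reads it as a hostname and tries to resolve it
        for word in BARE_WORD.findall(line):
            if word in defined:
                findings.append((n, f'macro {word} used without $'))
        # 3. a.b.c.d/len with host bits set, almost always a wrong prefix length
        for cidr in CIDR.findall(line):
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append((n, f'{cidr} has host bits set'))
    return findings


if __name__ == '__main__':
    for lineno, msg in lint_pf(SAMPLE_PF_CONF):
        print(f'line {lineno}: {msg}')
```

Run against a real file with `lint_pf(open('/etc/pf.conf').read())`; it complements `pfctl -nf /etc/pf.conf`, which catches undefined macros and syntax errors but silently accepts the bare-hostname and host-bits cases above.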

Postfix SMTP, 2 domains, 2 users

For 4 days now I haven't been able to find the solution I need. The task is trivial: 2 domains, each with its own login and password, with the sender address being any name@mydomain.ru. SMTP authentication via sasldb; here is main.cf:

smtpd_banner = $myhostname ESMTP $mail_name $mydestination (RedHat/$hostname)
#biff = no
#append_dot_mydomain = no
#readme_directory = no
myhostname = ****.ru
mynetworks = 127.0.0.0/8 185.12.29.0/24
inet_interfaces = all
# was misspelled "inet_protokols", which Postfix ignores as an unknown parameter
inet_protocols = ipv4
broken_sasl_auth_clients = yes
virtual_alias_domains = ***.****.ru, ****.ru

mydestination = localhost
#relay_domains = $mydestination
#virtual_alias_map = hash:/etc/postfix/virtual
#virtual_mailbox_domains = ***.*****.ru, ****.ru
virtual_mailbox_base = /var/spool/mail
#virtual_mailbox_domains = /etc/postfix/virtual_domains
#virtual_minimum_uid = 1000
#virtual_uid_maps = static:5002
#virtual_gid_maps = static:5000
local_recipient_maps =
virtual_recipient_maps =

#AUTH
#smtp_sender_dependent_authentication = yes
# was misspelled "smtpd_sasl_authentificated_header"
smtpd_sasl_authenticated_header = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_auth_enable = yes
smtp_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
#smtp_sasl_mechanism_filter = plain, login
smtpd_sasl_path = smtpd
#smtp_sasl_password_maps = hash:/etc/postfix/passwd
# was "smtp_client_restrictions", which is not a Postfix parameter; the smtpd_ form is the one the server reads
smtpd_client_restrictions = permit_sasl_authenticated
# second assignment of broken_sasl_auth_clients: this "no" overrides the "yes" above, the last value wins
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain = $virtual_alias_domain
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
#smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

When sending, the response is 554 relay access denied.

Please help.

minzdravv
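
An added example, not part of the post above and not Postfix's own tooling: a main.cf checker that parses `name = value` lines (including Postfix's indented continuation lines), flags parameter names that are not in a known list and suggests the closest real one, reports a parameter assigned twice (only the last value takes effect), and notes when `smtpd_relay_restrictions` is left to its compiled-in default. The known-parameter list here is a small hand-picked subset of real Postfix parameters, enough for configs of this shape; `postconf -d` is the authoritative list. The sample config is constructed to carry the same misspellings as the posted one, with placeholder hostnames.

```python
import difflib

# Hand-picked subset of real Postfix main.cf parameter names (not exhaustive; see postconf -d).
KNOWN_PARAMETERS = {
    'smtpd_banner', 'myhostname', 'mydestination', 'mynetworks', 'inet_interfaces',
    'inet_protocols', 'broken_sasl_auth_clients', 'virtual_alias_domains', 'virtual_alias_maps',
    'virtual_mailbox_domains', 'virtual_mailbox_base', 'local_recipient_maps',
    'smtpd_sasl_auth_enable', 'smtpd_sasl_type', 'smtpd_sasl_path', 'smtpd_sasl_security_options',
    'smtpd_sasl_authenticated_header', 'smtpd_sasl_local_domain', 'smtpd_client_restrictions',
    'smtpd_recipient_restrictions', 'smtpd_relay_restrictions', 'smtp_sasl_auth_enable',
    'smtp_sasl_password_maps', 'smtp_sasl_mechanism_filter',
}

# Constructed sample with the same misspellings and duplicate as the posted config; placeholder host.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.test
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protokols = ipv4
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_authentificated_header = yes
smtp_client_restrictions = permit_sasl_authenticated
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
"""

# Same config with the names corrected, one assignment each, and an explicit relay policy
# (the policy line is the one the poster had commented out).
FIXED_MAIN_CF = """\
myhostname = mail.example.test
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protocols = ipv4
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Return (lineno, name, value) triples; lines starting with whitespace continue the previous value."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and entries:  # Postfix continuation line
            ln, name, value = entries[-1]
            entries[-1] = (ln, name, (value + ' ' + raw.strip()).strip())
            continue
        name, _, value = raw.partition('=')
        entries.append((n, name.strip(), value.strip()))
    return entries


def check_main_cf(text, known=KNOWN_PARAMETERS):
    """Return human-readable findings: unknown names (with a suggestion), duplicates, missing relay policy."""
    findings, seen = [], {}
    for n, name, value in parse_main_cf(text):
        if name in seen:
            findings.append(f'line {n}: {name} set again (first on line {seen[name]}); the last value wins')
        else:
            seen[name] = n
        if name not in known:
            msg = f'line {n}: unknown parameter {name}'
            hint = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
            if hint:
                msg += f' (did you mean {hint[0]}?)'
            findings.append(msg)
    if 'smtpd_relay_restrictions' not in seen:
        findings.append('smtpd_relay_restrictions is not set; the compiled-in default applies (see postconf -d)')
    return findings


if __name__ == '__main__':
    for finding in check_main_cf(SAMPLE_MAIN_CF):
        print(finding)
    print('fixed config:', check_main_cf(FIXED_MAIN_CF))
```

Postfix itself reports unknown names only as a warning in the mail log ("unused parameter"), which is easy to miss while chasing a 554; running a check like this over main.cf before restarting makes the misspelled SASL settings visible immediately.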
