Komunitas FreeBSD Indonesia

Simple Gateway Using ipfw+ipnat


by: ogeb

Building a gateway is not that difficult. Given a little willingness and some knowledge of your browser, you can set up a gateway easily without running into any real trouble.

There are many articles and notes on building gateway routers, each with its own mix of strengths and weaknesses.

On this occasion I present a simple procedure for building a gateway to handle a small network.

To build a gateway using IPFW and IPNAT, the kernel must first be recompiled. I assume the kernel source is in its usual location.

indofreebsd# cd /sys/i386/conf

indofreebsd# cp GENERIC INDOFREEBSD

indofreebsd# pico INDOFREEBSD

The parts I edited are these:

ident  indofreebsd

#options        INET6 # I don't feel the need to enable this yet.

and I added these options:

options         IPFILTER
options         IPFILTER_LOG
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         DUMMYNET
options         HZ=1000

After editing the kernel configuration, I recompiled the kernel.

indofreebsd# cd /usr/src

indofreebsd# make buildkernel KERNCONF=INDOFREEBSD

--------------------------------------------------------------
>>> Kernel build for INDOFREEBSD completed on Fri Feb  9 05:57:45 UTC 2007
--------------------------------------------------------------
 

indofreebsd# make installkernel KERNCONF=INDOFREEBSD

install -o root -g wheel -m 555   if_xe.ko /boot/kernel
===> xl (install)
install -o root -g wheel -m 555   if_xl.ko /boot/kernel
===> zlib (install)
install -o root -g wheel -m 555   zlib.ko /boot/kernel
kldxref /boot/kernel

indofreebsd#

Once that is done, add the parameters we need to rc.conf:

router_flags="-q"
router="/sbin/routed"
router_enable="YES"
gateway_enable="YES"
sendmail_enable="NONE"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
ipnat_enable="YES"                # Start ipnat function
ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat

then save the file.

Create the ipfw rules:

indofreebsd# pico /etc/ipfw.rules

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Traffic shaping: 256 kbit/s down to and 64 kbit/s up from each LAN host
# (mask 0x000000ff gives every host in the /24 its own dynamic pipe).
# NOTE: the LAN here is 192.168.1.0/24, while /etc/ipnat.rules below maps
# 192.168.0.0/24; use the same LAN subnet in both files.
ipfw pipe 1 config mask dst-ip 0x000000ff bw 256Kbit/s
ipfw pipe 2 config mask src-ip 0x000000ff bw 64Kbit/s
ipfw add 1 pipe 1 all from any to 192.168.1.0/24 in
ipfw add 2 pipe 2 all from 192.168.1.0/24 to any out
# Set rules command prefix
cmd="ipfw -q add"
pif="rl0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have a LAN.
# Change rl1 to your LAN NIC interface name
#################################################################
$cmd 00008 allow all from any to any via rl1
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 00015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################

# Allow out DNS (to restrict this, put the nameserver IPs from
# /etc/resolv.conf in place of "any")
$cmd 00114 allow tcp from any to any   53 out via $pif setup keep-state
$cmd 00115 allow udp from any to any   53 out via $pif keep-state
# Allow out FTP control channel
$cmd 00122 allow tcp from any to any   21 out via $pif setup keep-state
# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state
# Allow out traceroute (UDP probe ports); the out/via/keep-state keywords
# keep this rule from also admitting inbound UDP to these ports
$cmd 00251 allow udp from any to any 33434-33523 out via $pif keep-state
# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out TCP 460-30000 (this comment was originally for nntp news groups,
# port 119 only; the range used here is far wider)
$cmd 00270 allow tcp from any to any 460-30000  out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# deny and log everything else that's trying to get out.
$cmd 00299 deny log all from any to any out via $pif

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif          #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif            #"this" network
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast
# Allow in ICMP time-exceeded (type 11) so traceroute from the LAN gets replies
$cmd 00309 allow icmp from any to any icmptypes 11 in
# Allow in ICMP echo replies (type 0) so I can ping out and receive responses
$cmd 00311 allow icmp from any to any icmptypes 0 in
# Deny public pings
#$cmd 00312 deny icmp from any to any in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests (port 81)
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny IP fragments (late-arriving packet pieces) from the public Internet
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state
# Allow in new TCP connections to ports 1023-7000 from anywhere.
# Destination "any" is broader than "me"; narrow this to the gateway
# and to the ports you actually serve.
$cmd 00361 allow tcp from any to any 1023-7000 in via $pif setup limit src-addr 2

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in SSH (secure FTP, SCP) from public Internet; sshd here listens
# on port 222 instead of 22
#$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
$cmd 00410 allow tcp from any to me 222 in via $pif setup limit src-addr 2
# Allow in ident/auth (port 113). This comment was written for a
# non-secure Telnet session (port 23), labeled non-secure because ID & PW
# are passed over the public Internet as clear text.
# Delete this rule if you do not run the service.
$cmd 00420 allow tcp from any to me 113 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################


indofreebsd#

buat ipnat.rules

indofreebsd# pico /etc/ipnat.rules

# ------------------------------------------------------------
# Use ipfilter FTP proxy for the firewall doing transfer mode
# active.
# ------------------------------------------------------------
map rl0  0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
# ------------------------------------------------------------
# Use ipfilter FTP proxy for hosts behind NAT doing transfer
# mode active.
# ------------------------------------------------------------
map rl0  192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
# -----------------------------------------------------------
# Map all internal UDP and TCP traffic to the external IP address
# -----------------------------------------------------------
map rl0  192.168.0.0/24 -> 0.0.0.0/32  portmap tcp/udp 40000:60000
# -----------------------------------------------------------
# Map all other traffic e.g. ICMP to the external IP address
# -----------------------------------------------------------
map rl0  192.168.0.0/24 -> 0.0.0.0/32

then save the file.
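Before rebooting it is worth checking the two rule files for the kind of slip that quietly widens a rule. The linter below is an added example (not part of the original article) that runs over constructed excerpts of the ipfw rules script and ipnat.rules above: it flags allow rules with no direction or interface, inbound allows on $pif whose destination is any rather than me, and LAN subnets used by the ipfw pipes that no ipnat map line covers.

```python
import re

# Constructed excerpt of the page's /etc/ipfw.rules (only the lines the checks need).
IPFW_RULES = """\
ipfw add 1 pipe 1 all from any to 192.168.1.0/24 in
$cmd 00008 allow all from any to any via rl1
$cmd 00250 allow icmp from any to any out via $pif keep-state
$cmd 00251 allow udp from any to any 33434-33523
$cmd 00361 allow tcp from any to any 1023-7000 in via $pif setup limit src-addr 2
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 00499 deny log all from any to any in via $pif
"""
# Constructed excerpt of the page's /etc/ipnat.rules.
IPNAT_RULES = """\
map rl0  192.168.0.0/24 -> 0.0.0.0/32  portmap tcp/udp 40000:60000
map rl0  192.168.0.0/24 -> 0.0.0.0/32
"""

# "$cmd NNNNN action [proto from src to dst rest...]" as the script writes its rules.
RULE_RE = re.compile(r"^\$cmd\s+(\d+)\s+(allow|deny|check-state)"
                     r"(?:\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)(.*))?$")
CIDR_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+/\d+)\b")


def lint_ipfw(text):
    """Return (rule number, problem) pairs for allow rules broader than they look."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(2) != "allow":
            continue
        num, _, _proto, _src, dst, rest = m.groups()
        rest = rest or ""
        # Neither in/out nor 'via <if>': the rule matches both directions on every interface.
        if " via " not in rest and not re.search(r"\b(in|out)\b", rest):
            findings.append((num, "allow rule has no direction or interface"))
        # Inbound on the public interface with destination 'any' is broader than 'me'.
        elif " in via $pif" in rest and dst == "any":
            findings.append((num, "inbound allow from the Internet to any host"))
    return findings


def lan_mismatch(ipfw_text, ipnat_text):
    """LAN subnets used by ipfw pipe rules that no ipnat 'map' line translates."""
    pipe_nets = {c for l in ipfw_text.splitlines() if " pipe " in l
                 for c in CIDR_RE.findall(l)}
    nat_nets = {CIDR_RE.findall(l)[0] for l in ipnat_text.splitlines()
                if l.startswith("map ")}
    return sorted(pipe_nets - nat_nets)
```

Run it against your real files by reading them into the two strings; a clean pair returns an empty list from both functions.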

The next step is to reboot:

indofreebsd# reboot

Test your gateway by connecting a client PC to it.

If packets do not get through, you were not careful enough.

Those are the steps for building a gateway using ipfw + ipnat.

Good luck.

regards,

ogeb
