zelo
04-09-2012, 10:21
Добрый день!
У роутера Juniper два порта. На одном сеть 192.168.5.118/24, на втором 192.168.6.118/24. Требуется все входящие запросы на адрес .6.118, порт 21 пробрасывать на адрес .5.6
Сделал такой вот конфиг, но не работает. Подскажите где у меня ошибка, не могу понять...
root@sb-gate# show
## Last changed: 2012-09-04 06:03:37 UTC
version 10.0R2.10;
system {
host-name sb-gate;
domain-name npsb.ru;
root-authentication {
encrypted-password "$1$Dmlx94nA$uAZaMvH1ZZ1UjRowHiytd."; ## SECRET-DATA
}
name-server {
192.168.5.6;
8.8.8.8;
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.5.118/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.6.118/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.5.6;
}
}
security {
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool ftp-pool {
address 192.168.5.6/32 port 21;
}
inactive: pool squid-pool {
address 192.168.5.6/32 port 3128;
}
rule-set door {
from zone untrust;
rule ftp {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
destination-port 21;
}
then {
destination-nat pool ftp-pool;
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone a333 {
host-inbound-traffic {
system-services {
all;
}
}
}
security-zone trust {
address-book {
address serv.5.6 192.168.5.6/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0;
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-trust {
match {
source-address any;
destination-address serv.5.6;
application any;
}
then {
permit;
}
}
}
}
}
[edit]
root@sb-gate#
У роутера Juniper два порта. На одном сеть 192.168.5.118/24, на втором 192.168.6.118/24. Требуется все входящие запросы на адрес .6.118, порт 21 пробрасывать на адрес .5.6
Сделал такой вот конфиг, но не работает. Подскажите где у меня ошибка, не могу понять...
root@sb-gate# show
## Last changed: 2012-09-04 06:03:37 UTC
version 10.0R2.10;
system {
host-name sb-gate;
domain-name npsb.ru;
root-authentication {
encrypted-password "$1$Dmlx94nA$uAZaMvH1ZZ1UjRowHiytd."; ## SECRET-DATA
}
name-server {
192.168.5.6;
8.8.8.8;
}
services {
ssh;
telnet;
web-management {
http;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.5.118/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.6.118/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.5.6;
}
}
security {
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool ftp-pool {
address 192.168.5.6/32 port 21;
}
inactive: pool squid-pool {
address 192.168.5.6/32 port 3128;
}
rule-set door {
from zone untrust;
rule ftp {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
destination-port 21;
}
then {
destination-nat pool ftp-pool;
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone a333 {
host-inbound-traffic {
system-services {
all;
}
}
}
security-zone trust {
address-book {
address serv.5.6 192.168.5.6/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0;
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-trust {
match {
source-address any;
destination-address serv.5.6;
application any;
}
then {
permit;
}
}
}
}
}
[edit]
root@sb-gate#