FreeBSD8.1+IPFW+NATD RDP из внешки

Помогите открыть доступ из внешки по RDP в локалку, на машину 172.16.0.254. Пошла 3 неделя как я эту проблему решить пытаюсь, все бесполезно .

============Конфиг /etc/rc.firewall================
#!/bin/sh
FwCMD="/sbin/ipfw"
lanout="fxp0"
lanin="em0"
ipout="82.x.x.x"
ipin="172.16.0.1"
netin="172.16.0.0/22"
# Sbrasyvaem vse pravila:
${FwCMD} -f flush
#
${FwCMD} add allow ip from any to 127.0.0.1
${FwCMD} add allow ip from 127.0.0.1 to any
${FwCMD} add fwd 127.0.0.1,3128 tcp from ${netin} to any 80 via ${lanout}
${FwCMD} add allow all from any to any via lo0
${FwCMD} add check-state
#!!! ROUTING
#${FwCMD} add divert 199 ip from any to any out xmit ${lanin}
#${FwCMD} add divert 199 ip from any to any in recv ${lanin}
#${FwCMD} add divert 199 ip from any to any out xmit ${lanout}
${FwCMD} add divert natd ip from any to any out via ${lanout}
${FwCMD} add divert natd ip from any to me in via ${lanout}
${FwCMD} add allow tcp from any to any established
${FwCMD} add allow ip from ${ipout} to any out xmit ${lanout}
#FTP из локалки
${FwCMD} -q add divert natd from 172.16.0.0/24 to any 20, 21 out via ${lanout}
${FwCMD} -q add divert natd from any 20, 21 to ${ipout} in via ${lanout}
${FwCMD} -q add allow tcp from any to any established
${FwCMD} -q add allow tcp from any to any setup
#RDP
${FwCMD} add divert natd ip from any to any 3389 out via ${lanout}
${FwCMD} add divert natd ip from any 3389 to me in via ${lanout}
${FwCMD} add allow tcp from any to any established
${FwCMD} add allow tcp from any to any setup
# DNS udp zaprosy po 53 portu
${FwCMD} add allow udp from any 53 to any via ${lanout}
${FwCMD} add allow udp from any to any 53 via ${lanout}
#!!! RAZRESHENO
#HTTP WEB SERVER iz vnutrenney seti y vneshnei
${FwCMD} add allow tcp from any to ${ipout} 80 in via ${lanout} setup
${FwCMD} add allow tcp from any to ${ipin} 80 in via ${lanin} setup
# PING
${FwCMD} add allow icmp from any to any out via ${lanout} keep-state
${FwCMD} add allow icmp from any to any in via ${lanout}
# Mail POP SMTP
${FwCMD} add allow tcp from any to any 110 via ${lanin}
${FwCMD} add allow tcp from any to any 110 via ${lanout}
${FwCMD} add allow tcp from any to any 25 via ${lanin}
${FwCMD} add allow tcp from any to any 25 via ${lanout}
#LDAP
${FwCMD} add allow tcp from any to any 389 via ${lanin}
# WWW
${FwCMD} add allow tcp from any to any 80 via ${lanin}
${FwCMD} add allow tcp from any to any 443 via ${lanin}
#FTP
${FwCMD} add pass tcp form any 21 to any
${FwCMD} add pass tcp from any to any 21
${FwCMD} add pass tcp from any 20 to any
${FwCMD} add pass tcp from any to any 20
#Пассивный режим FTP
${FwCMD} add pass tcp from any 50100-50200 to any
${FwCMD} add pass tcp from any to any 50100-50200
#RDP
${FwCMD} add pass tcp form any 3389 to any
${FwCMD} add pass tcp from any to any 3389
${FwCMD} add pass tcp form any 3390 to any
${FwCMD} add pass tcp from any to any 3390
${FwCMD} add allow tcp from any to any dst-port 3389 setup
${FwCMD} add allow tcp from any to any 25490 via ${lanout}
${FwCMD} add allow tcp from any to any 25491 via ${lanout}
#NOD32
${FwCMD} add allow tcp from any to any 2221 via ${lanin}
${FwCMD} add allow tcp from any to any 2221 via ${lanout}
${FwCMD} add allow tcp from any to any 49801 via ${lanout}
${FwCMD} add allow tcp from any to any 49801 via ${lanin}
#SAMBA
${FwCMD} add allow tcp from any to any 135,137,138,139,445 via ${lanin}
${FwCMD} add allow udp from any to any 135,137,138,139,445 via ${lanin}
#DHCP
${FwCMD} add allow udp from any to any 67,68 via ${lanin}
#DNS
${FwCMD} add allow udp from any to any via ${lanin}
${FwCMD} add allow udp from any to any via ${lanout}
#SHH
${FwCMD} add allow tcp from any to any 22 via ${lanin}
#uVNC
${FwCMD} add allow tcp from any to any 5900,5500 via ${lanin}
#Log IPFW
${FwCMD} add deny log from any to any
${FwCMD} add deny log ip from any to any
#!!! Zapreshaem vsio ostalnoe
${FwCMD} add deny all from any to any

================Конфиг /etc/natd.conf=======================
interface fxp0
redirect_port tcp 172.16.0.4:2221 49801
redirect_port tcp 172.16.0.4:3389 25490
redirect_port tcp 172.16.0.254:3389 25491
redirect_port tcp 172.16.0.254:21 21

================Конфиг /etc/rc.conf=======================
# -- sysinstall generated deltas -- # Tue Jan 31 20:20:47 2012
# Created: Tue Jan 31 20:20:47 2012
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="82.x.x.x"
gateway_enable="YES"
hostname="Server.BROZEX"
ifconfig_fxp0="inet 82.x.x.x netmask 255.255.252.0"
ifconfig_em0="inet 172.16.0.1 netmask 255.255.252.0"
keymap="ru.koi8-r"
sshd_enable="YES"
#FIREWALL
firewall_enable="YES"2
firewall_type="open"
#firewall_type="/etc/rc.firewall"
firewall_logging="YES"
#NAT
natd_enable="YES"
#natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
#ipnat_enable="YES"
#ipnat_program="/sbin/ipnat -CF -f"
#ipnat_rules="/etc/ipnat.rules"
#ipnat_flags=""
#DNS
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -c /etc/namedb/named.conf"
#DHCP
#dhcpd_enable="YES"
#dhcpd_flags="-q"
#dhcpd_ifaces="em0"
#dhcpd_conf="/usr/local/etc/dhcpd.conf"
#MYSQL
mysql_enable="YES"
#APACHE
apache22_enable="YES"
#SQUID
squid_enable="YES"
squid_pidfile="/var/run/squid/squid.pid"
#SAMS
sams_enable="YES"
#SENDMAIL
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
#POSTFIX
postfix_enable="YES"
#DOVECOT
dovecot_enable="YES"
#FTP
proftpd_enable="YES"
#Samba
smbd_enable="YES"
nmbd_enable="YES"

================ipfw show=======================
# ipfw show
00100 39501 5664430 allow ip from any to 127.0.0.1
00200 298973834 16742537250 allow ip from 127.0.0.1 to any
00300 463120 124253621 fwd 127.0.0.1,3128 tcp from 172.16.0.0/22 to any dst-port 80 via fxp0
00400 192 21592 allow ip from any to any via lo0
00500 0 0 check-state
00600 151016653 441881612633 divert 8668 ip from any to any out via fxp0
00700 2488534 2879803751 divert 8668 ip from any to me in via fxp0
00800 152764572 443664296103 allow tcp from any to any established
00900 819473 61927800 allow ip from 82.x.x.x to any out xmit fxp0
01000 0 0 allow tcp from any to any established
01100 52638 2627212 allow tcp from any to any setup
01200 0 0 divert 8668 ip from any to any dst-port 3389 out via fxp0
01300 0 0 divert 8668 ip from any 3389 to me in via fxp0
01400 0 0 allow tcp from any to any established
01500 0 0 allow tcp from any to any setup
01600 16737 5074148 allow udp from any 53 to any via fxp0
01700 0 0 allow udp from any to any dst-port 53 via fxp0
01800 0 0 allow tcp from any to 82.x.x.x dst-port 80 in via fxp0 setup
01900 0 0 allow tcp from any to 172.16.0.1 dst-port 80 in via em0 setup
02000 38 2544 allow icmp from any to any out via fxp0 keep-state
02100 7377 499479 allow icmp from any to any in via fxp0
02200 0 0 allow tcp from any to any dst-port 110 via em0
02300 0 0 allow tcp from any to any dst-port 110 via fxp0
02400 0 0 allow tcp from any to any dst-port 25 via em0
02500 0 0 allow tcp from any to any dst-port 25 via fxp0
02600 0 0 allow tcp from any to any dst-port 389 via em0
02700 0 0 allow tcp from any to any dst-port 80 via em0
02800 0 0 allow tcp from any to any dst-port 443 via em0
02900 0 0 allow tcp from any to any dst-port 21
03000 0 0 allow tcp from any 20 to any
03100 0 0 allow tcp from any to any dst-port 20
03200 0 0 allow tcp from any 50100-50200 to any
03300 0 0 allow tcp from any to any dst-port 50100-50200
03400 0 0 allow tcp from any to any dst-port 3389
03500 0 0 allow tcp from any to any dst-port 3390
03600 0 0 allow tcp from any to any dst-port 3389 setup
03700 0 0 allow tcp from any to any dst-port 25490 via em0
03800 0 0 allow tcp from any to any dst-port 25490 via fxp0
03900 0 0 allow tcp from any to any dst-port 25491 via em0
04000 0 0 allow tcp from any to any dst-port 25491 via fxp0
04100 0 0 allow tcp from any to any dst-port 2221 via em0
04200 0 0 allow tcp from any to any dst-port 2221 via fxp0
04300 0 0 allow tcp from any to any dst-port 49801 via fxp0
04400 0 0 allow tcp from any to any dst-port 49801 via em0
04500 0 0 allow tcp from any to any dst-port 1004 via em0
04600 362 41139 allow udp from any to any dst-port 87 via em0
04700 0 0 allow tcp from any to any dst-port 1111 via em0
04800 0 0 allow tcp from any to any dst-port 1119 via em0
04900 0 0 allow tcp from any to any dst-port 1239 via em0
05000 0 0 allow tcp from any to any dst-port 1389 via em0
05100 0 0 allow tcp from any to any dst-port 1494 via em0
05200 0 0 allow tcp from any to any dst-port 2041 via em0
05300 0 0 allow tcp from any to any dst-port 2042 via em0
05400 0 0 allow tcp from any to any dst-port 2106 via em0
05500 0 0 allow tcp from any to any dst-port 2225 via em0
05600 0 0 allow tcp from any to any dst-port 2226 via em0
05700 0 0 allow tcp from any to any dst-port 22273 via em0
05800 0 0 allow tcp from any to any dst-port 2512 via em0
05900 0 0 allow tcp from any to any dst-port 2513 via em0
06000 0 0 allow tcp from any to any dst-port 2593 via em0
06100 0 0 allow tcp from any to any dst-port 2802 via em0
06200 0 0 allow tcp from any to any dst-port 2897 via em0
06300 0 0 allow tcp from any to any dst-port 30025 via em0
06400 0 0 allow tcp from any to any dst-port 30110 via em0
06500 0 0 allow tcp from any to any dst-port 3279 via em0
06600 0 0 allow tcp from any to any dst-port 3306 via em0
06700 0 0 allow tcp from any to any dst-port 33333 via em0
06800 0 0 allow tcp from any to any dst-port 3345 via em0
06900 0 0 allow tcp from any to any dst-port 3345 via fxp0
07000 0 0 allow tcp from any to any dst-port 3724 via em0
07100 0 0 allow tcp from any to any dst-port 3732 via em0
07200 0 0 allow tcp from any to any dst-port 4080 via em0
07300 0 0 allow tcp from any to any dst-port 4081 via em0
07400 0 0 allow tcp from any to any dst-port 4455 via em0
07500 0 0 allow tcp from any to any dst-port 4455 via fxp0
07600 0 0 allow tcp from any to any dst-port 4466 via em0
07700 0 0 allow tcp from any to any dst-port 4477 via em0
07800 0 0 allow tcp from any to any dst-port 4480 via em0
07900 0 0 allow tcp from any to any dst-port 465 via em0
08000 0 0 allow tcp from any to any dst-port 5222 via em0
08100 0 0 allow tcp from any to any dst-port 55154 via em0
08200 0 0 allow tcp from any to any dst-port 5670 via em0
08300 0 0 allow tcp from any to any dst-port 5680 via em0
08400 0 0 allow tcp from any to any dst-port 5690 via em0
08500 0 0 allow tcp from any to any dst-port 5690 via fxp0
08600 0 0 allow tcp from any to any dst-port 587 via em0
08700 0 0 allow tcp from any to any dst-port 6112 via em0
08800 0 0 allow tcp from any to any dst-port 6667 via em0
08900 0 0 allow tcp from any to any dst-port 6881 via em0
09000 0 0 allow tcp from any to any dst-port 6999 via em0
09100 0 0 allow tcp from any to any dst-port 7001 via em0
09200 0 0 allow tcp from any to any dst-port 7007 via em0
09300 0 0 allow tcp from any to any dst-port 7777 via em0
09400 0 0 allow tcp from any to any dst-port 8080 via em0
09500 0 0 allow tcp from any to any dst-port 8081 via em0
09600 0 0 allow tcp from any to any dst-port 8093 via em0
09700 0 0 allow tcp from any to any dst-port 8129 via em0
09800 0 0 allow tcp from any to any dst-port 8420 via em0
09900 0 0 allow tcp from any to any dst-port 8888 via em0
10000 0 0 allow tcp from any to any dst-port 8889 via em0
10100 0 0 allow tcp from any to any dst-port 9014 via em0
10200 7257 483831 allow icmp from any to any via em0
10300 0 0 allow tcp from any to any dst-port 135,137,138,139,445 via em0
10400 29410 2664116 allow udp from any to any dst-port 135,137,138,139,445 via em0
10500 2537 831884 allow udp from any to any dst-port 67,68 via em0
10600 2243510 2138831500 allow udp from any to any via em0
10700 1478552 2076979327 allow udp from any to any via fxp0
10800 0 0 allow tcp from any to any dst-port 22 via em0
10900 0 0 allow tcp from any to any dst-port 5900,5500 via em0
11000 0 0 deny log logamount 50 ip from any to any
11100 0 0 deny ip from any to any
65535 0 0 allow ip from any to any

 

Конфиг /etc/ipnat.rules покажите.

 

У меня не поднят ipnat, редирект при помощи natd

 

Нужно сделать редирект пакетов, которые приходят на вашу freebsd по порту 3389 на машинку 172.16.0.254. Для этого открываем конфиг ipnat.rules и добавляем правило:

rdr fxp0 from any to 82.x.x.x port=3389 -> 172.16.0.254 port 3389 tcp
где х это внешний ip.

 

как же не поднят, если поднят, судя по конфигу rc.conf

Добавлено: вижу комментарий, ок. Поднимите его.

 

tcpdump что пишит при попытке подключения из вне ?
Вообщем, очистите лог фарйвола, попробйте подключится из вне по RDP и скопируйте содержимое лога суда.

 

Вот лог ipfw, про rdp ничего нет

Feb 21 09:44:37 Server kernel: ipfw: 10200 Deny TCP 91.191.227.2:49169 82.195.2.61:49800 in via fxp0
Feb 21 09:44:37 Server kernel: ipfw: 10200 Deny TCP 172.16.1.172:1386 192.168.0.4:2222 in via em0
Feb 21 09:44:38 Server kernel: ipfw: 10200 Deny TCP 172.16.1.163:1253 192.168.0.4:2222 in via em0
Feb 21 09:44:38 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3266 205.188.27.205:5190 in via em0
Feb 21 09:44:41 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3266 205.188.27.205:5190 in via em0
Feb 21 09:44:42 Server kernel: ipfw: 10200 Deny TCP 172.16.1.191:2192 192.168.0.4:2222 in via em0
Feb 21 09:44:43 Server kernel: ipfw: 10200 Deny TCP 91.191.227.2:49169 82.195.2.61:49800 in via fxp0
Feb 21 09:44:43 Server kernel: ipfw: 10200 Deny TCP 172.16.1.172:1386 192.168.0.4:2222 in via em0
Feb 21 09:44:44 Server kernel: ipfw: 10200 Deny TCP 172.16.1.163:1253 192.168.0.4:2222 in via em0
Feb 21 09:44:47 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3266 205.188.27.205:5190 in via em0
Feb 21 09:44:48 Server kernel: ipfw: 10200 Deny TCP 172.16.1.107:1564 192.168.0.4:2222 in via em0
Feb 21 09:44:49 Server kernel: ipfw: 10200 Deny TCP 172.16.1.65:4771 91.213.144.132:8585 in via em0
Feb 21 09:44:51 Server kernel: ipfw: 10200 Deny TCP 172.16.1.107:1564 192.168.0.4:2222 in via em0
Feb 21 09:44:52 Server kernel: ipfw: 10200 Deny TCP 172.16.1.65:4771 91.213.144.132:8585 in via em0
Feb 21 09:44:52 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3293 205.188.27.205:5190 in via em0
Feb 21 09:44:54 Server kernel: ipfw: 10200 Deny TCP 172.16.1.22:4032 192.168.0.4:2222 in via em0
Feb 21 09:44:55 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3293 205.188.27.205:5190 in via em0
Feb 21 09:44:57 Server kernel: ipfw: 10200 Deny TCP 172.16.1.22:4032 192.168.0.4:2222 in via em0
Feb 21 09:44:57 Server kernel: ipfw: 10200 Deny TCP 172.16.1.107:1564 192.168.0.4:2222 in via em0
Feb 21 09:44:58 Server kernel: ipfw: 10200 Deny TCP 172.16.1.65:4771 91.213.144.132:8585 in via em0
Feb 21 09:45:01 Server kernel: ipfw: 10200 Deny TCP 172.16.1.104:1732 192.168.0.4:2222 in via em0
Feb 21 09:45:01 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3293 205.188.27.205:5190 in via em0
Feb 21 09:45:03 Server kernel: ipfw: 10200 Deny TCP 172.16.1.22:4032 192.168.0.4:2222 in via em0
Feb 21 09:45:03 Server kernel: ipfw: 10200 Deny TCP 172.16.1.189:1634 192.168.0.4:2222 in via em0
Feb 21 09:45:04 Server kernel: ipfw: 10200 Deny TCP 172.16.1.104:1732 192.168.0.4:2222 in via em0
Feb 21 09:45:06 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3319 64.12.249.113:5190 in via em0
Feb 21 09:45:06 Server kernel: ipfw: 10200 Deny TCP 172.16.1.189:1634 192.168.0.4:2222 in via em0
Feb 21 09:45:06 Server kernel: ipfw: 10200 Deny TCP 172.16.1.34:1613 192.168.0.4:2222 in via em0
Feb 21 09:45:07 Server kernel: ipfw: 10200 Deny TCP 172.16.1.23:1523 192.168.0.4:2222 in via em0
Feb 21 09:45:09 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3319 64.12.249.113:5190 in via em0
Feb 21 09:45:09 Server kernel: ipfw: 10200 Deny TCP 172.16.1.34:1613 192.168.0.4:2222 in via em0
Feb 21 09:45:10 Server kernel: ipfw: 10200 Deny TCP 172.16.1.104:1732 192.168.0.4:2222 in via em0
Feb 21 09:45:10 Server kernel: ipfw: 10200 Deny TCP 172.16.1.65:4772 85.158.55.7:8585 in via em0
Feb 21 09:45:10 Server kernel: ipfw: 10200 Deny TCP 172.16.1.146:1652 192.168.0.4:2222 in via em0
Feb 21 09:45:10 Server kernel: ipfw: 10200 Deny TCP 172.16.1.76:1435 192.168.0.4:2222 in via em0
Feb 21 09:45:10 Server kernel: ipfw: 10200 Deny TCP 172.16.1.201:1129 192.168.0.4:2222 in via em0
Feb 21 09:45:10 Server kernel: ipfw: 10200 Deny TCP 172.16.1.23:1523 192.168.0.4:2222 in via em0
Feb 21 09:45:11 Server kernel: ipfw: 10200 Deny TCP 172.16.0.204:56322 206.246.122.250:13 in via em0
Feb 21 09:45:12 Server kernel: ipfw: 10200 Deny TCP 172.16.1.189:1634 192.168.0.4:2222 in via em0
Feb 21 09:45:13 Server kernel: ipfw: 10200 Deny TCP 172.16.1.76:1435 192.168.0.4:2222 in via em0
Feb 21 09:45:13 Server kernel: ipfw: 10200 Deny TCP 172.16.1.146:1652 192.168.0.4:2222 in via em0
Feb 21 09:45:13 Server kernel: ipfw: 10200 Deny TCP 172.16.1.65:4772 85.158.55.7:8585 in via em0
Feb 21 09:45:13 Server kernel: ipfw: 10200 Deny TCP 172.16.1.201:1129 192.168.0.4:2222 in via em0
Feb 21 09:45:15 Server kernel: ipfw: 10200 Deny TCP 172.16.1.176:3319 64.12.249.113:5190 in via em0

 

Пробывал ipnat в место natd, результат тот же . У меня еще есть редирект для ftp, и антивируса, они работают нормально.
Пробую tcpdump, не успеваю отследить подключения, все мелькает))

 

Важно понять, заносится ли информация в лог ipfw, а точнее IP адрес с которого идет попытка подключения на ваш внешний ip. Он фигурирует в ранее предоставленной логе?

точнее можно?

 

Всем спасибо, проблема решилась.

 

Где грабли были?

 

Да вообщем я просил знакомого подключатся из внешки на мой внешний ip по rdp, он говорил что не может. Еще я сам пробывал так же подключившись к компу по рдп который находиться тоже во внешке, подключаться по рдп на мой внешний ip, но не получалось, даже telnetom. Вчера попробовал с телефона зайти, и вуаля)) Я думаю что у знакомого и у компа к которому я подключался просто нет доступа из локалки во внешнюю сеть по портам 3389 и тех которые я назначал ридеректом. Фуф, кое как сформулировал)))