>Какой используется файрволл и где лежат правила? Покажи /etc/ipnat.rules. Возможно, 80-й порт завёрнут
>на squid, а у него, насколько я помню, свой ACL
>по ip-адресам.
# /etc/rc.conf (FreeBSD): ipfw is enabled and, because firewall_script is set,
# the rule set is loaded from the custom script below instead of a built-in
# firewall_type profile.
firewall_enable="YES"
firewall_script="/etc/fw.rules"
содержание:
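#!/bin/sh
#########################################################
##
## ipfw rules for gateway PC
## written by yur (to_u-ra@mail.ru)
##
#########################################################
# Network objects.  Every rule below addresses hosts/nets only through these
# names, so re-addressing is a one-line change.
PREFIX="/etc/ipfw"              # not referenced by any rule in this script
fwcmd="/sbin/ipfw"
pvnet="192.168.200.176/28"      # "pv" subnet: the only source allowed to relay mail through us
tcnet="192.168.200.0/24"        # "tc" LAN
clnet="192.168.2.0/24"          # client LAN
tcvpn="10.5.3.64/26"            # tc VPN pool (defined, not referenced by any rule)
clvpn="10.5.3.32/28"            # client VPN pool
extip="217.115.81.19"           # external address (not referenced by any rule here)
nocip="192.168.200.200"
cliip="192.168.2.1"
trusted="10.5.3.10"             # only used by the commented-out "trusted host" rule
natnet="10.5.3.0/24"
prox="10.5.3.1"
websrv="192.168.200.200"
vpnsrv="192.168.200.202"        # VPN server; see the wide-open rules for it below
#ssu="62.165.34.98"
smbprts="135-139,445"
###########################################
###########################################
# Let's flush all rules first
$fwcmd -f flush
#############################################
# ---Static Rules ---
# loopback
$fwcmd add 20 pass ip from any to any via lo0
#############################################
###########################################
# Dynamically numbered rules
###########################################
#------------------------------------------
# Step to change rules' number
step=5
# Start num
N=50
#------------------------------------------
# rule ARGS...: add an ipfw rule numbered $N, then advance $N by $step.
#
# The original script wrote "$fwcmd add $N $(N=$(($N+$step))) ..." on every
# line.  The assignment inside "$(...)" happens in a subshell and is lost, so
# N never changed and every rule was installed as number 50.  ipfw keeps
# same-numbered rules in insertion order, which is why the policy still
# worked, but "ipfw delete 50" would have wiped the whole set and the
# numbering shown by "ipfw show" was meaningless.  Doing the increment inside
# a function keeps it in the current shell.
#
# A rule ipfw rejects is reported on stderr instead of being skipped silently
# (that is how the $clnen typo fixed below went unnoticed).
rule() {
    $fwcmd add "$N" "$@" || echo "fw.rules: rule $N rejected: $*" >&2
    N=$((N + step))
}
#------------------------------------------
# --- Stateful firewall
rule check-state // enables statefill firewall
# me
rule pass ip from me to any keep-state // allow me to go anywhere
# public services
# NOTE(review): "ip ... 53" from *any* exposes the resolver to the whole
# Internet.  If the name server here recurses, this is an open resolver;
# consider limiting the source to the internal nets / VPN pools, and using
# udp/tcp explicitly rather than "ip".
rule pass ip from any to me 53 keep-state // allow external dns queries
#rule pass tcp from $ssu to me 20,21,22,80,443,8000 keep-state
#rule pass udp from any to me 67 keep-state // allow to get dhcp-adresses
#rule pass udp from any to me 525 keep-state // allow everybody to sync time
# vpn-server
# NOTE(review): every protocol and port from anywhere reaches $vpnsrv, and it
# may reach anywhere; narrow this to the VPN protocol/ports if possible.
rule pass ip from any to $vpnsrv keep-state // allow clients to connect to vpn server
rule pass ip from $vpnsrv to any keep-state // allow clients to connect to vpn server
# deny ssh from enemies
rule deny log ip from { $clnet or $clvpn } to me 22 // deny ssh from somebody
# deny smb-traffic from everything except tc-net
rule deny ip from not $tcnet to me $smbprts // deny smb-traffic from not except tc-net
# deny mail-relaying from everybody except pv-net.  (The original comment
# said "tc-net" and the stored ipfw comment said "smb"; the rule has always
# matched tcp/25 from outside $pvnet, so the comments now say so.)
rule deny tcp from not $pvnet to me 25 // deny smtp relaying from not except pv-net
# pass any other traffic to us from tc-net
rule pass ip from $tcnet to me keep-state // pass any other traffic to us from tc-net
# pass TCP from pv-net (only tcp, despite the original "any traffic" comment;
# udp/icmp from pv-net falls through to the later rules)
rule pass tcp from $pvnet to any keep-state
# pass selected traffic for vpn-users
#rule pass tcp from $clvpn to any keep-state // pass vpn-users to any
rule pass tcp from $clvpn to any 110 keep-state // pass vpn-users to any POP3
rule pass tcp from $clvpn to any 25 keep-state // pass vpn-users to any SMTP
rule pass udp from $clvpn to me 67 keep-state // pass vpn-users to me DHCP
rule pass tcp from $clvpn to me 3128 keep-state // pass vpn-users to me SQUID
rule pass tcp from $clvpn to any 5190 keep-state // pass vpn-users to IBANK
# the same set for 192.168.2.0/24
#rule pass tcp from $clnet to any keep-state // pass vpn-users to any
rule pass tcp from $clnet to any 110 keep-state // pass vpn-users to any POP3
rule pass tcp from $clnet to any 25 keep-state // pass vpn-users to any SMTP
rule pass udp from $clnet to me 67 keep-state // pass vpn-users to me DHCP
rule pass tcp from $clnet to me 3128 keep-state // pass vpn-users to me SQUID
# FIX: the original referenced the undefined $clnen (typo for $clnet).  It
# expanded to nothing, so ipfw presumably rejected the malformed rule and
# client-LAN hosts never got port 5190.
rule pass tcp from $clnet to any 5190 keep-state // pass vpn-users to IBANK
# !!! temporary [ client doesnt wanna go via vpn ] !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#rule pass ip from 192.168.2.12 to any keep-state
# pass icmps
rule pass icmp from any to any keep-state // allow anybody to ping any
# trusted host's rules
#rule pass ip from $trusted to any keep-state // allow trusted hosts
rule deny log ip from any to any // deny all other traffic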
содержание ipnat.rules:
# IPFILTER ipnat rules
# NOTE: NAT is done by ipfilter/ipnat here; the ipfw script above has no
# "divert natd" rule, so two packet-filter frameworks are active on this box.
# --- Transparent proxying
# Both rdr lines are commented out: this file does NOT redirect port 80 to
# squid (192.168.200.200:3128).  If a transparent proxy is in effect, it is
# configured somewhere else.
#rdr xl0 217.115.81.19/32 port 80 -> 217.115.81.19 port 80
#rdr xl0 0/0 port 80 -> 192.168.200.200 port 3128
# --- NAT
# Traffic from 10.5.3.0/24 (natnet / the VPN pools in the ipfw script) and
# from the 192.168.200.0/24 LAN leaving dc0 for a foreign destination is
# masqueraded behind the external address.
map dc0 from 10.5.3.0/24 ! to 10.5.3.0/24 -> 217.115.81.19/32
map dc0 from 192.168.200.0/24 ! to 192.168.200.0/24 -> 217.115.81.19/32
# Only one client-LAN host (192.168.2.12) is NATed -- the "temporary, client
# doesn't want VPN" exception.  Its matching ipfw pass rule is commented out,
# so it is still limited to the explicit clnet rules there.
map dc0 from 192.168.2.12/32 ! to 192.168.2.0/24 -> 217.115.81.19/32
#rdr dc0 217.115.82.74/32 -> 10.5.3.39
Где смотреть конфиги squid-а не знаю...