Date: Sun, 30 Jun 2013 04:15:11 -0500
From: "Paul A. Procacci" <pprocacci@datapipe.com>
To: Sami Halabi <sodynet1@gmail.com>
Cc: freebsd-net@freebsd.org, freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: DNAT in freebsd
Message-ID: <20130630091511.GC20376@nat.myhome>
In-Reply-To: <CAEW+ogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com>
References: <CAEW+ogYp61U2zjicksYekSdfmLLZh5g9QM3GUg4n16ZbudVZtg@mail.gmail.com> <20130629002959.GB20376@nat.myhome> <CAEW+ogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com>
On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
> I think I was misunderstood...
> Here is the situation I want to handle:
> My box is a router that handles several /24 behind.
> One of my links (em0) is connected to a private network. 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make any connection that comes to 192.168.0.1 go to IP
> 193.xxx.yyy.2 using the specific public IP 84.xx.yy.1,
> and packets coming to my public IP 84.xx.yy.1 to be translated as if they came
> from 192.168.0.1 and sent to 192.168.0.2 or any other IPs
> behind (192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.
>
> Sami
> On 29 Jun 2013 03:30, "Paul A. Procacci" <pprocacci@datapipe.com> wrote:

The answer I provided you does exactly what you want it to do. Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate.

Here is my config that I use for my home setup.

The config:
- binds a nat instance on the primary interface
- denies all inbound SYNs, among other things
- forwards packets originating on the internal network interface through nat
- and returns packets (ACKs) back to the original sender.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!/bin/sh

###################### Start of IPFW Configuration ####################

# Set rules command prefix :: Rule numbering cannot exceed 900
cmd="/sbin/ipfw -q"
pif="de0"      # Public NIC
iif="bridge0"  # Internal NIC

##############################################
# Flush current rules and do config.
$cmd -f flush
$cmd enable one_pass
##############################################

${cmd} add 00001 allow all from any to any via lo0
${cmd} add 00002 deny all from any to 127.0.0.0/8
${cmd} add 00003 deny ip from 127.0.0.0/8 to any

${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
${cmd} add 00020 nat 1 all from any to any via ${pif}

${cmd} add 00050 allow all from any to any via ${iif}

${cmd} add 65534 deny log all from any to any
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Again, this information is found in `man ipfw(8)` and does what you are asking.

~Paul
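Added example, not Paul's config and not from anyone in the thread: the redirect (DNAT) form of the same ipfw nat setup, using the redirect_addr and redirect_port keywords from ipfw(8) that the original question is really about. The interface name and every address are constructed placeholders; the script only prints the ipfw commands unless APPLY=1 is set, so the rule set can be reviewed before it touches a router.

```shell
#!/bin/sh
# Added example (not the thread's code): inbound redirection with ipfw nat.
# All addresses below are constructed placeholders, not the poster's.
# Default is a dry run that prints the commands; APPLY=1 executes them.

cmd="/sbin/ipfw -q"
pif="em1"                 # placeholder: NIC that carries the public address
pub_ip="84.0.0.1"         # placeholder: public address to translate to/from
inside_ip="192.168.0.2"   # placeholder: host that should appear as pub_ip
www_ip="192.168.1.10"     # placeholder: web host behind the router

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        $cmd "$@"
    else
        echo "$cmd $*"
    fi
}

build_rules() {
    run -f flush
    # one_pass: a packet accepted by the nat rule leaves the ruleset there
    run enable one_pass
    run add 00001 allow all from any to any via lo0
    # redirect_addr localIP publicIP: a 1:1 mapping, so traffic arriving for
    # pub_ip is handed to inside_ip and inside_ip's own connections leave as
    # pub_ip. redirect_port forwards only TCP/80 of pub_ip to www_ip:8080.
    # deny_in still drops unsolicited inbound packets that match no
    # existing translation entry (dynamic or redirect).
    run nat 1 config if "$pif" log deny_in reset same_ports \
        redirect_addr "$inside_ip" "$pub_ip" \
        redirect_port tcp "$www_ip:8080" "$pub_ip:80"
    run add 00020 nat 1 all from any to any via "$pif"
    # everything that was not translated and accepted above is dropped
    run add 65534 deny log all from any to any
}

build_rules
```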