Date:      Sun, 30 Jun 2013 04:15:11 -0500
From:      "Paul A. Procacci" <pprocacci@datapipe.com>
To:        Sami Halabi <sodynet1@gmail.com>
Cc:        freebsd-net@freebsd.org, freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: DNAT in freebsd
Message-ID:  <20130630091511.GC20376@nat.myhome>
In-Reply-To: <CAEW%2BogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com>
References:  <CAEW%2BogYp61U2zjicksYekSdfmLLZh5g9QM3GUg4n16ZbudVZtg@mail.gmail.com> <20130629002959.GB20376@nat.myhome> <CAEW%2BogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com>



On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
> I think I was misunderstood...
> Here is the situation i want to handle:
> My box is a router that handles several /24s behind it.
> One of my links (em0) is connected to a private network; 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make any connection that comes to 192.168.0.1 go to IP
> 193.xxx.yyy.2 using the specific public IP 84.xx.yy.1,
> and packets coming to my public IP 84.xx.yy.1 to be translated as if they
> came from 192.168.0.1 and sent to 192.168.0.2 / or any other IPs
> behind (192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.
>
> Sami
> On 29 Jun 2013 03:30, "Paul A. Procacci" <pprocacci@datapipe.com> wrote:

The answer I provided you does exactly what you want it to do.  Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate.  Here is my config that I use for my home setup.

The config:

- binds a nat instance on the primary interface
- denies all inbound SYNs, among other things
- forwards packets originating on the internal network interface through nat
- and returns packets (ACKs) back to the original sender.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!/bin/sh
###################### Start of IPFW Configuration ####################
# Set rules command prefix :: Rule numbering cannot exceed 900

cmd="/sbin/ipfw -q"
pif="de0"       # Public NIC
iif="bridge0"   # Internal NIC

##############################################
# Flush current rules and do config.
$cmd -f flush
# one_pass: a packet that has been through the nat action (rule 20 below)
# leaves the ruleset at once instead of being reinjected at the next rule.
$cmd enable one_pass
##############################################

# Loopback is allowed; 127/8 is refused on every other interface.
${cmd} add 00001 allow all from any to any via lo0
${cmd} add 00002 deny all from any to 127.0.0.0/8
${cmd} add 00003 deny ip from 127.0.0.0/8 to any

# nat instance 1, aliasing to the address of the public NIC (if ${pif}):
#   log        - log translated packets
#   deny_in    - deny new inbound connections from the outside world
#   reset      - reset the nat table if the NIC address changes
#   unreg_only - translate only traffic from unregistered (RFC 1918) addresses
#   same_ports - try to keep the original source port when translating
${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
# Everything crossing the public NIC, both directions, goes through nat 1
# and (one_pass) is accepted right after translation.
${cmd} add 00020 nat 1 all from any to any via ${pif}

# Only traffic that arrived on the internal NIC gets this far; trust it.
${cmd} add 00050 allow all from any to any via ${iif}

# Catch-all: log and drop whatever remains.
${cmd} add 65534 deny log all from any to any
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Again, this information is found in `man ipfw(8)` and does what you are
asking.

~Paul

________________________________

This message may contain confidential or privileged information. If you are not the intended recipient, please advise us immediately and delete this message. See http://www.datapipe.com/legal/email_disclaimer/ for further information on confidentiality and the risks of non-secure electronic communication. If you cannot access these links, please notify us by reply message and we will send the contents to you.
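The scenario in this thread as an added worked example (not Paul's config above, nor anything Sami posted): the same ipfw nat skeleton, extended with the two redirect forms that ipfw(8) provides for DNAT, `redirect_addr` (static one-to-one NAT) and `redirect_port` (forwarding a single port). Interface names and all addresses are assumptions: the RFC 5737 documentation addresses 198.51.100.1 and 198.51.100.2 stand in for the masked public IPs, 192.168.1.10 is an assumed host behind the router, and only the neighbour 192.168.0.2 is taken from the thread. The script defaults to a dry run that prints the ipfw commands so the ruleset can be reviewed on a machine without ipfw; set IPFW_APPLY=1 to load it for real.

```shell
#!/bin/sh
# Added example, not the config posted in this thread: ipfw nat with
# redirect_addr (static 1:1 NAT) and redirect_port (port forwarding), which
# is what ipfw(8) offers for DNAT.
#
# Assumptions (nothing below comes from the thread except the neighbour):
#   - em0 is the private link (router is 192.168.0.1), em1 the public NIC
#   - 198.51.100.1 / 198.51.100.2 (RFC 5737) stand in for the masked public
#     IPs; 198.51.100.2 must be configured as an alias on $pif
#   - 192.168.1.10 is a host behind the router that should take inbound tcp/80
#
# Default is a dry run that prints the ipfw commands; IPFW_APPLY=1 loads them.

pif="em1"                  # assumed public NIC
iif="em0"                  # assumed internal NIC (192.168.0.0/24 side)
pub_ip="198.51.100.1"      # assumed address of $pif (masquerade address)
pub_alias="198.51.100.2"   # assumed second public address, aliased on $pif
neighbour="192.168.0.2"    # neighbour on the private link (from the thread)
web_host="192.168.1.10"    # assumed internal host for the tcp/80 forward

# Runs ipfw, or prints the command when IPFW_DRYRUN=1 (the default).
ipfw_cmd() {
    if [ "${IPFW_DRYRUN:-1}" = "1" ]; then
        echo "ipfw -q $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# Loads (or prints) the complete ruleset. Numbering is explicit so the order
# below is exactly the order ipfw evaluates.
load_dnat_rules() {
    ipfw_cmd -f flush
    # one_pass: a packet handled by the nat action leaves the ruleset at once
    # instead of continuing at the next rule.
    ipfw_cmd enable one_pass

    ipfw_cmd add 00001 allow all from any to any via lo0
    ipfw_cmd add 00002 deny all from any to 127.0.0.0/8
    ipfw_cmd add 00003 deny ip from 127.0.0.0/8 to any

    # nat 1 aliases to the address of $pif. deny_in refuses new inbound
    # connections; the two redirects are the exceptions:
    #   redirect_addr localIP publicIP   - 1:1: inbound to pub_alias is DNATed
    #       to the neighbour, and the neighbour's outbound leaves as pub_alias
    #   redirect_port proto local:port alias:port - only tcp/80 arriving at
    #       pub_ip is DNATed to web_host:80
    ipfw_cmd nat 1 config if "$pif" log deny_in same_ports \
        redirect_addr "$neighbour" "$pub_alias" \
        redirect_port tcp "$web_host:80" "$pub_ip:80"

    # Every packet crossing the public NIC, both directions, goes through
    # nat 1 and (one_pass) is accepted after translation.
    ipfw_cmd add 00020 nat 1 all from any to any via "$pif"

    # Only traffic that arrived on the internal NIC reaches these rules.
    ipfw_cmd add 00050 allow all from any to any via "$iif"
    ipfw_cmd add 65534 deny log all from any to any
}

if [ "${IPFW_APPLY:-0}" = "1" ]; then
    IPFW_DRYRUN=0
fi
load_dnat_rules
```

Rule order matters here: with one_pass, a packet translated at rule 20 leaves the ruleset, so rule 50 and the final deny only ever see traffic that arrived on the internal NIC. deny_in still drops unsolicited inbound connections; the two redirect entries are the exceptions that get through, one for a whole address and one for a single port, which is the split Sami's two cases need.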



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130630091511.GC20376>