From: "Paul A. Procacci" <pprocacci@datapipe.com>
To: Sami Halabi
Cc: freebsd-net@freebsd.org, freebsd-ipfw
Date: Sun, 30 Jun 2013 04:15:11 -0500
Subject: Re: DNAT in freebsd
Message-ID: <20130630091511.GC20376@nat.myhome>
References: <20130629002959.GB20376@nat.myhome>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
> I think I was misunderstood...
> Here is the situation I want to handle:
> My box is a router that handles several /24s behind it.
> One of my links (em0) is connected to a private network; 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make any connection that comes to 192.168.0.1 go to IP
> 193.xxx.yyy.2 using the specific public IP 84.xx.yy.1,
> and packets coming to my public 84.xx.yy.1 IP to be translated as if they came
> from 192.168.0.1 and sent to 192.168.0.2 (or any other IPs
> behind it, 192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.
>
> Sami
>
> On 29 June 2013 03:30, "Paul A. Procacci" wrote:

The answer I provided you does exactly what you want it to do. Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate.

Here is my config that I use for my home setup. The config:

- binds a nat instance on the primary interface
- denies all inbound SYNs among other things
- forwards packets originating on the internal network interface through nat
- and returns packets (ACKs) back to the original sender.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!/bin/sh
###################### Start of IPFW Configuration ####################

# Set rules command prefix :: Rule numbering cannot exceed 900
cmd="/sbin/ipfw -q"
pif="de0"        # Public NIC
iif="bridge0"    # Internal NIC

##############################################
# Flush current rules and do config.
$cmd -f flush
# one_pass: a packet accepted by a nat rule leaves the ruleset there
$cmd enable one_pass

##############################################
# Loopback traffic is allowed; anything else claiming 127/8 is dropped.
${cmd} add 00001 allow all from any to any via lo0
${cmd} add 00002 deny all from any to 127.0.0.0/8
${cmd} add 00003 deny ip from 127.0.0.0/8 to any
# nat instance 1 on the public NIC: deny_in drops unsolicited inbound
# connections, reset clears the table when the address changes,
# unreg_only translates only RFC 1918 source addresses, same_ports keeps
# the original source port where possible.
${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
${cmd} add 00020 nat 1 all from any to any via ${pif}
${cmd} add 00050 allow all from any to any via ${iif}
${cmd} add 65534 deny log all from any to any
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Again, this information is found in `man ipfw(8)` and does what you are
asking.

~Paul

________________________________
This message may contain confidential or privileged information. If you are
not the intended recipient, please advise us immediately and delete this
message. See http://www.datapipe.com/legal/email_disclaimer/ for further
information on confidentiality and the risks of non-secure electronic
communication. If you cannot access these links, please notify us by reply
message and we will send the contents to you.
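The static (one-to-one) mapping Sami is asking about is the `redirect_addr` option of the same in-kernel NAT, so as an added illustration (not part of Paul's post or of the FreeBSD project's own scripts) here is a small sh script that generates the extra rules for it. It is a dry run by default: the rule lines are emitted through `echo`, and only setting `IPFW="/sbin/ipfw -q"` hands them to the firewall. The interface name, the instance and rule numbers, the function names and the addresses are all assumptions; the addresses are RFC 5737 documentation ranges standing in for the elided `84.xx.yy.1` and `193.xxx.yyy.2`, and the public address is assumed to be configured on the public NIC of the box running the rules.

```sh
#!/bin/sh
# Added example (not from the list thread): a static one-to-one mapping in
# ipfw's in-kernel NAT, emitted as rule lines so they can be previewed
# before being handed to /sbin/ipfw. All addresses are RFC 5737
# documentation-range placeholders.

# Reject anything that is not a dotted quad with octets 0-255, so a
# placeholder left in the script (like 84.xx.yy.1) is never passed to ipfw.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    n=0
    oldifs=$IFS
    IFS=.
    for o in $ip; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Emit the rules for one static mapping.
#   $1 = ipfw command prefix ("/sbin/ipfw -q", or "echo" for a dry run)
#   $2 = public NIC   $3 = public IP owned by this box   $4 = internal host
# The two "add" rules sit below the general masquerade rule (00020 in the
# config above) because with one_pass enabled the first matching nat rule
# accepts the packet; only traffic for this mapping is steered to
# instance 2, everything else still falls through to instance 1.
dnat_rules() {
    cmd=$1 pif=$2 pub=$3 target=$4
    valid_ipv4 "$pub" && valid_ipv4 "$target" || return 1
    # redirect_addr localIP publicIP: inbound to $pub is rewritten to
    # $target, and replies from $target leave with source $pub.
    $cmd nat 2 config if "$pif" log same_ports redirect_addr "$target" "$pub"
    $cmd add 00010 nat 2 ip from any to "$pub" in via "$pif"
    $cmd add 00011 nat 2 ip from "$target" to any out via "$pif"
}

# Dry run by default; IPFW="/sbin/ipfw -q" applies the rules for real.
dnat_rules "${IPFW:-echo}" em0 203.0.113.1 198.51.100.2
```

Run it once without `IPFW` set and read the three lines it prints; the `in`/`out` qualifiers on rules 00010 and 00011 keep instance 2 from touching unrelated traffic, and the address check means a half-edited copy of the script fails before `ipfw` sees a bad argument rather than after.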