From: Marek Salwerowicz
Date: Wed, 10 Aug 2011 08:51:32 +0200
To: Freddie Cash, freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
Message-ID: <4E422A74.3090601@wp.pl>

On 2011-08-09 18:04, Freddie Cash wrote:
> On Tue, Aug 9, 2011 at 4:59 AM, Marek Salwerowicz wrote:
>
>> I have set up a new router for my network, with a separate DMZ zone for my
>> internet servers. I'd like computers from my LAN to be able to connect to
>> the DMZ zone.
>>
>> My ISP provided me some public IPs, so right now the configuration looks
>> like this:
>>
>> Router with 4 NICs:
>> #public ISP
>> ifconfig_vr3="inet xx.yy.zz.171 netmask 255.255.255.248"
>> ifconfig_vr3_alias0="inet xx.yy.zz.170 netmask 255.255.255.255"
>> ifconfig_vr3_alias1="inet xx.yy.zz.172 netmask 255.255.255.255"
>> ifconfig_vr3_alias2="inet xx.yy.zz.173 netmask 255.255.255.255"
>>
>> The first IP, with suffix .171, I want to be used as the router's real IP
>> and as the public IP for computers in my LAN.
>> All 3 aliases I want to be redirected to the DMZ (one public IP for each
>> server in the DMZ).
>>
>> #DMZ
>> ifconfig_vr2="inet 192.168.0.1 netmask 255.255.255.0"
>>
>> #LAN
>> ifconfig_vr0="inet 10.0.0.1 netmask 255.255.255.0"
>>
>> I've set up in natd.conf:
>>
>> use_sockets yes
>> same_ports yes
>> interface vr3
>> dynamic yes
>> unregistered_only yes
>> redirect_address 192.168.0.10 xx.yy.zz.170 #DMZ host 1
>> redirect_address 192.168.0.20 xx.yy.zz.172 #DMZ host 2
>> redirect_address 192.168.0.30 xx.yy.zz.173 #DMZ host 3
>>
>> Right now everything works from the Internet - if I ssh to xx.yy.zz.170,
>> I really connect to host 192.168.0.10, etc.
>>
>> The problem is that when I want to connect from my 10.0.0.0/24 network
>> (and even from the router) to any DMZ host using its public address (any of
>> xx.yy.zz.{170,172,173}), I can't connect, and in fact I am connecting to
>> the router..
>> So I am unable to access my web, MTA and FTP servers that are located in
>> the DMZ.
>>
>> My ipfw firewall script looks as follows:
>>
>> #!/bin/sh
>>
>> cmd="ipfw -q"
>>
>> DMZ="192.168.0.0/24"
>> LAN="10.0.0.0/24"
>>
>> kldstat -q -m dummynet || kldload dummynet
>> $cmd flush
>>
>> $cmd add 80 divert natd ip from any to any via vr3
>> $cmd add 90 allow ip from any to any via lo0
>>
>> $cmd add 100 allow ip from any to me
>> $cmd add 101 allow ip from me to any
>>
>> $cmd add 500 deny ip from $DMZ to $LAN
>> $cmd add 510 deny ip from $LAN to $DMZ
>>
>>
>> $cmd add 10000 allow ip from any to any
>>
>> I know I've blocked traffic between the DMZ and the LAN, but I wanted them
>> to communicate via public IPs.. but now I'm not sure if it's possible...
>>
>> Can you give me some hints on how to properly configure my router?
>>
> There are two ways to do this, depending on whether or not you want to
> "leak" your private LAN IPs into the DMZ.
>
> The simplest method, where LAN clients connect to the public IP of the DMZ
> servers, and where the DMZ servers see the private IPs of the clients, is
> like so:
>
> # Configure the natd process to NAT from x.x.x.170 to 192.168.0.10 using
> # some port (natd takes the local address first, then the public one)
> natd -port $port -same_ports -use_sockets -alias_address x.x.x.170 \
>     -redirect_address 192.168.0.10 x.x.x.170
>
> # NAT the traffic coming from the LAN to x.x.x.170
> ipfw add divert $port ip from $LAN to x.x.x.170 in recv vr0
> ipfw add allow ip from $LAN to 192.168.0.10 in recv vr0
>
> ipfw add allow ip from $LAN to 192.168.0.10 out xmit vr2
> ipfw add allow ip from 192.168.0.10 to $LAN in recv vr2
>
> # NAT the replies from 192.168.0.10 back to x.x.x.170 on the way to the LAN
> ipfw add divert $port ip from 192.168.0.10 to $LAN out xmit vr0
> ipfw add allow ip from x.x.x.170 to $LAN out xmit vr0
>
> Repeat the above for each of the servers in the DMZ, using separate natd
> processes for each, with separate divert port numbers.
>
> The general flow of the rules above is (src --> dest)
> 10.0.0.x --> x.x.x.170
> 10.0.0.x --> 192.168.0.10
>
> 192.168.0.10 --> 10.0.0.x
> x.x.x.170 --> 10.0.0.x
>
>
> The more correct method is to double-NAT the traffic, such that the LAN
> clients connect to public IPs, and the DMZ servers see connections from
> public IPs. It's more complicated to wrap your head around the first time,
> but it prevents private IPs from "leaking" between the LAN, the Internet,
> and the DMZ. (It took me 10 years of using IPFW to figure this one out.)
>
> # Configure the general natd process for the LAN
> natd -port $port2 -same_ports -use_sockets -alias_address x.x.x.171
>
> # Configure the natd process to NAT from x.x.x.170 to 192.168.0.10 using
> # some port
> natd -port $port1 -same_ports -use_sockets -alias_address x.x.x.170 \
>     -redirect_address 192.168.0.10 x.x.x.170
>
> # NAT the traffic coming from the LAN to x.x.x.170
> ipfw add divert $port1 ip from $LAN to x.x.x.170 in recv vr0
> ipfw add allow ip from $LAN to 192.168.0.10 in recv vr0
>
> # NAT the traffic going to x.x.x.170 from the LAN
> ipfw add divert $port2 ip from $LAN to 192.168.0.10 out xmit vr2
> ipfw add allow ip from x.x.x.171 to 192.168.0.10 out xmit vr2
>
> # NAT the traffic coming from x.x.x.170 to the LAN (undo the x.x.x.171 alias)
> ipfw add divert $port2 ip from 192.168.0.10 to x.x.x.171 in recv vr2
> ipfw add allow ip from 192.168.0.10 to $LAN in recv vr2
>
> # NAT the traffic going to the LAN from x.x.x.170 (present the host as x.x.x.170)
> ipfw add divert $port1 ip from 192.168.0.10 to $LAN out xmit vr0
> ipfw add allow ip from x.x.x.170 to $LAN out xmit vr0
>
> The general flow of the rules above is (src --> dest)
> 10.0.0.x --> x.x.x.170
> 10.0.0.x --> 192.168.0.10 (after first NAT)
> x.x.x.171 --> 192.168.0.10 (after second NAT)
>
> 192.168.0.10 --> x.x.x.171
> 192.168.0.10 --> 10.0.0.x (after first NAT)
> x.x.x.170 --> 10.0.0.x (after second NAT)
>
> Notice how vr3 is never used in any of the rules above, as the packets never
> touch the public interface of the router.
>

Thanks for those hints. Do you mean the $port variables as particular port
numbers? So for each service in the DMZ I want to be available I have to
create such a set of rules?

Regards,
-- 
Marek Salwerowicz
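Freddie's double-NAT rule set, parameterised over the three DMZ hosts from the original post, as an added example that is not part of the thread. It assumes the interface names, address ranges and the x.x.x.171 router alias from the thread; the natd port numbers (8668, 8670, 8672, 8673) are constructed, and the script only prints the natd and ipfw commands so they can be reviewed before being pasted into a real firewall script.

```shell
#!/bin/sh
# Generates the double-NAT natd/ipfw rules for one DMZ server per call.
# Values below follow the thread; the divert ports are constructed here.
LAN="10.0.0.0/24"
LAN_IF="vr0"
DMZ_IF="vr2"
ROUTER_PUB="x.x.x.171"   # public IP the LAN is hidden behind
LAN_NAT_PORT=8668        # natd port for the general LAN NAT (constructed)

# gen_dmz_rules PUBLIC_IP DMZ_IP DIVERT_PORT
# Prints one natd command and the eight ipfw rules for a single DMZ host.
gen_dmz_rules() {
    pub="$1"; dmz="$2"; port="$3"
    cat <<EOF
# --- $pub <-> $dmz (natd divert port $port) ---
natd -port $port -same_ports -use_sockets -alias_address $pub -redirect_address $dmz $pub
# LAN -> $pub: redirect to the DMZ host, then hide the LAN behind $ROUTER_PUB
ipfw add divert $port ip from $LAN to $pub in recv $LAN_IF
ipfw add allow ip from $LAN to $dmz in recv $LAN_IF
ipfw add divert $LAN_NAT_PORT ip from $LAN to $dmz out xmit $DMZ_IF
ipfw add allow ip from $ROUTER_PUB to $dmz out xmit $DMZ_IF
# DMZ host -> LAN: undo the LAN NAT, then present the host as $pub
ipfw add divert $LAN_NAT_PORT ip from $dmz to $ROUTER_PUB in recv $DMZ_IF
ipfw add allow ip from $dmz to $LAN in recv $DMZ_IF
ipfw add divert $port ip from $dmz to $LAN out xmit $LAN_IF
ipfw add allow ip from $pub to $LAN out xmit $LAN_IF
EOF
}

# The general LAN natd is started once; each DMZ host gets its own natd
# process and divert port, as the reply recommends.
gen_all() {
    echo "natd -port $LAN_NAT_PORT -same_ports -use_sockets -alias_address $ROUTER_PUB"
    gen_dmz_rules x.x.x.170 192.168.0.10 8670
    gen_dmz_rules x.x.x.172 192.168.0.20 8672
    gen_dmz_rules x.x.x.173 192.168.0.30 8673
}

gen_all
```

Because nothing here touches vr3, the existing rule 80 `divert natd ... via vr3` keeps handling Internet traffic unchanged; these rules only add the LAN-to-DMZ paths.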