From owner-freebsd-questions Wed Jun 27 11:22:08 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 21A9737B406 for ; Wed, 27 Jun 2001 11:22:02 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f5RJjsC59334; Wed, 27 Jun 2001 14:45:54 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Wed, 27 Jun 2001 14:45:53 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Doug Poland
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw/natd - howto divert based on source IP?
In-Reply-To: <20010627114010.A19216@polands.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 27 Jun 2001, Doug Poland wrote:

> Hello,
>
> I'm trying to configure a 4.3-STABLE box to divert packets based on
> the source IP address. The result should be the packet looks like
> it's coming from a given address based on its source.
>
> i.e.,
>
> MyHost has 3 public IPs:
>
>   ifconfig xl0 inet xxx.xxx.xxx.113 netmask 255.255.255.224
>   ifconfig xl0 inet xxx.xxx.xxx.126 netmask 255.255.255.224 alias
>   ifconfig xl0 inet xxx.xxx.xxx.99 netmask 255.255.255.224 alias
>
> Any packets originating from the machine itself (.113) should look
> like they came from .99
>
> Any packets originating from hosts .100-.112 should not have their IP
> address translated
>
> Any packets originating from my private network (192.168.0/24) should
> have their IPs translated to look like they came from .126.
>
> I've successfully configured natd/ipfw to nat and use .126 as the
> alias_address. This is what I'm thinking about doing...
>
> 1. Remove: alias_address xxx.xxx.xxx.126 from natd.conf
> 2. Remove: divert natd ip from any to any via xl0 from rc.firewall
> 3. Add:
>
>   divert natd ip from xxx.xxx.xxx.113 to xxx.xxx.xxx.99 via xl0
>   divert natd ip from xxx.xxx.xxx.100 to xxx.xxx.xxx.100 via xl0
>   divert natd ip from xxx.xxx.xxx.101 to xxx.xxx.xxx.101 via xl0
>   etc., etc., etc.,
>   divert natd ip from xxx.xxx.xxx.112 to xxx.xxx.xxx.112 via xl0
>   divert natd ip from 192.168.3.0/24 to xxx.xxx.xxx.126 via xl0
>
> Does this make sense? Is there a better/easier way to achieve what
> I'm after?

Set up natd with the following options:

  redirect_address X.X.X.113 aaa.aaa.aaa.99
  alias_address bbb.bbb.bbb.126

IPFW options:

  allow ip from XXX.XXX.XXX.110 to any
  allow ip from any to XXX.XXX.XXX.110
  allow ip from XXX.XXX.XXX.112 to any
  allow ip from any to XXX.XXX.XXX.112
  divert natd ip from any to any via xl0

The redirect statement takes care of .113; the ipfw rules above the
divert rule will allow traffic to and from 110 & 112 without any
diversion. The alias_address will take care of the 192.168 network
translation.

If you need to be more specific you will have to provide more details.

Nick Rogness
  - Keep on Routing in a Free World...
    "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
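The point Nick's reply turns on is that ipfw is a first-match ruleset: an `allow` placed before the `divert natd` rule takes the packet out of the firewall before natd ever sees it, while a `from A to B` clause on a divert rule is only a match condition, not a rewrite (so the original proposal's `divert natd ip from .113 to .99` would match packets addressed to .99 rather than change their source). natd then does two different things to whatever is diverted: `redirect_address` is a static one-to-one mapping (outbound from .113 leaves as .99, and inbound to .99 is delivered to .113, which also exposes the box's own listeners on .99), and `alias_address` is the dynamic many-to-one that, by natd's default without `-unregistered_only`, is applied to every other diverted packet. The simulation below is an added example written for this page, not code from the thread or from FreeBSD; it models those rules on constructed addresses (the documentation block 203.0.113.96/27 stands in for the masked xxx.xxx.xxx prefix, 198.51.100.7 is an arbitrary remote host, and a default-deny policy is assumed), generalises the reply's two per-host allows to the whole .100-.112 range the question asked about, and shows what goes wrong when the divert is placed ahead of them.

```python
"""Model of the ipfw/natd layout from the reply: first-match ipfw rules plus
natd's static (redirect_address) and dynamic (alias_address) source rewrites.
Added example; addresses are constructed stand-ins for the thread's masked ones."""
import ipaddress

HOST = ipaddress.ip_address("203.0.113.113")          # the box's primary address (.113)
STATIC_PUBLIC = ipaddress.ip_address("203.0.113.99")  # redirect_address target (.99)
ALIAS = ipaddress.ip_address("203.0.113.126")         # natd alias_address (.126)
PASS_THROUGH = [ipaddress.ip_address(f"203.0.113.{i}") for i in range(100, 113)]  # .100-.112
PRIVATE = ipaddress.ip_network("192.168.0.0/24")      # the private LAN from the question
REMOTE = ipaddress.ip_address("198.51.100.7")         # constructed Internet destination


def matches(pattern, addr):
    """ipfw-style address match: 'any', a CIDR prefix, or a single address."""
    if pattern == "any":
        return True
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def natd_outgoing(src):
    """Source rewrite natd applies to a diverted outbound packet, given
         redirect_address 203.0.113.113 203.0.113.99   (static NAT, consulted first)
         alias_address    203.0.113.126                (everything else; natd's default
                                                         without -unregistered_only)"""
    if src == HOST:
        return STATIC_PUBLIC
    if src == ALIAS:
        return src
    return ALIAS


def ipfw_outbound(rules, src, dst=REMOTE):
    """First-match walk of an ipfw ruleset for a packet leaving via xl0.
    rules: list of (action, src_pattern, dst_pattern).  A diverted packet is
    re-injected by natd and continues at the rule after the divert rule.
    Returns (verdict, source address as it appears on the wire)."""
    for action, src_pat, dst_pat in rules:
        if not (matches(src_pat, src) and matches(dst_pat, dst)):
            continue
        if action == "allow":
            return "allow", src
        if action == "deny":
            return "deny", src
        if action == "divert":
            src = natd_outgoing(src)   # natd rewrites, packet re-enters below
    return "deny", src   # assumption: default-deny (no IPFIREWALL_DEFAULT_TO_ACCEPT)


def nick_ruleset():
    """The reply's layout, generalised from .110/.112 to all of .100-.112."""
    rules = []
    for h in PASS_THROUGH:
        rules.append(("allow", str(h), "any"))   # outbound from the host, untouched
        rules.append(("allow", "any", str(h)))   # inbound to the host, untouched
    rules.append(("divert", "any", "any"))       # divert natd ip from any to any via xl0
    rules.append(("allow", "any", "any"))        # pass whatever natd handed back
    return rules


def misordered_ruleset():
    """Same rules with the divert moved first: the per-host allows never match,
    because by the time they run the source has already been aliased."""
    rules = nick_ruleset()
    divert = rules.pop(-2)
    return [divert] + rules


def wire_source(rules, src):
    """Source address a remote peer would see for a packet from `src`."""
    return str(ipfw_outbound(rules, ipaddress.ip_address(src))[1])


if __name__ == "__main__":
    for s in ("203.0.113.113", "203.0.113.110", "192.168.0.5"):
        print(f"{s:14} -> {wire_source(nick_ruleset(), s):14}"
              f" | divert-first -> {wire_source(misordered_ruleset(), s)}")
```

Running it shows .113 leaving as .99, .110 leaving untouched and the LAN host leaving as .126 with the reply's ordering, whereas with the divert first .110 is also rewritten to .126. The same first-match logic is what ipfw applies to the real ruleset, so when adding hosts to the exempt range the check is simply that their `allow` rules carry lower rule numbers than the `divert natd` rule (`ipfw show` lists them in evaluation order).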