Date:      Sun, 21 Feb 2016 16:01:18 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        Valeri Galtsev <galtsev@kicp.uchicago.edu>
Cc:        freebsd-net@freebsd.org
Subject:   Re: gateway machine port redirect question
Message-ID:  <20160221150117.GB3003@vega.codepro.be>
In-Reply-To: <43887.128.135.52.6.1456021321.squirrel@cosmo.uchicago.edu>
References:  <43887.128.135.52.6.1456021321.squirrel@cosmo.uchicago.edu>

On 2016-02-20 20:22:01 (-0600), Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:
> Dear Experts,
> 
> I'm one of the Linux refugees who several years ago migrated the majority of
> servers from Linux to FreeBSD and has been happy since. When I recently needed
> to set up a gateway (firewall + NAT) machine, I set up FreeBSD 10.2 on it,
> used ipfw and natd, and all works well; machines behind the gateway on the LAN
> can happily reach the real network. I hit one snag later though: when I tried
> to redirect TCP traffic on some port to a machine on the internal private
> network behind the gateway, whatever I do doesn't work.
> 
> Could somebody point to a simple example (it doesn't matter which components
> are involved, I don't feel married to ipfw and natd) for FreeBSD 10.2 that
> makes the machine a gateway, with one of the ports of traffic coming from the
> public network redirected to a machine on the private network behind the
> gateway? Something I can reproduce that works, which I will then gradually
> convert into what I need. The other way around, adding redirection to the
> already working (and a bit sophisticated) gateway I set up, appears to be
> beyond my mental abilities: a couple of weeks of frustration confirm it to me.
> 

I used to run ipfw with in-kernel NAT with the following settings:

% cat /etc/ipfw.conf
#!/bin/sh

#set -e
set -x

WAN_INTF=em0
LAN_INTF=bge0
VIRT_INTF=bridge0

# Shorthand for adding a rule; ipfw assigns the rule number automatically.
add() {
          ipfw -q add "$@"
}

ipfw -q flush
add pass all from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny all from any to ::1/128
add deny ip from 127.0.0.0/8 to any
add deny ip6 from ::1/128 to any

add pass all from any to me via ${LAN_INTF}
add pass all from any to me via ${VIRT_INTF}

## NAT
# In-kernel NAT instance 1 on the WAN interface; only unregistered (private)
# source addresses are translated. Each redirect_port publishes an internal
# host:port on the given external port.
ipfw -q nat 1 config if $WAN_INTF log reset unreg_only \
        redirect_port tcp 172.16.1.5:2200 2200 \
        redirect_port tcp 172.16.1.5:2200 9418 \
        redirect_port udp 172.16.1.5:60001 60001

# NAT
# Apply instance 1 to IPv4 traffic in both directions on the WAN interface.
add nat 1 ip4 from any to any via $WAN_INTF

## Catch all
add allow ip from any to any

% cat /etc/rc.conf
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
firewall_type="open"
firewall_script="/etc/ipfw.conf"
firewall_nat_enable="YES"        # Enable kernel NAT (if firewall_enable == YES)

Also look at the handbook:
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

Regards,
Kristof
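As an added example (not part of the thread, and not FreeBSD's own rc.firewall), here is the kind of minimal, reproducible ruleset the question asked for: an ipfw in-kernel NAT gateway that publishes a single TCP port to one LAN host. It differs from the catch-all ruleset above in that everything else arriving from the WAN is denied and logged, and in that it keeps connection state. The interface names, the LAN prefix 172.16.1.0/24, the target host 172.16.1.5 with ports 22/2200, and the rc.conf script path are assumptions; change them to match the machine. Setting IPFW and SYSCTL to "echo ..." (or running the script with the `preview` argument) prints the exact commands without touching the running ruleset.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD itself: a minimal ipfw
# in-kernel NAT gateway that publishes ONE TCP port to a host on the LAN and
# drops everything else arriving from the WAN. Interface names, the LAN
# prefix, the target host and the ports below are assumptions; adjust them.
#
# Assumed /etc/rc.conf entries (gateway_enable turns on IP forwarding;
# firewall_script replaces /etc/rc.firewall, so firewall_type is not consulted):
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_nat_enable="YES"
#   firewall_script="/usr/local/etc/ipfw-gateway.sh"

WAN_INTF=${WAN_INTF:-em0}
LAN_INTF=${LAN_INTF:-bge0}
LAN_NET=${LAN_NET:-172.16.1.0/24}
TARGET_HOST=${TARGET_HOST:-172.16.1.5}   # assumed LAN host receiving the forwarded port
TARGET_PORT=${TARGET_PORT:-22}           # port that host listens on
PUBLIC_PORT=${PUBLIC_PORT:-2200}         # port exposed on the gateway's WAN address

# Set IPFW="echo ipfw" SYSCTL="echo sysctl" to print the commands instead of
# running them (safe on any machine, or before changing a remote box).
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}

fw() { $IPFW -q "$@"; }

apply_ruleset() {
    # Packets must keep traversing the ruleset after the nat action; with the
    # default one_pass=1 they are accepted right after translation and the
    # de-NATed destination could never be filtered.
    $SYSCTL -w net.inet.ip.fw.one_pass=0
    fw flush

    # Translate only private (RFC 1918) sources; publish TARGET_HOST:TARGET_PORT
    # as PUBLIC_PORT on the WAN address.
    fw nat 1 config if "$WAN_INTF" reset same_ports unreg_only \
        redirect_port tcp "${TARGET_HOST}:${TARGET_PORT}" "$PUBLIC_PORT"

    # Loopback, anti-spoofing (LAN addresses never arrive from the WAN), and
    # unrestricted traffic on the LAN interface.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8
    fw add 120 deny ip from 127.0.0.0/8 to any
    fw add 130 deny log ip from "$LAN_NET" to any in via "$WAN_INTF"
    fw add 140 allow ip from any to any via "$LAN_INTF"

    # Inbound on the WAN: reverse-translate first, then consult dynamic state.
    fw add 200 nat 1 ip4 from any to any in via "$WAN_INTF"
    fw add 210 check-state

    # LAN hosts and the gateway itself going out: record state (keyed on the
    # untranslated addresses) and jump to the outbound NAT rule.
    fw add 300 skipto 500 ip4 from "$LAN_NET" to any out via "$WAN_INTF" keep-state
    fw add 310 skipto 500 ip4 from me to any out via "$WAN_INTF" keep-state

    # The published service: only new TCP connections to the redirected host
    # and port are accepted from the WAN. skipto 500 as the state action makes
    # the LAN host's replies pass through outbound NAT before being allowed.
    fw add 400 skipto 500 tcp from any to "$TARGET_HOST" "$TARGET_PORT" \
        in via "$WAN_INTF" setup keep-state

    # Anything else arriving from the WAN is dropped and logged.
    fw add 490 deny log ip from any to any in via "$WAN_INTF"

    # Outbound translation, then accept.
    fw add 500 nat 1 ip4 from any to any out via "$WAN_INTF"
    fw add 510 allow ip from any to any
}

case "${1:-}" in
    apply)   apply_ruleset ;;
    preview) IPFW="echo ipfw"; SYSCTL="echo sysctl"; apply_ruleset ;;
esac
```

After `sh ipfw-gateway.sh apply`, check the result with `ipfw nat 1 show config` (the redirect_port entry must be listed), `ipfw -a list` (rule 400 should start counting packets when a client connects to the public port) and `sysctl net.inet.ip.forwarding` (must be 1, which gateway_enable="YES" arranges at boot). The redirect only applies to packets that actually cross the WAN interface, so test it from a host outside the gateway; connecting to the public address from inside the LAN does not traverse the nat rule and is a common reason a seemingly correct redirect "doesn't work".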
