From: Kristof Provost
To: Valeri Galtsev
Cc: freebsd-net@freebsd.org
Date: Sun, 21 Feb 2016 16:01:18 +0100
Subject: Re: gateway machine port redirect question
Message-ID: <20160221150117.GB3003@vega.codepro.be>
In-Reply-To: <43887.128.135.52.6.1456021321.squirrel@cosmo.uchicago.edu>

On 2016-02-20 20:22:01 (-0600), Valeri Galtsev wrote:
> Dear Experts,
>
> I'm one of the Linux refugees who several years ago migrated the majority of
> servers from Linux to FreeBSD and has been happy since.
> When recently I needed
> to set up a gateway (firewall + NAT) machine, I set up FreeBSD 10.2 on it,
> used ipfw and natd, and all works well; machines behind the gateway on the LAN can
> happily reach the real network. I hit one snag later though: when I tried to
> redirect TCP traffic on some port to a machine on the internal private network
> behind the gateway, whatever I do doesn't work.
>
> Could somebody point me to a simple example (it doesn't matter which components
> are involved, I don't feel married to ipfw and natd) for FreeBSD 10.2 that
> makes the machine a gateway, and one of the ports of traffic coming from the
> public network is redirected to a machine on the private network behind the gateway.
> Something I can reproduce that works, which I will then gradually convert
> into what I need. The other way around, adding redirection to the already working
> (and a bit sophisticated) gateway I set up, appears to be beyond my mental
> abilities: a couple of weeks of frustration confirm it to me.
>
I used to run ipfw with in-kernel NAT with the following settings:

% cat /etc/ipfw.conf
#!/bin/sh
#set -e
set -x

WAN_INTF=em0
LAN_INTF=bge0
VIRT_INTF=bridge0

# Shorthand: add one rule quietly (-q suppresses echoing the rule back).
add() {
	ipfw -q add "$@"
}

# Start from an empty rule set; -q also skips the "Are you sure?" prompt.
ipfw -q flush

# Loopback traffic is fine; loopback addresses seen on any other interface are spoofed.
add pass all from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny all from any to ::1/128
add deny ip from 127.0.0.0/8 to any
add deny ip6 from ::1/128 to any

# Anything addressed to this host itself on the LAN or bridge side.
add pass all from any to me via ${LAN_INTF}
add pass all from any to me via ${VIRT_INTF}

## NAT
# In-kernel NAT instance 1 on the WAN interface. Each redirect_port maps a
# port on the WAN address to an internal host:port: connections arriving on
# TCP 2200 or 9418 end up on 172.16.1.5:2200, UDP 60001 on 172.16.1.5:60001.
ipfw -q nat 1 config if $WAN_INTF log reset unreg_only \
	redirect_port tcp 172.16.1.5:2200 2200 \
	redirect_port tcp 172.16.1.5:2200 9418 \
	redirect_port udp 172.16.1.5:60001 60001

# NAT: every IPv4 packet crossing the WAN interface goes through instance 1.
# Inbound packets for a redirected port are rewritten here; with the default
# net.inet.ip.fw.one_pass=1 they are accepted right after translation.
add nat 1 ip4 from any to any via $WAN_INTF

## Catch all
add allow ip from any to any

% cat /etc/rc.conf
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
firewall_type="open"          # only passed as $1 to firewall_script, which ignores it
firewall_script="/etc/ipfw.conf"
firewall_nat_enable="YES"     # Enable kernel NAT (if firewall_enable == YES); loads ipfw_nat

Also look at the handbook:
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

Regards,
Kristof
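The script below is an added example, not Kristof's /etc/ipfw.conf and not from the FreeBSD handbook. It goes a little beyond the posted script: the redirects are kept in a small table from which the 'ipfw nat 1 config' line is built, the rule set can be printed as a dry run before it is loaded, and it ends with the checks to run when a redirect "does nothing". The interface names (em0, bge0), the internal hosts 192.168.1.10 and 192.168.1.20 and the external ports 2200 and 80 are assumptions; the rule numbers are arbitrary.

```sh
#!/bin/sh
# Added example, not Kristof's script: a minimal FreeBSD gateway rule set
# with ipfw in-kernel NAT and inbound port redirects built from a small
# table, plus the checks to run once it is loaded. Interface names, the
# redirect targets and the external ports below are assumptions.
#
#   sh gateway-redirect.sh           print the ipfw commands (dry run)
#   APPLY=1 sh gateway-redirect.sh   load them (on the FreeBSD gateway, as root)

WAN_INTF=${WAN_INTF:-em0}
LAN_INTF=${LAN_INTF:-bge0}
# One redirect per line: "proto internal_host:internal_port external_port".
# The external port is opened on the address of $WAN_INTF.
REDIRECTS=${REDIRECTS:-"tcp 192.168.1.10:22 2200
tcp 192.168.1.20:80 80"}

# Turn the REDIRECTS table into the redirect_port options of 'ipfw nat config'.
nat_redirect_opts() {
    opts=""
    while read -r proto target extport; do
        [ -n "$proto" ] || continue
        opts="$opts redirect_port $proto $target $extport"
    done <<EOF
$REDIRECTS
EOF
    printf '%s' "${opts# }"
}

# The complete rule set, one ipfw argument list per line, in load order.
# Order matters: the nat rule (200) has to see packets arriving on the WAN
# interface before any rule could drop them, and with the default
# net.inet.ip.fw.one_pass=1 a packet is accepted right after translation,
# so rules after 200 never see redirected traffic unless one_pass is 0.
build_rules() {
    cat <<EOF
flush
add 100 pass all from any to any via lo0
add 110 deny all from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 150 pass all from any to any via $LAN_INTF
nat 1 config if $WAN_INTF reset same_ports $(nat_redirect_opts)
add 200 nat 1 ip4 from any to any via $WAN_INTF
add 65000 pass all from any to any
EOF
}

# Load the rules; -q keeps ipfw quiet and skips the flush confirmation prompt.
apply_rules() {
    build_rules | while read -r line; do
        # unquoted $line is intended: each line is one ipfw argument list
        ipfw -q $line || { echo "failed: ipfw -q $line" >&2; exit 1; }
    done
}

# What to look at when a redirect "does nothing": forwarding must be on, the
# nat instance must list the redirect, and rule 200's counters must grow while
# a client connects. The internal host also needs this gateway as its default
# route, and its own firewall has to accept the forwarded connection.
check_redirect() {
    echo "sysctl net.inet.ip.forwarding   # 1, i.e. gateway_enable=\"YES\" in rc.conf"
    echo "sysctl net.inet.ip.fw.one_pass  # 1: traffic is accepted right after rule 200"
    echo "ipfw nat 1 show config          # must list every redirect_port entry"
    echo "ipfw -a list                    # per-rule packet counters; watch rule 200"
    while read -r proto target extport; do
        [ -n "$proto" ] || continue
        echo "tcpdump -ni $WAN_INTF $proto dst port $extport   # arriving on the WAN side"
        echo "tcpdump -ni $LAN_INTF host ${target%%:*}          # leaving, translated, on the LAN side"
    done <<EOF
$REDIRECTS
EOF
}

if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
    apply_rules && echo "rules loaded; now check with:" && check_redirect
else
    echo "# dry run; with APPLY=1 on the gateway these would be executed:"
    build_rules | sed 's/^/ipfw -q /'
    echo "# afterwards, check with:"
    check_redirect
fi
```

The policy is deliberately as open as the posted one (a single nat rule followed by a catch-all pass), because that is the form in which a redirect is easiest to get working and to observe: if 'ipfw -a list' shows rule 200's counters growing while the client connects but the LAN-side tcpdump stays silent, the problem is on the gateway; if the translated packets do leave on the LAN side, look at the internal host's route back and its own firewall.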