Date: Mon, 24 Sep 2007 00:29:56 +0000
From: "mr. phreak" <nollan@phreaker.net>
To: freebsd-questions@freebsd.org, nollan@phreaker.net
Subject: IPFW + NATD FORWARDING
Message-ID: <46F70504.9050709@phreaker.net>
Hi,

I am having trouble with my IPFW+NATD forwarding. I know a lot of people have, and I've googled my ass off. Still I can't get it right. I'm trying to forward port 1213 in/out for DC++ usage. This is my setup:

    WAN router (192.168.1.1)
          |
          |
    FreeBSD gateway/fw   NIC1: ath0 (public)   NIC2: rl0 (LAN)
          |
          |__ LAN (10.10.10.0/24)

I use stateful rules and I'd like to forward port 1213 both ways using natd. I know NATD should take care of this as long as I allow port 1213 in/out from the firewall. I've tried this at almost every position in the ipfw.rules and now I ask where I should put it, i.e. it's not there right now. I've tried:

    $cmd [num] allow all from any to any 1213

(at various positions in ipfw.rules); still doesn't work.

    $cmd [num] divert natd all from any to any 1213

Can someone help me?

J

Here are my files:

my natd.conf:

    use_sockets yes
    same_ports yes
    dynamic yes
    redirect_port tcp 10.10.10.2:1213 1213
    redirect_port udp 10.10.10.2:1213 1213

ipfw.rules:

    ############### start ipfw rules #############
    ##############################################
    ipfw -q -f flush                # Delete all

    # INIT #########
    ################
    oif="ath0"                      # out NIC
    cmd="ipfw -q add "              # quiet
    skip="skipto 4000"              # skipto NATD.

    # BEGIN RULES #
    #################################
    # LAN NO RESTRICTIONS ###########
    #################################
    $cmd 00300 allow all from any to any via rl0

    # LOOPBACK NO RESTRICTIONS ######
    #################################
    $cmd 00400 allow all from any to any via lo0

    # NATD IN? THEN TRANSLATE #######
    #################################
    $cmd 00450 divert natd ip from any to any in via $oif

    # CHECK-STATE ###################
    #################################
    $cmd 00500 check-state

    ####### ( OUTBOUND ) #######################
    ############################################
    # DNS ######################################
    $cmd 00600 $skip tcp from any to 195.67.199.39 53 out via $oif setup keep-state
    $cmd 00610 $skip udp from any to 195.67.199.39 53 out via $oif keep-state

    # DHCP #####################################
    $cmd 00700 $skip udp from any to any 67 out via $oif keep-state

    # HTTP #####################################
    $cmd 00800 $skip tcp from any to any 80 out via $oif setup keep-state

    # HTTPS ####################################
    $cmd 00810 $skip tcp from any to any 443 out via $oif setup keep-state

    # POP & SMTP ###############################
    $cmd 00900 $skip tcp from any to any 25 out via $oif setup keep-state
    $cmd 00910 $skip tcp from any to any 110 out via $oif setup keep-state

    # FREEBSD CVS ##############################
    $cmd 01000 $skip tcp from me to any out via $oif setup keep-state uid root

    # ALLOW PING OUT ###########################
    $cmd 01100 $skip icmp from any to any out via $oif keep-state

    # SSH ######################################
    $cmd 01200 $skip tcp from any to any 22 out via $oif setup keep-state

    # WHOIS ####################################
    $cmd 01300 $skip tcp from any to any 43 out via $oif setup keep-state

    # FTP ######################################
    $cmd 01400 $skip tcp from any to any 21 out via $oif setup keep-state

    # IRC ######################################
    $cmd 01500 $skip tcp from any to any 6667 out via $oif setup keep-state
    $cmd 01510 $skip tcp from any to any 8888 out via $oif setup keep-state
    $cmd 01520 $skip tcp from any to any 5020 out via $oif setup keep-state

    # SHOUTCAST ################################
    ############################################
    $cmd 01600 $skip tcp from any to any 9000 out via $oif setup keep-state

    ####### ( INBOUND ) ########################
    ############################################
    # Deny all inbound from non-routable #######
    $cmd 02000 deny all from 192.168.0.0/16 to any in via $oif
    $cmd 02010 deny all from 172.16.0.0/12 to any in via $oif
    $cmd 02020 deny all from 10.0.0.0/8 to any in via $oif
    $cmd 02030 deny all from 127.0.0.0/8 to any in via $oif
    $cmd 02040 deny all from 0.0.0.0/8 to any in via $oif
    $cmd 02050 deny all from 169.254.0.0/16 to any in via $oif
    $cmd 02060 deny all from 192.0.2.0/24 to any in via $oif
    $cmd 02070 deny all from 204.152.64.0/23 to any in via $oif
    $cmd 02080 deny all from 224.0.0.0/3 to any in via $oif

    # DENY PING INBOUND ########################
    $cmd 02100 deny icmp from any to any in via $oif

    # DENY IDENT ###############################
    $cmd 02200 deny tcp from any to any 113 in via $oif

    # DENY NETBIOS #############################
    $cmd 02300 deny tcp from any to any 137 in via $oif
    $cmd 02310 deny tcp from any to any 138 in via $oif
    $cmd 02320 deny tcp from any to any 139 in via $oif
    $cmd 02330 deny tcp from any to any 81 in via $oif

    # DHCP #####################################
    $cmd 02400 allow udp from any to 192.168.1.1 68 in via $oif keep-state

    # HTTP #####################################
    $cmd 02500 allow tcp from any to me 80 in via $oif setup limit src-addr 2

    # HTTPS ####################################
    $cmd 02600 allow tcp from any to me 443 in via $oif setup limit src-addr 2

    # SSH ######################################
    $cmd 02700 allow tcp from any to me 22 in via $oif setup limit src-addr 2

    # REJECT IN/OUT ############################
    ############################################
    $cmd 3000 deny all from any to any in via $oif
    $cmd 3100 deny all from any to any out via $oif

    # SKIPTO ###################################
    ############################################
    $cmd 4000 divert natd ip from any to any out via $oif
    $cmd 4010 allow ip from any to any

    # DENY ALL #################################
    ############################################
    $cmd 9999 deny all from any to any
    ################### End ipfw rules ############
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46F70504.9050709>