Date: Sun, 26 Jan 2003 10:35:43 +0200
From: "Vikash Badal" <vikashb@mweb.co.za>
To: "Nick Rogness" <nick@rogness.net>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Source nat question (ipfw and natd)
Message-ID: <002001c2c515$f5b72200$4b0a0a0a@my.domain>
References: <20030125165456.T60949-100000@skywalker.rogness.net>
Hi Nick,
----- Original Message -----
From: "Nick Rogness" <nick@rogness.net>
To: "Vikash Badal" <vikashb@mweb.co.za>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Sunday, January 26, 2003 2:01 AM
Subject: Re: Source nat question (ipfw and natd)
> On Sat, 25 Jan 2003, Vikash Badal wrote:
>
> > Greetings,
> >
> > I currently have a box (4.7p3) that i want to connect to four different
> > networks According to the man page i can only nat on one interface using
> > natd.
> >
> > My current natd.conf is as follows :
> > --------------------------------------------------------------------------
> > redirect_address 10.136.236.18 192.168.28.61
> > redirect_address 10.136.236.20 192.168.20.47
> > redirect_address 10.136.236.19 192.167.11.47
> > --------------------------------------------------------------------------
> >
> > When i add the following maping :
> > redirect_address 10.136.236.18 192.168.15.47
> >
> > the source address for connections to 192.168.15.0/24 is 192.168.25.61
> > is there any way i can setup natd and ipfw so that if packets are
> > destined for 192.168.15.0/24 then the source address should be
> > 192.168.15.47
> >
>
> Yes, it is possible...just a pain in the butt. I am not clear
> exactly what your mean. If you wish to pursue this, you need to
> send the output of:
>
> # cat /etc/rc.conf
> # ipfw -a l
> # netstat -rn
> # ps -aux |grep nat
>
>
> And any additional nat configuration files or settings. That
> would greatly improve the chances of your questions getting
> answered.
>
>
> Nick Rogness <nick@rogness.net>
I made a typo in the original mail :
===> redirect_address 10.136.236.19 192.167.11.47
should be redirect_address 10.136.236.19 192.168.21.47
configs:
rc.conf:
============
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
inetd_enable="NO"
portmap_enable="NO"
gateway_enable="YES"
ntpdate_flags="10.131.156.5"
ntpdate_enable="YES"
natd_enable="YES"
natd_interface="vx0"
natd_flags="-config /etc/natd.conf"
hostname="nwest-fw.natis.natis"
ifconfig_xl0="inet 10.136.236.5 netmask 255.255.255.0"
ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
defaultrouter="10.136.236.1"
firewall_enable="YES"
firewall_type="natis"
firewall_quiet="YES"
====================
nwest-fw# ipfw -a l
00050 0 0 divert 8668 ip from any to any via vx0
00100 32 2000 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 check-state
00500 0 0 deny tcp from any to any established
00600 0 0 deny log logamount 256 ip from any to any ipopt ssrr
00700 0 0 deny log logamount 256 ip from any to any ipopt lsrr
00800 0 0 deny ip from 10.136.236.0/24 to any in recv vx0
00900 0 0 deny ip from 192.168.16.0/20 to any in recv xl0
01000 0 0 allow tcp from any to 10.136.236.5 22 keep-state setup
01200 0 0 allow tcp from any to 192.168.28.61 5507 keep-state setup
01300 0 0 allow tcp from any to 192.168.20.47 8080 keep-state setup
01400 0 0 allow tcp from any to 192.168.21.47 5150 keep-state setup
01500 0 0 allow tcp from any to 192.168.15.57 5507 keep-state setup
01600 0 0 allow tcp from any to 10.136.236.18 5507 keep-state setup
01700 0 0 allow tcp from any to 10.136.236.20 8080 keep-state setup
01800 0 0 allow tcp from any to 10.136.236.19 5150 keep-state setup
01900 0 0 deny log logamount 256 tcp from any to any in recv vx0
02000 0 0 deny log logamount 256 icmp from any to any frag
02100 0 0 allow udp from any to any 33434-33443 keep-state
02200 0 0 allow icmp from any to any keep-state icmptype 3,11
02300 0 0 allow icmp from any to any keep-state icmptype 0,8
02400 0 0 allow udp from 10.136.236.5 to 10.131.156.5 123 keep-state
02500 0 0 allow tcp from 10.136.236.5 to 10.131.156.5 5999,80 keep-state setup
65535 0 0 deny ip from any to any
==================
nwest-fw# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.136.236.1 UGSc 1 0 xl0
10.10.10/24 link#2 UC 1 0 xl0
10.10.10.1 00:c0:df:e3:da:a9 UHLW 1 506 xl0 937
10.136.236/24 link#2 UC 1 0 xl0
10.136.236.1 link#2 UHLW 2 0 xl0
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.15.57/32 link#1 UC 0 0 vx0
192.168.16/20 link#1 UC 1 0 vx0
192.168.28.61 00:60:97:08:07:d4 UHLW 0 16 lo0
==================
nwest-fw# ps auwx | grep natd
root 152 0.0 0.3 1084 652 p0 S+ 8:42AM 0:00.00 grep natd
root 84 0.0 0.1 448 296 ?? Is 8:37AM 0:00.00 /sbin/natd -config /etc/natd.conf -n vx0
================
nwest-fw# cat /etc/natd.conf
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47
======
nwest-fw# ifconfig -a
vx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.28.61 netmask 0xfffff000 broadcast 192.168.31.255
inet 192.168.15.57 netmask 0xffffff00 broadcast 192.168.15.255
ether 00:60:97:08:07:d4
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<rxcsum,txcsum>
inet 10.136.236.5 netmask 0xffffff00 broadcast 10.136.236.255
ether 00:10:4b:11:f2:de
media: Ethernet autoselect (10baseT/UTP)
status: active
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
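An added checker (not code from this thread, nor part of natd or FreeBSD) that flags the ambiguity in the posted natd.conf: it assumes the natd(8) syntax `redirect_address localIP publicIP`, and the embedded config text is a copy of the file shown above.

```python
import re
from collections import defaultdict

# Constructed copy of the natd.conf from the mail; the fourth line is the
# mapping whose addition produced the unexpected source address.
NATD_CONF = """\
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47
"""

def parse_redirects(text):
    """Return (local_ip, public_ip) pairs from redirect_address lines.
    Assumes the natd(8) form 'redirect_address localIP publicIP'."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^redirect_address\s+(\S+)\s+(\S+)$", line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def find_ambiguous(pairs):
    """redirect_address is a static 1:1 binding.  A local IP bound to
    several public IPs gives natd no destination-dependent choice for
    outbound packets; a public IP bound to several local IPs is equally
    ambiguous inbound.  Returns (dup_locals, dup_publics) as dicts
    mapping the offending address to all its peers."""
    by_local, by_public = defaultdict(list), defaultdict(list)
    for local, public in pairs:
        by_local[local].append(public)
        by_public[public].append(local)
    return ({k: v for k, v in by_local.items() if len(v) > 1},
            {k: v for k, v in by_public.items() if len(v) > 1})

if __name__ == "__main__":
    dup_locals, dup_publics = find_ambiguous(parse_redirects(NATD_CONF))
    for local, publics in dup_locals.items():
        print(f"local {local} bound to {len(publics)} public addresses: {publics}")
    for public, locals_ in dup_publics.items():
        print(f"public {public} bound to {len(locals_)} local addresses: {locals_}")
```

Run against the posted file it reports 10.136.236.18 bound to both 192.168.28.61 and 192.168.15.47, which is the mapping conflict behind the question.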
