From owner-freebsd-net@freebsd.org Sat May 19 01:10:26 2018 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1798AEE2CD7 for ; Sat, 19 May 2018 01:10:26 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (unknown [IPv6:2a01:4f8:d12:604::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7175072B8F for ; Sat, 19 May 2018 01:10:25 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged)) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id w4J1AHUg094492 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 19 May 2018 03:10:18 +0200 (CEST) (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: ml@netfence.it Received: from [10.58.0.4] ([10.58.0.4]) by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id w4J1ADvM009894 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 19 May 2018 08:10:13 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: Proxy a TCP connection To: Andrea Venturoli , freebsd-net@freebsd.org References: <2346bc5f-1ca3-3b6a-ac1a-c496e94eb969@netfence.it> From: Eugene Grosbein Message-ID: <5AFF7970.2090206@grosbein.net> Date: Sat, 19 May 2018 08:10:08 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: <2346bc5f-1ca3-3b6a-ac1a-c496e94eb969@netfence.it> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_00, LOCAL_FROM, RDNS_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.1 X-Spam-Report: * -0.0 SPF_PASS SPF: sender matches SPF record * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 2.6 LOCAL_FROM From my domains * 1.9 RDNS_NONE Delivered to internal network by a host with no rDNS X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 May 2018 01:10:26 -0000 19.05.2018 4:29, Andrea Venturoli wrote: > Let's say I have a router connected to the Internet on one side and to a LAN with private IPs on the other. > I want some clients from outside to be able to connect to a TCP service on a machine on the LAN: they should connect to port X on the firewall's public IP and reach port Y on the internal box. > > I've used net/socket in the past, but stopped when, in some corner case, it would "ruin" the data; besides it has been removed from the port tree. > > I happily switched to net/tcpproxy, but lately it's dying every few days and must be restarted; I could drop its rc.d script and use sysutils/daemontools' svscan instead, but if there's a simpler solution... > > Does anyone have a good suggestion for a program similar to the above ones? > I require nothing fancy, I just want it to be reliable. You don't need any additional software at all. Just instruct FreeBSD kernel to do what you need, it will do that just fine. In /etc/rc.conf: gateway_enable="YES" firewall_enable="YES" firewall_type="open" firewall_nat_enable="YES" firewall_nat_interface="em0" # your external interface with public IP firewall_nat_flags="same_ports" firewall_coscripts="/etc/rc.firewall.local" And create executable script /etc/rc.firewall.local to configure port redirections: #!/bin/sh . /etc/rc.conf fwcmd="/sbin/ipfw -q" # redirect connections to external port 8000 to specified internal host and port 80 # redirect connections to external port 8443 to specified internal host and port 443 redirects="\ redirect_port tcp 192.168.0.100:80 8000 \ redirect_port tcp 192.168.0.200:443 8443 \ " ${fwcmd} nat 123 config if $firewall_nat_interface $firewall_nat_flags $redirects # EOF That's all. You can apply these changes without reboot using command like service ipfw start >& /tmp/ipfw.log # for tcsh or service ipfw start > /tmp/ipfw.log 2>&1 # for sh/bash/zsh No extra daemons needed. Additional advantage of this approach is that internal hosts will see real public IP address of connecting external host instead of your own.