Date: Tue, 02 Sep 2003 16:45:36 -0500
From: Philip Kizer <pckizer@nostrum.com>
To: Donald Burr of Borg <dburr@borg-cube.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Need help with strange routing situation
Message-ID: <200309022145.h82LjaPb047363@magus.nostrum.com>
In-Reply-To: Your message of "Tue, 02 Sep 2003 12:36:29 PDT." <20030902123500.E23798@borg-cube.com>
Donald Burr of Borg <dburr@borg-cube.com> wrote:
[Description of:]
>Our gateway machine and server gets its own IP, IP A.
>My desktop machine is hooked up via ethernet.  It should get IP B.
>Same thing as above for my roomie's desktop, except it gets IP C.
>[all else] Ideally I'd like them to be NAT'ted behind IP A

Not really that strange a routing situation, and definitely pretty easy;
here's one possible way:

# KERNCONF, make sure you have:
options         IPFILTER                # ipfilter support

# rc.conf settings:
ipfilter_enable="YES"   # Set to YES to enable ipfilter functionality
ipnat_enable="YES"      # Set to YES to enable ipnat functionality

# ipnat.rules example [change $variables to match your numbers]:
bimap $ext_eth $IP_B_INT/32 -> $IP_B/32         # your desktop
bimap $ext_eth $IP_C_INT/32 -> $IP_C/32         # roomie's desktop
map $ext_eth $INT_NET/16 -> 0/32 proxy port ftp ftp/tcp
map $ext_eth $INT_NET/16 -> 0/32 portmap tcp/udp auto
map $ext_eth $INT_NET/16 -> 0/32

# ipf.rules incomplete example [many $variables to change]:
### Put whatever default 'quick' blocks you want, RFC1918, anti-spoofing, etc.
### Hopefully your ISP has sane edge rules and would block them, but
### definitely put RFC1918 blocks in here too, to keep your private-address
### space from ever leaking out to your provider or the Internet.
block out log quick on $ext_eth from 192.168.0.0/16 to any
### etc...

### Then default to blocking:
block in log on $ext_eth
block return-rst in on $ext_eth proto tcp from any to any
block return-icmp-as-dest(port-unr) in on $ext_eth proto udp from any to any
block return-icmp-as-dest in on $ext_eth proto icmp from any to any

### Allow out everything and keep state on it:
pass out quick on $ext_eth proto tcp from $EXT_NET/28 to any flags S keep state
pass out quick on $ext_eth proto udp from $EXT_NET/28 to any keep state
pass out quick on $ext_eth proto icmp from $EXT_NET/28 to any keep state

# Allow state-capable ICMP in, add/etc. as needed:
pass in quick on $ext_eth proto icmp from any to any icmp-type echo keep state

### Allow services for desktop B
pass in quick on $ext_eth proto tcp from any to $IP_B port = 22 flags S keep state
pass in quick on $ext_eth proto tcp from any to $IP_B port = $YOUR_PROTOCOLS flags S keep state

### Ditto for C
...

### Put some rules to allow local-net to talk to the gateway and vice versa
...

There are a lot more examples to be found in:
/usr/share/examples/ipfilter
http://coombs.anu.edu.au/~avalon/
http://www.phildev.net/ipf/
http://www.obfuscation.org/ipf/

Once you get into it and begin working on your own rules to meet your needs,
tcpdump is your best friend; don't forget "-i" to be sure what is being sent
and received on each interface so you can compare it with the firewall and
NAT rules.  Just use typical problem-solving methods.  Slowly building it up
from one working system to the whole set is the way to go; change as few
variables at a time as you can.

-p
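An added example, not part of Philip's reply and not code from IP Filter itself: a small Python model of how ipf walks the filter rules above. The point it makes explicit is the evaluation order those rules rely on: rules are scanned top to bottom, the last matching rule decides, except that a matching `quick` rule ends the scan at once; and with no match at all ipf's default is pass, which is why the reply starts the inbound side with an explicit `block in`. The interface name `fxp0`, the 203.0.113.x / 198.51.100.x addresses and the sample packets are constructed stand-ins for the `$variables`; `keep state` (the state table, which lets replies through without re-scanning) and the ipnat side are deliberately not modelled.

```python
"""Toy model of IP Filter (ipf) rule evaluation: last match wins,
'quick' stops the scan, and no match at all means pass.
Not modelled: 'keep state' and NAT. Added example, not ipf code."""
import ipaddress
import re

# Constructed stand-ins for the $variables in the posted rules.
VARS = {
    "ext_eth": "fxp0",          # hypothetical external interface
    "EXT_NET": "203.0.113.0",   # RFC 5737 documentation prefix (/28 in rules)
    "IP_B": "203.0.113.5",      # desktop B's public address
}

# The inbound/outbound rules from the reply, $variables left for VARS.
RULESET = """\
block out log quick on $ext_eth from 192.168.0.0/16 to any
block in log on $ext_eth
block return-rst in on $ext_eth proto tcp from any to any
block return-icmp-as-dest(port-unr) in on $ext_eth proto udp from any to any
block return-icmp-as-dest in on $ext_eth proto icmp from any to any
pass out quick on $ext_eth proto tcp from $EXT_NET/28 to any flags S keep state
pass out quick on $ext_eth proto udp from $EXT_NET/28 to any keep state
pass out quick on $ext_eth proto icmp from $EXT_NET/28 to any keep state
pass in quick on $ext_eth proto icmp from any to any icmp-type echo keep state
pass in quick on $ext_eth proto tcp from any to $IP_B port = 22 flags S keep state
"""


def parse_rule(line, variables):
    """Parse one rule (only the subset of ipf syntax used above)."""
    line = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], line)
    toks = line.split()
    rule = {"action": toks[0], "quick": False, "iface": None, "proto": None,
            "src": "any", "dst": "any", "dport": None, "syn_only": False,
            "icmp_type": None}
    i = 1
    if toks[i].startswith("return-"):   # block return-rst / return-icmp-as-dest
        rule["action"] += " " + toks[i]
        i += 1
    rule["dir"] = toks[i]               # in | out
    i += 1
    keys = {"on": "iface", "from": "src", "to": "dst", "icmp-type": "icmp_type"}
    while i < len(toks):
        t = toks[i]
        if t == "log":
            i += 1
        elif t == "quick":
            rule["quick"] = True
            i += 1
        elif t in ("on", "proto", "from", "to", "icmp-type"):
            rule[keys.get(t, t)] = toks[i + 1]
            i += 2
        elif t == "port":               # "port = N" (follows "to" here)
            rule["dport"] = int(toks[i + 2])
            i += 3
        elif t == "flags":              # "flags S": only new connections (SYN)
            rule["syn_only"] = toks[i + 1] == "S"
            i += 2
        elif t == "keep":               # "keep state": not modelled
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def load_rules(text, variables):
    return [parse_rule(l, variables) for l in text.splitlines() if l.strip()]


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and _addr_match(rule["src"], pkt["src"])
            and _addr_match(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt.get("dport"))
            and (not rule["syn_only"] or pkt.get("syn", False))
            and rule["icmp_type"] in (None, pkt.get("icmp_type")))


def evaluate(rules, pkt):
    """Verdict ipf would reach for pkt: last match wins, quick ends the scan."""
    verdict = "pass"                    # ipf default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def _pkt(direction, proto, src, dst, **extra):
    return dict(iface="fxp0", dir=direction, proto=proto, src=src, dst=dst, **extra)


OUTSIDE, B = "198.51.100.7", VARS["IP_B"]   # constructed peer / desktop B
SAMPLES = {
    "rfc1918 leak out": _pkt("out", "tcp", "192.168.1.10", OUTSIDE, dport=80, syn=True),
    "new ssh to B":     _pkt("in", "tcp", OUTSIDE, B, dport=22, syn=True),
    "non-SYN ssh to B": _pkt("in", "tcp", OUTSIDE, B, dport=22, syn=False),
    "http to B":        _pkt("in", "tcp", OUTSIDE, B, dport=80, syn=True),
    "dns to B":         _pkt("in", "udp", OUTSIDE, B, dport=53),
    "ping B":           _pkt("in", "icmp", OUTSIDE, B, icmp_type="echo"),
    "B browses out":    _pkt("out", "tcp", B, OUTSIDE, dport=443, syn=True),
}


def run_samples(rules=None):
    """Verdict for each constructed sample packet under RULESET."""
    if rules is None:
        rules = load_rules(RULESET, VARS)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} -> {verdict}")
```

Reading the verdicts against the rule order shows why the reply writes the rules the way it does: the RFC1918 leak is caught by the first `quick` block before anything else is consulted; a SYN to port 22 on IP_B matches `block in`, then `block return-rst`, and finally the `pass in quick` that wins; a non-SYN segment to the same port fails `flags S` and is left with `block return-rst` as the last match; and the UDP and ICMP cases show how the protocol-specific `return-*` blocks override the plain `block in log` default because they come later in the file.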