Date: Tue, 17 Oct 2006 23:42:31 +0100
From: Chris <phatfish@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Port redirection troubles with natd/ipfw
Message-ID: <718eeb340610171542i2ffa99e5jbf3df8f8406a2093@mail.gmail.com>
Hello,

I have set myself up a nice FreeBSD router, but I'm having trouble getting my firewall and NAT configured. I have a basic setup at the moment that is working well, using IPFW for a firewall and also running natd because I have a few computers here on my LAN that want Internet access. However, I cannot seem to work out how to get port redirection through NAT working correctly.

Currently I have it set up (as I hope my configs below show) so that all incoming traffic from the web is blocked unless it was initiated by a host on the LAN; then the check-state and keep-state rules allow the traffic through for that session. My problem comes when I want to say, "it's OK for traffic to pass through this port to a target on the LAN". As far as I can make out, that is done with the "redirect_port" setting in natd.conf -- my conf has ports 113 and 3002 redirected to 10.0.0.11: 113 for IDENT, and 3002 as a custom port for a Windows FTP server.

Take an IDENT request for example: I can see the traffic coming in on port 113, getting NAT'd to the correct LAN IP, and even mIRC registering the IDENT request. But it never gets back out. The same with FTP on 3002: if someone attempts to connect they get a message in their client that the request timed out, but I can see a login attempt in the server logs.

I have a feeling there is a simple answer to this, but I'm stuck. Any help is appreciated. My config is below; I can provide logs of the behavior if a fix is not obvious.

Thank you.
>> ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:*** prefixlen 64 scopeid 0x1
        ether 00:14:bf:59:be:84
        media: Ethernet autoselect (none)
        status: no carrier
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:*** prefixlen 64 scopeid 0x2
        ether 00:14:bf:59:be:8b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:*** prefixlen 64 scopeid 0x3
        ether 00:14:bf:59:c1:26
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::211:*** prefixlen 64 scopeid 0x4
        inet ***.***.***.*** netmask 0xfffffc00 broadcast 255.255.255.255
        ether 00:11:d8:a1:22:13
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether ac:de:48:30:8d:de
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: re2 flags=7<LEARNING,DISCOVER,STP>
                port 3 priority 128 path cost 55 forwarding
        member: re1 flags=7<LEARNING,DISCOVER,STP>
                port 2 priority 128 path cost 55 forwarding
        member: re0 flags=7<LEARNING,DISCOVER,STP>
                port 1 priority 128 path cost 55 disabled

>> cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
unregistered_only
redirect_port tcp 10.0.0.11:113 113
redirect_port udp 10.0.0.11:113 113
redirect_port tcp 10.0.0.11:3002 3002
redirect_port udp 10.0.0.11:3002 3002

>> cat /etc/rc.firewall.test
(these rules were made mainly using the NAT stateful ruleset here
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html )

#!/bin/sh
######
# Default variables
######
cmd="ipfw -q add"   # Rule prefix
wan="vr0"           # Inbound interface (Public WAN)
lan="bridge0"       # Outbound interfaces (Private LAN)
nat="skipto 600"    # "Skipto" location for outgoing packets that need NAT
ks="keep-state"     # Adds rule to dynamic rules table

######
# Ruleset
######
ipfw -q -f flush

###
# Allowed Loopback and LAN traffic
###
$cmd 00005 allow all from any to any via $lan
$cmd 00006 allow all from any to any via lo0

###
# NAT inbound traffic and check all traffic against rules in dynamic rules table
###
$cmd 00010 divert natd ip from any to any in via $wan
$cmd 00011 check-state

###
# Rejected outbound traffic
###

###
# Allowed outbound traffic
###
# Allow all outbound traffic
$cmd 00205 $nat icmp from any to any out via $wan $ks
$cmd 00210 $nat tcp from any to any out via $wan setup $ks
$cmd 00211 $nat udp from any to any out via $wan $ks

###
# Rejected inbound traffic
###
# Late arriving packets
$cmd 00315 deny all from any to any frag in via $wan
# ACK packets that did not match the dynamic rule table
$cmd 00320 deny tcp from any to any established in via $wan

###
# Allowed inbound traffic
###
# ISP's DNS and DHCP
$cmd 00404 allow all from ***.***.4.100 to any 53 in via $wan $ks
$cmd 00405 allow all from ***.***.8.100 to any 53 in via $wan $ks
$cmd 00406 allow all from 10.247.20.1 to any 68 in via $wan $ks
# Test rules
$cmd 00410 allow log logamount 50 tcp from any to any 113 in via $wan $ks
$cmd 00411 allow log logamount 50 udp from any to any 113 in via $wan $ks
$cmd 00420 allow log logamount 50 tcp from any to any 3002 in via $wan $ks
$cmd 00421 allow log logamount 50 udp from any to any 3002 in via $wan $ks

###
# Log and deny unauthorized traffic
###
$cmd 00505 deny log all from any to any in via $wan
$cmd 00506 deny log all from any to any out via $wan

###
# This is skipto location for outbound stateful rules
###
$cmd 00600 divert natd ip from any to any out via $wan
$cmd 00601 allow ip from any to any

######
# EOF;
#####

>> ipfw -d show
00005 341874 226401838 allow ip from any to any via bridge0
00006 0 0 allow ip from any to any via lo0
00010 159810 102549336 divert 8668 ip from any to any in via vr0
00011 0 0 check-state
00205 8 480 skipto 600 icmp from any to any out via vr0 keep-state
00210 317839 222819674 skipto 600 tcp from any to any out via vr0 setup keep-state
00211 9208 1513077 skipto 600 udp from any to any out via vr0 keep-state
00315 0 0 deny ip from any to any frag in via vr0
00320 937 72516 deny tcp from any to any established in via vr0
00404 0 0 allow ip from ***.***.4.100 to any dst-port 53 in via vr0 keep-state
00405 0 0 allow ip from ***.***.8.100 to any dst-port 53 in via vr0 keep-state
00406 116 38068 allow ip from 10.247.20.1 to any dst-port 68 in via vr0 keep-state
00410 2 120 allow log logamount 50 tcp from any to any dst-port 113 in via vr0 keep-state
00411 0 0 allow log logamount 50 udp from any to any dst-port 113 in via vr0 keep-state
00420 17 776 allow log logamount 50 tcp from any to any dst-port 3002 in via vr0 keep-state
00421 0 0 allow log logamount 50 udp from any to any dst-port 3002 in via vr0 keep-state
00422 0 0 allow log logamount 50 ip from any to any dst-port 3002 in via vr0 keep-state
00505 4656 409960 deny log logamount 6 ip from any to any in via vr0
00506 1664 80112 deny log logamount 6 ip from any to any out via vr0
00600 172967 122305174 divert 8668 ip from any to any out via vr0
00601 328900 224576731 allow ip from any to any
65535 86 62670 deny ip from any to any
## Dynamic rules (158):
00210 6 1848 (294s) STATE tcp 10.0.0.11 1575 <-> ***.249.91.18 80
00210 582 39177 (292s) STATE tcp 10.0.0.11 1205 <-> ***.12.25.125 5190
00211 42 3215 (2s) STATE udp 10.0.0.11 1158 <-> ***.142.64.162 27014
00210 725 41173 (263s) STATE tcp 10.0.0.11 1206 <-> ***.46.110.86 1863