Date:      Wed, 18 Oct 2006 08:40:31 +0800
From:      "jan gestre" <freebsd.ph@gmail.com>
To:        Chris <phatfish@gmail.com>,  "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Port redirection troubles with natd/ipwf
Message-ID:  <a25afc300610171740qa608a99wb11173432214fe@mail.gmail.com>
In-Reply-To: <718eeb340610171542i2ffa99e5jbf3df8f8406a2093@mail.gmail.com>
References:  <718eeb340610171542i2ffa99e5jbf3df8f8406a2093@mail.gmail.com>

On 10/18/06, Chris <phatfish@gmail.com> wrote:
>
> Hello,
>
> I have set myself up a nice FreeBSD router, but I'm having trouble getting
> my firewall and NAT configured. I have a basic setup at the moment that is
> working well, using IPFW for a firewall and also running natd because I
> have a few computers here on my LAN that want Internet access.
>
> However I cannot seem to work out how to get port redirection through NAT
> working correctly. Currently I have it set up (as I hope my configs below
> show) so that all incoming traffic from the web is blocked, unless it was
> initiated by a host on the LAN; then the check-state and keep-state rules
> allow the traffic through for that session.
>
> My problem comes when I want to say, "it's ok for traffic to pass through
> this port to a target on the LAN". As far as I can make out that is done
> with the "redirect_port" setting in natd.conf -- my conf has ports 113 and
> 3002 redirected to 10.0.0.11: 113 for IDENT, and 3002 as a custom port for
> a Windows FTP server.
>
> Take an IDENT request for example: I can see the traffic coming in on port
> 113, getting NAT'd to the correct LAN IP, and even mIRC registering the
> IDENT request. But it never gets back out. The same with FTP on 3002: if
> someone attempts to connect they get a message in their client that the
> request timed out, but I can see a login attempt in the server logs.
>
> I have a feeling there is a simple answer to this, but I'm stuck. Any help
> is appreciated. My config is below; I can provide logs of the behavior if a
> fix is not obvious.
>
> Thank you.
>
> >> ifconfig
> re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=18<VLAN_MTU,VLAN_HWTAGGING>
>         inet6 fe80::214:*** prefixlen 64 scopeid 0x1
>         ether 00:14:bf:59:be:84
>         media: Ethernet autoselect (none)
>         status: no carrier
> re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=18<VLAN_MTU,VLAN_HWTAGGING>
>         inet6 fe80::214:*** prefixlen 64 scopeid 0x2
>         ether 00:14:bf:59:be:8b
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> re2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=18<VLAN_MTU,VLAN_HWTAGGING>
>         inet6 fe80::214:*** prefixlen 64 scopeid 0x3
>         ether 00:14:bf:59:c1:26
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet6 fe80::211:*** prefixlen 64 scopeid 0x4
>         inet ***.***.***.*** netmask 0xfffffc00 broadcast 255.255.255.255
>         ether 00:11:d8:a1:22:13
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether ac:de:48:30:8d:de
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: re2 flags=7<LEARNING,DISCOVER,STP>
>                 port 3 priority 128 path cost 55 forwarding
>         member: re1 flags=7<LEARNING,DISCOVER,STP>
>                 port 2 priority 128 path cost 55 forwarding
>         member: re0 flags=7<LEARNING,DISCOVER,STP>
>                 port 1 priority 128 path cost 55 disabled
>
> >> cat /etc/natd.conf
> dynamic yes
> use_sockets yes
> same_ports yes
> unregistered_only
>
> redirect_port tcp 10.0.0.11:113 113
> redirect_port udp 10.0.0.11:113 113
> redirect_port tcp 10.0.0.11:3002 3002
> redirect_port udp 10.0.0.11:3002 3002
>
> >> cat /etc/rc.firewall.test
> (these rules were made mainly using the NAT stateful ruleset here:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
> #!/bin/sh
>
> ######
> # Default variables
> ######
> cmd="ipfw -q add"    # Rule prefix
> wan="vr0"        # Inbound interface (Public WAN)
> lan="bridge0"        # Outbound interfaces (Private LAN)
> nat="skipto 600"    # "Skipto" location for outgoing packets that need NAT
> ks="keep-state"        # Adds rule to dynamic rules table
>
> ######
> # Ruleset
> ######
>
> ipfw -q -f flush
>
> ###
> # Allowed Loopback and LAN traffic
> ###
>
> $cmd 00005 allow all from any to any via $lan
> $cmd 00006 allow all from any to any via lo0
>
> ###
> # NAT inbound traffic and check all traffic against rules in dynamic rules table
> ###
>
> $cmd 00010 divert natd ip from any to any in via $wan
> $cmd 00011 check-state
>
> ###
> # Rejected outbound traffic
> ###
>
> ###
> # Allowed outbound traffic
> ###
>
> # Allow all outbound traffic
> $cmd 00205 $nat icmp from any to any out via $wan $ks
> $cmd 00210 $nat tcp from any to any out via $wan setup $ks
> $cmd 00211 $nat udp from any to any out via $wan $ks
>
> ###
> # Rejected inbound traffic
> ###
>
> # Late arriving packets
> $cmd 00315 deny all from any to any frag in via $wan
>
> # ACK packets that did not match the dynamic rule table
> $cmd 00320 deny tcp from any to any established in via $wan
>
> ###
> # Allowed inbound traffic
> ###
>
> # ISP's DNS and DHCP
> $cmd 00404 allow all from ***.***.4.100 to any 53 in via $wan $ks
> $cmd 00405 allow all from ***.***.8.100 to any 53 in via $wan $ks
> $cmd 00406 allow all from 10.247.20.1 to any 68 in via $wan $ks
>
> # Test rules
> $cmd 00410 allow log logamount 50 tcp from any to any 113 in via $wan $ks
> $cmd 00411 allow log logamount 50 udp from any to any 113 in via $wan $ks
>
> $cmd 00420 allow log logamount 50 tcp from any to any 3002 in via $wan $ks
> $cmd 00421 allow log logamount 50 udp from any to any 3002 in via $wan $ks
>
> ###
> # Log and deny unauthorized traffic
> ###
>
> $cmd 00505 deny log all from any to any in via $wan
> $cmd 00506 deny log all from any to any out via $wan
>
> ###
> # This is skipto location for outbound stateful rules
> ###
>
> $cmd 00600 divert natd ip from any to any out via $wan
> $cmd 00601 allow ip from any to any
>
> ######
> # EOF;
> #####
>
> >> ipfw -d show
> 00005 341874 226401838 allow ip from any to any via bridge0
> 00006      0         0 allow ip from any to any via lo0
> 00010 159810 102549336 divert 8668 ip from any to any in via vr0
> 00011      0         0 check-state
> 00205      8       480 skipto 600 icmp from any to any out via vr0 keep-state
> 00210 317839 222819674 skipto 600 tcp from any to any out via vr0 setup keep-state
> 00211   9208   1513077 skipto 600 udp from any to any out via vr0 keep-state
> 00315      0         0 deny ip from any to any frag in via vr0
> 00320    937     72516 deny tcp from any to any established in via vr0
> 00404      0         0 allow ip from ***.***.4.100 to any dst-port 53 in via vr0 keep-state
> 00405      0         0 allow ip from ***.***.8.100 to any dst-port 53 in via vr0 keep-state
> 00406    116     38068 allow ip from 10.247.20.1 to any dst-port 68 in via vr0 keep-state
> 00410      2       120 allow log logamount 50 tcp from any to any dst-port 113 in via vr0 keep-state
> 00411      0         0 allow log logamount 50 udp from any to any dst-port 113 in via vr0 keep-state
> 00420     17       776 allow log logamount 50 tcp from any to any dst-port 3002 in via vr0 keep-state
> 00421      0         0 allow log logamount 50 udp from any to any dst-port 3002 in via vr0 keep-state
> 00422      0         0 allow log logamount 50 ip from any to any dst-port 3002 in via vr0 keep-state
> 00505   4656    409960 deny log logamount 6 ip from any to any in via vr0
> 00506   1664     80112 deny log logamount 6 ip from any to any out via vr0
> 00600 172967 122305174 divert 8668 ip from any to any out via vr0
> 00601 328900 224576731 allow ip from any to any
> 65535     86     62670 deny ip from any to any
> ## Dynamic rules (158):
> 00210      6      1848 (294s) STATE tcp 10.0.0.11 1575 <-> ***.249.91.18 80
> 00210    582     39177 (292s) STATE tcp 10.0.0.11 1205 <-> ***.12.25.125 5190
> 00211     42      3215 (2s) STATE udp 10.0.0.11 1158 <-> ***.142.64.162 27014
> 00210    725     41173 (263s) STATE tcp 10.0.0.11 1206 <-> ***.46.110.86 1863
>


Chris,

why not use pfSense or m0n0wall for your firewall/NAT needs? They're based on
FreeBSD and very easy to configure via their web GUI.

cheers.
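
A corrected version of the two inbound "Test rules" from the quoted rc.firewall.test, added here as an example and not taken from the thread or the FreeBSD handbook; it assumes the same interface names, natd.conf and rule numbering as Chris's config, and IPFW, inbound_redirect_rules and ftp_host are names introduced for the example:

```shell
#!/bin/sh
# Added example (not from the thread): a hypothetical replacement for the
# "Test rules" section of rc.firewall.test above.
#
# Why the original rules fail: an inbound packet for port 113 is de-NATed by
# rule 10 (dst becomes 10.0.0.11), then rule 410 allows it and, via keep-state,
# records a dynamic rule whose action is "allow". The reply from 10.0.0.11:113
# matches that dynamic rule at check-state (rule 11) and is allowed out on vr0
# before it reaches rule 600's divert, so it leaves with a private source
# address and never reaches the client. Giving the inbound rule the same
# "skipto 600" action as the outbound rules makes the reply take the divert.
#
# IPFW defaults to printing the rules so the script can be dry-run anywhere;
# set IPFW="ipfw -q add" on the router to install them.
IPFW="${IPFW:-echo ipfw -q add}"
wan="vr0"            # Public interface, as in the original script
nat="skipto 600"     # Rule 600 is "divert natd ... out via $wan", then allow
ks="keep-state"
ftp_host="10.0.0.11" # The LAN host named in natd.conf's redirect_port lines

inbound_redirect_rules() {
  # After rule 10's divert the destination is already the private address, so
  # match on it explicitly rather than "any". "setup" restricts state creation
  # to the SYN; later packets are matched by check-state (rule 11), ahead of
  # the "deny ... established" rule at 320.
  $IPFW 00410 $nat tcp from any to $ftp_host 113 in via $wan setup $ks
  $IPFW 00420 $nat tcp from any to $ftp_host 3002 in via $wan setup $ks
  # IDENT (RFC 1413) and FTP are TCP-only, so the udp redirect_port lines and
  # the matching udp allow rules can be dropped to shrink the exposed surface.
}

inbound_redirect_rules
```

An FTP server on a non-standard control port also needs its passive data-port range redirected and allowed, because natd's FTP helper only rewrites PORT/PASV on the standard control port.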
