Date: Sun, 26 Jan 2003 10:35:43 +0200
From: "Vikash Badal" <vikashb@mweb.co.za>
To: "Nick Rogness" <nick@rogness.net>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Source nat question (ipfw and natd)
Message-ID: <002001c2c515$f5b72200$4b0a0a0a@my.domain>
References: <20030125165456.T60949-100000@skywalker.rogness.net>
Hi Nick,

----- Original Message -----
From: "Nick Rogness" <nick@rogness.net>
To: "Vikash Badal" <vikashb@mweb.co.za>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Sunday, January 26, 2003 2:01 AM
Subject: Re: Source nat question (ipfw and natd)

> On Sat, 25 Jan 2003, Vikash Badal wrote:
>
> > Greetings,
> >
> > I currently have a box (4.7p3) that I want to connect to four different
> > networks. According to the man page I can only nat on one interface using
> > natd.
> >
> > My current natd.conf is as follows:
> > --------------------------------------------------------------------------
> > redirect_address 10.136.236.18 192.168.28.61
> > redirect_address 10.136.236.20 192.168.20.47
> > redirect_address 10.136.236.19 192.167.11.47
> > --------------------------------------------------------------------------
> >
> > When I add the following mapping:
> > redirect_address 10.136.236.18 192.168.15.47
> >
> > the source address for connections to 192.168.15.0/24 is 192.168.25.61.
> > Is there any way I can set up natd and ipfw so that if packets are
> > destined for 192.168.15.0/24 then the source address should be
> > 192.168.15.47?
> >
>
> Yes, it is possible...just a pain in the butt. I am not clear
> exactly what you mean. If you wish to pursue this, you need to
> send the output of:
>
> # cat /etc/rc.conf
> # ipfw -a l
> # netstat -rn
> # ps -aux |grep nat
>
>
> And any additional nat configuration files or settings. That
> would greatly improve the chances of your questions getting
> answered.
>
> Nick Rogness <nick@rogness.net>

I made a typo in the original mail:

===> redirect_address 10.136.236.19 192.167.11.47
should be
redirect_address 10.136.236.19 192.168.21.47

configs:

rc.conf:
============
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
inetd_enable="NO"
portmap_enable="NO"
gateway_enable="YES"
ntpdate_flags="10.131.156.5"
ntpdate_enable="YES"
natd_enable="YES"
natd_interface="vx0"
natd_flags="-config /etc/natd.conf"
hostname="nwest-fw.natis.natis"
ifconfig_xl0="inet 10.136.236.5 netmask 255.255.255.0"
ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
defaultrouter="10.136.236.1"
firewall_enable="YES"
firewall_type="natis"
firewall_quiet="YES"
====================

nwest-fw# ipfw -a l
00050 0 0 divert 8668 ip from any to any via vx0
00100 32 2000 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 check-state
00500 0 0 deny tcp from any to any established
00600 0 0 deny log logamount 256 ip from any to any ipopt ssrr
00700 0 0 deny log logamount 256 ip from any to any ipopt lsrr
00800 0 0 deny ip from 10.136.236.0/24 to any in recv vx0
00900 0 0 deny ip from 192.168.16.0/20 to any in recv xl0
01000 0 0 allow tcp from any to 10.136.236.5 22 keep-state setup
01200 0 0 allow tcp from any to 192.168.28.61 5507 keep-state setup
01300 0 0 allow tcp from any to 192.168.20.47 8080 keep-state setup
01400 0 0 allow tcp from any to 192.168.21.47 5150 keep-state setup
01500 0 0 allow tcp from any to 192.168.15.57 5507 keep-state setup
01600 0 0 allow tcp from any to 10.136.236.18 5507 keep-state setup
01700 0 0 allow tcp from any to 10.136.236.20 8080 keep-state setup
01800 0 0 allow tcp from any to 10.136.236.19 5150 keep-state setup
01900 0 0 deny log logamount 256 tcp from any to any in recv vx0
02000 0 0 deny log logamount 256 icmp from any to any frag
02100 0 0 allow udp from any to any 33434-33443 keep-state
02200 0 0 allow icmp from any to any keep-state icmptype 3,11
02300 0 0 allow icmp from any to any keep-state icmptype 0,8
02400 0 0 allow udp from 10.136.236.5 to 10.131.156.5 123 keep-state
02500 0 0 allow tcp from 10.136.236.5 to 10.131.156.5 5999,80 keep-state setup
65535 0 0 deny ip from any to any
==================

nwest-fw# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs  Use  Netif Expire
default            10.136.236.1       UGSc        1    0    xl0
10.10.10/24        link#2             UC          1    0    xl0
10.10.10.1         00:c0:df:e3:da:a9  UHLW        1  506    xl0    937
10.136.236/24      link#2             UC          1    0    xl0
10.136.236.1       link#2             UHLW        2    0    xl0
127.0.0.1          127.0.0.1          UH          0    0    lo0
192.168.15.57/32   link#1             UC          0    0    vx0
192.168.16/20      link#1             UC          1    0    vx0
192.168.28.61      00:60:97:08:07:d4  UHLW        0   16    lo0
==================

nwest-fw# ps auwx | grep natd
root   152  0.0  0.3  1084  652  p0  S+    8:42AM   0:00.00 grep natd
root    84  0.0  0.1   448  296  ??  Is    8:37AM   0:00.00 /sbin/natd -config /etc/natd.conf -n vx0
================

nwest-fw# cat /etc/natd.conf
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47
======

nwest-fw# ifconfig -a
vx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.28.61 netmask 0xfffff000 broadcast 192.168.31.255
        inet 192.168.15.57 netmask 0xffffff00 broadcast 192.168.15.255
        ether 00:60:97:08:07:d4
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet 10.136.236.5 netmask 0xffffff00 broadcast 10.136.236.255
        ether 00:10:4b:11:f2:de
        media: Ethernet autoselect (10baseT/UTP)
        status: active
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
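A consistency check over the kind of natd.conf and `ipfw -a l` output posted in this thread, added here as an example and not part of the thread or of natd/ipfw themselves. The sample input is a constructed copy of the posted configs, and the two checks (a public address with more than one redirect_address line, and a redirect target that no allow rule names) are audit heuristics of my own, not natd semantics.

```python
import re
from collections import defaultdict

# Constructed copies of the natd.conf and the relevant `ipfw -a l` lines from the thread.
NATD_CONF = """\
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47
"""
IPFW_LIST = """\
01200 0 0 allow tcp from any to 192.168.28.61 5507 keep-state setup
01300 0 0 allow tcp from any to 192.168.20.47 8080 keep-state setup
01400 0 0 allow tcp from any to 192.168.21.47 5150 keep-state setup
01500 0 0 allow tcp from any to 192.168.15.57 5507 keep-state setup
01600 0 0 allow tcp from any to 10.136.236.18 5507 keep-state setup
65535 0 0 deny ip from any to any
"""

# `ipfw -a l` prints: rule packets bytes action proto from src to dst [ports] [options]
ALLOW_RE = re.compile(r"^\d+\s+\d+\s+\d+\s+allow\s+\S+\s+from\s+\S+\s+to\s+(\S+)")

def parse_redirects(conf):
    """Map each public (alias) address to its redirect targets, in file order."""
    redirects = defaultdict(list)
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "redirect_address":
            redirects[fields[1]].append(fields[2])
    return dict(redirects)

def allowed_destinations(ipfw_output):
    """Destination addresses named explicitly by some ipfw allow rule."""
    return {m.group(1) for line in ipfw_output.splitlines()
            if (m := ALLOW_RE.match(line))}

def audit(conf, ipfw_output):
    """Return (kind, public, detail) findings: an alias mapped twice is ambiguous,
    and a redirect target with no allow rule is dead or a typo."""
    redirects = parse_redirects(conf)
    allowed = allowed_destinations(ipfw_output)
    findings = []
    for public, targets in redirects.items():
        if len(targets) > 1:
            findings.append(("duplicate-alias", public, tuple(targets)))
        for target in targets:
            if target not in allowed:
                findings.append(("unreached-target", public, target))
    return findings

if __name__ == "__main__":
    for finding in audit(NATD_CONF, IPFW_LIST):
        print(*finding)
```

On the posted configs it reports 10.136.236.18 mapped twice and 192.168.15.47 with no allow rule, which is worth comparing with the 192.168.15.57 used in rule 01500 and on the vx0 alias.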