Date:      Sun, 26 Jan 2003 10:35:43 +0200
From:      "Vikash Badal" <vikashb@mweb.co.za>
To:        "Nick Rogness" <nick@rogness.net>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Source nat question (ipfw and natd)
Message-ID:  <002001c2c515$f5b72200$4b0a0a0a@my.domain>
References:  <20030125165456.T60949-100000@skywalker.rogness.net>

Hi Nick,

----- Original Message -----
From: "Nick Rogness" <nick@rogness.net>
To: "Vikash Badal" <vikashb@mweb.co.za>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Sunday, January 26, 2003 2:01 AM
Subject: Re: Source nat question (ipfw and natd)


> On Sat, 25 Jan 2003, Vikash Badal wrote:
>
> > Greetings,
> >
> > I currently have a box (4.7p3) that I want to connect to four different
> > networks. According to the man page I can only nat on one interface using
> > natd.
> >
> > My current natd.conf is as follows :
> > --------------------------------------------------------------------------
> > redirect_address 10.136.236.18 192.168.28.61
> > redirect_address 10.136.236.20 192.168.20.47
> > redirect_address 10.136.236.19 192.167.11.47
> > --------------------------------------------------------------------------
> >
> > When I add the following mapping:
> > redirect_address 10.136.236.18 192.168.15.47
> >
> > the source address for connections to 192.168.15.0/24 is 192.168.25.61.
> > Is there any way I can set up natd and ipfw so that if packets are
> > destined for 192.168.15.0/24 then the source address should be
> > 192.168.15.47?
> >
>
> Yes, it is possible...just a pain in the butt.  I am not clear
> exactly what you mean.  If you wish to pursue this, you need to
> send the output of:
>
> # cat /etc/rc.conf
> # ipfw -a l
> # netstat -rn
> # ps -aux |grep nat
>
>
> And any additional nat configuration files or settings.  That
> would greatly improve the chances of your questions getting
> answered.
>
>
> Nick Rogness <nick@rogness.net>

I made a typo in the original mail:
===> redirect_address 10.136.236.19 192.167.11.47
should be redirect_address 10.136.236.19 192.168.21.47

configs:

rc.conf:
============
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
inetd_enable="NO"
portmap_enable="NO"
gateway_enable="YES"
ntpdate_flags="10.131.156.5"
ntpdate_enable="YES"
natd_enable="YES"
natd_interface="vx0"
natd_flags="-config /etc/natd.conf"
hostname="nwest-fw.natis.natis"
ifconfig_xl0="inet 10.136.236.5  netmask 255.255.255.0"
ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
defaultrouter="10.136.236.1"
firewall_enable="YES"
firewall_type="natis"
firewall_quiet="YES"
====================

nwest-fw# ipfw -a l
00050   0     0 divert 8668 ip from any to any via vx0
00100  32  2000 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
00300   0     0 deny ip from 127.0.0.0/8 to any
00400   0     0 check-state
00500   0     0 deny tcp from any to any established
00600   0     0 deny log logamount 256 ip from any to any ipopt ssrr
00700   0     0 deny log logamount 256 ip from any to any ipopt lsrr
00800   0     0 deny ip from 10.136.236.0/24 to any in recv vx0
00900   0     0 deny ip from 192.168.16.0/20 to any in recv xl0
01000   0     0 allow tcp from any to 10.136.236.5 22 keep-state setup
01200   0     0 allow tcp from any to 192.168.28.61 5507 keep-state setup
01300   0     0 allow tcp from any to 192.168.20.47 8080 keep-state setup
01400   0     0 allow tcp from any to 192.168.21.47 5150 keep-state setup
01500   0     0 allow tcp from any to 192.168.15.57 5507 keep-state setup
01600   0     0 allow tcp from any to 10.136.236.18 5507 keep-state setup
01700   0     0 allow tcp from any to 10.136.236.20 8080 keep-state setup
01800   0     0 allow tcp from any to 10.136.236.19 5150 keep-state setup
01900   0     0 deny log logamount 256 tcp from any to any in recv vx0
02000   0     0 deny log logamount 256 icmp from any to any frag
02100   0     0 allow udp from any to any 33434-33443 keep-state
02200   0     0 allow icmp from any to any keep-state icmptype 3,11
02300   0     0 allow icmp from any to any keep-state icmptype 0,8
02400   0     0 allow udp from 10.136.236.5 to 10.131.156.5 123 keep-state
02500   0     0 allow tcp from 10.136.236.5 to 10.131.156.5 5999,80 keep-state setup
65535   0     0 deny ip from any to any

==================

nwest-fw# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.136.236.1       UGSc        1        0    xl0
10.10.10/24        link#2             UC          1        0    xl0
10.10.10.1         00:c0:df:e3:da:a9  UHLW        1      506    xl0    937
10.136.236/24      link#2             UC          1        0    xl0
10.136.236.1       link#2             UHLW        2        0    xl0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.15.57/32   link#1             UC          0        0    vx0
192.168.16/20      link#1             UC          1        0    vx0
192.168.28.61      00:60:97:08:07:d4  UHLW        0       16    lo0

==================

nwest-fw# ps auwx | grep natd
root   152  0.0  0.3  1084  652  p0  S+    8:42AM   0:00.00 grep natd
root    84  0.0  0.1   448  296  ??  Is    8:37AM   0:00.00 /sbin/natd -config /etc/natd.conf -n vx0

================
nwest-fw# cat /etc/natd.conf
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47

======
nwest-fw# ifconfig -a
vx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.28.61 netmask 0xfffff000 broadcast 192.168.31.255
        inet 192.168.15.57 netmask 0xffffff00 broadcast 192.168.15.255
        ether 00:60:97:08:07:d4
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet 10.136.236.5 netmask 0xffffff00 broadcast 10.136.236.255
        ether 00:10:4b:11:f2:de
        media: Ethernet autoselect (10baseT/UTP)
        status: active
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
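Added example (not part of the thread, and not natd or libalias code): a small Python model of what the posted natd.conf does to the source address of an outgoing packet, and of the approach Nick's "yes, it is possible" points at. The model assumes natd keeps one static alias per local address (so a second `redirect_address` for 10.136.236.18 cannot be selected by destination, which is the symptom described above), falls back to the `-n` interface address when nothing matches, and keeps the first mapping when a local address is listed twice; that last point is an assumption of the model, not a documented natd rule. The split is modelled on two ipfw `divert` rules keyed on destination, each feeding its own natd instance on a distinct `-port`; the class and function names are invented for the example. The first function also lints a natd.conf for exactly the duplicate-local problem visible in the posted file.

```python
"""Model of natd(8) static redirect_address translation and of a
destination-keyed split across two natd instances.

Added example for this thread; NOT natd or libalias code.  It models only
the policy visible in the posted config: one static alias per local
address, with the interface address (-n vx0) used when nothing matches.
"""
import ipaddress

# natd.conf exactly as posted in the thread (10.136.236.18 appears twice).
NATD_CONF = """\
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47
"""


def parse_redirects(text):
    """Return [(local_ip, alias_ip), ...] from redirect_address lines,
    skipping blanks and comments and validating both addresses."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "redirect_address" or len(parts) != 3:
            raise ValueError(f"unsupported natd.conf line: {raw!r}")
        local, alias = (str(ipaddress.IPv4Address(p)) for p in parts[1:])
        pairs.append((local, alias))
    return pairs


def conflicting_locals(pairs):
    """Locals mapped to more than one alias: {local: [alias, ...]}.
    A static mapping cannot depend on the destination, so a second
    redirect_address for the same local address is the thing to check
    before touching the ipfw rules."""
    seen = {}
    for local, alias in pairs:
        seen.setdefault(local, []).append(alias)
    return {loc: aliases for loc, aliases in seen.items() if len(aliases) > 1}


class NatdInstance:
    """One natd process: a static table plus the fallback alias (the -n
    interface address).  Model assumption: the first redirect_address
    seen for a local address is the one kept."""

    def __init__(self, pairs, interface_addr):
        self.table = {}
        for local, alias in pairs:
            self.table.setdefault(local, alias)
        self.interface_addr = interface_addr

    def source_after_nat(self, src, dst):
        # dst is deliberately unused: one instance cannot pick by destination.
        return self.table.get(src, self.interface_addr)


class DivertSplit:
    """Models ipfw 'divert' rules keyed on destination, each feeding its own
    natd instance (distinct -port).  First matching prefix wins, as with
    ipfw rule order, so the last entry should be a catch-all."""

    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(p), inst) for p, inst in rules]

    def source_after_nat(self, src, dst):
        d = ipaddress.ip_address(dst)
        for prefix, inst in self.rules:
            if d in prefix:
                return inst.source_after_nat(src, dst)
        raise LookupError(f"no divert rule matches destination {dst}")


def build_split_from_posted_config():
    """Move the 192.168.15.0/24 mapping to a second natd instance whose
    fallback is the vx0 alias (192.168.15.57); everything else stays on
    the first instance with the primary vx0 address as fallback."""
    pairs = parse_redirects(NATD_CONF)
    net15 = ipaddress.ip_network("192.168.15.0/24")
    to_15 = [(l, a) for l, a in pairs if ipaddress.ip_address(a) in net15]
    rest = [(l, a) for l, a in pairs if (l, a) not in to_15]
    return DivertSplit([
        ("192.168.15.0/24", NatdInstance(to_15, "192.168.15.57")),
        ("0.0.0.0/0", NatdInstance(rest, "192.168.28.61")),
    ])


if __name__ == "__main__":
    pairs = parse_redirects(NATD_CONF)
    print("duplicate locals:", conflicting_locals(pairs))
    single = NatdInstance(pairs, "192.168.28.61")
    print("single natd ->", single.source_after_nat("10.136.236.18", "192.168.15.10"))
    split = build_split_from_posted_config()
    print("split natd  ->", split.source_after_nat("10.136.236.18", "192.168.15.10"))
    print("split natd  ->", split.source_after_nat("10.136.236.18", "192.168.20.5"))
```

Running it shows the two things worth taking back to the real box: the lint flags 10.136.236.18 as mapped to two aliases, and only the destination-keyed split gives 192.168.15.47 for traffic into 192.168.15.0/24 while leaving other destinations on 192.168.28.61. On FreeBSD the split corresponds to a second natd started with its own `-port` and `-redirect_address`, plus an ipfw `divert` rule for that port matching `to 192.168.15.0/24` placed before the existing `divert 8668 ... via vx0` rule; the exact rule set is not shown in this thread.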






