Re: Question about ipfw, natd and port forwarding.

From: Lowell Gilbert (freebsd-questions-local_at_be-well.ilk.org)
Date: 02/28/05

  • Next message: J.D. Bronson: "make world fails..how to troubleshoot?"
    To: Deling Ren <lg+freebsd@home.homeunix.org>
    Date: 28 Feb 2005 09:29:13 -0500
    
    

    Deling Ren <lg+freebsd@home.homeunix.org> writes:

    > Hi all, I am trying to set up a NAT box for my home network on freebsd 5.3.
    > I am using ipfw and natd. I already got nat running but I am having a
    > problem with port forwarding. I am trying to forward port 80 on the nat
    > box to an internal machine (192.168.0.7). I have the following as part of
    > natd_flags:
    >
    > -redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80
    >
    > where xx.xx.xx.xx is the external IP of the nat box.
    >
    > Using the following ipfw rules:
    >
    > 00050 divert 8668 ip from any to any via sis0
    > 65535 allow ip from any to any
    >
    > I have no problem connecting to port 80 on the nat box from outside. But once I
    > added stateful ipfw rules, it stopped working. Running nmap from outside
    > says port 80 is filtered. I am not sure how to configure the rules to
    > enable port forwarding. Any help will be appreciated. Thanks.
    >
    > Deling
    >
    > Here are my ipfw rules:
    >
    > 00005 allow ip from any to any via $iif
    > 00010 allow ip from any to any via lo0
    > 00014 divert 8668 ip from any to any in via $oif
    >
    > 00015 check-state
    >
    > 00060 skipto 800 tcp from any to any out via $oif setup keep-state
    > 00080 skipto 800 icmp from any to any out via $oif keep-state
    > 00130 skipto 800 udp from any to any out via $oif keep-state
    >
    > 00340 allow icmp from any to me in via $oif keep-state
    >
    > 00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
    > 00380 allow tcp from any to me dst-port 22 in via $oif setup limit
    > src-addr 5
    >
    > 00400 deny log logamount 5 ip from any to any in via $oif
    > 00450 deny log logamount 5 ip from any to any out via $oif
    >
    > 00800 divert 8668 ip from any to any out via $oif
    > 00801 allow ip from any to any
    > 00999 deny log logamount 5 ip from any to any

    Stateful rules are quite tricky in combination with address rewriting,
    because the state being saved won't match the packet after it's passed
    through the rewriting. This rule set seems to handle that by
    splitting the redirect rule into one for each direction, but I'd still
    look in that direction for the trouble. Try removing the log limits
    and seeing what happens when an HTTP packet gets dropped.
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
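The following is an added model, not code from the thread or from the ipfw/natd sources: it walks one port-forwarded TCP connection through a simplified copy of the quoted ruleset to make the reply's point concrete. An inbound SYN is diverted (rule 14) before rule 360 records state, so the state entry is keyed on the internal address 192.168.0.7; when the SYN-ACK goes out, check-state (rule 15) matches and applies the parent rule's action, "allow", so the reply never reaches the outbound divert at rule 800 and leaves with its private source address. The external address 198.51.100.1, the client address, the skipping of natd's port translation and the single-interface simplification are assumptions of the model; the `skipto` variant of rule 360 is my own comparison case, not something the reply proposes.

```python
"""Toy model of ipfw rule evaluation plus natd-style rewriting.

Constructed example (not from the mailing-list thread). It reproduces the
path a port-forwarded connection takes through a simplified copy of the
ruleset quoted above. Addresses and rule numbers are assumptions.
"""
from dataclasses import dataclass, replace

EXT_IP = "198.51.100.1"       # assumed external address of the NAT box
INTERNAL_WEB = "192.168.0.7"  # internal web server named in the thread
CLIENT = "203.0.113.5"        # assumed outside client


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out" via the outside interface
    setup: bool = False   # TCP SYN without ACK (ipfw "setup")


def natd(pkt: Packet) -> Packet:
    """Model natd with '-redirect_port tcp 192.168.0.7:80 EXT_IP:80'.
    Port translation for outbound masquerading is omitted for brevity."""
    if pkt.direction == "in" and pkt.dst == EXT_IP and pkt.dport == 80:
        return replace(pkt, dst=INTERNAL_WEB)           # inbound redirect
    if pkt.direction == "out" and pkt.src.startswith("192.168.0."):
        return replace(pkt, src=EXT_IP)                 # outbound rewrite
    return pkt


def m(proto=None, direction=None, dport=None, setup=None):
    """Build a match predicate from the few selectors the model needs."""
    def matches(p: Packet) -> bool:
        return ((proto is None or p.proto == proto)
                and (direction is None or p.direction == direction)
                and (dport is None or p.dport == dport)
                and (setup is None or p.setup == setup))
    return matches


def state_key(p: Packet):
    """Dynamic rules match both directions, so key on the sorted endpoints."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Firewall:
    def __init__(self, rules):
        self.rules = rules    # list ordered by rule number
        self.dynamic = {}     # state_key -> rule that created the state

    def run(self, pkt: Packet):
        """Return (verdict, packet as it leaves the firewall)."""
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            hit, create = None, False
            if rule["action"] == "check-state":
                hit = self.dynamic.get(state_key(pkt))   # parent rule, if any
            elif rule["match"](pkt):
                hit, create = rule, rule.get("keep_state", False)
            if hit is None:
                i += 1
                continue
            if hit["action"] == "divert":
                pkt = natd(pkt)          # natd rewrites, packet re-enters at next rule
                i += 1
                continue
            if create:
                self.dynamic[state_key(pkt)] = hit   # keyed on addresses as seen here
            if hit["action"] == "skipto":
                i = next(k for k, r in enumerate(self.rules) if r["num"] >= hit["target"])
                continue
            return hit["action"], pkt    # allow or deny
        return "deny", pkt


def ruleset(port80_action: str):
    """Simplified copy of the thread's rules; port80_action is rule 360's action."""
    return [
        {"num": 14, "action": "divert", "match": m(direction="in")},
        {"num": 15, "action": "check-state"},
        {"num": 60, "action": "skipto", "target": 800,
         "match": m("tcp", "out", setup=True), "keep_state": True},
        {"num": 360, "action": port80_action, "target": 800,
         "match": m("tcp", "in", dport=80, setup=True), "keep_state": True},
        {"num": 400, "action": "deny", "match": m(direction="in")},
        {"num": 450, "action": "deny", "match": m(direction="out")},
        {"num": 800, "action": "divert", "match": m(direction="out")},
        {"num": 801, "action": "allow", "match": m()},
    ]


def forwarded_http_exchange(port80_action: str = "allow"):
    """Run a SYN in and the SYN-ACK out; report verdicts and the rewritten endpoint."""
    fw = Firewall(ruleset(port80_action))
    syn = Packet("tcp", CLIENT, 40000, EXT_IP, 80, "in", setup=True)
    v_syn, syn_out = fw.run(syn)
    synack = Packet("tcp", INTERNAL_WEB, 80, CLIENT, 40000, "out")
    v_ack, synack_out = fw.run(synack)
    return {"syn": (v_syn, syn_out.dst), "synack": (v_ack, synack_out.src)}


if __name__ == "__main__":
    print("rule 360 = allow :", forwarded_http_exchange("allow"))
    print("rule 360 = skipto:", forwarded_http_exchange("skipto"))
```

With rule 360 as `allow`, the SYN-ACK is accepted by check-state with source 192.168.0.7 still in place, which is consistent with an outside scanner seeing the port as filtered: the reply is sent, but not from the address the client is waiting on. With the comparison variant, where rule 360 uses `skipto 800` like the outbound rules do, check-state re-executes that skipto for the reply, the packet reaches the outbound divert and leaves with the external address.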

