ipfw / natd port forwarding.

Post by Tony » Sat, 27 May 2000 04:00:00

Hey

I've been working on this for two weeks now... I'm trying to setup
natd/ipfw to forward ssh packets from anywhere external to one of my
internal boxes.

Here's my setup:

ladyjane# ipfw list
00100 divert 8668 ip from any to any via fxp1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow ip from any to any
00400 allow tcp from any to any
00500 allow udp from any to any
00600 allow icmp from any to any
65535 deny ip from any to any

natd -p 8668 -n fxp1 -redirect_port tcp 209.157.28.3:22 172.16.0.250:22

This seems to alias incoming connections, but natd won't alias the outgoing
connections. Anybody done this before and have a good direction to point
me?

Thanks

Tony


HELP - IPFW with NATD for port forwarding

I am having a problem getting my FreeBSD 4.3 IPFW firewall to forward
incoming FTP requests to a server on a private network.  I have scoured
dejanews and the like and all the previous posts seem to say the same thing:
NATD redirect_port entries in NATD.CONF and an ADD ALLOW statement in the
firewall script as noted in the script below.

Natd.conf entries are as follows:

use_sockets yes
redirect_port tcp 192.168.1.3:21 21
redirect_port udp 192.168.1.3:21 21

natd.conf is of course called in rc.conf via natd_flags="-f /etc/natd.conf"

And here is my firewall script:

fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="oifx"  #set to outside interface name
onwr="a.b.c.d/24" #set to outside network range
oip="a.b.c.d"  #set to outside ip address

iif="ifx"  #set to internal interface name
inwr="x.y.z.x/24" #set to internal network range
iip="x.y.z.x"  #set to internal ip address

ns1="e.f.g.h"  #set to primary name server best if = oif
#ntp="i.j.k.l"  #set to ip of NTP server or leave as is

 $fwcmd -f flush

 $fwcmd add allow all from any to any via lo0
 $fwcmd add deny log all from any to 127.0.0.0/8

 $fwcmd add deny log ip from $inwr to any in via $oif

 $fwcmd add deny log ip from not $inwr to any in via $iif

 $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
 $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
 $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
 $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
 $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
 $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

 $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
 $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
 $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
 $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
 $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
 $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
 $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
 $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
 $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
 $fwcmd add deny all from any to 240.0.0.0/4 in via $oif

 $fwcmd add divert natd all from any to any via $oif

 $fwcmd add allow tcp from any to any established
 $fwcmd add allow tcp from any to $oip 22 setup
 $fwcmd add allow log tcp from any to <publicaddress> 21 via $oif
<---------------Add Allow statement

 $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
 $fwcmd add allow udp from any 53 to $ns1 53
 $fwcmd add check-state
 $fwcmd add allow ip from $oip to any keep-state out via $oif
 $fwcmd add allow ip from $inwr to any keep-state via $iif

 $fwcmd add 65435 deny log ip from any to any  <---------------------Is this
line cancelling out my Add Allow above?

Any help would be appreciated.

TIA

Rob
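The following is an added illustration, not code from either post: a small model of how ipfw evaluates a rule list around a `divert natd` rule. When natd hands a redirected packet back, ipfw continues at the rule after the divert with the destination already rewritten to the internal host, so an `allow` that still names the public address never sees a matching packet. Addresses are taken from Rob's script (`a.b.c.d` as placeholder public address, `192.168.1.3` as the FTP server); the client address is constructed.

```python
# Model of ipfw rule evaluation with a natd divert in the middle of the list.
# Assumption (from ipfw semantics): a packet re-injected by natd re-enters the
# firewall at the rule following the divert rule, with its headers rewritten.
from dataclasses import dataclass, replace

PUBLIC = "a.b.c.d"        # placeholder outside address, as in the post
INTERNAL = "192.168.1.3"  # FTP server on the private network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "in" or "out" relative to the outside interface

# natd.conf: redirect_port tcp 192.168.1.3:21 21
REDIRECTS = {(PUBLIC, 21): (INTERNAL, 21)}

def natd_redirect(pkt):
    """Rewrite the destination of an inbound packet that hits a redirect_port."""
    target = REDIRECTS.get((pkt.dst, pkt.dport))
    if pkt.direction == "in" and target:
        return replace(pkt, dst=target[0], dport=target[1])
    return pkt

def evaluate(rules, pkt):
    """Walk rules in order; the first matching allow/deny decides.
    A divert rule translates the packet and evaluation continues."""
    for action, match in rules:
        if action == "divert":
            pkt = natd_redirect(pkt)
            continue
        if match(pkt):
            return action, pkt
    return "deny", pkt  # implicit rule 65535

def broken_rules():
    # 'allow ... to <publicaddress> 21' placed after the divert: never matches.
    return [("divert", None),
            ("allow", lambda p: p.dst == PUBLIC and p.dport == 21),
            ("deny", lambda p: True)]

def fixed_rules():
    # After translation the packet is addressed to the internal server.
    return [("divert", None),
            ("allow", lambda p: p.dst == INTERNAL and p.dport == 21),
            ("deny", lambda p: True)]

def verdict(rules):
    client = Packet("198.51.100.7", PUBLIC, 21, "in")  # constructed FTP SYN
    action, final = evaluate(rules, client)
    return action, final.dst
```

So the trailing `deny log ip from any to any` is not the culprit; the allow rule needs to match the post-translation destination (`allow tcp from any to 192.168.1.3 21 in via $oif setup`).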
