need help with port redirects using natd/ipfw

Post by Trey Schisse » Thu, 10 Jan 2002 04:54:03

History:   I am trying to convert from a service provider that gave me five
IP addresses to a new service provider that only gives one. So I need to
hide my mail server and two web servers behind one firewall machine running
some sort of gateway/routing/masquerading application. At this time I am
attempting to use the NAT application included as part of FreeBSD.

Note: In all file snippets and error messages where my public IP is visible,
the last two octets have been replaced to provide limited server anonymity.
Also, for now I am only working on getting the smtp port working. Once I
have a working example I should be able to complete the configuration for my
web services.

Problem:   NAT works flawlessly with my configuration to allow internal
users to browse the web or transfer files. It also loads without giving me
any error messages concerning my redirect_port directives in my natd.conf.
However, if everything was working I should be able to telnet to port 25 on
my gateway machine and get a response from my mail server. This does not
happen, instead I get the error message...
    "Trying 65.186.X.X...
    telnet: connect to address 65.186.X.X: Connection refused
    telnet: Unable to connect to remote host"
I think there may be a problem with my firewall rules in ipfw, but I have
not found a source with good examples of the rules that should be in place.
And yes, before you mention it, I have looked at the handbook but the
examples did not explain this clearly to me.

Question:   Could someone please review my config below and let me know what
I am doing wrong?

I have included a snippet from my "/etc/rc.conf", output from `ifconfig -a`
and `ipfw list`, and my complete "/usr/local/etc/natd.conf" file.

### network related lines from /etc/rc.conf ###
ifconfig_xl0="inet  netmask"
ifconfig_dc0="inet 65.186.X.X  netmask"
natd_flags="-f /usr/local/etc/natd.conf"

### `ifconfig -a` ###
        inet netmask 0xffffff00 broadcast
        inet6 fe80::260:8ff:fe5a:5670%xl0 prefixlen 64 scopeid 0x1
        ether 00:60:08:5a:56:70
        media: autoselect (100baseTX <full-duplex>) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX
10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
        inet 65.186.X.X netmask 0xfffffffc broadcast 65.186.X.X
        inet6 fe80::2a0:ccff:fedb:9689%dc0 prefixlen 64 scopeid 0x3
        ether 00:a0:cc:db:96:89
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX
10baseT/UTP <full-duplex> 10baseT/UTP none
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet netmask 0xff000000

### `ipfw list` ###
00050 divert 8668 ip from any to any via dc0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 allow ip from any to any

### /usr/local/etc/natd.conf ###
use_sockets yes
same_ports yes
interface dc0
redirect_port tcp 25
redirect_port udp 25
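
Added example, not part of either post on this page and not FreeBSD code: a
small Python checker for the two things these threads trip over, the shape of
the redirect_port directive and the placement of the ipfw divert rule.
natd(8) documents redirect_port as
"proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]", and a natd with neither "interface" nor
"alias_address" stops with "aliasing address not given", the message quoted
in the second post. The sample natd.conf and `ipfw list` text below are
constructed for the example; 192.0.2.10 is a documentation address standing
in for an internal mail host and is an assumption, not an address from the
thread.

```python
import re

# Constructed sample natd.conf: line 4 has the three-token form shown in the
# post, line 5 is the complete form from natd(8), line 6 is the udp variant.
# 192.0.2.10 is a documentation address standing in for the internal mail host.
NATD_CONF = """\
use_sockets yes
same_ports yes
interface dc0
redirect_port tcp 25
redirect_port tcp 192.0.2.10:25 25
redirect_port udp 25
"""

# Constructed from the `ipfw list` output in the first post.
IPFW_LIST = """\
00050 divert 8668 ip from any to any via dc0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 allow ip from any to any
"""

# natd(8): redirect_port proto targetIP:targetPORT[-targetPORT]
#                        [aliasIP:]aliasPORT[-aliasPORT]
#                        [remoteIP[:remotePORT[-remotePORT]]]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TARGET = re.compile(rf"^(?:{IPV4}|[A-Za-z][\w.-]*):\d+(?:-\d+)?$")
ALIAS = re.compile(rf"^(?:{IPV4}:)?\d+(?:-\d+)?$")
IPFW_RULE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")
ACCEPT_ACTIONS = {"allow", "accept", "pass", "permit"}


def check_natd_conf(text):
    """Return problem strings for a natd.conf; an empty list means it parses."""
    problems = []
    has_alias = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] in ("interface", "alias_address"):
            has_alias = True
        elif tok[0] == "redirect_port":
            if len(tok) < 4:
                problems.append(f"line {lineno}: redirect_port needs "
                                f"'proto targetIP:targetPORT aliasPORT', got {line!r}")
                continue
            proto, target, alias = tok[1], tok[2], tok[3]
            if proto not in ("tcp", "udp"):
                problems.append(f"line {lineno}: unknown protocol {proto!r}")
            if not TARGET.match(target):
                problems.append(f"line {lineno}: target {target!r} must be host:port")
            if not ALIAS.match(alias):
                problems.append(f"line {lineno}: alias {alias!r} must be [aliasIP:]port")
    if not has_alias:
        problems.append("no 'interface' or 'alias_address': natd exits with "
                        "'aliasing address not given'")
    return problems


def natd_interface(text):
    """Interface named by the natd.conf 'interface' directive, or None."""
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) == 2 and tok[0] == "interface":
            return tok[1]
    return None


def check_ipfw(text, ext_if):
    """Traffic on ext_if must reach a divert rule before any accept rule."""
    rules = [(int(m[1]), m[2], m[3]) for m in
             (IPFW_RULE.match(ln.strip()) for ln in text.splitlines()) if m]
    diverts = [num for num, act, body in rules
               if act == "divert" and f"via {ext_if}" in body]
    if not diverts:
        return [f"no divert rule on {ext_if}: packets never reach natd"]
    first = min(diverts)
    return [f"rule {num:05d} '{act} {body}' comes before the divert rule on "
            f"{ext_if} and lets matching traffic bypass natd"
            for num, act, body in rules
            if num < first and act in ACCEPT_ACTIONS and "via lo0" not in body]


def check(natd_text, ipfw_text):
    """Run both checks and return all findings as a list of strings."""
    findings = check_natd_conf(natd_text)
    ext_if = natd_interface(natd_text)
    if ext_if:
        findings += check_ipfw(ipfw_text, ext_if)
    return findings


if __name__ == "__main__":
    for finding in check(NATD_CONF, IPFW_LIST):
        print(finding)
```

Two things the checker cannot see from these two files: the kernel needs
options IPDIVERT for the divert rule to do anything, and once natd rewrites
the destination to the internal host the packet re-enters ipfw after the
divert rule with that new address, so a ruleset that is not wide open also
needs an allow for tcp to the mail host's port 25.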

1. ipfw, freebsd 4.6, natd redirected ports (NOT)

OK, the first time I tried this was on a 4.3 FreeBSD sometime last year..
this time it's on a 4.6 machine. The man pages and the articles I have
seen on the net and in the usenet groups all seem to be saying some
simple task of  "-redirect_port tcp 80" to get the ball

I'm sorry.. but that just doesn't cut it for me. I'm not exactly sure
WHAT the magic is that everyone else seems to have.. but this is what
I get when doing this.

My setup:  Freebsd 4.6, Firewall/Gateway Running ipfw  rules and natd
Command output:

0wn3d# natd -redirect_port tcp 80
natd: aliasing address not given

(reading through man page) I decided to change the command line a
0wn3d# natd -interface fxp0 -redirect_port tcp 80
natd: Unable to bind divert socket.: Address already in use


I know for a FACT that I have nothing on 80 running on this machine:
(output of netstat -atn omitted)

In fact.. no matter WHAT port I use.. it still gives me the same

(for shitz and grins)

0wn3d# natd -alias_address <myexternip>  -redirect_port tcp 8080
natd: Unable to bind divert socket.: Address already in use

So, i'm asking anyone.. WHAT IS THE MAGIC?

(relevant rc.conf entries)
natd_flags="-m "

