ipfw + natd; port redirection problem

ipfw + natd; port redirection problem

Post by Jolo » Thu, 06 Mar 2003 03:46:54



Hello

I run ipfw + natd on a FreeBSD 4.7p6-release gateway.  I wish to redirect
ports
for ssh, vnc, web, and mail to boxes inside the LAN.  SSH connections are
being
redirected properly, but vnc and web are not.  httpd is running and
listening on
10.0.0.10:8080, and TightVNC is configured correctly.
I'd like to know what I need to tweak, either in my ruleset or conf files.

Thanks in advance.

-------------------------------------------
from /etc/rc.conf

network_interfaces="lo0 ed1 rl0"
hostname="churgeon.joshualokken.com"
ifconfig_ed1="DHCP"
ifconfig_rl0="inet 10.0.0.1  netmask 255.0.0.0"

[snip]

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
firewall_script="/etc/firewall.conf"

tcp_extensions="YES"
icmp_drop_redirect="YES"
-----------------------------------------------
from /etc/natd.conf
# natd.conf
# flags

interface ed1
dynamic yes
unregistered_only yes
same_ports yes
use_sockets yes

# Web and mail

redirect_port tcp 10.0.0.10:8080 80
redirect_port udp 10.0.0.10:8080 80
redirect_port tcp 10.0.0.10:443 443
redirect_port udp 10.0.0.10:443 443

redirect_port tcp 10.0.0.2:22 22002
redirect_port udp 10.0.0.2:22 22002
redirect_port tcp 10.0.0.3:22 22003
redirect_port udp 10.0.0.3:22 22003
redirect_port tcp 10.0.0.10:22 22010
redirect_port udp 10.0.0.10:22 22010

redirect_port tcp 10.0.0.2:5900-5910 5900-5910
redirect_port udp 10.0.0.2:5900-5910 5900-5910
-------------------------------------------------------
from /etc/firewall.conf

fwcmd="/sbin/ipfw"
oif="ed1"
oip="me"

iif="rl0"
inwr="10.0.0.0/8"
iip="10.0.0.1"

# ISPs name servers
ns1="204.127.198.4"
ns2="216.148.227.68"

# zoneedit name servers
ns3="207.228.252.107"
ns4="64.246.26.64"

$fwcmd -q flush

$fwcmd add allow all from any to any via lo0
$fwcmd add deny ip from any to 127.0.0.0/8

$fwcmd add divert natd all from any to any via $oif

$fwcmd add allow icmp from any to any icmptypes 3,4,11,12

$fwcmd add allow udp from $ns1 53 to any in via $oif
$fwcmd add allow udp from $ns2 53 to any in via $oif
$fwcmd add allow udp from $ns3 to any in via $oif
$fwcmd add allow udp from any to any out

$fwcmd add check-state

$fwcmd add allow tcp from any to any
22,25,80,110,443,5901,5902,6346,22002,22003,22010 setup via $oif keep-state

$fwcmd add allow ip from $oip to any keep-state out via $oif

$fwcmd add allow ip from $inwr to any keep-state via $iif

$fwcmd add 65435 deny log ip from any to any

--
Best Regards,

Joshua Lokken
OMIC Portland Branch

503 807 6538

 
 
 

ipfw + natd; port redirection problem

Post by vso » Sat, 08 Mar 2003 22:46:19



> Hello

> I run ipfw + natd on a FreeBSD 4.7p6-release gateway.  I wish to redirect
> ports
> for ssh, vnc, web, and mail to boxes inside the LAN.  SSH connections are
> being
> redirected properly, but vnc and web are not.  httpd is running and
> listening on
> 10.0.0.10:8080, and TightVNC is configured correctly.
> I'd like to know what I need to tweak, either in my ruleset or conf files.

> Thanks in advance.

> -------------------------------------------
> from /etc/rc.conf

> network_interfaces="lo0 ed1 rl0"
> hostname="churgeon.joshualokken.com"
> ifconfig_ed1="DHCP"
> ifconfig_rl0="inet 10.0.0.1  netmask 255.0.0.0"

> [snip]

> gateway_enable="YES"
> firewall_enable="YES"
> natd_enable="YES"
> natd_interface="ed1"
> natd_flags="-f /etc/natd.conf"
> firewall_script="/etc/firewall.conf"

> tcp_extensions="YES"
> icmp_drop_redirect="YES"
> -----------------------------------------------
> from /etc/natd.conf
> # natd.conf
> # flags

> interface ed1
> dynamic yes
> unregistered_only yes
> same_ports yes
> use_sockets yes

> # Web and mail

> redirect_port tcp 10.0.0.10:8080 80
> redirect_port udp 10.0.0.10:8080 80
> redirect_port tcp 10.0.0.10:443 443
> redirect_port udp 10.0.0.10:443 443

> redirect_port tcp 10.0.0.2:22 22002
> redirect_port udp 10.0.0.2:22 22002
> redirect_port tcp 10.0.0.3:22 22003
> redirect_port udp 10.0.0.3:22 22003
> redirect_port tcp 10.0.0.10:22 22010
> redirect_port udp 10.0.0.10:22 22010

> redirect_port tcp 10.0.0.2:5900-5910 5900-5910
> redirect_port udp 10.0.0.2:5900-5910 5900-5910
> -------------------------------------------------------
> from /etc/firewall.conf

> fwcmd="/sbin/ipfw"
> oif="ed1"
> oip="me"

> iif="rl0"
> inwr="10.0.0.0/8"
> iip="10.0.0.1"

> # ISPs name servers
> ns1="204.127.198.4"
> ns2="216.148.227.68"

> # zoneedit name servers
> ns3="207.228.252.107"
> ns4="64.246.26.64"

> $fwcmd -q flush

> $fwcmd add allow all from any to any via lo0
> $fwcmd add deny ip from any to 127.0.0.0/8

> $fwcmd add divert natd all from any to any via $oif

> $fwcmd add allow icmp from any to any icmptypes 3,4,11,12

> $fwcmd add allow udp from $ns1 53 to any in via $oif
> $fwcmd add allow udp from $ns2 53 to any in via $oif
> $fwcmd add allow udp from $ns3 to any in via $oif
> $fwcmd add allow udp from any to any out

> $fwcmd add check-state

> $fwcmd add allow tcp from any to any
> 22,25,80,110,443,5901,5902,6346,22002,22003,22010 setup via $oif
keep-state

> $fwcmd add allow ip from $oip to any keep-state out via $oif

> $fwcmd add allow ip from $inwr to any keep-state via $iif

> $fwcmd add 65435 deny log ip from any to any

> --
> Best Regards,

> Joshua Lokken
> OMIC Portland Branch

> 503 807 6538

with your natd.conf and rc.conf in mind I put in a shell script the
following lines:
---------------script----------------------------------
/sbin/ipfw add divert natd all from any to any via ed1
/sbin/ipwf add pass all from any to any
---------------script----------------------------------

---------------rc.conf----------------------------------
defaultrouter=""  #gateway from your ISP
natd_flags="-m -s -f /etc/natd.conf
sysctrl -w net.inet.ip.forwarding=1
---------------rc.conf----------------------------------

for defaultrouter in rc.conf is wise IMHO

Greetz
$$Victor