ipnat and rdr

ipnat and rdr

Post by Emmanuel Dreyf » Tue, 03 Oct 2000 04:00:00



Hi!

I can't find in the documentation if the rdr statement redirects packets
depending on source addresses or destination addresses. All examples are
used with 0.0.0.0/0, without more explanation.

And does it work for tcp, udp or both?

--
Emmanuel Dreyfus

 
 
 

ipnat and rdr

Post by A farmer using BSD, eh » Tue, 03 Oct 2000 04:00:00



> Hi!

> I can't find in the documentation if the rdr statement redirects packets
> depending on source addresses or destination addresses. All examples are
> used with 0.0.0.0/0, without more explanation.

> And does it work for tcp, udp or both?

Alors, 0/0 is to use any existing external ip in the NAT box.  You can
do either 0/0 or YourExternalIP/32.  Hope your question has been
answered.

Below is taken from faq 6.3.2  Links down there point to extensive
explanations.

Redirecting Traffic

   At times you may need to redirect incoming or outgoing traffic for a
   certain protocol or port. A good example of this is if there were a
   server residing inside the LAN running a web server. Incoming
   connections to your valid Internet IP will find that unless your NAT
   box is running a web server, no connection can be made. For this
   purpose we use the NAT 'rdr' directive in the rules file to instruct
   where to redirect (or route) a particular connection to.

   For our example, lets say a web server resides on the LAN with IP
   address of 192.168.1.80. The NAT rules file needs a new directive to
   handle this. Add a line similar to the following one to your
   ipnat.conf:
rdr pn0 24.5.0.5/32 port 80 -> 192.168.1.80 port 80

   The reason for each line is this:
   "rdr"
       This is the command you are giving ipnat. It is telling ipnat that
       this entry is an entry to redirect a connection.

   "pn0"
       This is the network interface that is connected to the Internet.

   "24.5.0.5/32"
       This means an incoming connection to this IP address (only on pn0,
       as above)

   "port 80"
       This is the port (80) that should be redirected. The number "80"
       didn't have to be used. You can use "port www" also to specify a
       redirection of port 80. If you would like to use a name instead of
       a number, the service name and corresponding port must exist in
       the file /etc/services.

   "192.168.1.80"
       The IP address and netmask of the LAN machine which the packets
       are redirected to. The netmask is always "/32" (and therefore not
       needed to be specified) so the packets can be redirected to a
       particular machine.

   When the addition is complete reload the NAT rules, and the
   redirection will start immediately.

   NAT versus Proxy

   The difference between NAT and an application-based proxy is that the
   proxy software acts as a middle-man between the Internet and the
   machines connected on the LAN. This is fine, however each application
   you want to run on your machine and connect to the Internet through
   the proxy server MUST be proxy-aware (be able to use a proxy server).
   Not all applications are able to do this (especially games).
   Furthermore, there simply are not proxy server applications for all of
   the Internet services out there. NAT transparently maps your internal
   network so that it may connect to the Internet. The only security
   advantage to using a proxy software over NAT is that the proxy
   software may have been made security aware, and can filter based on
   content, to keep your Windows machine from getting a macro virus, it
   can protect against buffer overflows to your client software, and
   more. To maintain these filters is often a high-maintenance job.

   6.3.4 Links and X-References

   OpenBSD files:
     * /etc/ipnat.rules - NAT rules file
     * /etc/rc.conf - need to edit to start up ipnat and ipf at boot time
     * /etc/sysctl.conf - need to edit to enable IP forwarding
     * /usr/share/ipf/nat.1 - samples of ipnat.rules

   NAT Internet Links:
     * [61]http://www.openbsd.org/cgi-bin/man.cgi?query=ipnat&sektion=8
     * [62]Man page showing correct ipnat.rules syntax
     * [63]http://coombs.anu.edu.au/~avalon/
     * [64]http://www.geektools.com/rfc/rfc1631.txt

 
 
 

ipnat and rdr

Post by Emmanuel Dreyf » Wed, 04 Oct 2000 04:00:00



>    At times you may need to redirect incoming or outgoing traffic for a
>    certain protocol or port. A good example of this is if there were a
>    server residing inside the LAN running a web server.
> rdr pn0 24.5.0.5/32 port 80 -> 192.168.1.80 port 80

Ok, that partially answers my question. I now know I can redirect to
an inside box an incoming TCP packet. What about UDP? Does rdr redirect
TCP, or TCP and UDP? Is there a way to redirect only UDP?

--
Emmanuel Dreyfus

 
 
 

ipnat and rdr

Post by Loic Tort » Wed, 04 Oct 2000 04:00:00



[...]

> Ok, that partially answer to my question. I now know I can redirect to
> an inside box an incoming TCP packet. What about UDP? Does rdr redirect
> TCP, or TCP and UDP? Is there a way to redirect only UDP?

Redirection can work with both TCP and UDP.
Default is TCP, you just have to add "udp" at the end of your rule to
support UDP only (add "tcp/udp" for both protocols at the same time),
as in:
 rdr pn0 24.5.0.5/32 port 80 -> 192.168.1.80 port 80 udp

If you want your rules to be more readable, you can also append "tcp"
to your rules to support TCP only, instead of relying on the default
behaviour.

Loïc.
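To make concrete what the FAQ excerpt and the reply above describe, here is a small Python model, added as an example and not IPFilter's or the thread's own code. It parses the rdr syntax shown in the thread and applies it to constructed packets, and it assumes exactly the semantics the thread states: the address and port before "->" are compared against the incoming packet's destination on the named interface (the source is never consulted), the protocol defaults to tcp, and "udp" or "tcp/udp" selects the others. The SERVICES table is a constructed stand-in for /etc/services, and every packet and address below is constructed.

```python
"""Toy model of an ipnat 'rdr' rule (added illustration, not IPFilter code).

Rule form handled, as shown in the thread:
    rdr <iface> <addr>/<mask> port <port> -> <addr> port <port> [tcp|udp|tcp/udp]
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for /etc/services, so "port www" resolves like "port 80".
SERVICES = {"www": 80, "http": 80, "domain": 53, "smtp": 25}


def _port(token):
    """Numeric port, or a service name looked up in the stand-in table."""
    return int(token) if token.isdigit() else SERVICES[token]


@dataclass(frozen=True)
class RdrRule:
    iface: str                          # interface the packet arrives on
    match_net: ipaddress.IPv4Network    # required packet *destination*
    match_port: int                     # required destination port
    new_ip: ipaddress.IPv4Address       # inside host to rewrite to
    new_port: int
    protos: frozenset                   # {"tcp"}, {"udp"} or {"tcp", "udp"}

    def matches(self, pkt):
        """pkt: dict with iface, proto, src, dst, dport. src is never consulted."""
        return (pkt["iface"] == self.iface
                and pkt["proto"] in self.protos
                and ipaddress.IPv4Address(pkt["dst"]) in self.match_net
                and pkt["dport"] == self.match_port)

    def apply(self, pkt):
        """Return the packet with its destination rewritten if the rule matches."""
        if not self.matches(pkt):
            return pkt
        return {**pkt, "dst": str(self.new_ip), "dport": self.new_port}


def parse_rdr(line):
    """Parse one rdr line of the form shown above into an RdrRule."""
    toks = line.split()
    if (len(toks) not in (9, 10) or toks[0] != "rdr" or toks[3] != "port"
            or toks[5] != "->" or toks[7] != "port"):
        raise ValueError("unsupported rdr syntax: " + line)
    proto = toks[9] if len(toks) == 10 else "tcp"   # thread: default is tcp
    if proto not in ("tcp", "udp", "tcp/udp"):
        raise ValueError("unknown protocol spec: " + proto)
    return RdrRule(
        iface=toks[1],
        match_net=ipaddress.IPv4Network(toks[2], strict=False),
        match_port=_port(toks[4]),
        new_ip=ipaddress.IPv4Address(toks[6]),
        new_port=_port(toks[8]),
        protos=frozenset(proto.split("/")),
    )


def demo():
    """Apply the thread's web-server rule to constructed packets and return
    the resulting destination of each, so the behaviour can be checked."""
    rule = parse_rdr("rdr pn0 24.5.0.5/32 port 80 -> 192.168.1.80 port 80")
    base = {"iface": "pn0", "proto": "tcp", "src": "203.0.113.9",
            "dst": "24.5.0.5", "dport": 80}               # constructed packet
    return {
        "tcp_to_external": rule.apply(base)["dst"],
        "udp_to_external": rule.apply({**base, "proto": "udp"})["dst"],
        # source is 24.5.0.5 but destination is not: the rule must not fire
        "from_external": rule.apply({**base, "src": "24.5.0.5",
                                     "dst": "198.51.100.7"})["dst"],
        "other_iface": rule.apply({**base, "iface": "le0"})["dst"],
    }


if __name__ == "__main__":
    for name, dst in demo().items():
        print(f"{name:>16}: -> {dst}")
```

Running it shows only the TCP packet addressed to 24.5.0.5:80 on pn0 being rewritten to 192.168.1.80; the UDP packet is left alone because no protocol was given, and a packet merely coming from 24.5.0.5 is untouched, which is the answer to the original question about source versus destination.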

 
 
 

ipnat and rdr

Post by Emmanuel Dreyf » Wed, 04 Oct 2000 04:00:00



> Redirection can work with both TCP and UDP.
> Default is TCP, you just have to add "udp" at the end of your rule to
> support UDP only (add "tcp/udp" for both protocols at the same time),
> as in:
>  rdr pn0 24.5.0.5/32 port 80 -> 192.168.1.80 port 80 udp

Thanks! Was that information in the documentation anywhere? (I mean: how
did you know that?)

--
Emmanuel Dreyfus

 
 
 

ipnat and rdr

Post by Loic Tort » Wed, 04 Oct 2000 04:00:00



[...]

> Thanks! Was that information in the documentation anywhere? (I mean: how
> did you know that?)

I read the source? ;-)

You can find lots of information in the IPFilter Howto (available at
<URL:http://www.obfuscation.org/ipf/>), there is also a BNF grammar in
ipnat(5) man page.

Loïc.

 
 
 

ipnat and rdr

Post by A farmer using BSD, eh » Wed, 04 Oct 2000 04:00:00




> >    At times you may need to redirect incoming or outgoing traffic for a
> >    certain protocol or port. A good example of this is if there were a
> >    server residing inside the LAN running a web server.

> > rdr pn0 24.5.0.5/32 port 80 -> 192.168.1.80 port 80

> Ok, that partially answer to my question. I now know I can redirect to
> an inside box an incoming TCP packet. What about UDP? Does rdr redirect
> TCP, or TCP and UDP? Is there a way to redirect only UDP?

Yes.  Please see IP Filter home at www.obfuscation.org/ipf/ for detailed
explanations.

Just out of curiosity, what sorts of UDP packets you'd like to rdr
in/out private LANs?

Here we only allow dns udp out but generic mapping is enough to handle.
Rdr is not needed.
Related ipf rules are as below:
pass out quick on YourExternalNIC proto udp from any to any port = 53 keep state
block in quick on YourExternalNIC proto udp from any to any

--
Don't login as root, use sudo
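The point made in the reply above, that outbound DNS needs only "keep state" plus generic mapping and no rdr, can be seen by modelling the two ipf rules it quotes. The following Python is an added illustration, not IPFilter's code. It assumes a simplified ipf evaluation order (an existing state entry admits the packet before any rule is consulted; otherwise rules are scanned in order, the last match wins, "quick" ends the scan, and a packet matching no rule passes), uses "ext0" in place of YourExternalNIC, shows addresses before NAT mapping, and all packets and addresses are constructed.

```python
"""Toy model of the two ipf rules quoted in the thread (added illustration,
not IPFilter code).  Simplified evaluation order assumed here: an existing
state entry admits the packet before any rule is consulted; otherwise rules
are scanned in order, the last match wins, 'quick' stops the scan, and a
packet matching no rule passes.  Addresses are shown before NAT mapping."""

# The thread's rules, with 'ext0' standing in for YourExternalNIC.
RULES_TEXT = [
    "pass out quick on ext0 proto udp from any to any port = 53 keep state",
    "block in quick on ext0 proto udp from any to any",
]


def parse_rule(line):
    """Parse the subset of ipf syntax used on this page into a dict."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False, "iface": None,
            "proto": None, "dport": None, "keep_state": False}
    i = 1
    if toks[i] == "return-rst":          # option seen later on the page
        rule["action"] = "block return-rst"
        i += 1
    rule["dir"] = toks[i]
    i += 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
            i += 1
        elif t == "log":
            i += 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):       # only 'any' is supported in this toy
            i += 2
        elif t == "port":               # 'port = N' on the destination side
            rule["dport"] = int(toks[i + 2])
            i += 3
        elif t == "keep" and toks[i + 1] == "state":
            rule["keep_state"] = True
            i += 2
        else:
            raise ValueError("unsupported token %r in: %s" % (t, line))
    return rule


def evaluate(rules, pkt, state):
    """Return 'pass' or 'block' for pkt and update the state set in place.

    pkt: dict with dir, iface, proto, src, sport, dst, dport.
    """
    fwd = (pkt["proto"], pkt["iface"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["proto"], pkt["iface"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if fwd in state or rev in state:
        return "pass"                  # reply to a session admitted earlier
    verdict = "pass"                   # nothing matched: ipf passes by default
    for r in rules:
        if (r["dir"] != pkt["dir"]
                or r["iface"] not in (None, pkt["iface"])
                or r["proto"] not in (None, pkt["proto"])
                or r["dport"] not in (None, pkt["dport"])):
            continue
        verdict = r["action"]
        if r["keep_state"] and verdict == "pass":
            state.add(fwd)             # remember the session for its replies
        if r["quick"]:
            break
    return verdict


def dns_scenario():
    """Constructed traffic: an outbound query, its reply, and an unsolicited
    inbound UDP packet to port 53.  Returns the three verdicts in that order."""
    rules = [parse_rule(line) for line in RULES_TEXT]
    state = set()
    query = {"dir": "out", "iface": "ext0", "proto": "udp",
             "src": "192.168.1.5", "sport": 4242, "dst": "198.51.100.53", "dport": 53}
    reply = {"dir": "in", "iface": "ext0", "proto": "udp",
             "src": "198.51.100.53", "sport": 53, "dst": "192.168.1.5", "dport": 4242}
    unsolicited = {"dir": "in", "iface": "ext0", "proto": "udp",
                   "src": "203.0.113.9", "sport": 53, "dst": "192.168.1.5", "dport": 53}
    return [evaluate(rules, p, state) for p in (query, reply, unsolicited)]


if __name__ == "__main__":
    print(dns_scenario())   # ['pass', 'pass', 'block']
```

The reply gets in only because the outbound query left a state entry; the unsolicited packet hits the "block in quick" rule, which is why a redirect for inbound UDP/53 is unnecessary when the LAN only makes outbound queries.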

 
 
 

ipnat and rdr

Post by Emmanuel Dreyf » Wed, 04 Oct 2000 04:00:00



> Just out of curiosity, what sorts of UDP packets you'd like to rdr
> in/out private LANs?

DNS.

--
Emmanuel Dreyfus

 
 
 

ipfilter block return-rst and ipnat rdr

I have a problem
In my LAN there are a few computers. OpenBSD 2.9 is the main router. All
computers are NAT'ed. One of them contains a server for something. I used
ipnat to assign a port for redirections:

rdr tun0 0.0.0.0/0 port 10200 -> 192.168.2.6 port 10200 tcp/udp

For security reasons I used ipf to block a few ports:

# netbios
block return-rst in log quick on tun0 proto tcp from any to any port = 139
# sunrpc
block return-rst in log quick on tun0 proto tcp from any to any port = 111

I used the return-rst option for maximum security (without it the port is
still visible to most port scanners).
I wanted also to block that redirected port:

block return-rst in log quick on tun0 proto tcp from any to any port = 10200

but the return-rst doesn't work here.

Any ideas? Is it possible to make it work as I described?

sincerely
Lukasz Biegaj
