Date: Sat, 22 Jan 2000 15:05:31 +0200
From: Michael Bartlett <cataract@eye2eye.net>
To: "'questions@freebsd.org'" <questions@freebsd.org>
Subject: FW: internet gateway setup using NATD
Message-ID: <F16C1C3F6AB8D311998F00C0DF266AE7E21E@OPTIC>
Thought I'd throw this @ the list as well...

-----Original Message-----
From: Michael Bartlett
Sent: Saturday, January 22, 2000 2:56 PM
To: 'Burke Gallagher'
Subject: RE: internet gateway setup using NATD

Hey Burke,

Sorry to bug you again, but I'm having another problem and it could be related to what you told me to do and could also prove interesting...

On one of my other boxes I run this script in /usr/local/etc/rc.d

/sbin/natd -n fxp0 -redirect_port tcp 196.38.133.194:110 196.38.133.198:80
/sbin/ipfw add divert natd all from any to any via fxp0

If you are confused, the reason is that we needed to get around a firewall problem (one of our consultants' other company closed 110 access on their firewall - this way he can pick up his mail from us with port 80!! ;) ).

Anyway, I tried the identical thing on my box with your settings and take a look...

[eyeland] # /sbin/natd -n rl0 -redirect_port tcp 196.31.83.226:25 196.31.83.227:80
[eyeland] # telnet 196.31.83.227 80
Trying 196.31.83.227...
telnet: Unable to connect to remote host: Connection refused

Now the .227 IP is an alias on rl0, so it should just be passed along the same NIC and have no problems. I also tried the destination being on rl1 (192.168.62.150:25), which is an SMTP server on my local network, and that didn't work either.

Any thoughts?

Cheers

Mike

-----Original Message-----
From: Burke Gallagher [mailto:burke@gallagher.chicago.il.us]
Sent: Wednesday, January 19, 2000 5:29 AM
To: Michael Bartlett
Subject: Re: internet gateway setup using NATD

Mike,

you are sooo close.

1. Network is basically on a 192.168.62.0 class. I've got a cisco router (196.31.83.225) plugged straight into the BSD box (196.31.83.226) on rl0 and the BSD box is plugged into the server hub on rl1 (192.168.62.1).

   INTERNET          CISCO                BSD GATEWAY                       LOCAL NET
                  +------------------------------------------------+
   196.31.83.225 ------| 196.31.83.226 (rl0)      (rl1) 192.168.62.1 | -------------- 192.168.62.xxx
                  +------------------------------------------------+

2. Let's simplify the rc.conf file a little (sysinstall is nice but not too friendly to the rc.* files). Nothing has really changed here, just easier to read and find like items.

---------- rc.conf --------------------------------------------
hostname="eyeland.eye2eye.net"

network_interfaces="rl0 rl1 lo0"
ifconfig_rl0="inet 196.31.83.226 netmask 255.255.255.224"
ifconfig_rl1="inet 192.168.62.1 netmask 255.255.255.0"

defaultrouter="196.31.83.225"

gateway_enable="YES"

natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

firewall_enable="YES"
firewall_type="open"
---------- end rc.conf -----------------------------------------

3. agreed on the no firewall at start (I always debug with the firewall open)
rename /etc/rc.firewall to rc.firewall.orig and let's build a new one

---------- rc.firewall -------------------------------------------
/sbin/ipfw -f flush

/sbin/ipfw add 1000 pass all from any to any via lo0
/sbin/ipfw add 1100 deny all from 127.0.0.0/8 to 127.0.0.0/8

/sbin/ipfw add 1500 divert natd all from any to any via rl0
/sbin/ipfw add 65000 pass all from any to any
---------- end rc.firewall ---------------------------------------

   At the moment I've renamed rc.firewall to rc.firewall.bak because I thought
   it was causing a problem. What's happening at the moment is when I come out
   of a boot, I can't ping the box or anything as it's so firewalled it's scary!
   I can't even ping other machines on the box console as it tells me Access
   Denied or something along those lines. So I renamed rc.firewall as I thought
   it could be causing the problem, but it doesn't look like it is.
   Footnote here, when I come out of the reboot I have to execute the following
   for the machine to be "unfirewalled":
   /sbin/ipfw -f flush
                                             <=== you need the lo0 interface lines here
   /sbin/ipfw add divert natd all from any to any via ed0   <=== problem: should be rl0 not ed0 (name of natd interface)
   /sbin/ipfw add pass all from any to any

4. the /etc/natd.conf file is fine

interface rl0
use_sockets yes
same_ports yes
dynamic yes          <=== this is not required but should not hurt.

Set up the rc.conf and rc.firewall files on your gateway then reboot (23 years of microsoft is showing).
log on to your gateway and you should be able to surf the internet and your local net (try pinging hosts on both net interfaces)
now try to log on to one of your local hosts
   ping local interface (this is a given)
   ping 192.168.62.1 (if this does not work, you said it did but always check, then you have a local net problem)
   ping 196.31.83.226 (outbound side on gateway)
   ping 196.31.83.225 (the cisco)
   ping your ISP's DNS servers
   ping www.yourprovider.com

let me know if this has helped. I will be editing and rewriting up a tutorial on IPFW/NATD shortly and will send you the URL. I would appreciate it if you would send me your comments.
burke
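As an added example (not from the thread, nor FreeBSD's own code), a small sh check that inspects rc.conf and rc.firewall text for the two problems Burke's annotations point at: the interface in the "divert natd" rule must match natd_interface (ed0 versus rl0, otherwise natd never sees the packets), and a "pass ... via lo0" rule must come before the divert. The rc.conf fragment and rule sets are constructed inline from values in the thread; the helper names are mine.

```shell
# Added example, not from the thread: it only parses constructed rc.conf and
# rc.firewall text for the two defects Burke annotated; no ipfw is touched.

# Constructed rc.conf fragment, values as in Burke's reply.
RC_CONF='natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"'

# Burke's proposed rc.firewall: lo0 pass rule first, divert on rl0.
RULES_GOOD='/sbin/ipfw -f flush
/sbin/ipfw add 1000 pass all from any to any via lo0
/sbin/ipfw add 1100 deny all from 127.0.0.0/8 to 127.0.0.0/8
/sbin/ipfw add 1500 divert natd all from any to any via rl0
/sbin/ipfw add 65000 pass all from any to any'

# Mike's post-boot commands: no lo0 rule, and the divert names ed0 instead of rl0.
RULES_BAD='/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any'

# rc_value CONF VAR: print the double-quoted value of VAR from rc.conf text.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# divert_iface RULES: print the interface after "via" in the "divert natd" rule.
divert_iface() {
    printf '%s\n' "$1" | sed -n 's/.*divert natd .* via \([a-z0-9]*\).*/\1/p' | head -n 1
}

# lo0_before_divert RULES: succeed only if a "pass ... via lo0" rule precedes the divert.
lo0_before_divert() {
    printf '%s\n' "$1" | awk '/ pass .* via lo0/ { seen = 1 } /divert natd/ { exit (seen ? 0 : 1) }'
}

# check_natd_rules CONF RULES: 0 consistent, 1 no divert rule, 2 interface mismatch
# (natd never sees the packets), 3 no lo0 rule ahead of the divert.
check_natd_rules() {
    iface=$(rc_value "$1" natd_interface)
    via=$(divert_iface "$2")
    if [ -z "$via" ]; then
        echo "no 'divert natd' rule found" >&2; return 1
    fi
    if [ "$via" != "$iface" ]; then
        echo "divert rule is via $via but natd_interface is $iface" >&2; return 2
    fi
    if ! lo0_before_divert "$2"; then
        echo "no 'pass ... via lo0' rule ahead of the divert rule" >&2; return 3
    fi
}
```

Run it as `check_natd_rules "$RC_CONF" "$RULES_BAD"` to see the ed0/rl0 mismatch reported, or point the same functions at `cat /etc/rc.conf` and `cat /etc/rc.firewall` output on a real box.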