From: Michael Bartlett
To: "'questions@freebsd.org'"
Subject: FW: internet gateway setup using NATD
Date: Sat, 22 Jan 2000 15:02:51 +0200
Sender: owner-freebsd-questions@FreeBSD.ORG

Thought I'd throw this @ the list as well...

-----Original Message-----
From: Michael Bartlett
Sent: Saturday, January 22, 2000 2:56 PM
To: 'Burke Gallagher'
Subject: RE: internet gateway setup using NATD

Hey Burke,

Sorry to bug you again, but I'm having another problem and it could be related to what you told me to do and could also prove interesting...

On one of my other boxes I run this script in /usr/local/etc/rc.d:

/sbin/natd -n fxp0 -redirect_port tcp 196.38.133.194:110 196.38.133.198:80
/sbin/ipfw add divert natd all from any to any via fxp0

If you are confused, the reason is that we needed to get around a firewall problem (one of our consultants' other company closed 110 access on their firewall - this way he can pick up his mail from us with port 80!! ;) ).

Anyway, I tried the identical thing on my box with your settings and take a look...

[eyeland] # /sbin/natd -n rl0 -redirect_port tcp 196.31.83.226:25 196.31.83.227:80
[eyeland] # telnet 196.31.83.227 80
Trying 196.31.83.227...
telnet: Unable to connect to remote host: Connection refused

Now the .227 IP is an alias on rl0, so it should just be passed along the same NIC and have no problems. I also tried the destination being on rl1 (192.168.62.150:25), which is an SMTP server on my local network, and that didn't work either.

Any thoughts?

Cheers

Mike

-----Original Message-----
From: Burke Gallagher [mailto:burke@gallagher.chicago.il.us]
Sent: Wednesday, January 19, 2000 5:29 AM
To: Michael Bartlett
Subject: Re: internet gateway setup using NATD

Mike, you are sooo close.

1. Network is basically on a 192.168.62.0 class. I've got a cisco router (196.31.83.225) plugged straight into the BSD box (196.31.83.226) on rl0 and the BSD box is plugged into the server hub on rl1 (192.168.62.1).

INTERNET        CISCO                  BSD GATEWAY                                  LOCAL NET

                              +------------------------------------------------+
                196.31.83.225 ------| 196.31.83.226 (rl0)     (rl1) 192.168.62.1 | -------------- 192.168.62.xxx
                              +------------------------------------------------+

2. Let's simplify the rc.conf file a little (sysinstall is nice but not too friendly to the rc.* files). Nothing has really changed here, just easier to read and find like items.

---------- rc.conf --------------------------------------------
hostname="eyeland.eye2eye.net"

network_interfaces="rl0 rl1 lo0"
ifconfig_rl0="inet 196.31.83.226  netmask 255.255.255.224"
ifconfig_rl1="inet 192.168.62.1  netmask 255.255.255.0"

defaultrouter="196.31.83.225"

gateway_enable="YES"

natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

firewall_enable="YES"
firewall_type="open"
---------- end rc.conf -----------------------------------------

3. Agreed on the no firewall at start (I always debug with the firewall open). Rename /etc/rc.firewall to rc.firewall.orig and let's build a new one.

---------- rc.firewall -------------------------------------------
/sbin/ipfw -f flush

/sbin/ipfw add 1000 pass all from any to any via lo0
/sbin/ipfw add 1100 deny all from 127.0.0.0/8 to 127.0.0.0/8

/sbin/ipfw add 1500 divert natd all from any to any via rl0
/sbin/ipfw add 65000 pass all from any to any
---------- end rc.firewall ---------------------------------------

At the moment I've renamed rc.firewall to rc.firewall.bak because I thought it was causing a problem. What's happening at the moment is when I come out of a boot, I can't ping the box or anything as it's so firewalled it's scary! I can't even ping other machines on the box console as it tells me Access Denied or something along those lines. So I renamed rc.firewall as I thought it could be causing the problem, but it doesn't look like it is.

Footnote here, when I come out of the reboot I have to execute the following for the machine to be "unfirewalled":

/sbin/ipfw -f flush
                                                        <=== you need the lo0 interface lines here
/sbin/ipfw add divert natd all from any to any via ed0  <=== problem: should be rl0 not ed0 (name of natd interface)
/sbin/ipfw add pass all from any to any

4. The /etc/natd.conf file is fine.

interface rl0
use_sockets yes
same_ports yes
dynamic yes     <=== this is not required but should not hurt.

Set up the rc.conf and rc.firewall files on your gateway, then reboot (23 years of Microsoft is showing).

Log on to your gateway and you should be able to surf the internet and your local net (try pinging hosts on both net interfaces). Now try to log on to one of your local hosts:

    ping local interface (this is a given)
    ping 192.168.62.1 (if this does not work, you said it did but always check, then you have a local net problem)
    ping 196.31.83.226 (outbound side on gateway)
    ping 196.31.83.225 (the cisco)
    ping your ISP's DNS servers
    ping www.yourprovider.com

Let me know if this has helped. I will be editing and writing up a tutorial on IPFW/NATD shortly and will send you the URL. I would appreciate it if you would send me your comments.

burke


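A consistency check for the ipfw/natd combination discussed in the thread, added here as an illustration and not part of either mail: it reads rc.conf-style settings and an rc.firewall ruleset and flags the two things Burke points out in his annotations (a divert rule on ed0 while natd_interface is rl0, and no lo0 pass rule ahead of the divert). The sample rc.conf and the two rulesets are constructed from the values quoted in the thread.

```python
import re

# Constructed inputs modelled on the thread: Burke's rc.conf natd settings, the
# ipfw commands Mike types after a reboot (divert on ed0, no lo0 rule), and
# Burke's proposed rc.firewall.
RC_CONF = 'natd_enable="YES"\nnatd_interface="rl0"\nnatd_flags="-f /etc/natd.conf"\n'

BROKEN_RULES = """/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
"""

FIXED_RULES = """/sbin/ipfw -f flush
/sbin/ipfw add 1000 pass all from any to any via lo0
/sbin/ipfw add 1100 deny all from 127.0.0.0/8 to 127.0.0.0/8
/sbin/ipfw add 1500 divert natd all from any to any via rl0
/sbin/ipfw add 65000 pass all from any to any
"""

# "/sbin/ipfw add [number] <rule body>"; the optional rule number is dropped.
RULE_RE = re.compile(r'^/sbin/ipfw\s+add\s+(?:\d+\s+)?(.*)$')


def rc_conf_value(rc_conf, key):
    """Return the quoted value of key in rc.conf-style text, or None if unset."""
    m = re.search(r'^\s*%s="([^"]*)"' % re.escape(key), rc_conf, re.M)
    return m.group(1) if m else None


def audit_rules(rc_conf, rc_firewall):
    """Cross-check rc.conf's natd settings against an rc.firewall ruleset.

    Returns a list of findings; an empty list means the two files agree.
    """
    findings = []
    natd_if = rc_conf_value(rc_conf, "natd_interface")
    # Rule bodies in the order ipfw evaluates them.
    rules = [m.group(1) for m in (RULE_RE.match(l.strip()) for l in rc_firewall.splitlines()) if m]
    divert_idx = next((i for i, r in enumerate(rules) if r.startswith("divert natd")), None)
    lo0_idx = next((i for i, r in enumerate(rules)
                    if r.startswith("pass") and r.endswith("via lo0")), None)

    if rc_conf_value(rc_conf, "natd_enable") == "YES" and divert_idx is None:
        findings.append("natd_enable is YES but no 'divert natd' rule exists")
    if divert_idx is not None:
        # The divert must sit on the interface natd is actually bound to.
        via = re.search(r'\bvia\s+(\S+)', rules[divert_idx])
        via_if = via.group(1) if via else "<none>"
        if via_if != natd_if:
            findings.append("divert rule is on %s but natd_interface is %s" % (via_if, natd_if))
    # Burke's ruleset passes loopback traffic before the divert; flag rulesets that don't.
    if lo0_idx is None or (divert_idx is not None and lo0_idx > divert_idx):
        findings.append("no 'pass ... via lo0' rule ahead of the natd divert")
    return findings
```

Running `audit_rules(RC_CONF, BROKEN_RULES)` reports both problems, while the proposed rc.firewall passes cleanly.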
