Date: Wed, 19 Sep 2001 14:22:16 -0700 (PDT)
From: Dylan Carlson <damage_z@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: natd issues...
Message-ID: <20010919212216.18508.qmail@web10402.mail.yahoo.com>
Hello,

I'll throw in $20 or so via PayPal for anyone who takes the time to help me with this. I'm feeling dense today and it's probably something simple.

I have a new box on 4.4-RC3 set to be a simple firewall doing NAT on a /26 netblock. The kernel has been rebuilt with IPFIREWALL and DIVERT, etc.

* I want it to statically translate everything I have defined in /etc/natd.cf (see below)
* I want it to hide all other internal addresses out the external interface IP.

Everything to the outside world works from the firewall, but anything inside the network can't translate out, and I can't get incoming connections in. natd doesn't report any problems in the logs, or when I run it in verbose mode.

Basically, the one service I want to have open at this point is ssh. The rule is there, but natd isn't working. Configs are below.

TIA,

----- /etc/rc.conf

defaultrouter="65.55.55.65"
hostname="skylab"
ifconfig_fxp0="inet 192.168.100.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 65.55.55.66 netmask 255.255.255.192"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
sshd_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/fw.conf"
natd_enable="YES"
natd_interface="fxp1"
natd_flags="-f /etc/natd.cf"

------- /etc/natd.cf

port 8668
interface fxp1
log yes
log_denied yes
redirect_address 192.168.100.5 65.55.55.67
redirect_address 192.168.100.20 65.55.55.69
redirect_address 192.168.100.21 65.55.55.71
redirect_address 192.168.100.25 65.55.55.73
redirect_address 192.168.100.30 65.55.55.68
redirect_address 192.168.100.35 65.55.55.72
redirect_address 192.168.100.40 65.55.55.74
redirect_address 192.168.100.42 65.55.55.70

------- /etc/fw.conf

fwcmd="/sbin/ipfw"
${fwcmd} -f flush

oif="fxp1"
onet="65.55.55.0"
omask="255.255.255.192"
oip="65.55.55.66"

iif="fxp0"
inet="192.168.100.0"
imask="255.255.255.0"
iip="192.168.100.1"

${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

${fwcmd} add divert natd all from any to any via fxp1

${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

${fwcmd} add pass tcp from any to any established
${fwcmd} add pass all from any to any frag

${fwcmd} add pass tcp from any to ${oip} 25 setup
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
#${fwcmd} add pass tcp from any to ${oip} 80 setup

# Allow SSH everywhere
${fwcmd} add pass tcp from any to any 22 setup

${fwcmd} add pass tcp from any to any setup

${fwcmd} add pass udp from ${oip} to any 53 keep-state
${fwcmd} add pass udp from ${oip} to any 123 keep-state

${fwcmd} add deny log tcp from any to any in via ${oif} setup
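The following is an added example, not part of the original post and not FreeBSD's own code: a small Python model of ipfw's first-match rule search and of natd's static `redirect_address` mapping, used to trace which rule a given packet ends up on in a ruleset shaped like the one posted above. It assumes the rules load exactly as written (the shell variables of fw.conf are expanded by hand, and only a subset of the rules and two of the redirect entries are reproduced), models only the static part of natd (no dynamic translation table), and uses constructed packets with documentation addresses.

```python
# Added example (not from the original post): first-match walk through a simplified ipfw/natd ruleset.
import ipaddress

EXTERNAL_IF = "fxp1"
EXTERNAL_IP = ipaddress.ip_address("65.55.55.66")

# Two of the static translations from the posted natd.cf (internal -> public).
REDIRECTS = {
    ipaddress.ip_address("192.168.100.5"): ipaddress.ip_address("65.55.55.67"),
    ipaddress.ip_address("192.168.100.20"): ipaddress.ip_address("65.55.55.69"),
}
REVERSE = {pub: priv for priv, pub in REDIRECTS.items()}

# Constructed subset of the posted fw.conf, same order, shell variables expanded by hand.
RULESET = """
deny all from 192.168.100.0:255.255.255.0 to any in via fxp1
deny all from any to 192.168.0.0/16 via fxp1
divert natd all from any to any via fxp1
deny all from 192.168.0.0/16 to any via fxp1
pass tcp from any to any established
pass tcp from any to 65.55.55.66 25 setup
pass tcp from any to any 22 setup
pass tcp from any to any setup
deny log tcp from any to any in via fxp1 setup
"""

def parse_addr(tok):
    """'any' -> None (wildcard); 'net:mask' or CIDR -> ip_network."""
    if tok == "any":
        return None
    return ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_rule(line):
    """Parse the subset of ipfw syntax used above into a dict."""
    t = line.split()
    rule = {"action": t.pop(0), "dir": None, "via": None,
            "setup": False, "established": False}
    if t[0] == "log":
        t.pop(0)
    if rule["action"] == "divert":
        rule["target"] = t.pop(0)
    rule["proto"] = t.pop(0)
    t.pop(0)                                    # 'from'
    rule["src"] = parse_addr(t.pop(0))
    t.pop(0)                                    # 'to'
    rule["dst"] = parse_addr(t.pop(0))
    rule["dport"] = int(t.pop(0)) if t and t[0].isdigit() else None
    while t:
        opt = t.pop(0)
        if opt in ("in", "out"):
            rule["dir"] = opt
        elif opt == "via":                      # 'via' matches in or out on that interface
            rule["via"] = t.pop(0)
        elif opt in ("setup", "established"):
            rule[opt] = True
    return rule

def matches(rule, pkt):
    return (rule["proto"] in ("all", "ip", pkt["proto"])
            and (rule["src"] is None or pkt["src"] in rule["src"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["dport"] is None or pkt["dport"] == rule["dport"])
            and (rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["via"] is None or rule["via"] == pkt["iface"])
            and (not rule["setup"] or (pkt["syn"] and not pkt["ack"]))
            and (not rule["established"] or pkt["ack"]))

def natd(pkt):
    """Static part of natd: rewrite the address on the external interface."""
    if pkt["iface"] != EXTERNAL_IF:
        return pkt
    pkt = dict(pkt)
    if pkt["dir"] == "in" and pkt["dst"] in REVERSE:
        pkt["dst"] = REVERSE[pkt["dst"]]        # inbound redirect_address
    elif pkt["dir"] == "out":
        pkt["src"] = REDIRECTS.get(pkt["src"], EXTERNAL_IP)  # else hide behind the external IP
    return pkt

def walk(ruleset, pkt):
    """Return (rule number, action, src, dst as last seen) under first-match."""
    for num, line in enumerate(ruleset.strip().splitlines(), 1):
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            pkt = natd(pkt)         # natd reinjects; the search resumes at the next rule
            continue
        return num, rule["action"], str(pkt["src"]), str(pkt["dst"])
    return 65535, "deny", str(pkt["src"]), str(pkt["dst"])   # kernel default rule

def tcp_syn(src, dst, dport, direction, iface):
    """Constructed TCP SYN (connection setup) packet."""
    return {"proto": "tcp", "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "dir": direction, "iface": iface, "syn": True, "ack": False}

if __name__ == "__main__":
    print(walk(RULESET, tcp_syn("203.0.113.9", "65.55.55.67", 22, "in", "fxp1")))
    print(walk(RULESET, tcp_syn("203.0.113.9", "65.55.55.67", 3389, "in", "fxp1")))
    print(walk(RULESET, tcp_syn("192.168.100.5", "198.51.100.1", 80, "out", "fxp1")))
```

Running it shows an inbound SYN to 65.55.55.67 port 22 being rewritten to 192.168.100.5 by the divert rule and accepted by the port-22 rule, while an inbound SYN to any other port is accepted by `pass tcp from any to any setup`: under first-match ordering that catch-all sits before the closing `deny log ... setup` rule, so the deny rule is never reached by a TCP SYN. Rules meant to narrow inbound access have to come before such a catch-all, and a trace like this is a quick way to confirm the ordering before deploying a ruleset.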