Date: Sun, 30 Sep 2001 12:49:56 -0400 (EDT)
From: Rich Fox <rich@f2sys.net>
To: freebsd-net@freebsd.org
Subject: Natd Frustration!
Message-ID: <Pine.BSF.4.21.0109301214090.48292-100000@iwishihadaname.crosslink.net>
Hi,

I know that the NATD stuff comes up all the time, however I have spent the last two days poring over the archives searching for a solution to my problem. This is the same problem everyone else has. I want to forward HTTP requests from my external machine to an internal one.

Here is my setup:

                      ------------\                /------------------------
    192.168.1.17 +--> 65.x.x.x/192.168.1.12  -> | @home network          | DHCP
                 | hub |                         |       Internet         |
    192.168.1.15 +--> 216.x.x.x/192.168.1.1  -> | Crosslink/covad/verizon | Static IP
                      ------------/                \------------------------

Yes, I have two internet connections. They can see each other without problems.

The .17 machine's gateway is 192.168.1.12/65.x.x.x
The .15 machine's gateway is 192.168.1.1/216.x.x.x

The 216./.1 gateway is performing plain ol' Nat for whatever boxes on the internal network are using it as a gateway. I can get anywhere on the 'net as needed from the internal machines, including to the 65.x.x.x machine without problems. (That is, the firewall says allow all from any to 65.x.x.x and vice versa.)

The 65.x/.12 machine is also performing plain ol' natd for any machines using it as a gateway. I can get anywhere on the 'net as needed from the internal machines, including the 216.x.x.x machine without problems. (That is, the firewall says allow all from any to 216.x.x.x and vice versa.)

I want any http requests showing up at the 65. box to be sent to and handled by the internal .17 machine.

Here's what I have configured for the 65.x machine...

rc.conf:

    # Adding NATD and IPFW stuff...
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="ed0"
    natd_flags="-l -f /etc/natd.conf"

natd.conf:

    interface ed0
    same_ports yes
    dynamic yes
    use_sockets yes
    verbose
    redirect_port tcp 192.168.1.17:80 80
    redirect_port udp 192.168.1.17:80 80

(I don't need udp for this but for the sake of thoroughness...)
and my firewall (I run this script at the end of rc.conf):

    # de0 is internal network
    # ed0 is DHCP configured interface
    ipfw -q flush
    ipfw add divert 8668 ip from any to any via ed0
    ipfw add allow all from any to 192.168.1.17
    ipfw add allow all from 192.168.1.17 to any

    # Allow all data from my network card and localhost.
    ipfw add allow ip from any to any via lo0
    ipfw add allow ip from any to any via de0

    # Allow connections to and from my DSL connection...
    ipfw add allow all from any to 216.x.x.x
    ipfw add allow all from 216.x.x.x to any

    # Allow all connections that I initiate.
    # Once connections are made, allow them to stay open.
    ipfw add allow tcp from any to any out xmit ed0 setup
    ipfw add allow tcp from any to any via ed0 established

    # This sends a RESET to all ident packets.
    ipfw add reset log tcp from any to any 113 in recv ed0

    # allow ntp from time sync...
    ipfw add allow udp from any 123 to any 123
    ipfw add allow tcp from any 123 to any 123

    # Allow outgoing DNS queries ONLY to the specified servers.
    [snip]

    # ping and traceroute
    ipfw add 65435 allow icmp from any to any

    # deny everything else...
    ipfw add 65435 deny log ip from any to any

In spite of the DHCP interface, the IP address hasn't changed in the months that I have used this service. (Not that that makes any difference, I am just saying.)

I am using the Verbose option in NATD to try to understand what exactly is happening with the packets that are coming from the .15->216. machine. Here's what it looks like when I try to connect from there...
    In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
    In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
    In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
    In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
    In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80

The requests appear to be aliasing properly, but no response ever comes from the .17 machine, at least not that I can see. Shouldn't I get an OUT [TCP] sort of thing from this?

(Note: if I connect to the .17 machine's web server from inside the network, it works fine, i.e. if I go to 192.168.1.17 it is alive and well.)

(Interestingly, I see lots of IP addresses trying to connect to my web server. I really want to get this aliasing thing fixed so that I can put up a page that tells these nosy punks to go blow.)

Any thoughts?

Thanks,
Rich.

| rich fox / F2            | rich@f2sys.net  | www.f2sys.net
| 5927 Ridge View Drive    | Alexandria, VA 22310-2074
| t:703.528.9616           | f:703.528.0599

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
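The question in the post (should the natd -v output show an Out line for the reply?) can be answered mechanically from the log itself. The script below is an added example, not part of Rich's message or of natd: it reads natd verbose output, pairs every inbound "aliased to" packet with the outbound packet that carries the reply through the divert socket, and prints one summary line per redirected flow. It assumes the log has been collapsed to the one-line-per-packet form quoted in the post (natd normally prints the "aliased to" continuation on a second line; join those first). The sample log is constructed: it repeats the five unanswered requests from the post and adds a made-up client, 198.51.100.7, whose reply did go through natd.

```shell
#!/bin/sh
# Added example (not from the original post): summarise natd -v output per
# redirected flow so it is obvious which connections never produced a reply
# through the divert socket.
#
# Assumed log shape (one line per packet, as quoted in the post):
#   In  [TCP] [TCP] CLIENT:port -> EXT:80 aliased to [TCP] CLIENT:port -> INTERNAL:80
#   Out [TCP] [TCP] INTERNAL:80 -> CLIENT:port aliased to [TCP] EXT:80 -> CLIENT:port

# Print "CLIENT:port -> INTERNAL:port in=N out=M status" for every flow seen.
# Reads the files given as arguments, or stdin when there are none.
natd_reply_check() {
    awk '
    /aliased to/ {
        # fields left of "aliased" are the packet as natd received it,
        # fields right of it are the packet after rewriting
        for (i = 1; i <= NF; i++) if ($i == "aliased") break

        if ($1 == "In") {
            # rewritten inbound packet: client -> internal server
            client = $(i + 3); server = $(i + 5)
        } else if ($1 == "Out") {
            # outbound packet before rewriting: internal server -> client
            server = $(i - 3); client = $(i - 1)
        } else {
            next
        }
        key = client " -> " server
        if (!(key in seen)) order[++n] = key
        seen[key]++
        if ($1 == "In") in_cnt[key]++; else out_cnt[key]++
    }
    END {
        for (k = 1; k <= n; k++) {
            key = order[k]
            status = (in_cnt[key] && out_cnt[key]) ? "answered" : (out_cnt[key] ? "Out without In" : "no Out seen")
            printf "%s in=%d out=%d %s\n", key, in_cnt[key] + 0, out_cnt[key] + 0, status
        }
    }' "$@"
}

# Constructed sample: the five retransmitted requests from the post (no reply
# ever reaches the divert socket) plus one flow from a made-up client whose
# reply did pass back through natd.
sample_natd_log() {
    cat <<'EOF'
In  [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
In  [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
In  [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
In  [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
In  [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
In  [TCP] [TCP] 198.51.100.7:40000 -> 65.x.x.x:80 aliased to [TCP] 198.51.100.7:40000 -> 192.168.1.17:80
Out [TCP] [TCP] 192.168.1.17:80 -> 198.51.100.7:40000 aliased to [TCP] 65.x.x.x:80 -> 198.51.100.7:40000
EOF
}

# Stand-alone run over the constructed sample.
sample_natd_log | natd_reply_check
```

Because natd only logs packets it receives from the divert socket, a flow that stays at out=0 means the internal host's reply never hit the divert rule on ed0: either it never left the internal host, or it was routed or filtered somewhere that the divert rule does not cover. Feed the real log in with `natd_reply_check /var/log/natd.log` (path assumed) after joining the continuation lines.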