Date:      Mon, 20 Oct 2008 23:14:58 +0200
From:      "Leander S." <leander.schaefer@gmx.net>
To:        freebsd-ipfw@freebsd.org
Subject:   IPFW + Portforwarding
Message-ID:  <48FCF4D2.4080103@gmx.net>


Hi,

I'm trying to set up something like a HotSpot. The goal is to force 
unregistered users to get redirected to the captive portal site, where 
they'll be able to agree to my licence terms and get some information ... 
etc. ...

So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic 
to another port, i.e. 8080, where my Apache will already be waiting to 
serve the captive portal site back to the request.

So I read the man page and saw something like the fwd rule and the kernel 
option for it, so I added the option, recompiled the kernel and gave my 
firewall the following fwd rule in an extra script:

       ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,443,8080 in via ${LAN_if}


^^ But sadly it's not working ....


So here is my whole firewall script.
Btw. my IPFW is compiled as default deny into the kernel.


The Script:
____________________________________________________________________________ 

#!/bin/sh

if [ -z "${source_rc_confs_defined}" ]; then
       if [ -r /etc/defaults/rc.conf ]; then
               . /etc/defaults/rc.conf
               source_rc_confs
       elif [ -r /etc/rc.conf ]; then
               . /etc/rc.conf
       fi
fi


#############################
#### Global variables: ######
#############################

WAN_if="msk0"
WAN_IP="10.1.10.50"
WAN_net="255.0.0.0"
WAN="10.0.0.0/8"

LAN_if="ath0"
LAN_IP="192.1.1.1"
LAN_net="255.255.255.0"
LAN="192.1.1.0/24"

fwcmd="/sbin/ipfw -q"


#############################
########## Start: ###########
#############################

### Firewall Reset ###

   ${fwcmd} -f flush


### Localhost ###

   ${fwcmd} add 00100 allow all from any to any via lo0
   ${fwcmd} add 00200 deny all from any to 127.0.0.0/8
   ${fwcmd} add 00300 deny all from 127.0.0.0/8 to any



### WAN configuration (upstream interface, NAT via natd) ###

   ${fwcmd} add 00400 allow all from any to any via ${WAN_if}
   ${fwcmd} add 00500 divert natd all from any to any in via ${WAN_if}
   ${fwcmd} add 00600 divert natd all from any to any out via ${WAN_if}



### LAN configuration (wireless client side) ###

   ### Ping
   ${fwcmd} add 00700 allow icmp from ${LAN} to ${LAN} icmptypes 0,8

   ### Open ports (services on the gateway itself: ssh, pptp, Apache on 8080)
   ${fwcmd} add 00800 allow tcp from any to ${LAN_IP} 22 in via ${LAN_if}
   ${fwcmd} add 00900 allow tcp from any to ${LAN_IP} 1723 in via ${LAN_if}
   ${fwcmd} add 01000 allow tcp from any to ${LAN_IP} 8080 in via ${LAN_if}

   ### Portal site - forwarding: send LAN web traffic to the local Apache on 8080
   ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,8080,443 in via ${LAN_if}

   ### Outbound traffic (packets leaving via the LAN interface)
   ${fwcmd} add 01200 allow all from any to any out via ${LAN_if}


____________________________________________________________________________ 


Every positive type of help will be very appreciated !!!
Thanks,

  Leander


P.S. Additionally: This is my first firewall script - so if this seems 
too ugly for you - feel free to give me some newbie tips and tricks! 
;) THX
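One way to check whether the fwd rule is matching anything at all, as an added example that is not part of the original post: `ipfw -a list` prints a packet and byte counter in front of every rule, and the helpers below pick out the rules no packet has hit and the counters of one chosen rule. The listing in SAMPLE_IPFW_LIST is constructed in the shape ipfw prints for this ruleset (ipfw rewrites "all" as "ip", the port list as "dst-port", and the natd service as its port 8668); the counter values are made up for the example, not taken from the poster's box.

```shell
#!/bin/sh
# Constructed sample of "ipfw -a list" output for the ruleset in the post:
# rule number, packets, bytes, then the rule body. Counters are invented.
SAMPLE_IPFW_LIST='00100 1532 184210 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 9810 7211042 allow ip from any to any via msk0
00500 4402 3308120 divert 8668 ip from any to any in via msk0
00600 5408 3902922 divert 8668 ip from any to any out via msk0
00700 12 1008 allow icmp from 192.1.1.0/24 to 192.1.1.0/24 icmptypes 0,8
00800 3 180 allow tcp from any to 192.1.1.1 dst-port 22 in via ath0
00900 0 0 allow tcp from any to 192.1.1.1 dst-port 1723 in via ath0
01000 0 0 allow tcp from any to 192.1.1.1 dst-port 8080 in via ath0
01100 0 0 fwd 192.1.1.1,8080 tcp from 192.1.1.0/24 to any dst-port 80,8080,443 in via ath0
01200 28 2104 allow ip from any to any out via ath0
65535 40 2400 deny ip from any to any'

# Read an "ipfw -a list" listing on stdin and print, on one line, the numbers
# of all rules whose packet counter is zero, i.e. rules nothing has matched
# since the last "ipfw -f flush" or "ipfw zero".
zero_hit_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 == 0 { printf "%s%s", sep, $1; sep = " " }
         END { print "" }'
}

# Read the same listing on stdin and print "<rule> <packets> <bytes>" for the
# rule number given as $1, so one rule can be watched while a client browses.
rule_hits() {
    awk -v n="$1" '$1 == n { print $1, $2, $3 }'
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_IPFW_LIST" | zero_hit_rules
printf '%s\n' "$SAMPLE_IPFW_LIST" | rule_hits 01100
```

On the gateway itself, run `ipfw zero`, open a page from a LAN client, then `ipfw -a list | rule_hits 01100`: a counter that stays at zero means the packets never reach rule 01100 (an earlier rule takes them, or the interface or direction in the rule does not match), while a rising counter means the rule fires and the problem lies after it, e.g. on the Apache side.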
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48FCF4D2.4080103>