Date:      Tue, 11 Jan 2000 11:01:18 +0200
From:      Ruslan Ermilov <ru@ucb.crimea.ua>
To:        mw@sax.de
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: NATD and Public IP Addresses
Message-ID:  <20000111110118.C18967@relay.ucb.crimea.ua>
In-Reply-To: <20000111030946.A14785@theatre.sax.de>; from Martin Welk on Tue, Jan 11, 2000 at 03:09:46AM +0100
References:  <Pine.BSF.4.10.10001101619480.88174-100000@intertain.interlog.com> <20000111003327.C33776@extremis.demon.co.uk> <20000111030946.A14785@theatre.sax.de>

On Tue, Jan 11, 2000 at 03:09:46AM +0100, Martin Welk wrote:
> On Tue, Jan 11, 2000 at 12:33:27AM +0000, George Cox wrote:
> 
> > > I have several machines (6) which must be individually publicly accessible.
> > And you propose to put them on the inner side of the NAT machine?  Well, you
> > can't do that -- because those machines will have addresses that are NOT
> > ROUTABLE on the Internet.
> 
> He can at least hook them to the internal network, give them local
> (private) addresses and redirect those addresses through natd on a
> FreeBSD box that works as a gateway host:
> 
> 	Public network interface <-> Private network interface
>         a.b.c.1 = Primary public interface address
> 	a.b.c.2 <-> x.y.z.2 (*)
> 	a.b.c.3 <-> x.y.z.3 (*)
> 	a.b.c.4 <-> x.y.z.4 (*)
> 	(...)
> 
> (*) Public network interface addresses configured as ifconfig aliases, that
> means, the gateway recognizes itself as that address. When this is done, it
> can pass the packets through natd which changes the address and forwards
> them to an assigned address in the private network.
> 
It is *NOT* required to bind these addresses to interface.

> > OK -- here you say you have the IP addresses (presumably you mean public IP
> > addresses) and say you want to use NAT.
> 
> He may need NAT because he has six addresses (a 29-bit netmasked network
> piece) but n (with n > 6) network hosts that should be accessible from
> the public.
> 
> This is possible. First of all, I recommend you read the man pages for
> ipfw(4), ipfw(8), divert(4), natd(8), dummynet(4) and build a custom
> kernel. You need at least the IPFIREWALL/IPDIVERT rules, perhaps for
> a start the IPFIREWALL_DEFAULT_TO_OPEN (sp?) is handy. Configure your
> FreeBSD machine as a gateway host.
> 
> What you need is the redirect function of natd. For a start, you can
> use some minimal firewall setup like
> 
> 	ipfw add 100 divert 8668 ip from any to any via xxx
> 	ipfw add 200 allow all from any to any
> 
> 	(xxx is the public network interface name)
> 
A stricter ruleset would look like:
 	ipfw add 100 divert natd ip from any to a.b.c.2 in via xxx
 	ipfw add 100 divert natd ip from any to a.b.c.3 in via xxx
 	ipfw add 100 divert natd ip from any to a.b.c.4 in via xxx
 	ipfw add 100 divert natd ip from x.y.z.2 to any out via xxx
 	ipfw add 100 divert natd ip from x.y.z.3 to any out via xxx
 	ipfw add 100 divert natd ip from x.y.z.4 to any out via xxx

> and a natd configuration like
> 
> 	unregistered_only yes
> 	alias_address a.b.c.1
> 	redirect_address x.y.z.2 a.b.c.2
> 	redirect_address x.y.z.3 a.b.c.3
> 	redirect_address x.y.z.4 a.b.c.4
> 	(...)
> 
Why waste the a.b.c.1?  The `interface xxx' clause will do the trick.
I would also recommend `deny_incoming', `use_sockets' and `same_ports'.

> Don't forget to define those alias addresses for the public network
> interface, like
> 
> 	ifconfig xxx alias a.b.c.2 netmask n.m.n.o
> 	ifconfig xxx alias a.b.c.3 netmask n.m.n.o
> 	ifconfig xxx alias a.b.c.4 netmask n.m.n.o
> 	(...)
> 
Like I said, the latter is not required at all, just make sure
the traffic for a.b.c.[2-4] is passed via `xxx' interface.

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
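As an added example (not part of the thread, written by the editor), the script below generates the per-host ipfw divert rules and the natd.conf that the reply above describes, from a list of public/private address pairs. The interface name `xxx` and the a.b.c.N / x.y.z.N addresses are the thread's placeholders; the mapping and the `gen_*` / `check_mapping` function names are constructed for this example.

```shell
#!/bin/sh
# Added example: emit the stricter natd/ipfw configuration from the thread.
# Nothing here touches the running system; pipe the output into sh on the
# gateway once it looks right. Interface and addresses are placeholders.

IFACE="${IFACE:-xxx}"   # public network interface (placeholder name)

# Constructed mapping, one "public private" pair per line.
MAPPING='a.b.c.2 x.y.z.2
a.b.c.3 x.y.z.3
a.b.c.4 x.y.z.4'

# One inbound and one outbound divert rule per mapped host, so only traffic
# for the redirected addresses reaches natd (same-numbered rules are kept by
# ipfw in insertion order), followed by the permissive catch-all from the thread.
gen_ipfw_rules() {
    iface="$1"
    while read -r pub priv; do
        [ -z "$pub" ] && continue
        printf 'ipfw add 100 divert natd ip from any to %s in via %s\n' "$pub" "$iface"
        printf 'ipfw add 100 divert natd ip from %s to any out via %s\n' "$priv" "$iface"
    done
    printf 'ipfw add 200 allow ip from any to any\n'
}

# natd.conf using `interface` instead of burning a.b.c.1 as alias_address,
# the options recommended in the reply, and one static redirect per host.
gen_natd_conf() {
    iface="$1"
    printf 'interface %s\n' "$iface"
    printf 'unregistered_only yes\ndeny_incoming yes\nuse_sockets yes\nsame_ports yes\n'
    while read -r pub priv; do
        [ -z "$pub" ] && continue
        printf 'redirect_address %s %s\n' "$priv" "$pub"
    done
}

# Refuse a mapping that reuses a public address: two private hosts cannot
# both own one public address, and natd would silently take the last one.
check_mapping() {
    dups=$(awk '{print $1}' | sort | uniq -d)
    [ -z "$dups" ]
}

printf '%s\n' "$MAPPING" | check_mapping || { echo "duplicate public address in mapping" >&2; exit 1; }
printf '%s\n' "$MAPPING" | gen_ipfw_rules "$IFACE"
echo "--- /etc/natd.conf ---"
printf '%s\n' "$MAPPING" | gen_natd_conf "$IFACE"
```

Per natd(8) the `interface` clause makes natd follow the address of `xxx`, so a.b.c.1 stays usable; the public addresses still need a route that brings their traffic in via `xxx`, as the reply notes.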

