port forwarding and ipfw rules

Tony Frank tfrank at optushome.com.au
Fri Mar 19 19:23:33 PST 2004


Hi there,

On Fri, Mar 19, 2004 at 03:22:07PM +1100, ktulu at net2000.com.au wrote:
> Hi All,
> 
> I have posted this question before, but I don't think I made myself very clear
> in what I was hoping to achieve.  Hopefully, this post will help out.  
> 
> I have a situation where I have one network interface (fxp1) connected to the
> network with the IP address xxx.xxx.19.110 which is port forwarding (on port
> 443) to a host xxx.xxx.19.109.  Currently, this situation works fine.
> 
> The problem I'm having is that I have two of these machines doing the same thing
> and I require the ability for one machine to take over from the other in the
> event of a hardware failure, etc.  The diagram below basically shows what I want
> to achieve:
> 
> 
>          Internet
>         ----------
>             |
>             |
>             |
>     fxp1    |  fxp1
>    .19.110  |  .19.111
>             |  (alias)
>             |
>     -----------------
>     |      FW       |
>     | Default route |
>     |  xx.xx.19.225 |
>     |             |
>     -----------------
>             |
>            / \
>     fxp1  /   \ fxp1
>   .19.110/     \.19.111 (alias)
>         /       \
>        /         \
>       /           \
>      /             \
>     /               \
>    /                 \
>   /                   \
> -----               -----
> |   |               |   |
> |   |               |   |
> |   |               |   |
> |   |               |   |
> -----               -----
> Web Server          Web Server
> x.x.19.109:443      x.x.19.102:443

fxp1 seems to be very busy in this picture.

My understanding is that you want to do:

1. redirect any connections to .19.110:443 to .19.109:443
2. redirect any connections to .19.111:443 to .19.102:443

Assuming your uplink is sending traffic for .19.110 and .19.111 to your interface (fxp1)
(you can do this by aliasing 111 onto the 110 interface, as you already indicated),
you just need a natd.conf with something like this in it:

redirect_port tcp .19.109:443 .19.110:443
redirect_port tcp .19.102:443 .19.111:443

I got it going with a similar kind of setup.
In my case I used port 80 and tried to get a network set up as I
understand your description, something like the below:

      (internet)
          | public IP
      +------+
      | fxp0 | In my case this one runs natd/squid
      | ext. | so all queries to internal net appear to
      |  f/w | originate from .10
      | fxp2 |
      +------+
          | .10
      +---+------+---------+
 .110 | .111     | .109    | .102
   +------+   +------+  +------+
   | fxp0 |   | fxp0 |  | fxp0 | 
   | g/w  |   | www1 |  | www2 |
   +------+   +------+  +------+


g/w is running ipfw + natd to divert traffic
www1 and www2 are simple servers running apache


tcpdump shows:

1. syn packet comes in to 110:80
2. syn packet is sent out to 109:80 (rewritten by natd to appear from 110:80)
3. syn+ack comes back to 110
4. 110 forwards back to original source
and so on for the rest of the connection.

Same deal for traffic to 111 (tcpdump output below)

Note:
www1 and www2 see the traffic as originating from .110
and reply appropriately.
.110 sends it all to natd which replaces the IP headers
so the reply traffic has source either .110 or .111 depending on
where the request came from.
Also my g/w (.110) is currently 5.2.1 but the config should be the same
for 4.9.

Details follow:

/etc/natd.conf:
log yes
dynamic yes
log_denied yes
deny_incoming no
use_sockets yes
same_ports yes
target_address 255.255.255.255
log_ipfw_denied yes
redirect_port tcp 192.168.200.109:80 192.168.200.110:80
redirect_port tcp 192.168.200.102:80 192.168.200.111:80

ifconfig -a:
midway# ifconfig -a
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.200.110 netmask 0xffffff00 broadcast 192.168.200.255
        inet 192.168.200.111 netmask 0xffffffff broadcast 192.168.200.111
        ether 00:06:29:f1:82:72
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

ipfw rules:
00050 216691 60715152 divert 8668 ip from any to any via fxp0
00100      0        0 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300      0        0 deny ip from 127.0.0.0/8 to any
65000 212716 60372772 allow ip from any to any
65535      0        0 deny ip from any to any

tcpdumps of the traffic:

13:47:25.595348 192.168.200.10.3881 > 192.168.200.110.80: S 642583182:642583182(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1012945518 0> (DF)
13:47:25.596052 192.168.200.110.3881 > 192.168.200.109.80: S 642583182:642583182(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1012945518 0> (DF)
13:47:25.596121 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
13:47:25.596495 192.168.200.109.80 > 192.168.200.110.3881: S 1971745869:1971745869(0) ack 642583183 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 417505 1012945518> (DF)
13:47:25.596712 192.168.200.110.80 > 192.168.200.10.3881: S 1971745869:1971745869(0) ack 642583183 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 417505 1012945518> (DF)
13:47:25.596791 192.168.200.110 > 192.168.200.109: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
13:47:25.596847 192.168.200.10.3881 > 192.168.200.110.80: . ack 1 win 33304 <nop,nop,timestamp 1012945526 417505> (DF)
13:47:25.597035 192.168.200.110.3881 > 192.168.200.109.80: . ack 1 win 33304 <nop,nop,timestamp 1012945526 417505> (DF)
13:47:25.597098 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
13:47:25.597211 192.168.200.10.3881 > 192.168.200.110.80: P 1:509(508) ack 1 win 33304 <nop,nop,timestamp 1012945527 417505> (DF)
13:47:25.597415 192.168.200.110.3881 > 192.168.200.109.80: P 1:509(508) ack 1 win 33304 <nop,nop,timestamp 1012945527 417505> (DF)
13:47:25.597480 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
13:47:25.616863 192.168.200.109.80 > 192.168.200.110.3881: P 1:274(273) ack 509 win 33304 <nop,nop,timestamp 417525 1012945527> (DF)
13:47:25.617161 192.168.200.110.80 > 192.168.200.10.3881: P 1:274(273) ack 509 win 33304 <nop,nop,timestamp 417525 1012945527> (DF)
13:47:25.617227 192.168.200.110 > 192.168.200.109: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
13:47:25.716982 192.168.200.10.3881 > 192.168.200.110.80: . ack 274 win 33304 <nop,nop,timestamp 1012945647 417525> (DF)
13:47:25.717368 192.168.200.110.3881 > 192.168.200.109.80: . ack 274 win 33304 <nop,nop,timestamp 1012945647 417525> (DF)
13:47:25.717436 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)


13:49:48.703004 192.168.200.10.3882 > 192.168.200.111.80: S 3017889378:3017889378(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1013088640 0> (DF)
13:49:48.703591 192.168.200.110.3882 > 192.168.200.102.80: S 3017889378:3017889378(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1013088640 0> (DF)
13:49:48.703680 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
13:49:48.703941 192.168.200.102.80 > 192.168.200.110.3882: S 33897141:33897141(0) ack 3017889379 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 587887 1013088640> (DF)
13:49:48.704137 192.168.200.111.80 > 192.168.200.10.3882: S 33897141:33897141(0) ack 3017889379 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 587887 1013088640> (DF)
13:49:48.704201 192.168.200.110 > 192.168.200.102: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
13:49:48.704270 192.168.200.10.3882 > 192.168.200.111.80: . ack 1 win 33304 <nop,nop,timestamp 1013088641 587887> (DF)
13:49:48.704458 192.168.200.110.3882 > 192.168.200.102.80: . ack 1 win 33304 <nop,nop,timestamp 1013088641 587887> (DF)
13:49:48.704521 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
13:49:48.704636 192.168.200.10.3882 > 192.168.200.111.80: P 1:509(508) ack 1 win 33304 <nop,nop,timestamp 1013088642 587887> (DF)
13:49:48.704839 192.168.200.110.3882 > 192.168.200.102.80: P 1:509(508) ack 1 win 33304 <nop,nop,timestamp 1013088642 587887> (DF)
13:49:48.704904 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
13:49:48.718553 192.168.200.102.80 > 192.168.200.110.3882: P 1:274(273) ack 509 win 33304 <nop,nop,timestamp 587902 1013088642> (DF)
13:49:48.718844 192.168.200.111.80 > 192.168.200.10.3882: P 1:274(273) ack 509 win 33304 <nop,nop,timestamp 587902 1013088642> (DF)
13:49:48.718910 192.168.200.110 > 192.168.200.102: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
13:49:48.818588 192.168.200.10.3882 > 192.168.200.111.80: . ack 274 win 33304 <nop,nop,timestamp 1013088756 587902> (DF)
13:49:48.818947 192.168.200.110.3882 > 192.168.200.102.80: . ack 274 win 33304 <nop,nop,timestamp 1013088756 587902> (DF)
13:49:48.819014 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
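As an added example (not part of Tony's post), here is a small checker that reads tcpdump lines like the ones above, pairs each client SYN with its natd-rewritten copy by initial sequence number, and compares the alias-to-target mapping actually seen on the wire against the redirect_port lines in natd.conf. The sample capture and config are constructed from the post; the function names are my own.

```python
import re
# Constructed sample, a subset of the capture in the post: a connection to the
# .110 alias and one to the .111 alias, seen on the gateway's fxp0.
CAPTURE = """\
13:47:25.595348 192.168.200.10.3881 > 192.168.200.110.80: S 642583182:642583182(0) win 65535 (DF)
13:47:25.596052 192.168.200.110.3881 > 192.168.200.109.80: S 642583182:642583182(0) win 65535 (DF)
13:47:25.596121 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
13:47:25.596495 192.168.200.109.80 > 192.168.200.110.3881: S 1971745869:1971745869(0) ack 642583183 win 65535 (DF)
13:49:48.703004 192.168.200.10.3882 > 192.168.200.111.80: S 3017889378:3017889378(0) win 65535 (DF)
13:49:48.703591 192.168.200.110.3882 > 192.168.200.102.80: S 3017889378:3017889378(0) win 65535 (DF)
"""
# The redirect_port lines from the post's /etc/natd.conf: <target> <alias>.
NATD_CONF = """\
redirect_port tcp 192.168.200.109:80 192.168.200.110:80
redirect_port tcp 192.168.200.102:80 192.168.200.111:80
"""
# Bare SYN only: a SYN+ACK has "ack" after "(0)", so it does not match.
SYN_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\) win")

def observed_redirects(capture):
    """{alias:port -> target:port} as seen on the wire. A client SYN and its
    natd-rewritten copy share an ISN (natd rewrites addresses, not seq nums)."""
    syns = {}
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            _src, _sport, dst, dport, isn = m.groups()
            syns.setdefault(isn, []).append(f"{dst}:{dport}")
    mapping = {}
    for dsts in syns.values():
        if len(dsts) == 2:          # outer SYN first, then the inner copy
            mapping[dsts[0]] = dsts[1]
    return mapping                  # an unpaired SYN was never rewritten

def configured_redirects(natd_conf):
    """Parse redirect_port lines into the same {alias -> target} shape."""
    mapping = {}
    for line in natd_conf.splitlines():
        p = line.split()
        if len(p) == 4 and p[:2] == ["redirect_port", "tcp"]:
            mapping[p[3]] = p[2]
    return mapping

def check(capture, natd_conf):
    """Configured redirects not seen on the wire, and on-wire ones not configured."""
    seen, want = observed_redirects(capture), configured_redirects(natd_conf)
    missing = {a: t for a, t in want.items() if seen.get(a) != t}
    unexpected = {a: t for a, t in seen.items() if want.get(a) != t}
    return missing, unexpected
```

The `icmp: redirect` lines are skipped; they show up because client, gateway and both web servers sit on the same 192.168.200.0/24 in this test network, so the gateway tells each side it could reach the other directly.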


> This configuration must be able to be added and removed dynamically without
> affecting the existing network setup (other than changing ipfw rules).  Below
> are the relevant sections of my current configuration settings:

Should be able to do this by using ifconfig to add/remove an alias on the interface.
There are various tools in ports to do this automatically.
If the mappings are static, you should be able to have all combinations defined
in a standard natd config file.


Hope it helps,

Tony

