IPFW + Portforwarding
Leander S.
leander.schaefer at gmx.net
Mon Oct 20 21:41:43 UTC 2008
Hi,
I'm trying to set up something like a HotSpot. The goal is to force
unregistered users to be redirected to the captive portal site, where
they'll be able to agree to my license terms and get some information ...
etc. ...
So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic
to another port, i.e. 8080, where my Apache will already be waiting to
serve the captive portal site back to the request.
So I read the man page and saw something like the fwd rule and the kernel
option for it, so I added the option, recompiled the kernel and gave my
firewall the following fwd rule in an extra script:
${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,443,8080 in via ${LAN_if}
^^ But sadly it's not working ....
So here is my whole firewall script.
Btw. my IPFW is compiled into the kernel as default deny.
The script:
____________________________________________________________________________
#!/bin/sh
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi
#############################
#### Global variables: ######
#############################
WAN_if="msk0"
WAN_IP="10.1.10.50"
WAN_net="255.0.0.0"
WAN="10.0.0.0/8"
LAN_if="ath0"
LAN_IP="192.1.1.1"
LAN_net="255.255.255.0"
LAN="192.1.1.0/24"
fwcmd="/sbin/ipfw -q"
#############################
########## Start: ###########
#############################
### Firewall reset ###
${fwcmd} -f flush
### Localhost ###
${fwcmd} add 00100 allow all from any to any via lo0
${fwcmd} add 00200 deny all from any to 127.0.0.0/8
${fwcmd} add 00300 deny all from 127.0.0.0/8 to any
### WAN configuration ###
# natd has to see WAN packets before any allow on the WAN interface:
# an "allow ... via ${WAN_if}" placed ahead of the divert rules ends the
# rule search for every WAN packet and NAT never runs.
${fwcmd} add 00400 divert natd all from any to any in via ${WAN_if}
${fwcmd} add 00500 divert natd all from any to any out via ${WAN_if}
${fwcmd} add 00600 allow all from any to any via ${WAN_if}
### LAN configuration ###
### Ping
${fwcmd} add 00700 allow icmp from ${LAN} to ${LAN} icmptypes 0,8
### Open ports on the gateway itself
${fwcmd} add 00800 allow tcp from any to ${LAN_IP} 22 in via ${LAN_if}
${fwcmd} add 00900 allow tcp from any to ${LAN_IP} 1723 in via ${LAN_if}
${fwcmd} add 01000 allow tcp from any to ${LAN_IP} 8080 in via ${LAN_if}
### Portal site - forwarding:
# fwd to a local address hands the matching packet to the socket listening
# on ${LAN_IP},8080 and terminates the search; no later rule is consulted.
# Note: TLS clients redirected from 443 to a plain-HTTP listener will not get
# a usable page, they only see a failed handshake.
${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,8080,443 in via ${LAN_if}
### Packet detour (replies back into the LAN)
${fwcmd} add 01200 allow all from any to any out via ${LAN_if}
____________________________________________________________________________
Every positive kind of help will be very much appreciated !!!
Thanks,
Leander
P.S. Additionally: this is my first firewall script, so if it seems
too ugly to you, feel free to give me some newbie tips and tricks!
;) THX
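The following is an added example, not code from the original post: a small /bin/sh ruleset for the same portal setup, written as functions so the rules can be printed and checked offline before they are loaded. It reuses the interfaces and addresses from the script above (msk0, ath0, 192.1.1.1, 192.1.1.0/24) and the Apache listener on 8080; the ipfw table number 1 for registered clients, the rule numbers and the DNS allow are the editor's assumptions. It goes beyond the posted script in three ways: the natd divert rules are placed ahead of the WAN allow so NAT is actually reached, clients the portal has added to the table bypass the fwd rule, and only plain HTTP is redirected, since a TLS client hitting 443 cannot be served a portal page by an HTTP listener.

```shell
#!/bin/sh
# Captive-portal ruleset for ipfw(8). Interfaces and addresses are taken
# from the posted script; AUTH_TABLE (ipfw table 1), PORTAL_PORT (Apache on
# 8080) and the rule numbers are assumptions made for this example.
WAN_if="${WAN_if:-msk0}"
LAN_if="${LAN_if:-ath0}"
LAN_IP="${LAN_IP:-192.1.1.1}"
LAN="${LAN:-192.1.1.0/24}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
AUTH_TABLE="${AUTH_TABLE:-1}"   # ipfw table holding registered client IPs
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the rules, 0 = load them with /sbin/ipfw

# Every rule goes through here so the same script can be dry-run or loaded.
fwcmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

ruleset() {
    fwcmd -f flush
    fwcmd table "$AUTH_TABLE" flush

    ### Localhost
    fwcmd add 100 allow all from any to any via lo0
    fwcmd add 200 deny all from any to 127.0.0.0/8
    fwcmd add 300 deny all from 127.0.0.0/8 to any

    ### WAN: natd must see the packets first. An "allow ... via $WAN_if"
    ### ahead of the divert rules would end the search and skip NAT.
    fwcmd add 400 divert natd all from any to any in via "$WAN_if"
    fwcmd add 500 divert natd all from any to any out via "$WAN_if"
    fwcmd add 600 allow all from any to any via "$WAN_if"

    ### LAN: what every client may do before registering
    fwcmd add 700 allow icmp from "$LAN" to "$LAN" icmptypes 0,8
    fwcmd add 800 allow udp from "$LAN" to any 53 in via "$LAN_if"   # name resolution
    fwcmd add 900 allow tcp from "$LAN" to "$LAN_IP" "$PORTAL_PORT" in via "$LAN_if"
    fwcmd add 1000 allow tcp from "$LAN" to "$LAN_IP" 22 in via "$LAN_if"

    ### Registered clients (put into the table by the portal) skip the redirect
    fwcmd add 1100 allow all from "table($AUTH_TABLE)" to any in via "$LAN_if"

    ### Everyone else: plain HTTP is handed to the portal listener. fwd to a
    ### local address delivers the packet to the socket on $PORTAL_PORT without
    ### rewriting it, so Apache answers from the original destination address
    ### and the browser accepts the reply. 443 is left out on purpose: an HTTP
    ### listener cannot complete a TLS handshake, and under default deny the
    ### attempt is simply dropped.
    fwcmd add 1200 fwd "$LAN_IP,$PORTAL_PORT" tcp from "$LAN" to any 80,8080 in via "$LAN_if"

    ### Replies back into the LAN
    fwcmd add 1300 allow all from any to any out via "$LAN_if"
    # Anything not matched above hits the compiled-in default deny.
}

# Called by the portal once a client has accepted the terms.
register_client() {
    fwcmd table "$AUTH_TABLE" add "$1"
}

# Called on logout or lease expiry.
unregister_client() {
    fwcmd table "$AUTH_TABLE" delete "$1"
}

# "sh portal-fw.sh load" installs the rules; anything else just prints them.
if [ "${1:-}" = "load" ]; then
    DRY_RUN=0
fi
ruleset
```

Run it without arguments first and read the printed rules: the order matters, because ipfw stops at the first terminal action (allow, deny, divert and fwd all are), so an allow that matches too broadly silently hides every rule numbered after it. The portal's CGI only needs to call `ipfw table 1 add <client ip>` after the user accepts the terms; no rule reload is required.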
More information about the freebsd-ipfw mailing list