Portforwarding - still the same issue
Julian Elischer
julian at elischer.org
Mon Oct 27 16:33:16 UTC 2008
Leander S. wrote:
> Roman Kurakin schrieb:
>> John Hay wrote:
>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to set up something like a HotSpot. Goal is it to force
>>>> unregistred users to get redirected to the Captive Portalsite where
>>>> they'll be able to agree my licence therms and get some information
>>>> ... etc. ...
>>>>
>>>> So fact is I need an IPFW rule which forwards Port 80,443,8080
>>>> Traffic to another Port i.e. 8080 --> where my Apache will already
>>>> wait for serving the Captive Portalsite back to the request.
>>>>
>>>> So I did read the man and saw something like the fwd rule and the
>>>> Kernel Option for it - so I added the option - rcompiled the Kernel
>>>> and gave my Firewall the following fwd rule in an extra script:
>>>>
>>>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>>>> 80,443,8080 in via ${LAN_if}
>>>>
>> Try to make the rule stateful, eq add 'setup keep-state'. Also add
>> some logging in the rule
>> and add the last one additional deny with the logging.
> Oh-oh ... Can't log right now - have to recompile the kernel before ...
> sry.
>>> You have to catch it where it is going out and not in. Fwd only works
>>> when packets are out bound.
I think you can forward an incoming packet out again..
I am sure I have done that.
> I don't think so ?! And what sence would it make? Because think twice
> ... I want to fwd incoming HTTP:80 packages to make them look like
> HTTP:8080 packages ... the outgoing ones are uninteresting because it's
> apache's job to send back Websitedata on port 8080 where it's listening
> anyway.
>>>
>> But how this works for me?
>>
>> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24
>> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>>
>> rik
>>> John
>>>
> I tried:
>
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup
> in via ath0 keep-state
>
> as well as this one too:
>
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80
> dst-port 8080 setup in via ath0 keep-state
>
> ^^
> But sadly without success - "root$ ipfw show" doesn't even show me at
> least one package going through .... not even blocked ones ... 0 0 ;-)
>
>
what version of FreeBSD..
forwarding was crippled in an early 6.x revision I think.
you needed to ad another option as well.
>
>
> But here is my szenario again:
>
> 127.0.0.1 is my FreeBSDMashine wehre IPFW acts and Apache22 Listens on
> port 8080.
>
> 192.1.1.0/24 is the ath0 Interface where Wirlessclients will try to
> klick http://google:80 BUT accidently should be fwded & run into my
> PortalSite:8080
> 192.1.1.1 is the Interfaces IP Adress. 192.1.1.1:8080 would you also
> bring as well as 127.0.0.1:8080 to the portalsite.
>
>
> Regards,
>
> Leander
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
More information about the freebsd-ipfw
mailing list