Portforwarding - still the same issue

Leander S. leander.schaefer at gmx.net
Mon Oct 27 21:39:31 UTC 2008


Julian Elischer schrieb:
> Leander S. wrote:
>> Roman Kurakin schrieb:
>>> John Hay wrote:
>>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>>>  
>>>>> Hi,
>>>>>
>>>>> I'm trying to set up something like a HotSpot. The goal is to force 
>>>>> unregistered users to get redirected to the Captive Portal site 
>>>>> where they'll be able to agree to my licence terms and get some 
>>>>> information ... etc. ...
>>>>>
>>>>> So the fact is I need an IPFW rule which forwards port 80,443,8080 
>>>>> traffic to another port, i.e. 8080 --> where my Apache will already 
>>>>> be waiting to serve the Captive Portal site back to the request.
>>>>>
>>>>> So I read the man page and saw something like the fwd rule and the 
>>>>> kernel option for it - so I added the option, recompiled the 
>>>>> kernel and gave my firewall the following fwd rule in an extra 
>>>>> script:
>>>>>
>>>>>       ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 
>>>>> 80,443,8080 in via ${LAN_if}
>>>>>     
>>> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add 
>>> some logging to the rule
>>> and add a final additional deny rule with logging.
>> Oh-oh ... Can't log right now - have to recompile the kernel before 
>> ... sorry.
>>>> You have to catch it where it is going out and not in. Fwd only works
>>>> when packets are outbound.
>
> I think you can forward an incoming packet out again..
> I am sure I have done that.
I'm also very sure - you might wanna have a quick look here:
http://wannabe.guru.org/scott/hobbies/wireless/wireless.html

^^ That's where I originally heard about that ... but sadly it didn't 
work out for me ...
>
>> I don't think so ?! And what sense would it make? Because think twice 
>> ... I want to fwd incoming HTTP:80 packages to make them look like 
>> HTTP:8080 packages ... the outgoing ones are uninteresting because 
>> it's Apache's job to send back website data on port 8080 where it's 
>> listening anyway.
>>>>   
>>> But how does this work for me?
>>>
>>> ipfw  fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 
>>> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>>>
>>> rik
>>>> John
>>>>  
>> I tried:
>>
>> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 
>> setup in via ath0 keep-state
>>
>> as well as this one too:
>>
>> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80 
>> dst-port 8080 setup in via ath0 keep-state
>>
>> ^^
>> But sadly without success - "root$ ipfw show" doesn't even show me 
>> a single package going through ... not even blocked ones ... 0 0 ;-)
>>
>>
>
> What version of FreeBSD?
> Forwarding was crippled in an early 6.x revision I think.
> You needed to add another option as well.
I'm running the latest 7.0-RELEASE
... these options are included in the kernel:

NETGRAPH_IPFW
IPFIREWALL
IPFIREWALL_VERBOSE
IPFIREWALL_VERBOSE_LIMIT=5
IPFIREWALL_FORWARD
DUMMYNET
IPDIVERT
>
>>
>>
>> But here is my scenario again:
>>
>> 127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens 
>> on port 8080.
>>
>> 192.1.1.0/24 is the ath0 interface where wireless clients will try to 
>> click http://google:80 BUT accidentally should be fwded & run into my 
>> PortalSite:8080
>> 192.1.1.1 is the interface's IP address. 192.1.1.1:8080 would also 
>> bring you to the portal site, as would 127.0.0.1:8080.
>>
>>
>> Regards,
>>
>> Leander
>> _______________________________________________
>> freebsd-ipfw at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
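As an added example (not code from the thread or from any of its posters), here is a complete ipfw ruleset for the captive-portal redirect the thread is trying to get working, combining Roman's advice (stateful fwd rule with `setup keep-state`, logging, and a final logged deny) with the scenario Leander describes. It assumes the thread's values: `ath0` as the wireless interface, `192.1.1.0/24` as the client segment, `192.1.1.1` as the portal host's address and Apache listening on port 8080; the table number 1 for registered clients and the function names are this example's own choices. `FWCMD` defaults to `echo ipfw` so the script prints the rules it would load and can be checked on any machine without ipfw; `log` needs IPFIREWALL_VERBOSE (present in the kernel config above) or `net.inet.ip.fw.verbose=1`. Port 443 is intentionally left out of the fwd rule: forwarding a TLS handshake to a plain-HTTP listener only produces a browser error, so HTTPS needs its own TLS-enabled listener.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw captive-portal ruleset,
# wrapped in a function so it can be generated in dry-run mode first.
# Assumed values (from the scenario in the thread): LAN_if=ath0,
# LAN=192.1.1.0/24, LAN_IP=192.1.1.1, Apache on port 8080.
# FWCMD defaults to "echo ipfw" so the rules are printed, not loaded;
# set FWCMD=/sbin/ipfw on the firewall to apply them.

FWCMD="${FWCMD:-echo ipfw}"
LAN_if="${LAN_if:-ath0}"
LAN="${LAN:-192.1.1.0/24}"
LAN_IP="${LAN_IP:-192.1.1.1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
REGISTERED_TABLE="${REGISTERED_TABLE:-1}"   # ipfw table of registered client IPs (example choice)

portal_rules() {
    # 1. Packets of sessions that already have a dynamic rule are handled here,
    #    so the fwd rule below only ever sees new connections.
    $FWCMD add 01000 check-state
    # 2. Clients that have accepted the terms (added to the table by the portal
    #    application) bypass the redirect entirely.
    $FWCMD add 01050 allow ip from "table($REGISTERED_TABLE)" to any in via "$LAN_if"
    # 3. Traffic leaving towards the wireless segment: portal replies and
    #    return traffic for registered clients. Restricted to this interface.
    $FWCMD add 01060 allow ip from any to "$LAN" out via "$LAN_if"
    # 4. New plain-HTTP connections from unregistered clients go to the portal
    #    listener. "setup" matches only SYNs; "keep-state" creates the dynamic
    #    rule that check-state uses for the rest of the session. Port 443 is
    #    absent on purpose: a TLS handshake cannot be served by a plain listener.
    $FWCMD add 01100 fwd "$LAN_IP,$PORTAL_PORT" log tcp from "$LAN" to any dst-port 80,8080 setup in via "$LAN_if" keep-state
    # 5. Everything else from unregistered clients is dropped and logged, so
    #    "ipfw show" and the log tell you what arrived when the redirect
    #    does not fire.
    $FWCMD add 01200 deny log ip from "$LAN" to any in via "$LAN_if"
}

# What the portal application would run once a user has agreed to the terms,
# and the reverse when the registration expires.
register_client()   { $FWCMD table "$REGISTERED_TABLE" add "$1"; }
unregister_client() { $FWCMD table "$REGISTERED_TABLE" delete "$1"; }

# Run stand-alone: print the ruleset that would be loaded.
portal_rules
```

Rule numbers are spaced so site-specific allow rules can be slotted in between; the fwd target can equally be `127.0.0.1,8080`, since both addresses reach the same local listener. On the firewall, flush the existing set (or use a dedicated rule set) before loading, then watch rule 01100's counters and the log for the first redirected SYN.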