Questions on "Hide NAT" and 1:1 NAT Scenarios Using IPFW2 instead of natd
Holger Rauch
holger.rauch at empic.de
Sun Jun 14 15:27:07 UTC 2009
Hi to everybody,
up to now, I've only seen a working example for "hide NAT" (hiding several IP
addresses belonging to an internal private subnet "behind" an official, externally
accessible IP) based on user space natd from one of my former colleagues.
That means I'm new to kernel (IPFW) based NAT and am thus asking for help on this mailing
list, since the NAT fragments mentioned below don't work for me as expected (i.e.
I see no IPFW log message and no NAT takes place).
I'm referring to a FreeBSD 7.1-STABLE amd64 system with the following kernel options
compiled in (default policy is deny). The machine acts as a gateway (IP forwarding enabled;
no sysctls for layer2 enabled) and has six network interfaces in total
(bge0, bge1, em0-3). Two different forms of NAT should take place depending on whether
the packets flow between network interfaces bge0<->bge1 (hide NAT) and bge0<->em1
(1:1 NAT for a certain set of hosts). For the remaining interface combinations
bge0<->em0,em2,em3 no NAT should be performed since they are used to gain access to
other internal subnets represented by private IP addresses. The combinations
bge1<->em[0-3] are not permitted (blocked/logged by corresponding IPFW rules):
=========================================
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_FORWARD #packet destination changes
options IPFIREWALL_NAT #ipfw kernel nat support
options IPDIVERT #divert sockets
options DUMMYNET
options IPSTEALTH #support for stealth forwarding
options LIBALIAS
=========================================
So, at least I shouldn't be missing any relevant kernel options, right?
The following NAT rule fragments were taken from a larger firewall
#! /bin/sh script, which is structured in the following manner:
a) General logging/filtering rules for bogus packets (unsupported private
IP addresses, broadcasts, illegal inner<->outer network interface
combinations, etc.)
number range logging rules: 1000-1499
number range filtering rules: 1500-1999
b) filtering/logging rules with no NAT (bge0<->em0,em2,em3)
number range logging rules: 2000-2499
number range filtering rules: 2500-2999
c) 1:1 NAT fragment (see below)
fixed rule number: 3000
d) filtering/logging rules to individual hosts for which 1:1 NAT is
supposed to be performed
number range logging rules: 3001-3499
number range filtering rules: 3500-3999
e) hide NAT fragment (see below)
fixed rule number: 4000
f) filtering/logging rules to individual hosts for which hide NAT is
supposed to be performed
number range logging rules: 4001-4499
number range filtering rules: 4500-4999
OK, here are the NAT fragments (inferred from the ipfw man page since I
couldn't find a better resource; unfortunately, neither the IPFW
HOWTO nor the IPFW advanced supplement HOWTO is of help here):
=========================================
# 1:1 NAT (intaddr1...intaddr5 <-> extaddr1...extaddr5)
# configure instance 1 first, then add the rule that references it
${fwcmd} nat 1 config redirect_addr intaddr1 extaddr1 \
    redirect_addr intaddr2 extaddr2 \
    redirect_addr intaddr3 extaddr3 \
    redirect_addr intaddr4 extaddr4 \
    redirect_addr intaddr5 extaddr5
${fwcmd} add 3000 nat 1 all from any to any via em1
==========================================
Would the following alternative approach achieve the same (seems slightly
more elegant to me)?
==========================================
int_nat_hosts="\{ intaddr1,intaddr2,intaddr3,intaddr4,intaddr5 \}"
ext_nat_hosts="\{ extaddr1,extaddr2,extaddr3,extaddr4,extaddr5 \}"
${fwcmd} nat 1 config redirect_addr ${int_nat_hosts} ${ext_nat_hosts}
# hide NAT (10.51.0.0/16 -> one externally accessible IP address aa.bb.cc.dd)
${fwcmd} nat 2 config ip aa.bb.cc.dd log deny_in reset same_ports
${fwcmd} add 4000 nat 2 all from any to any via bge1
==========================================
General questions on both NAT scenarios:
- How to debug IPFW-based NAT in general?
- Is it OK to use "from any to any" in the ...add nat... rules above or would you
recommend specifying the address ranges explicitly?
- Would using "skipto" rules be a good alternative here?
In case you need additional info, please don't hesitate to ask.
Thanks in advance for any help!
Kind regards,
Holger
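The following is an added example, not Holger's script and not part of the original post. It rewrites the two fragments for in-kernel NAT under one assumption the post does not state outright but implies (every NAT case involves bge0): bge0 is the upstream interface that carries the public addresses, bge1 is the 10.51.0.0/16 side, and em1 holds the 1:1 hosts. 192.0.2.1 and 203.0.113.0/24 are documentation ranges standing in for aa.bb.cc.dd and extaddr1..5; tables 1 and 2, the host pairs, the DRYRUN wrapper and the file name are all mine. Three points it demonstrates: ipfw derives the libalias direction from its own, so an `out` packet is aliased and an `in` packet is de-aliased, which is why a nat rule on the interface where the inside traffic enters never rewrites anything; with the default `net.inet.ip.fw.one_pass=1` a packet is accepted right after translation and the filtering ranges 3001-3999 / 4001-4999 are never consulted; and ipfw's `redirect_addr a,b,c public` comma form is LSNAT (several inside hosts behind one public address), so the brace-list variant from the post cannot express a pairwise mapping and one `redirect_addr local public` per pair is needed.

```shell
#!/bin/sh
# Added example, not the poster's script: the two NAT fragments rewritten for
# in-kernel NAT. Interface roles and every address are ASSUMPTIONS:
#   bge0 = upstream interface carrying the public addresses
#   bge1 = 10.51.0.0/16, hidden behind the single public address $ext_addr
#   em1  = the hosts that get a static 1:1 mapping
# 192.0.2.1 and 203.0.113.0/24 are documentation ranges standing in for
# "aa.bb.cc.dd" and extaddr1..5.
fwcmd="ipfw -q"
ext_if="bge0"
ext_addr="192.0.2.1"
hide_net="10.51.0.0/16"

# "internal public" pairs for the 1:1 instance, one per line (constructed).
onetoone_pairs="
10.52.0.11 203.0.113.11
10.52.0.12 203.0.113.12
10.52.0.13 203.0.113.13
"

# Print the command instead of running it when DRYRUN is set, so the rule
# set can be inspected on any machine before it touches a gateway.
run() {
    if [ -n "${DRYRUN}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit one "redirect_addr local public" per pair. ipfw's comma form
# "redirect_addr a,b,c public" is LSNAT (several inside hosts sharing ONE
# public address), not a pairwise mapping of two lists.
onetoone_redirects() {
    printf '%s\n' "$onetoone_pairs" | while read -r int ext; do
        if [ -n "$int" ]; then printf 'redirect_addr %s %s ' "$int" "$ext"; fi
    done
}

nat_rules() {
    # After translation the packet resumes at the next rule number only if
    # one_pass is 0; with the default of 1 it is accepted on the spot and the
    # per-host filters in 3001-3999 / 4001-4999 never run.
    run sysctl net.inet.ip.fw.one_pass=0

    # Tables holding the mapped hosts, so the nat rules match exactly those.
    run ${fwcmd} table 1 flush
    run ${fwcmd} table 2 flush
    printf '%s\n' "$onetoone_pairs" | while read -r int ext; do
        if [ -n "$int" ]; then
            run ${fwcmd} table 1 add "$int"
            run ${fwcmd} table 2 add "$ext"
        fi
    done

    # Configure each instance before a rule references it: a nat rule whose
    # instance does not exist denies the packet. No deny_in on instance 1,
    # otherwise libalias refuses to create the inbound entry for connections
    # to the mapped hosts. "ip" is only the fallback for unmapped sources.
    run ${fwcmd} nat 1 config ip "$ext_addr" $(onetoone_redirects)
    # 1:1 NAT on the upstream interface, both directions, mapped hosts only.
    # (The upstream router must deliver the table 2 addresses to this box.)
    run ${fwcmd} add 3000 nat 1 ip from "table(1)" to any out via "$ext_if"
    run ${fwcmd} add 3000 nat 1 ip from any to "table(2)" in via "$ext_if"

    # Hide NAT. Direction matters: ipfw hands "out" packets to the aliasing
    # path and "in" packets to the de-aliasing path, so the rule must sit on
    # the interface where 10.51/16 traffic leaves, not where it enters.
    run ${fwcmd} nat 2 config ip "$ext_addr" same_ports reset deny_in log
    run ${fwcmd} add 4000 nat 2 ip from "$hide_net" to any out via "$ext_if"
    # Flows the gateway opens from $ext_addr itself must also pass through
    # the instance, or deny_in drops their replies (no table entry).
    run ${fwcmd} add 4000 nat 2 ip from "$ext_addr" to any out via "$ext_if"
    run ${fwcmd} add 4000 nat 2 ip from any to "$ext_addr" in via "$ext_if"
}

# Dry-run by default; "sh nat-rules.sh apply" pushes the rules to the kernel.
if [ "${1:-}" = "apply" ]; then DRYRUN=; else DRYRUN=1; fi
nat_rules
```

On the three general questions: `ipfw show` (counters per rule) is the first debugging step, since a counter that rises on rule 4000 while `tcpdump -ni bge0` still shows private source addresses leaving points at the wrong direction or interface rather than at the instance; specifying addresses and `in`/`out` instead of `from any to any via` is what keeps the bge0<->em0,em2,em3 traffic out of both instances; and `skipto` is not needed to continue after a nat rule, because with `one_pass=0` ipfw resumes at the next rule number by itself, so it is only useful to jump past a block of rules you want translated packets to bypass.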