DNAT in freebsd

Paul A. Procacci pprocacci at datapipe.com
Sun Jun 30 09:16:02 UTC 2013


On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
> I think I was misunderstood...
> Here is the situation i want to handle:
> My box is a router that handles several /24 behind.
> One of my links (em0) is connected to a private network 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make that any connection comes to 192.168.0.1 to go to ip
> 193.xxx.yyy.2 using specific public ip 84.xx.yy.1
> And packets coming to my public 84.xx.yy.1 ip to be translated as came
> from 192.168.0.1 and sent to 192.168.0.2/or any other ips
> behind (192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.
>
> Sami
> On 29 June 2013 03:30, "Paul A. Procacci" <pprocacci at datapipe.com> wrote:

The answer I provided you does exactly what you want it to do.  Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate.  Here is my config that I use for my home setup.

The config:

- binds a nat instance on the primary interface
- denies all inbound SYNs, among other things
- forwards packets originating on the internal network interface through nat
- and returns packets (ACKs) to the original sender.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!/bin/sh
###################### Start of IPFW Configuration ####################
# Set rules command prefix :: Rule numbering cannot exceed 900

cmd="/sbin/ipfw -q"
pif="de0"       # Public NIC
iif="bridge0"   # Internal NIC

##############################################
# Flush current rules and do config.
$cmd -f flush
# one_pass: a packet leaving the nat instance is accepted rather than
# re-injected into the ruleset at the next rule.
$cmd enable one_pass
##############################################

# Loopback: allow lo0, refuse 127/8 on any other interface (spoofing).
${cmd} add 00001 allow all from any to any via lo0
${cmd} add 00002 deny all from any to 127.0.0.0/8
${cmd} add 00003 deny ip from 127.0.0.0/8 to any

# nat instance 1 on the public NIC:
#   log        - log translated packets
#   deny_in    - drop inbound packets that match no translation entry,
#                so unsolicited connections from outside are dropped
#   reset      - clear the translation table when the interface address changes
#   unreg_only - translate only RFC 1918 (unregistered) source addresses
#   same_ports - keep the original source port where possible
${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
# Every packet crossing the public NIC, in either direction, is handed to nat 1.
${cmd} add 00020 nat 1 all from any to any via ${pif}

# Traffic on the internal NIC is trusted.
${cmd} add 00050 allow all from any to any via ${iif}

# Default: deny and log everything else.
${cmd} add 65534 deny log all from any to any
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Again, this information is found in `man ipfw(8)` and does what you are
asking.

~Paul
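As an added example, not Paul's config and not part of the thread: the same rule structure adapted to the scenario Sami described, with the public interface name, the public address and the exposed ports as assumed placeholders. It is written as a rule generator with a dry-run mode so the set can be reviewed on any machine before it is loaded on the router.

```shell
#!/bin/sh
# Added example, not Paul's config: ipfw nat for the scenario Sami described.
# Private-side traffic leaves through one chosen public address ("ip" instead
# of "if"); selected inbound services on that address map to one internal
# host (redirect_port). Values are placeholders: the public address uses the
# 203.0.113.0/24 documentation range since the thread elides 84.xx.yy.1.
pub_if="igb0"                # placeholder: interface carrying the public address
priv_if="em0"                # the private link from the thread
public_ip="203.0.113.1"      # placeholder for the real public address
inside_host="192.168.0.2"    # neighbour on the private em0 link
services="tcp:22 tcp:443"    # only these ports are exposed inbound

# Emit the rule set as text so it can be reviewed before it is loaded.
# unreg_only: only RFC 1918 sources are rewritten, so the public /24s routed
# behind the box pass through untouched. deny_in: inbound packets with no
# translation entry are dropped; the redirect_port entries are static.
gen_rules() {
    redirects=""
    for svc in ${services}; do
        proto="${svc%%:*}"; port="${svc##*:}"
        redirects="${redirects} redirect_port ${proto} ${inside_host}:${port} ${public_ip}:${port}"
    done
    cat <<EOF
-f flush
enable one_pass
add 00001 allow all from any to any via lo0
add 00002 deny all from any to 127.0.0.0/8
add 00003 deny ip from 127.0.0.0/8 to any
nat 1 config ip ${public_ip} log deny_in same_ports unreg_only${redirects}
add 00020 nat 1 all from any to any via ${pub_if}
add 00050 allow all from any to any via ${priv_if}
add 65534 deny log all from any to any
EOF
}

# Feed each line to ipfw(8). With DRY_RUN=1 the commands are only printed,
# which is how the set is checked on a machine that is not the router.
apply_rules() {
    gen_rules | while IFS= read -r line; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '/sbin/ipfw -q %s\n' "${line}"
        else
            /sbin/ipfw -q ${line}   # unquoted on purpose: words are arguments
        fi
    done
}
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `DRY_RUN=1 sh script.sh apply` to print the ipfw invocations without touching the firewall; rule 20 is terminal under one_pass, so the inbound policy for the public side lives in the nat instance itself.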
