docs/95262: Correction to handbook section 26.5.20 Port Redirection

Joe fbsd_user at a1poweruser.com
Mon Apr 3 13:00:57 UTC 2006 

>Number:         95262
>Category:       docs
>Synopsis:       Correction to handbook section 26.5.20 Port Redirection
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 03 13:00:34 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Joe
>Release:        6.0
>Organization:
none
>Environment:
>Description:
Content of section is totally incorrect.
>How-To-Repeat:

>Fix:
Replace section with this content.

An very common practice is to have a web server, email server, database server or domain name server each segregated to a different PC on the LAN. Any traffic originating from those servers destine for the public internet would pass out the firewall on keep state rules automatically controlling the bidirectional exchange of packets for the duration of the session conversation. Due to the nature of these servers they also need to receive unsolicited inbound traffic from the public internet. The problem is how to direct this unsolicited inbound traffic to the correct target PC on the LAN?

For this purpose we use the NAT 'rdr' directive in the /etc/ipnat.rules file to instruct where to redirect (or route) a particular packet to on the NAT'ed LAN.

For example, lets say your web server resides on the LAN and you want it to be accessible from the public internet. The NAT rules file would need a additional rule added after the MAP rules to handle this. You would code the rule like this:


        rdr xl0 0.0.0.0/0 port 80 -> 10.0.10.5 port 80



"rdr" = the command which provides the selection information and target redirect information. 

"xl0" = is the network interface that is connected to the public internet.

"0.0.0.0/0" = is a special aliases which means any source IP address contained in the inbound packet traveling the interface is to be selected for testing. The other special aliases |0.32|, |0/0| and |0/32|, only work in IPNAT's map and bimap rules. They do NOT work in IPF rules, or in IPNAT rdr rules and 0.0.0.0/0 only works in rdr rules. Beware how and where you use these special aliases as incorrect usage generates no errors. 

"port 80" = is the destination port number that has to be matched in the inbound packet to select the candidate packet to be redirected. The number "80" don't have to be used. You can use "port www" to specify a redirection of port 80. If you would like to use a name instead of a number, the service name and corresponding port, must exist in the file /etc/services.

"->" = Mandatory arrow symbol used to distinguish between the rule selection information side and the redirect information side of the rule.
 
"10.0.10.5" = the IP address of the LAN PC which the matched packets are to be targeted to. The netmask defaults to "/32" and therefore should not be coded.

"port 80" - this is the port number value to substitute in the destination port number of the redirected packet. You could make it 8088 and tell the web server on 10.0.10.5 to listen on that port number. If omitted the destination port number goes unchanged.

The above IPNAT redirect rule says that any inbound packet that has not already had it's destination IP address translated by earlier MAP rules will then have it's destination port tested for match to the port number on the left of the mandatory arrow symbol, if  matched, the packet's destination IP address and port number are over written with the values on the right of the mandatory arrow symbol and then released for processing against the firewall rules. NAT then posts an entry in its internal NAT table so when the packet returns after first being processed by the firewall rules on it's outbound journey it can have it's private LAN IP address mapped back to your gateway's public routable IP address. After reloading the NAT rules, the redirection will start immediately.

Depending on how tightly or loosely you control the services by firewall rules the redirected packet may require a firewall rule to let it pass. 
Such as this for the above example:

pass in quick on xl0 proto tcp from any to 10.0.10.5 port = 80 flags S keep state

The main thing to remember is the firewall rules only sees the non-public routable private LAN IP address. The NAT function happens after the outbound packet has been processed by the firewall and before the inbound packet gets to the firewall.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-doc mailing list