NAT for one, or more IP
Patrick Tracanelli
eksffa at freebsdbrasil.com.br
Tue Mar 30 12:59:09 PST 2004
Divert the incoming packets from your network to the registered IP you
want to translate your unregistered network to, and on the other hand,
divert the outgoing packets from your network to any destination (or
non-public one, say the internet).
01200 69 30884 divert 8668 ip from any to 200.40.30.77 in
01300 81718 15592449 divert 8668 ip from 192.168.2.0/28 to any out
You may create this kind of rule for both networks and hosts, or even a
set of hosts/networks (say, with an or-block).
You may even FWD packets in such a way that ipfw would act like a
"next-hop" router, and set up policy routing based on source/destination
and services (ports).
Here, we have a set of rules that
[skip]
00300 6116 7935516 divert 8668 ip from any to 200.30.40.67 in
00400 21832 20430068 divert 8668 ip from any to 200.30.40.68 in
00500 20382 20217368 divert 8668 ip from any to 200.30.40.69 in
[skip]
01300 81718 15592449 divert 8668 ip from 192.168.2.0/28 to any out
01400 3959 258874 fwd 200.30.40.65 ip from 200.30.40.67 to any
01500 20052 6124430 fwd 200.30.40.65 ip from 200.30.40.68 to any
01600 18071 2967705 fwd 200.30.40.65 ip from 200.30.40.69 to any
[skip]
02300 62364 7935516 divert 8669 ip from any to 200.30.40.195 in
02400 97345 20430068 divert 8669 ip from any to 200.30.40.196 in
02500 75345 20217368 divert 8669 ip from any to 200.30.40.197 in
[skip]
03300 817181 15592449 divert 8669 ip from 10.0.2.0/24 to any out
03400 3793 258874 fwd 200.30.40.193 ip from 200.30.40.195 to any
03500 88034 6124430 fwd 200.30.40.193 ip from 200.30.40.196 to any
03600 9635 2967705 fwd 200.30.40.193 ip from 200.30.40.197 to any
[skip]
In this specific case it is a multi-homed scenario where each unregistered
network goes out on a different link (gateway) and the default flow
goes, obviously, via the default gateway on the system (in this case,
they are not unregistered networks, but a third registered network).
NAT in this scenario is STATIC (that is why the rules are translated to
many different IPs), say:
# $ natd2.conf $ Patrick Tracanelli
# patrick at freebsdbrasil.com.br
#
interface fxp0
same_ports yes
use_sockets yes
punch_fw 00001:99
log_ipfw_denied yes
redirect_address 192.168.2.2 200.30.40.67
redirect_address 192.168.2.3 200.30.40.68
redirect_address 192.168.2.4 200.30.40.69
...
[skip]
There are 2 natd instances, running on port 8669 and the default one
(8668); everything else goes via the default route (the third link).
There are other simple examples that may fit your needs better; you
might take a look at the following thread:
http://www4.fugspbr.org/lista/html/FUG-BR/2004-03/msg00149.html
Although it's in Portuguese, the rules are there.
--
Regards,
Patrick Tracanelli
FreeBSD Brasil LTDA.
The FreeBSD pt_BR Documentation Project
http://www.freebsdbrasil.com.br
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
More information about the freebsd-ipfw mailing list
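An added example, written by the editor and not taken from the post above or from the FreeBSD project: a small sh script that generates, for one link, the three pieces the message combines by hand (inbound divert per registered address, outbound divert for the private network, and the fwd rules that act as the per-link next hop), plus the matching natd.conf with redirect_address lines. It also checks the one ordering detail that bites in practice: natd reinjects the translated packet at the rule after the divert, so the fwd rules matching the registered source must be numbered after the outbound divert. The rule base numbers, the interface name fxp1, the helper names and the 10.0.2.x host-to-address mapping for the second link are assumptions made for illustration (the post only shows the registered side of that link).

```sh
#!/bin/sh
# Added example (editor's, not code from the original post or from FreeBSD):
# generate the per-link ipfw rules and natd.conf for the static-NAT plus
# policy-routing layout in the message above.  Rule base numbers, the
# interface name fxp1, the PRIV:PUB mapping table and the helper names are
# assumptions made for illustration; substitute your own values.

# gen_rules BASE NATD_PORT GATEWAY PRIVNET "PRIV1:PUB1 PRIV2:PUB2 ..."
# Prints the ipfw rules for one link in ipfw(8) "add" syntax, numbered
# BASE+100, BASE+200, ... so they can be pasted into an ipfw rules file.
gen_rules() {
    base=$1 port=$2 gw=$3 privnet=$4 maps=$5
    n=$base
    # 1. Inbound: hand every registered address to this link's natd, which
    #    rewrites the destination to the private host (redirect_address).
    for m in $maps; do
        pub=${m#*:}
        n=$((n + 100))
        printf 'add %05d divert %s ip from any to %s in\n' "$n" "$port" "$pub"
    done
    # 2. Outbound: the whole private network goes through the same natd,
    #    which rewrites the source to its registered address.
    n=$((n + 100))
    printf 'add %05d divert %s ip from %s to any out\n' "$n" "$port" "$privnet"
    # 3. Policy routing.  natd reinjects the translated packet at the rule
    #    after the divert, so a fwd rule matching the registered source must
    #    sit after that divert; it then pushes the packet to this link's
    #    gateway instead of the system default route.
    for m in $maps; do
        pub=${m#*:}
        n=$((n + 100))
        printf 'add %05d fwd %s ip from %s to any\n' "$n" "$gw" "$pub"
    done
}

# gen_natd_conf IFACE NATD_PORT "PRIV1:PUB1 ..."
# Prints a natd.conf for that link.  "port" makes this instance listen on
# its own divert port, which is what allows a second natd beside the
# default one on 8668.
gen_natd_conf() {
    iface=$1 port=$2 maps=$3
    printf 'interface %s\nport %s\nsame_ports yes\nuse_sockets yes\n' "$iface" "$port"
    for m in $maps; do
        printf 'redirect_address %s %s\n' "${m%%:*}" "${m#*:}"
    done
}

# check_order RULES
# Succeeds only if an outbound divert exists and every fwd rule is numbered
# after it.  A fwd rule placed before the divert sees the untranslated
# private source address and never matches, so the traffic silently takes
# the default gateway.
check_order() {
    printf '%s\n' "$1" | awk '
        / divert / && / out$/ { d = $2 + 0 }
        / fwd /               { if (d == "" || $2 + 0 <= d) bad = 1 }
        END                   { exit bad + 0 }'
}

# Second link of the post: natd on 8669, gateway 200.30.40.193, private
# network 10.0.2.0/24.  The host-to-address mapping is constructed here.
LINK2_MAPS='10.0.2.2:200.30.40.195 10.0.2.3:200.30.40.196 10.0.2.4:200.30.40.197'
LINK2_RULES=$(gen_rules 2200 8669 200.30.40.193 10.0.2.0/24 "$LINK2_MAPS")
printf '%s\n' "$LINK2_RULES"
echo
gen_natd_conf fxp1 8669 "$LINK2_MAPS"
check_order "$LINK2_RULES" || echo 'WARNING: fwd rules precede the outbound divert' >&2
```

The rule lines are what goes into the firewall's ipfw rules file; the natd.conf lines are for the second instance, started with natd -f pointing at that file. Run gen_rules once per link with a distinct base number and natd port, and keep everything that should use the system default route out of the divert/fwd ranges, as the post does for its third (registered) network.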