nathan at envieweb.net
Wed Oct 18 14:24:47 UTC 2006
Got a bit of an interesting question, wondering how others out there might
have dealt with this:

We have a single machine acting as router/firewall/NAT gateway via DSL. It
routes a small (/29) subnet of static IPs to our servers, and routes
between internal (non-public) subnets. Internet traffic is then routed via
NAT translation over the PPPoE link. We then use a proxy server to cache
most of our web traffic. Works well, and has been for several years now, but
we need to be able to deny traffic through the NAT gateway based on IP
addresses or ranges. Given the following example:

Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE ->
192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
(each of these private subnets is a physically different network, connected
via an independent ethernet interface - multiport Intel 'fxp' cards)

Internal machines -> 192.168.0.100 - 192.168.0.200
Select internal machines -> 192.168.0.10 - 192.168.0.50

Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway
(enabling internet access via NAT), but deny machines in the 192.168.0.100 -
192.168.0.200 range from using NAT - yet still allow them to use 'regular'
routes (given the example below, want to allow 192.168.0.X to connect
to/from 192.168.3.X, for instance).

So the long question shortened is: how do I deny NAT traffic for specific IP
addresses, without blocking those addresses from routing through 'normal'
routes to other subnets? Essentially, I need an IPFW rule to block traffic
from 192.168.0.X through via NAT, or don't I?

Any ideas/comments/suggestions greatly appreciated (note the above is an
example, not actual addresses).
nathan at vidican.com
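One way to get the behaviour asked for above, as an added example that is not part of the original post: ipfw evaluates rules in ascending order, so a deny rule that matches only packets leaving on the PPPoE interface, placed before the divert-to-natd rule, keeps the 192.168.0.100-200 hosts off the NAT path while their traffic to the other private subnets (which leaves on an fxp interface, not the PPPoE one) never matches it. The interface name tun0, the rule numbers, natd listening on its default divert port, and the ipfw address-set syntax 192.168.0.0/24{100-200} are assumptions for this example; the script prints the commands by default and only loads them when IPFW is pointed at the real binary.

```sh
#!/bin/sh
# Added example (not from the original post): keep a range of hosts off the
# NAT path while leaving routing between the private subnets untouched.
# Assumptions: tun0 is the PPPoE interface, natd listens on its default
# divert port, and the FreeBSD version in use accepts ipfw's
# addr/masklen{list} address-set syntax.

EXT_IF="${EXT_IF:-tun0}"                  # assumed PPPoE interface that carries NAT'd traffic
NONAT_HOSTS='192.168.0.0/24{100-200}'     # hosts whose last octet is 100..200 (assumed syntax)
IPFW="${IPFW:-echo ipfw}"                 # dry-run by default; IPFW=/sbin/ipfw loads for real

load_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    # Hosts that must not use the gateway's NAT: drop their packets on the
    # way out of the PPPoE link, before the divert rule below can hand them
    # to natd.  Packets for 192.168.3.x leave via the fxp interface for that
    # subnet, not via tun0, so they never match this rule and route normally.
    $IPFW add 200 deny log ip from "$NONAT_HOSTS" to any out xmit "$EXT_IF"
    # Everything else crossing the PPPoE link is translated by natd.
    $IPFW add 300 divert natd ip from any to any via "$EXT_IF"
    $IPFW add 65000 allow ip from any to any
}

# Sanity check on the generated rules (no ipfw needed): the deny rule must
# carry a lower number than the divert rule, otherwise natd translates the
# packet first and the deny rule never sees the private source address.
deny_precedes_divert() {
    load_ruleset | awk '
        / deny /   { deny = $3 }
        / divert / { divert = $3 }
        END { exit !(deny && divert && deny + 0 < divert + 0) }'
}

# Usage: sh nonat.sh            prints the rules that would be loaded
#        IPFW=/sbin/ipfw sh nonat.sh   loads them on the router
deny_precedes_divert && load_ruleset
```

The deny rule is logged so that blocked hosts show up in the firewall log rather than silently losing connectivity, which makes it easy to confirm the policy is hitting the intended addresses and nothing else.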