LinuxQuestions.org
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.
Old 05-12-2009, 07:01 AM   #1
k1piee
LQ Newbie
 
Registered: Jul 2005
Distribution: Debian squeeze
Posts: 11

Rep: Reputation: 0
IPFW and NAT


Hi!

I'm in need of a little help with my firewall on my FreeBSD 7.0 server.
I have OpenVPN installed and have it configured as a routed VPN.
Now I want to NAT all the traffic that comes from tun0 so it can reach the internet on vr0, but I'm not exactly sure how to do that.

My firewall looks like this atm:
(/usr/local/etc/ipfw.rules)

Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ssh (22), http (80), openvpn (1194) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out
$IPF 210 allow udp from any to any 1194 in
$IPF 215 allow udp from any to any 1194 out

# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF 300 allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
$IPF 500 deny log all from any to any
Is there anyone who knows what to do and can help me with this?
 
Old 05-13-2009, 07:01 AM   #2
k1piee
LQ Newbie
 
Registered: Jul 2005
Distribution: Debian squeeze
Posts: 11

Original Poster
Rep: Reputation: 0
I think I've found out how to NAT it now.

Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# NAT
$IPF 90 divert natd ip from 10.9.0.0/24 to any via vr0
$IPF 100 divert natd ip from any to 10.9.0.0/24 via vr0

# open port ftp (20,21), ssh (22), mail (25)
# http (80) etc
$IPF 130 allow tcp from any to any 21 in
$IPF 140 allow tcp from any to any 21 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out
$IPF 170 allow tcp from any to any 1024-1100 in
$IPF 180 allow tcp from any to any 1024-1100 out
$IPF 190 allow tcp from any to any 3784 in
$IPF 195 allow tcp from any to any 3784 out
$IPF 200 allow tcp from any to any 8989 in
$IPF 205 allow tcp from any to any 8989 out
$IPF 210 allow tcp from any to any 25 in
$IPF 215 allow tcp from any to any 25 out
$IPF 220 allow tcp from any to any 110 in
$IPF 225 allow tcp from any to any 110 out
$IPF 230 allow tcp from any to any 995 in
$IPF 235 allow tcp from any to any 995 out
$IPF 240 allow tcp from any to any 993 in
$IPF 245 allow tcp from any to any 993 out
$IPF 250 allow tcp from any to any 443 in
$IPF 255 allow tcp from any to any 443 out
$IPF 256 allow tcp from any to any 465 in
$IPF 257 allow tcp from any to any 465 out
$IPF 260 allow tcp from any to any 3306 in
$IPF 265 allow tcp from any to any 3306 out
$IPF 280 allow tcp from any to any 7500-8000 in
$IPF 285 allow tcp from any to any 7500-8000 out
$IPF 290 allow udp from any to any 1194 in
$IPF 295 allow udp from any to any 1194 out
$IPF 296 allow tcp from any to any 1194 in
$IPF 297 allow tcp from any to any 1194 out



# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF 300 allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
#$IPF 499 divert natd ip from any to any out via vr0
But the problem is that it doesn't seem to work.
Is there something else I have to do to get NAT to work?
Start something, or change something with sysctl?
 
Old 06-02-2009, 05:28 PM   #3
Fin7PL
Member
 
Registered: Mar 2005
Location: Finland
Distribution: FreeBSD 9.0
Posts: 59

Rep: Reputation: 16
Do you have natd running? Do you have DIVERT compiled into the kernel?

Also, I remember having the DIVERT rule as the first thing, or right after the loopback rules.

Code:
options IPFIREWALL
options IPDIVERT
The last line enables NAT in the kernel config.

This might be useful, I don't know. I prefer to use the PF firewall, and it has been a long time since I've used IPFW.
http://www.freebsddiary.org/ipfw.php

Code:
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
I think with these lines you are already allowing everything out on your NICs. What does ipfw show display?

Last edited by Fin7PL; 06-02-2009 at 05:40 PM.
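The thread never arrives at a working ruleset, so here is one, added for this page and written by neither poster. It uses the interface and subnet names from post #2 (vr0, tun0, 10.9.0.0/24); the rule numbers, the service list (ssh, http, OpenVPN) and the choice of natd over in-kernel ipfw nat are assumptions. It addresses the two ordering problems visible in post #2. First, rule 70 (allow all from any to any out keep-state) accepts a VPN client's packet before rule 90 can divert it, so the packet leaves vr0 with its 10.9.0.x source address untranslated. Second, rule 100 (divert natd ip from any to 10.9.0.0/24 via vr0) can never match a reply: replies arrive on vr0 addressed to vr0's own address and only become "to 10.9.0.0/24" after natd has rewritten them. The inbound divert therefore has to be the first rule that sees vr0 traffic, and the outbound divert has to sit after a keep-state rule that records the real address, which is what the skipto below does. As Fin7PL says, natd must actually be running and the kernel needs IPFIREWALL and IPDIVERT; the rc.conf lines in the header comment, including gateway_enable (the sysctl the original poster asks about), are the other half.

```shell
#!/bin/sh
# /usr/local/etc/ipfw.rules -- added example, not the original poster's script.
# Stateful ipfw ruleset with natd for a FreeBSD 7.x box that routes an OpenVPN
# "routed" subnet (tun0, 10.9.0.0/24) out through the public interface vr0.
# Interface and subnet names come from the thread; the rule numbers, the
# service set and the use of natd (not in-kernel "ipfw nat") are assumptions.
#
# What this script does not do, and what post #2 was missing (in /etc/rc.conf):
#   gateway_enable="YES"      # net.inet.ip.forwarding=1: forward tun0 <-> vr0
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="vr0"      # natd aliases to vr0's address, divert port "natd"
# plus a kernel with options IPFIREWALL and IPDIVERT (or ipfw.ko + ipdivert.ko).

EXT_IF="vr0"            # public interface (from the post)
VPN_IF="tun0"           # OpenVPN routed interface (from the post)
VPN_NET="10.9.0.0/24"   # OpenVPN client subnet (from the post's divert rules)

# rule N ... prints one rule line; gen_rules emits the whole set so it can be
# reviewed (or linted on a box without ipfw) before load_rules feeds it to ipfw.
rule() { printf '%s\n' "$*"; }

gen_rules() {
    rule 10 allow ip from any to any via lo0
    rule 20 deny ip from any to 127.0.0.0/8
    rule 30 deny ip from 127.0.0.0/8 to any

    # NAT, inbound half: un-translate everything arriving on vr0 BEFORE any
    # other rule sees it.  Replies arrive addressed to vr0's own address, so a
    # "to 10.9.0.0/24" rule (post #2, rule 100) can never match them.
    rule 50 divert natd ip from any to any in via $EXT_IF

    # Dynamic rules created by the keep-state rules below are matched here:
    # after inbound un-NAT, before outbound NAT.
    rule 60 check-state

    # Tunnel side: VPN clients may enter and be routed; host replies go back.
    rule 100 allow ip from $VPN_NET to any in via $VPN_IF
    rule 110 allow ip from any to $VPN_NET out via $VPN_IF

    # NAT, outbound half.  keep-state records the untranslated 10.9.0.x address
    # and then skips to the divert rule.  A plain "allow ... out keep-state"
    # (post #2, rule 70) accepts the packet here and it leaves untranslated.
    rule 200 skipto 1000 tcp from $VPN_NET to any out via $EXT_IF setup keep-state
    rule 210 skipto 1000 udp from $VPN_NET to any out via $EXT_IF keep-state
    rule 220 skipto 1000 icmp from $VPN_NET to any out via $EXT_IF keep-state

    # The host's own traffic needs no translation.
    rule 300 allow ip from me to any out via $EXT_IF keep-state

    # Services offered on the public side (assumed set: ssh, http, OpenVPN).
    rule 400 allow tcp from any to me 22 in via $EXT_IF setup keep-state
    rule 410 allow tcp from any to me 80 in via $EXT_IF setup keep-state
    rule 420 allow udp from any to me 1194 in via $EXT_IF keep-state
    rule 430 allow icmp from any to any icmptypes 0,3,4,8,11

    # Everything else is dropped and logged (the skipto rules jump over this).
    rule 900 deny log ip from any to any

    # skipto target: translate the source address, then accept.
    rule 1000 divert natd ip from any to any out via $EXT_IF
    rule 1010 allow ip from any to any
}

load_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        # dry run on a machine without ipfw: show what would be loaded
        echo "ipfw not found; printing the ruleset instead of loading it" >&2
        gen_rules
        return 0
    fi
    ipfw -q -f flush
    gen_rules | while read -r line; do
        # word splitting of $line is intended: each word is an ipfw token
        ipfw -q add $line
    done
}

# "sh ipfw.rules show" prints the set; anything else (including the
# firewall_type argument rc.d/ipfw passes) installs it.
if [ "${1:-}" = "show" ]; then
    gen_rules
else
    load_rules
fi
```

Before blaming the rules, check that sysctl net.inet.ip.forwarding returns 1, that pgrep natd finds the daemon, and that the packet counters ipfw show prints for rules 50 and 1000 increase while a VPN client browses; if 1000 never counts, the outbound packets are being accepted by an earlier rule, as in post #2. The same ordering applies if the two divert rules are replaced by in-kernel nat rules (ipfw nat 1 config if vr0, then nat 1 in place of divert natd), with one extra caveat: net.inet.ip.fw.one_pass must then be 0, otherwise the packet is accepted immediately after translation and the inbound check-state is never reached.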
Tags
nat, vpn