IPFW and NAT

k1piee · 05-12-2009, 07:01 AM

Hi!

I'm in need of little help with my firewall on my FreeBSD 7.0 server.
I have OpenVPN installed and have it configured with routed vpn.
Now I want to NAT all the traffic that comes from tun0 so it can reach the internet on vr0, but I'm not exactly sure how to do that..

My firewall looks like this atm:
(/usr/local/etc/ipfw.rules)

Code:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ssh (22), http (80), openvpn (1194) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out
$IPF 210 allow udp from any to any 1194 in
$IPF 215 allow udp from any to any 1194 out

# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
$IPF 500 deny log all from any to any

Is there anyone that knows what to do and can help me with this?

k1piee · 05-13-2009, 07:01 AM

I think I've found how to nat it now

Code:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# NAT
$IPF 90 divert natd ip from 10.9.0.0/24 to any via vr0
$IPF 100 divert natd ip from any to 10.9.0.0/24 via vr0

# open port ftp (20,21), ssh (22), mail (25)
# http (80) etc
$IPF 130 allow tcp from any to any 21 in
$IPF 140 allow tcp from any to any 21 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out
$IPF 170 allow tcp from any to any 1024-1100 in
$IPF 180 allow tcp from any to any 1024-1100 out
$IPF 190 allow tcp from any to any 3784 in
$IPF 195 allow tcp from any to any 3784 out
$IPF 200 allow tcp from any to any 8989 in
$IPF 205 allow tcp from any to any 8989 out
$IPF 210 allow tcp from any to any 25 in
$IPF 215 allow tcp from any to any 25 out
$IPF 220 allow tcp from any to any 110 in
$IPF 225 allow tcp from any to any 100 out
$IPF 230 allow tcp from any to any 995 in
$IPF 235 allow tcp from any to any 995 out
$IPF 240 allow tcp from any to any 993 in
$IPF 245 allow tcp from any to any 993 out
$IPF 250 allow tcp from any to any 443 in
$IPF 255 allow tcp from any to any 443 out
$IPF 250 allow tcp from any to any 465 in
$IPF 255 allow tcp from any to any 465 out
$IPF 260 allow tcp from any to any 3306 in
$IPF 265 allow tcp from any to any 3306 out
$IPF 280 allow tcp from any to any 7500-8000 in
$IPF 285 allow tcp from any to any 7500-8000 out
$IPF 290 allow udp from any to any 1194 in
$IPF 295 allow udp from any to any 1194 out
$IPF 296 allow tcp from any to any 1194 in
$IPF 297 allow tcp from any to any 1194 out



# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
#$IPF 499 divert natd ip from any to any out via vr0

But the problem is that it doesnt seem to work..
Is there something else I have to do to get NAT to work?
Start something or change something with sysctl?

Fin7PL · 06-02-2009, 05:28 PM

Do you have natd running, you have DIVERT compiled in kernel?.

Also i remember having DIVERT rule the first thing or right after LOOP BACK rules.

Code:

options IPFIREWALL
options IPDIVERT

Last line enables nat in kernel config.

This might be useful i dunno. I prefer to use PF firewall and there has been a long time since i've used IPFW.
http://www.freebsddiary.org/ipfw.php

Code:

$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state

I think with these lines you are allowing everything out already on your NIC's. What does ipfw show display.