Hello.
I'm playing around with ipfw nat functionality. I've met unexpected problems with functions like redirect_proto and redirect_addr. Also there is unclear behaviour with locally initiated connections passing through nat.
I have a testing environment that consists of three systems: one of them I use as a "Client", the second is the "NAT router" and the third is the "ISP gateway".
Code:
(Client)<--192.168.1.0/24-->(NAT)<--1.2.3.0/24-->(ISP)
client's nic: 192.168.1.2
nat's private nic: 192.168.1.1
nat's public nic: 1.2.3.100
ISP gateway nic: 1.2.3.122
net.inet.ip.fw.one_pass=1
ipfw config:
Code:
add check-state
add allow ip from any to any via fxp0
add deny ip from any to 192.168.0.0/16 in recv em0
add deny ip from 192.168.0.0/16 to any in recv em0
add allow tcp from any to me 6881
add allow udp from any to me 4444
add allow icmp from me to any out keep-state
add allow tcp from me to any out keep-state
add allow udp from me to any out keep-state
nat 1 config if em0 deny_in unreg_only reset
add nat 1 all from any to any via em0
add deny ip from any to any
So, the problems are the following:
- I'm unable to use only nat rules without keep-state rules. If I do so, then I'm unable to initiate TCP sessions from the NAT machine. At the same time it looks like UDP connections initiated from the NAT work just fine, and the client's traffic that passes through the nat also works just fine. So this is why I have to catch all local traffic with keep-state rules. Why is it so? Linux iptables has the ability to nat both (client+router) traffic at once. Here is a tcpdump of a locally initiated connection from the nat to the ISP (routing settings are fine there, if anything... both of them use each other as default gw):
Code:
# tcpdump -i 2 -v -n -l ip
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
14:27:29.314586 IP (tos 0x0, ttl 64, id 13378, offset 0, flags [DF], proto TCP (6), length 60) 1.2.3.100.54713 > 1.2.3.122.1234: S, cksum 0xa1c0 (incorrect (-> 0x5599), 2816946197:2816946197(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 14851438 0>
14:27:29.314817 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 1.2.3.122.1234 > 1.2.3.100.54713: R, cksum 0x5bb5 (correct), 0:0(0) ack 2816946198 win 0
^C
2 packets captured
6 packets received by filter
0 packets dropped by kernel
- I'm unable to perform redirect_proto or redirect_addr. At the same time, redirect_port rules work just fine with single ports and also with redirection of a range of ports... Sitting at the ISP gateway console, I try to trigger the redirect_proto and redirect_addr actions with all of these examples of nat configuration (none of them works for me):
Code:
ipfw nat 1 config if em0 deny_in unreg_only reset redirect_proto tcp 192.168.1.2 1.2.3.100 1.2.3.122
ipfw nat 1 config if em0 deny_in unreg_only reset redirect_proto tcp 192.168.1.2 1.2.3.100
ipfw nat 1 config if em0 deny_in unreg_only reset redirect_proto tcp 192.168.1.2
ipfw nat 1 config redirect_proto tcp 192.168.1.2 1.2.3.100
ipfw nat 1 config if em0 deny_in unreg_only reset redirect_addr 192.168.1.2 1.2.3.100
ipfw nat 1 config if em0 deny_in unreg_only reset redirect_addr 192.168.1.2 0.0.0.0
ipfw nat 1 config if em0 redirect_addr 192.168.1.2 1.2.3.100
ipfw nat 1 config redirect_addr 192.168.1.2 1.2.3.100
ipfw nat 1 config redirect_addr 192.168.1.2 0.0.0.0
- What about the proxy_only option? natd also has a proxy_rule option but ipfw nat does not. How do I use proxy_only in ipfw nat?
Any clue, please?
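Editor's note, added below the post: the script that follows is an added example and not the poster's configuration. It is an rc.firewall-style generator for the NAT box described above, written to make two things explicit that the post leaves implicit: the exact redirect_port / redirect_addr / redirect_proto syntax as ipfw(8) documents it, and how rule ordering interacts with net.inet.ip.fw.one_pass=1 (the nat rule is terminal, so anything that must be translated has to reach it before an allow rule catches it). Interface names, addresses and the two service ports (tcp/6881, udp/4444) are taken from the post; the gre redirect, the rule numbers and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (the editor's, not the original poster's configuration):
# an rc.firewall-style generator for the NAT box in the post.  Interface
# names, addresses and the two service ports (tcp/6881, udp/4444) come
# from the post; the gre redirect and the rule numbers are assumptions.

PRIV_IF="fxp0"            # client side
PUB_IF="em0"              # ISP side, address 1.2.3.100
CLIENT="192.168.1.2"      # host that receives the redirects

# The nat instance.  Redirects are part of the nat *config*, not rules.
# Syntax, as documented in ipfw(8):
#   redirect_port  proto targetIP:targetPORT[-targetPORT] \
#                  [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
#   redirect_addr  localIP publicIP      (static 1:1 NAT, normally for a spare public address)
#   redirect_proto proto localIP [publicIP [remoteIP]]
nat_config() {
    printf 'nat 1 config if %s deny_in unreg_only reset' "$PUB_IF"
    printf ' redirect_port tcp %s:6881 6881' "$CLIENT"
    printf ' redirect_port udp %s:4444 4444' "$CLIENT"
    # redirect_proto matches on the IP protocol number alone, so it is
    # meant for port-less protocols; "redirect_proto tcp" as tried in the
    # post claims every incoming TCP packet for the public address.
    printf ' redirect_proto gre %s\n' "$CLIENT"
}

# Ruleset.  ipfw stops at the first terminal rule, and with
# net.inet.ip.fw.one_pass=1 the nat rule is terminal too, so ordering
# decides what gets translated:
#   - an allow rule placed before the nat rule short-circuits it: an
#     "allow tcp from any to me 6881" ahead of the nat rule would deliver
#     port 6881 to the NAT box itself instead of to the redirect target;
#   - the keep-state rules for the box's own traffic sit before the nat
#     rule, so that traffic (and its replies, via the dynamic rules)
#     bypasses the translator entirely, as in the post's arrangement.
firewall_rules() {
    cat <<EOF
add 100 check-state
add 200 allow ip from any to any via $PRIV_IF
add 300 deny ip from any to 192.168.0.0/16 in recv $PUB_IF
add 301 deny ip from 192.168.0.0/16 to any in recv $PUB_IF
add 400 allow icmp from me to any out keep-state
add 401 allow tcp from me to any out keep-state
add 402 allow udp from me to any out keep-state
add 500 nat 1 ip from any to any via $PUB_IF
add 65000 deny ip from any to any
EOF
}

# Line number of the first generated rule matching the pattern in $1;
# lets a script (or a test) assert the ordering before touching the kernel.
rule_index() {
    firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Load the configuration.  Only meaningful on a FreeBSD host with ipfw;
# anywhere else it refuses rather than failing half way.
apply() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    sysctl net.inet.ip.fw.one_pass=1 >/dev/null
    ipfw -q -f flush
    # word splitting of $line is intentional: each line is one ipfw command
    { nat_config; firewall_rules; } | while read -r line; do
        ipfw -q $line
    done
}

# What the kernel actually installed: the redirects as ipfw parsed them,
# and the static rules together with the dynamic (keep-state) entries.
verify() {
    ipfw nat 1 show config
    ipfw -d list
}

# Usage (on the NAT box, as root):  . ./natbox.sh && apply && verify
# From the ISP machine, "nc -vz 1.2.3.100 6881" exercises the tcp/6881 redirect.
```

The generator keeps the poster's deny_in / unreg_only / reset options unchanged and only moves the service redirects into the nat config, where ipfw(8) expects them; rule_index exists so the ordering constraints in the comments can be checked mechanically before the ruleset is loaded.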