IPFW In-Kernel NAT Port forwarding question

Code:
cat <<EOF> /root/ipfw
#!/bin/sh
kldload ipfw_nat
ipfw -q -f flush

ipfw -q nat 1 config if em0 redirect_port tcp Public_IP_address:22 2222
ipfw -q add 10 nat 1 ip from any to any

ipfw -q add 00100 allow all from any to any via lo0
ipfw -q add 00200 allow icmp from any to any
ipfw -q add 00300 allow tcp from any to any 22,2222,80,443,8443,53,853 setup keep-state
ipfw -q add 00400 allow udp from any to any 53,853,4000,5000 keep-state
EOF

Code:
root@freebsd:~ # cat /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
ss5_enable="YES"

FreeBSD runs on DigitalOcean

I installed the ss5 proxy server, using TCP port 1080

The problem I encountered

In FreeBSD 13.0-RELEASE
I can forward Public_IP_address:22
and the tcp 1080 port cannot be accessed
psping my_vps_ipaddr:2222
is ok
psping my_vps_ipaddr:1080
is blocked (this is the block I need, because my ss5 has no password; I use UDP to forward tcp 1080 through kcptun)

However, in FreeBSD 12.2-RELEASE
My firewall rules are all allowed
I did not allow tcp 1080
But tcp 1080 is accessible on the public network
The same configuration and rules actually give different results on the 13.0 and 12.2 system versions
Excuse me, why is this?
 
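Added example, not code from the thread or from FreeBSD itself: a rewrite of the first post's in-kernel NAT script whose treatment of port 1080 does not depend on kernel defaults. Two defaults are worth checking on both the 12.2 and the 13.0 box before comparing them. First, `ipfw list` shows whether rule 65535 is `deny` or `allow`; the script above never adds a deny rule of its own, so anything not explicitly allowed falls through to that rule, and it is `allow` on a kernel booted with the `net.inet.ip.fw.default_to_accept` tunable set. Second, `sysctl net.inet.ip.fw.one_pass`: ipfw(8) states that a packet continues through the rules after being (de)aliased only when that sysctl is 0, so with the default of 1 a packet handled by rule 10 `nat 1 ip from any to any` leaves the ruleset there and rules 100 to 400 never see it. The version below turns one_pass off, follows the skipto layout of the FreeBSD Handbook's in-kernel NAT example, lists only the inbound ports that should be reachable, and ends in an explicit deny. Assumptions: public interface em0, the host's own public address in PUBLIC_IP (203.0.113.10 is a documentation placeholder), external port 2222 redirected to sshd on port 22 of the same host, inbound UDP 4000 and 5000 for kcptun. The same layout carries over to natd by putting the redirect_port line in natd.conf and replacing the two `nat 1` rules with `divert natd` rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: public interface
# em0, the host's own public address in PUBLIC_IP (203.0.113.10 is a
# placeholder), external port 2222 redirected to sshd on 22 of this host,
# inbound UDP 4000/5000 for kcptun, and ss5 on 1080 reachable from
# localhost only. DRY_RUN=1 prints the commands instead of running them.
PIF="${PIF:-em0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

load_rules() {
    run kldload -n ipfw_nat
    # one_pass=1 (the default) makes a packet that was just (de)aliased
    # leave the ruleset as accepted; with it off the packet continues at
    # the next rule, so the allow/deny rules below actually apply to it.
    run ipfw disable one_pass
    run ipfw -q -f flush
    run ipfw -q nat 1 config if "$PIF" reset same_ports \
        redirect_port tcp "$PUBLIC_IP:22" 2222

    run ipfw -q add 100 allow ip from any to any via lo0
    # Inbound: de-alias first, so a SYN to 2222 is already a SYN to 22
    # when the service rules are evaluated. ip4 only: the nat action
    # denies anything that is not IPv4, which would cut off all IPv6.
    run ipfw -q add 200 nat 1 ip4 from any to any in via "$PIF"
    run ipfw -q add 300 check-state
    # Outbound from this host: create state, then alias at rule 1000.
    run ipfw -q add 400 skipto 1000 tcp from me to any out via "$PIF" setup keep-state
    run ipfw -q add 410 skipto 1000 udp from me to any out via "$PIF" keep-state
    run ipfw -q add 420 allow icmp from any to any
    # Inbound services by their real (post-NAT) port; 1080 is deliberately
    # absent. skipto instead of allow, so that the replies of a redirected
    # session matched by check-state are aliased back to source port 2222
    # at rule 1000 rather than being accepted untranslated.
    run ipfw -q add 500 skipto 1000 tcp from any to me 22,80,443,8443 in via "$PIF" setup keep-state
    run ipfw -q add 510 skipto 1000 udp from any to me 4000,5000 in via "$PIF" keep-state
    # Explicit catch-all, so the outcome never depends on rule 65535.
    run ipfw -q add 600 deny log ip from any to any
    # Landing point for the skipto rules: alias outbound, then accept.
    run ipfw -q add 1000 nat 1 ip4 from any to any out via "$PIF"
    run ipfw -q add 1010 allow ip from any to any
}

# default_rule_action: read `ipfw list` on stdin and print the action of
# rule 65535 ("deny" unless net.inet.ip.fw.default_to_accept was set).
default_rule_action() {
    awk '$1 == 65535 { print $2; exit }'
}

case "${1:-}" in
    load)  load_rules ;;
    check) ipfw list | default_rule_action ;;
esac
```

Run it as `sh ipfw.sh load` (with `DRY_RUN=1` it only prints the rules) and `sh ipfw.sh check` to see what rule 65535 does on the box. Once loaded, `ipfw show` should count hits on rule 600 while psping on port 1080 from outside fails, and ss5 stays reachable from the host itself through lo0.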
What is the reason for redirecting 2222 to 22?

My firewall rules are all allowed
I did not allow tcp 1080
But tcp 1080 is accessible on the public network
You write 'firewall rules are all allowed', so something might be accessible to the public.

The same configuration and rules actually give different results on the 13.0 and 12.2 system versions
Check the list of interfaces which are used by the proxy.
I predict that the proxy just listens on the public interface instead of localhost.
 
What is the reason for redirecting 2222 to 22?
This is just an example. Sometimes I need to forward ports. For example, the Chinese government has banned certain IPs for some reason, and I need to forward the banned IP ports through Hong Kong servers.

Check the list of interfaces which are used by the proxy.
I predict that the proxy just listens on the public interface instead of localhost.
Code:
root@freebsd:~ # sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     natd       3061  3  div4   *:8668                *:*
root     sshd       3024  6  stream (not connected)
root     sshd       3019  6  stream (not connected)
root     sshd       2744  6  stream (not connected)
root     sshd       2739  6  stream (not connected)
root     sshd       2661  6  stream (not connected)
root     sshd       1099  6  stream (not connected)
root     sendmail   829   3  tcp4   127.0.0.1:25          *:*
root     sshd       826   3  tcp6   *:22                  *:*
root     sshd       826   4  tcp4   *:22                  *:*
nobody   ss5        801   4  tcp4   *:1080                *:*
root     syslogd    627   6  udp6   *:514                 *:*
root     syslogd    627   7  udp4   *:514                 *:*
root     syslogd    627   8  dgram  /var/run/log
root     syslogd    627   9  dgram  /var/run/logpriv
root     devd       533   4  stream /var/run/devd.pipe
root     devd       533   5  seqpac /var/run/devd.seqpacket.pipe
 
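The "check the list of interfaces" step above, as an added example that is not code from the thread: a script that filters `sockstat -l` output down to the tcp/udp sockets bound to the wildcard address, which is what makes a service reachable from outside on every interface regardless of the FreeBSD release. The sample input is a constructed copy of the sockstat output posted above; `exposed_listeners` and `is_exposed` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. Filters `sockstat -l` output
# down to the tcp/udp sockets bound to the wildcard address ("*:port"),
# i.e. the services that accept connections on every interface and are
# reachable from the internet unless a firewall rule blocks them.
# sockstat -l columns: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

# Constructed sample: a copy of the sockstat -l output posted above.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     natd       3061  3  div4   *:8668                *:*
root     sshd       3024  6  stream (not connected)
root     sendmail   829   3  tcp4   127.0.0.1:25          *:*
root     sshd       826   3  tcp6   *:22                  *:*
root     sshd       826   4  tcp4   *:22                  *:*
nobody   ss5        801   4  tcp4   *:1080                *:*
root     syslogd    627   6  udp6   *:514                 *:*
root     syslogd    627   7  udp4   *:514                 *:*
root     syslogd    627   8  dgram  /var/run/log'

# exposed_listeners: read sockstat -l on stdin, print "COMMAND PROTO PORT"
# for every IPv4/IPv6 tcp or udp socket whose local address is "*:port".
# Unix sockets (stream/dgram), divert sockets and sockets bound to a
# specific address such as 127.0.0.1 are left out.
exposed_listeners() {
    awk 'NR > 1 && $5 ~ /^(tcp|udp)[46]$/ && $6 ~ /^\*:/ {
            split($6, a, ":")
            print $2, $5, a[2]
        }' | sort -u
}

# is_exposed PORT: exit 0 if some wildcard tcp/udp socket listens on PORT.
is_exposed() {
    exposed_listeners | awk -v p="$1" '$3 == p { found = 1 } END { exit !found }'
}

# On the box itself:  sockstat -l | exposed_listeners
# As a check:         sockstat -l | is_exposed 1080 && echo "1080 is open on all interfaces"
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
fi
```

On the posted output this lists sshd (22), syslogd (514) and ss5 (1080) and leaves out sendmail, which is bound to 127.0.0.1:25 only; that is the difference the reply below points at, and it is the list to compare with the ports the firewall actually allows.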
I tried to use ipfw + natd for port forwarding. When I turn on the firewall, the port forwarding does not work...

Code:
root@freebsd:~ # cat /etc/rc.conf
hostname="freebsd"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
growfs_enable="YES"
sshd_enable="YES"
ss5_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="em0"
natd_flags="-f /etc/natd.conf"

Code:
root@freebsd:~ # cat /etc/natd.conf 
redirect_port tcp public_ip_addr:22 2222

Code:
cat <<EOF> /root/ipfw
#!/bin/sh
ipfw -q -f flush
ipfw -q add 00100 allow all from any to any via lo0
ipfw -q add 00200 allow icmp from any to any
ipfw -q add 00300 allow tcp from any to any 22,2222,80,443,8443,53,853 setup keep-state
ipfw -q add 00400 allow udp from any to any 53,853,4000,5000 keep-state
# 65535 is the reserved default rule; the explicit catch-all needs a lower number
ipfw -q add 65534 deny ip from any to any
EOF
 
nobody ss5 801 4 tcp4 *:1080 *:*
It looks like 'ss5' listens on all interfaces. So it might be accessible from the internet.
You can use a firewall to limit the set of permitted hosts.
Also you can try to edit the proxy configuration file to force it to listen only on localhost.

Compare it to sendmail. It listens only on localhost.
root sendmail 829 3 tcp4 127.0.0.1:25 *:*

Port forwarding with NAT is usually used to pass some traffic from the internet to the LAN behind the NAT server.
You should have a NAT rule for the reverse traffic.
Example for ipfw+natd (not kernel nat):
Code:
/root/bin/natd.conf
#torrents
redirect_port tcp 192.168.0.252:46890-46999 46890-46999
#web
redirect_port tcp 192.168.0.251:8000 60808

ipfw list:
04200 divert 8668 ip from 192.168.0.252 to not 192.168.0.0/24
05500 divert 8668 tcp from 192.168.0.251 8000 to not 192.168.0.0/24

If you want to forward some traffic between different standalone servers, just use another tool.
Try net/simpleproxy for proxying traffic between different hosts.
Install it from packages or ports if you need it.
How it works: simpleproxy -L 1.1.1.1:2222 -R 2.2.2.2:22 &
 
Thank you!
ipfw nat usually applies to a LAN

Port forwarding seems to be more convenient and faster with iptables and firewalld...

Code:
iptables -t nat -A PREROUTING -p udp --dport 8443 -j DNAT --to-destination 162.159.192.1:2408
iptables -t nat -A POSTROUTING -d 162.159.192.1 -p udp --dport 2408 -j MASQUERADE

Code:
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=public --add-forward-port=port=8443:proto=udp:toport=2408:toaddr=162.159.192.1
 