Since I have no experience at all with iptables, I am not 100 % sure about what you want to achieve. Because of two keywords in the respective command, -t nat ... -j REDIRECT, I assume that you are aiming for NAT redirection. ipfw fwd ... is not the appropriate command for NAT redirection. ipfw fwd is used for setting up transparent proxies; for example, you would need this if you wanted to set up a web cache using www/squid, and this is a different story. If you want this, or something else, then forget the rest of this writing and detail out your goals.
For setting up NAT redirection with ipfw, you need to enable ipfw_nat in the startup file /etc/rc.conf:
Code:
...
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"
...
Note that when adding NAT redirection to a stateful ipfw ruleset, you would need to enclose the stateful rules within two NAT rules as shown below. For this, I show a full configuration example, because the sequence matters. Replace <wan> with the identifier of the WAN interface and <lan> with the identifier of the LAN interface. <dest-ip-N>, <dest-port-N>, and <src-port-N> are to be replaced by the actual IP addresses and port numbers. If you don't use stateful firewall rules, one NAT rule at the beginning suffices.
Example for NAT port redirection in a stateful ipfw ruleset in the script file /etc/ipfw.conf:
Code:
#!/bin/sh
/sbin/ipfw -q flush
/sbin/ipfw -q nat 1 config if <wan> unreg_only reset \
redirect_port tcp <dest-ip-1>:<dest-port-1> <src-port-1> \
redirect_port udp <dest-ip-2>:<dest-port-2> <src-port-2>
# Allow anything within the LAN -- the interface with heaviest traffic shall come first
/sbin/ipfw -q add 10 allow ip from any to any via <lan>
/sbin/ipfw -q add 20 allow ip from any to any via lo0
# Catch spoofing from outside
/sbin/ipfw -q add 90 deny ip from any to any not antispoof in
# NAT rule for incoming packets
/sbin/ipfw -q add 100 nat 1 ip from any to any via <wan> in
/sbin/ipfw -q add 101 check-state
# Allow access to NAT redirected services listening on a LAN interface behind the NAT
/sbin/ipfw -q add 201 skipto 10000 tcp from any to any <src-port-1> via <wan> in setup keep-state
/sbin/ipfw -q add 202 skipto 10000 udp from any to any <src-port-2> via <wan> in keep-state
# Rules for outgoing traffic -- allow everything that is not explicitly denied
/sbin/ipfw -q add 1000 deny ip from not me to any 25,53 via <wan> out
# Allow all other outgoing connections
/sbin/ipfw -q add 2000 skipto 10000 tcp from any to any via <wan> out setup keep-state
/sbin/ipfw -q add 2010 skipto 10000 udp from any to any via <wan> out keep-state
# Rules for incoming traffic -- deny everything that is not explicitly allowed
/sbin/ipfw -q add 5000 allow tcp from any to me 25,80,443,587,993,995 via <wan> in setup keep-state
# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
/sbin/ipfw -q add 9998 deny tcp from any to any via <wan>
/sbin/ipfw -q add 9999 deny udp from any to any via <wan>
# NAT rule for outgoing packets
/sbin/ipfw -q add 10000 nat 1 ip from any to any via <wan> out
# Allow anything else -- just in case ipfw has not been configured as open firewall
/sbin/ipfw -q add 65534 allow ip from any to any
In a stateful NAT ruleset, the packets may pass the firewall more than once, and this needs to be enabled by a sysctl setting in /etc/sysctl.conf:
Code:
...
net.inet.ip.fw.one_pass=0
...