PF: IPTables rules conversion into PF rules.

I need to convert these iptables rules into pf rules.
iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 3080
iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j REDIRECT --to-port 3443
iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

Can anyone help?
 
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 3080
rdr on $ext_if proto tcp from any to any port 443 -> 127.0.0.1 port 3443
 
You cannot "bounce" packets out the same interface they came in on. So, if these rules simply redirect the incoming port 80 to port 3080 on the same interface, that's never going to work. Just run the service on port 80/443 or use a reverse proxy (haproxy, apache, nginx, etc.) that directs the traffic from 80 to 3080.

Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.

NAT and redirecting ports in principle work like this:
Code:
nat on enp1s0 from $localnet to any -> (enp1s0)

rdr on enp1s0 proto tcp from any to any port 80 -> 1.2.3.4 port 3080
rdr on enp1s0 proto tcp from any to any port 443 -> 1.2.3.4 port 3443
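The complete translation as a pf.conf fragment, added here as an example and not taken from any of the posts above. It uses the FreeBSD-style nat/rdr syntax of the thread, redirects to the firewall itself (the equivalent of iptables REDIRECT) as the quoted pf.conf text requires, and adds the filter rules that the nat table entries alone do not give you. Assumed, not from the thread: the internal interface name em1 and the service listening on 127.0.0.1.

```pf
# External interface from the question; internal interface is assumed.
ext_if = "enp1s0"
int_if = "em1"
localnet = $int_if:network

# iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
# (ext_if) in parentheses follows the address if it changes, e.g. on DHCP.
nat on $ext_if from $localnet to any -> ($ext_if)

# iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80  -j REDIRECT --to-port 3080
# iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j REDIRECT --to-port 3443
# REDIRECT sends traffic to the firewall itself, so the targets are 127.0.0.1,
# which is what the quoted man page allows ("or to the firewall itself").
# The services must therefore listen on 127.0.0.1:3080 and 127.0.0.1:3443.
rdr on $ext_if proto tcp from any to ($ext_if) port 80  -> 127.0.0.1 port 3080
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> 127.0.0.1 port 3443

# Caveat from the quoted man page: LAN hosts connecting to the external
# address do not pass through $ext_if, so they need their own rdr rules.
rdr on $int_if proto tcp from $localnet to ($ext_if) port 80  -> 127.0.0.1 port 3080
rdr on $int_if proto tcp from $localnet to ($ext_if) port 443 -> 127.0.0.1 port 3443

# Filtering: translation happens before filtering, so the pass rules must
# match the translated destination (127.0.0.1:3080), not the original port 80.
block in log all
pass out quick keep state
pass in on $ext_if proto tcp from any to 127.0.0.1 port { 3080, 3443 } flags S/SA keep state
pass in on $int_if proto tcp from $localnet to 127.0.0.1 port { 3080, 3443 } flags S/SA keep state
pass in on $int_if from $localnet to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s nat` afterwards to confirm the rdr entries are in place.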
 