NAT in PF

douglasfim

/etc/rc.conf
Code:
ifconfig_em0="DHCP"
ifconfig_em1="192.168.2.1"
ifconfig_em2="192.168.3.1"
ifconfig_em3="192.168.4.1"
# PF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

gateway_enable="YES"
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
I am studying PF but I still have many doubts,
and I need to get the network working.

I need to convert these iptables rules to PF:
Code:
REDE=192.168.0.0/16
# masquerade everything from the private range that leaves eth0
iptables -t nat -A POSTROUTING -s $REDE -o eth0 -j MASQUERADE
# SSH arriving for 192.168.1.102 is forwarded to the inside host 192.168.2.10
iptables -t nat -A PREROUTING -d 192.168.1.102 -p tcp --dport 22 -j DNAT --to-destination 192.168.2.10:22
This is the basic setup needed to operate the network.
 

SirDice

douglasfim said:
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
This already gets set by the "gateway_enable" in rc.conf. No need to explicitly set it.

I need to convert these iptables rules to PF:
Code:
REDE=192.168.0.0/16
iptables -t nat -A POSTROUTING -s $REDE -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 192.168.1.102 -p tcp --dport 22 -j DNAT --to-destination 192.168.2.10:22
Code:
# upstream interface; the FreeBSD box from the rc.conf above uses em0, not eth0
ext_if="em0"
rede="{ 192.168.0.0/16 }"

# MASQUERADE equivalent: ($ext_if) is re-read on every packet, so it tracks a DHCP address
nat on $ext_if from $rede to any -> ($ext_if)
# DNAT equivalent: TCP/22 for 192.168.1.102 arriving on em0 is sent to 192.168.2.10
rdr on $ext_if inet proto tcp from any to 192.168.1.102 port 22 -> 192.168.2.10 port 22
 
douglasfim

# more pf.conf
Code:
# Default rule
pass in all

# define macros for each network interface
INET=em0
ILAN1=em1
ILAN2=em2
ILAN3=em3
IP_EXT="{ 192.168.1.1 }"
REDE="{ 192.168.0.0/16 }"
#tcp_services="{ 22, 443 }"

#scrub in all

#############
# NAT Rules #
#############
nat on $INET from $REDE to any -> ($INET)

#############
# Route Rules
#############
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 22
# /etc/rc.d/pf start
Code:
Enabling pf/etc/pf.conf:18: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:23: syntax error
pfctl: Syntax error in config file: pf rules not loaded
 

DutchDaemon

'pass' is filtering, 'nat/rdr' is translation. They're in the wrong order in your ruleset.

Code:
man 5 pf.conf | less +/^STATEMENT
 
douglasfim

# more /etc/pf.conf
Code:
####################
#      MACROS      #
####################
INET=em0
#ILAN1=em1
#ILAN2=em2
#ILAN3=em3
#IP_EXT="{ 192.168.1.1 }"
REDE="{ 192.168.0.0/16 }"
#tcp_services="{ 22, 443 }"

####################
#      TABLES      #
####################

####################
#     OPTIONS      #
####################

####################
#     TRAFFIC      #
####################

####################
#     QUEUEING     #
####################

####################
#   TRANSLATION    #
####################
nat on $INET from $REDE to any -> ($INET)
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 22

####################
# PACKET FILTERING #
####################
pass in all
# /etc/rc.d/pf start
Code:
Enabling pf/etc/pf.conf:32: syntax error
pfctl: Syntax error in config file: pf rules not loaded
 
douglasfim

I changed

Code:
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 22
to
Code:
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 port 22
and everything worked, but I lost the SSH connection.
How do I allow the SSH connection?

Code:
pass in all
did not allow everything.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,954
Messages: 11,352

If 192.168.2.2 is behind a different interface, you'll probably need to allow 'pass out' on that one. Also make sure you have
Code:
set skip on lo0
somewhere. Without free traffic over loopback almost everything starts acting strange.

Setting up pflog(4) and running tcpdump(1) on the interfaces and on pflog is the first step in troubleshooting.
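Putting the thread's pieces together (the nat/rdr translation in SirDice's reply, the section order from DutchDaemon's first reply, and the 'pass out' and 'set skip on lo0' advice directly above), here is a complete pf.conf as an added example; it is not code from any post in this thread. It assumes the interface layout from the OP's rc.conf (em0 upstream on DHCP, em1/em2/em3 serving 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24) and uses 192.168.2.2 as the SSH target the OP chose. It narrows the NAT source from 192.168.0.0/16 to those three subnets and replaces `pass in all` with a default-deny ruleset, which is more than the thread asked for.

```pf
# /etc/pf.conf  (added example; assumptions: em0 upstream, em1-em3 inside,
#                192.168.2.2 is the inside SSH host)

####################
#      MACROS      #
####################
ext_if   = "em0"
int_ifs  = "{ em1, em2, em3 }"
lan_nets = "{ 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }"
ssh_host = "192.168.2.2"

####################
#     OPTIONS      #
####################
# Loopback must flow freely or local daemons misbehave.
set skip on lo0
# Silently drop instead of sending RST/ICMP for blocked packets.
set block-policy drop

####################
#  NORMALIZATION   #
####################
scrub in all

####################
#   TRANSLATION    #
####################
# MASQUERADE: rewrite LAN sources to em0's current address.
# The parentheses make PF re-read the address, which matters with DHCP.
nat on $ext_if inet from $lan_nets to any -> ($ext_if)

# DNAT: TCP/22 arriving for em0's own address goes to the inside host.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 22 -> $ssh_host port 22

####################
# PACKET FILTERING #
####################
# Default deny; everything below opens specific paths. Replaces "pass in all".
block log all

# LAN hosts may go anywhere (including to the gateway itself), and replies
# plus traffic forwarded towards a LAN may leave on the inside interfaces.
pass in  quick on $int_ifs inet from $lan_nets to any       keep state
pass out quick on $int_ifs inet from any       to $lan_nets keep state

# Filtering sees the *translated* destination, so the forwarded SSH session
# must be passed to the inside host's address, not to em0's address.
pass in on $ext_if inet proto tcp from any to $ssh_host port 22 flags S/SA keep state

# NATed LAN traffic and the gateway's own connections may leave via em0.
pass out on $ext_if inet from any to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading (`-n` parses without applying) and then `service pf reload`. Two points worth keeping in mind: PF filters on the translated address, so the forwarded SSH session has to be passed to $ssh_host rather than to em0's address; and because the rdr captures every TCP/22 connection arriving on em0, the gateway's own sshd is no longer reachable from the outside on that port, so either restrict the rdr's `from` to trusted sources or keep administrative SSH on the inside interfaces, as this ruleset does. With `block log all` in place, `tcpdump -n -e -ttt -i pflog0` shows exactly what is being dropped, which is the troubleshooting step recommended above.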
 