PacketFilter NAT & RDR

Hello

I am posting this message here to ask for help with Packet Filter. Please forgive my deplorable English; our friend Google is the only thing that lets me translate.

I am contacting you because I want to configure Packet Filter so that I can connect from an external IP to a server that runs locally (it cannot run externally).

I looked at NAT and RDR, but nothing has come of it...

Here's my setup:

> Network:
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:2a:de:51
        inet 192.168.1.85 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

> rc.conf

Code:
gateway_enable="YES"
ifconfig_em0="inet 192.168.1.85  netmask 255.255.255.0"
defaultrouter="192.168.1.1"

Thank you very much!

PS: My local network uses an address range like 192.168.1.x - 255.255.255.0
 
My current pf.conf

Code:
# Incoming interface
etho = 'em0'
tcpflags = 'flags S/SAFR'

#Ports
pServer1   = '1102'
pServer2   = '1000'
pServer3   = '1001'

# Options
set block-policy return
set loginterface $etho
set skip on lo0
scrub in all

### Tables
table <http_abuse> persist
table <server_abuse> persist

rdr on $etho inet proto {tcp,udp} from any to any -> 192.168.1.85
nat on $etho inet proto {tcp,udp} from any to any -> $etho

# DROP - blacklisted IPs
block drop in quick on $etho proto tcp from { <http_abuse>, <server_abuse>} to any

### Rules
# Base rule && blocking
block all
block in quick from urpf-failed

# INPUT - configuration rules
pass in quick log on $etho inet proto tcp from any to $etho port ssh $tcpflags synproxy state
pass in quick log on $etho inet proto tcp from any to $etho port www $tcpflags synproxy state
pass in quick log on $etho inet proto tcp from any to $etho port {$pServer1,$pServer2,$pServer3} $tcpflags synproxy state

# OUTPUT - configuration rules
pass out quick on $etho inet proto tcp from $etho to any port domain modulate state
pass out quick on $etho inet proto tcp from $etho to any port www modulate state
pass out quick log on $etho inet proto tcp from $etho to any port {$pServer1,$pServer2,$pServer3} $tcpflags modulate state
 
I keep looking on my side, but nothing works... I am completely disoriented. Thank you for your help.
 
Your machine has a private IP address. That means you are probably behind a router that does the NAT for you. If you want to access a webserver for example from the internet you will have to forward ports on your router.
 
Hello,

Yes, I am behind a router, I agree, and most of my ports are forwarded. The only problem is the game server application, which only binds to the network address of the machine. Among other things, someone outside the network can connect but cannot access the games, because the maps only allow connections from the class C address range, i.e. 192.168.1.x.

This is very problematic for a person from outside. Hence NAT & RDR in PF: allowing a connection via the external IP address to be switched to the internal one, and the same process in reverse, to bring it back to the game server's external IP.

It is very complex, but I hope you understand the intended direction of the PF rules to put in place.

Thank you!
 
The issue isn't with FreeBSD but with the game and/or your router.
 
For the game server, if it is hosted on a dedicated server, the address range works so that all "Internet" connections can connect to said game server.

If the game server is local, it uses the local address range. It is not possible to connect to it from an external connection.

That is why I seek a way around the problem.
 
Hello,

As SirDice already wrote, your NAT & RDR rules have to be made on your router, not on the local PC where the game (game server) is.

For example, if you want to play "local games in network", you can use software like Garena or GameRanger (the better one) or others. There you can set custom ports which the software will use, and on your router you then have to make RDR rules.

For example (RDR rules from my old pf.conf):

Code:
# garena
#rdr pass on $ext_if proto { tcp, udp } from any to $ext_if port 1513 -> $laptop

# game ranger
rdr pass on $ext_if proto udp from any to $ext_if port 16000 -> $laptop port 16000

This allows me to "host" a game on my laptop, to be a "master host" and play it via such software; people from the "internet" also have to have the software installed, but they do not need these RDRs if they are not playing as a "master host".
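A router-side pf.conf of the kind both replies describe, added here as an example; it is not from the thread and assumes a FreeBSD box doing the routing with em0 toward the ISP, em1 toward the LAN, the OP's game server at 192.168.1.85 and the game ports from the OP's pf.conf:

```pf
# Added example: pf.conf for the FreeBSD machine that IS the router,
# not for the game host. Assumed interfaces: em0 = ISP side, em1 = LAN.
ext_if   = "em0"
int_if   = "em1"
game_srv = "192.168.1.85"
game_ports = "{ 1000, 1001, 1102 }"

set skip on lo0
scrub in all

# Outbound NAT: LAN hosts leave with the router's external address.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Port forward: only the game ports, only to the game server. Plain "rdr"
# (not "rdr pass") so the redirected packets still hit the filter rules below.
# rdr rewrites the destination only; the client's real source address is kept,
# so a game that accepts 192.168.1.x peers only will still see the outside IP.
rdr on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $game_ports -> $game_srv

block log all
block in quick from urpf-failed

# Filtering happens after translation: match on the LAN destination.
pass in on $ext_if inet proto tcp from any to $game_srv port $game_ports flags S/SA keep state
pass in on $ext_if inet proto udp from any to $game_srv port $game_ports keep state

# LAN may go out; router may forward replies to the game server.
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $int_if inet from any to $game_srv keep state
pass out on $ext_if inet from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then inspect the translation table with `pfctl -sn`.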
 