IPFW Substitute external address

I'm too much of a newbie in networking, so I'm not sure if it is possible and how. I need to redirect all traffic from one address to another, similarly to the Linux command:
Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport $pp1 -d $addr1/$mask1 -j DNAT --to-destination $addr2:$pp2
Can I do it with ipfw (or how else)? The machine is also an Internet gateway for my laptop, if that matters.
I have a very basic ipfw.rules at the moment:
Code:
# compromise
# Loopback traffic is always allowed, but 127/8 must never appear on any other interface.
/sbin/ipfw add 00100 pass all from any to any via lo0
/sbin/ipfw add 00101 deny all from any to 127.0.0.0/8
/sbin/ipfw add 00102 deny all from 127.0.0.0/8 to any
# Match packets belonging to flows already recorded by keep-state rules.
/sbin/ipfw add 00500 check-state

# Outgoing echo requests and incoming echo replies (ping from this host).
/sbin/ipfw add 02000 allow icmp from any to any out icmptype 8
/sbin/ipfw add 02001 allow icmp from any to any in icmptype 0
# Everything else passes.
/sbin/ipfw add 32767 allow all from any to any
I shall be grateful for any suggestions and corrections.
 
This can be done with ipfw/nat, and it is called NAT redirection. I assume that your gateway has two interfaces, one connected to the WAN and another connected to the LAN, and for now let's assume the respective interface specifiers are "wanif0" and "lanif0".

You need to prepare an ipfw(8) script along the following template for a stateful NATing firewall -- replace "wanif0" and "lanif0" with your actual interface specifiers, and replace $pp1, $addr2 and $pp2 with the actual addresses and port numbers:
Code:
#!/bin/sh
WAN="wanif0"
LAN="lanif0"

/sbin/ipfw -q flush
/sbin/ipfw -q table all flush
# $pp1, $addr2 and $pp2 are placeholders: replace them with the actual external port,
# internal address and internal port (see the text above).
/sbin/ipfw -q nat 1 config if $WAN unreg_only \
                                   reset \
                                   redirect_port tcp $addr2:$pp2 $pp1 \
                                   redirect_port udp $addr2:$pp2 $pp1

# Allow anything within the LAN - interface with heaviest traffic shall come first.
/sbin/ipfw -q add 10 allow ip from any to any via $LAN
/sbin/ipfw -q add 20 allow ip from any to any via lo0

# Catch spoofing from outside.
/sbin/ipfw -q add 70 deny ip from any to any not antispoof via $WAN

# NAT rule for incoming packets - IPv4 only, IPv6 does not work with NAT.
# With net.inet.ip.fw.one_pass=0 the translated packet continues at rule 101.
/sbin/ipfw -q add 100 nat 1 ip4 from any to any in recv $WAN
/sbin/ipfw -q add 101 check-state

# Rules for outgoing traffic - allow everything that is not explicitly denied.
# /sbin/ipfw -q add 1000 deny ip from not me to any 25,53 out xmit $WAN
# /sbin/ipfw -q add 1001 deny ip from any to any 5353 out xmit $WAN

# Allow all other outgoing connections, i.e. skip processing to the outbound NAT rule #10000
/sbin/ipfw -q add 2000 skipto 10000 tcp from any to any out xmit $WAN setup keep-state
/sbin/ipfw -q add 2001 skipto 10000 udp from any to any out xmit $WAN keep-state

# Rules for incoming traffic - deny everything that is not explicitly allowed.
/sbin/ipfw -q add 5000 allow tcp from any to me 22,25,80,587,993,995 in recv $WAN setup keep-state
/sbin/ipfw -q add 5001 allow udp from any to me 500,4500 in recv $WAN keep-state

# Rules for allowing packets to services which are listening on a LAN interface behind the NAT.
# Rule 100 has already translated these packets, so here they carry the internal
# destination $addr2:$pp2 and no longer the external port $pp1.
/sbin/ipfw -q add 6000 skipto 10000 tcp from any to $addr2 $pp2 in recv $WAN setup keep-state
/sbin/ipfw -q add 6001 skipto 10000 udp from any to $addr2 $pp2 in recv $WAN keep-state

# Catch any other tcp/udp packet, but don't touch gre, esp, icmp, etc...
/sbin/ipfw -q add 9998 deny tcp from any to any via $WAN
/sbin/ipfw -q add 9999 deny udp from any to any via $WAN

# NAT rule for outgoing packets.
/sbin/ipfw -q add 10000 nat 1 ip4 from any to any out xmit $WAN

# Allow anything else - just in case ipfw is not configured as open firewall.
/sbin/ipfw -q add 65534 allow ip from any to any
  1. Save this script to e.g. /root/config/ipfw.conf (or any other convenient place), and make it executable: chmod +x /root/config/ipfw.conf.

  2. To /etc/sysctl.conf add:
    Code:
    ...
    net.inet.ip.fw.one_pass=0
  3. To /etc/rc.conf add:
    Code:
    ...
    # Firewall & NAT
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_nat_enable="YES"
    firewall_script="/root/config/ipfw.conf"
  4. In /etc/rc.conf add to the ifconfig_lanif0="" and ifconfig_wanif0="" directives the -tso flag.

  5. Finally, restart.
 
This can be done with ipfw/nat, and it is called NAT redirection. I assume that your gateway has two interfaces, one connected to the WAN and another connected to the LAN, and for now let's assume the respective interface specifiers are "wanif0" and "lanif0".
And what if I need this NAT on the only interface, on the machine the ISP cable comes into?
 
This can be done with ipfw/nat, and it is called NAT redirection…
And where's $addr1/$mask1 in your script? As I see it, the rule substitutes (redirects) only the port in transition from one interface to another, but I also need to substitute a bunch of addresses.
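Added example (written for this page, not code from either poster): the ipfw counterpart of the iptables DNAT rule in the first post, including its -d $addr1/$mask1 destination match, which the template in the second post does not carry over. It follows that template's numbering (rule 100 inbound nat, 6000 redirected service, 10000 outbound nat) and relies on the net.inet.ip.fw.one_pass=0 setting from its step 2. The interface name wanif0, the addresses 192.0.2.8/30 and 10.0.0.5 and the ports are assumptions for illustration. A redirect_port without an aliasIP applies only to the interface's own primary address, so the script emits one redirect_port with an explicit aliasIP for every address in the block; that per-address list is how the destination-subnet match is expressed in ipfw:

```shell
#!/bin/sh
# Added example (not from the original posters): ipfw equivalent of
#   iptables -t nat -A PREROUTING -p tcp --dport $pp1 -d $addr1/$mask1 \
#            -j DNAT --to-destination $addr2:$pp2
# Meant to slot into the template from the second post: rule 100 is its inbound
# nat rule, 6000 its "service behind the NAT" rule, 10000 its outbound nat rule.
# The interface name is an assumption; run with IPFW=echo to review the rules
# before loading them.

IPFW="${IPFW:-/sbin/ipfw -q}"
WAN="${WAN:-wanif0}"   # assumed WAN interface specifier

# ip4_to_int 192.0.2.10 -> 3221225994
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 3221225994 -> 192.0.2.10
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts ADDR PREFIXLEN: every address in ADDR/PREFIXLEN, one per line, i.e.
# exactly what the iptables "-d addr/mask" match covers. Large blocks mean many
# redirect_port entries; a /32 yields a single one.
cidr_hosts() {
    bits=$2
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || {
        echo "bad prefix length: $bits" >&2; return 1; }
    base=$(ip4_to_int "$1")
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    net=$(( base & mask ))
    n=$(( 1 << (32 - bits) ))
    i=0
    while [ "$i" -lt "$n" ]; do
        int_to_ip4 $(( net + i ))
        i=$(( i + 1 ))
    done
}

# nat_redirect_config ADDR1 MASK1 PP1 ADDR2 PP2
# One redirect_port per public address in ADDR1/MASK1, mapping PUBLIC:PP1 -> ADDR2:PP2.
# The explicit aliasIP supplies the "-d addr/mask" selectivity: without it a
# redirect_port applies only to the interface's own primary address. The public
# addresses must be configured on $WAN (aliases) or routed to this host.
# unreg_only is kept from the template, so ADDR2 must be a private (RFC 1918)
# address for the replies to be translated back.
nat_redirect_config() {
    redirs=""
    for pub in $(cidr_hosts "$1" "$2"); do
        redirs="$redirs redirect_port tcp $4:$5 $pub:$3"
    done
    echo "nat 1 config if $WAN unreg_only reset$redirs"
}

# nat_redirect_rules ADDR1 MASK1 PP1 ADDR2 PP2
# 100:  translate inbound WAN packets; with one_pass=0 the translated packet is then
#       re-evaluated from rule 101 on, so it now carries dst ADDR2:PP2, not PUBLIC:PP1
# 6000: match that translated packet, keep state, and jump to the outbound nat rule
#       so the reply from ADDR2 is translated back to PUBLIC:PP1 on its way out
nat_redirect_rules() {
    echo "add 100 nat 1 ip4 from any to any in recv $WAN"
    echo "add 6000 skipto 10000 tcp from any to $4 $5 in recv $WAN setup keep-state"
}

# ipfw_nat_redirect ADDR1 MASK1 PP1 ADDR2 PP2: load (or, with IPFW=echo, print) it all.
ipfw_nat_redirect() {
    $IPFW $(nat_redirect_config "$@")
    nat_redirect_rules "$@" | while read -r rule; do
        $IPFW $rule
    done
}

# e.g.  IPFW=echo sh nat_redirect.sh 192.0.2.8 30 8080 10.0.0.5 80
if [ $# -ge 5 ]; then
    ipfw_nat_redirect "$@"
fi
```

With IPFW=echo the script prints the three ipfw commands it would issue (for a /30 that is one nat config line with four redirect_port entries plus rules 100 and 6000); without it the commands are loaded, and `ipfw nat 1 show config` shows the resulting redirect table. The reply path works because rule 6000 records state for the already-translated flow and its skipto sends the answer through the outbound nat rule, which is the same construction the template uses for its own redirected services.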
 