My mistake, I forgot the -f in ipnat -f /etc/ipnat.rules
When I add it, ipnat -l gives:
frankie:~# ipnat -l
List of active MAP/Redirect filters:
map tun0 192.168.1.0/24 -> 0.0.0.0/32
rdr tun0 0.0.0.0/32 port 22 -> 192.168.1.2 port 22 tcp
<snip>
But SSH sessions end up on the router and not on the LAN machine, as before.
Artom Lifshitz wrote:
Hrmm. I've decided to do some tests, and I think this is best
presented by pasting my terminal:
frankie:~# ipf -FaS
frankie:~# ipnat -CF
0 entries flushed from NAT table
0 entries flushed from NAT list
frankie:~# cat /etc/ipnat.rules
map tun0 192.168.1.0/24 -> 0/32
rdr tun0 0/32 port 22 -> 192.168.1.2 port 22
frankie:~# ipnat /etc/ipnat.rules
frankie:~# cat /etc/ipf.rules
pass in quick all
pass out quick all
frankie:~# ipf -f /etc/ipf.rules
frankie:~# ipnat -lv
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:
frankie:~#
And SSH sessions still end up at the router, and not forwarded to the
LAN machine as they should.
Guido van Rooij wrote:
On Tue, Feb 21, 2006 at 02:52:19PM -0500, Artom Lifshitz wrote:
Hello,
I have a small home LAN with a FreeBSD 6 machine as the router. I got
NAT to work, otherwise I wouldn't be posting this. But I can't get port
redirection to work.
I want to redirect aMule's ports (4662 TCP, 4665 UDP and 4672 UDP) to
`arlon' 192.168.1.2 on the LAN, so my /etc/ipnat.rules looks like:
map tun0 192.168.1.0/24 -> 0/32
rdr tun0 0/32 port 4662 -> 192.168.1.2 port 4662
rdr tun0 0/32 port 4665 -> 192.168.1.2 port 4665 udp
rdr tun0 0/32 port 4672 -> 192.168.1.2 port 4672 udp
This should work. Have you checked with ipnat -lv if the rdr state
is created?
Then I find out that incoming NAT happens before filtering, so I add
pretty liberal pass lines to my /etc/ipf.rules.script, which now
looks like:
pass in quick on $eif proto tcp from any to any port=4662
pass in quick on $eif proto udp from any to any port=4665
pass in quick on $eif proto udp from any to any port=4672
Why not:
pass in quick on $eif proto tcp from any to 192.168.1.2 port=4662
keep state
etc?
-Guido
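As an added check, not part of any post in this thread: a small Python lint that parses rule files in the two formats shown above and reports rdr lines that leave the protocol implicit (ipnat -l listed such a rule as tcp) or have no corresponding pass-in rule for the redirected protocol and port. The sample rule texts are constructed after the thread's /etc/ipnat.rules and Guido's suggested pass line.

```python
import re

# Constructed sample modelled on the thread's /etc/ipnat.rules; the TCP line names no protocol.
IPNAT_RULES = """\
map tun0 192.168.1.0/24 -> 0/32
rdr tun0 0/32 port 4662 -> 192.168.1.2 port 4662
rdr tun0 0/32 port 4665 -> 192.168.1.2 port 4665 udp
rdr tun0 0/32 port 4672 -> 192.168.1.2 port 4672 udp
"""

# Constructed ipf rules in the style Guido suggests; the TCP pass line is deliberately absent.
IPF_RULES = """\
pass in quick on tun0 proto udp from any to 192.168.1.2 port=4665 keep state
pass in quick on tun0 proto udp from any to 192.168.1.2 port=4672 keep state
"""

RDR_RE = re.compile(r"^rdr\s+(\S+)\s+\S+\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)(?:\s+(tcp|udp))?\s*$")
PASS_RE = re.compile(r"^pass\s+in\b.*\bproto\s+(tcp|udp)\b.*\bto\s+(\S+)\s+port\s*=\s*(\d+)")

def parse_rdr(text):
    """Return (iface, ext_port, int_host, int_port, proto, explicit) per rdr line.
    A rule with no protocol is recorded as tcp, which is how ipnat -l listed it in the thread."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            iface, eport, host, iport, proto = m.groups()
            rules.append((iface, int(eport), host, int(iport), proto or "tcp", proto is not None))
    return rules

def parse_pass_in(text):
    """Collect (proto, destination, port) triples from 'pass in' rules."""
    matches = (PASS_RE.match(line.strip()) for line in text.splitlines())
    return {(m.group(1), m.group(2), int(m.group(3))) for m in matches if m}

def audit(ipnat_text, ipf_text):
    """One finding per rdr that relies on the default protocol or has no pass-in rule for its target."""
    allowed = parse_pass_in(ipf_text)
    findings = []
    for iface, eport, host, iport, proto, explicit in parse_rdr(ipnat_text):
        if not explicit:
            findings.append(f"rdr {iface} port {eport}: no protocol given, loaded as {proto}")
        # Accept a rule aimed at the LAN host or the broader 'to any' form from the original post.
        if (proto, host, iport) not in allowed and (proto, "any", iport) not in allowed:
            findings.append(f"rdr {iface} port {eport}: no pass-in rule for {proto} to {host} port {iport}")
    return findings
```

Calling audit(IPNAT_RULES, IPF_RULES) on the constructed files returns two findings, both for the 4662 rdr: the implicit tcp protocol and the missing pass-in rule.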