Re: Source nat question (ipfw and natd) Revised

2003-01-27 Thread Nick Rogness
On Tue, 28 Jan 2003, Vikash Badal - PCS wrote:

> Greetings,
>
> My current natd.conf is as follows :
> --
> redirect_address 10.136.236.18 192.168.28.61
> redirect_address 10.136.236.20 192.168.20.47
> redirect_address 10.136.236.19 192.168.21.47
> -
> When I add the following mapping:
> redirect_address 10.136.236.18 192.168.15.47
> the source address for connections to 192.168.15.0/24
> is 192.168.25.61
>
> what I want to do is: if I initiate a connection to 192.168.15.0/24
> from 10.136.238.18 then I need the source address to be 192.168.15.47
>
> If I initiate a connection to 192.168.28.0/24 from 10.136.238.18 then I
> need the source address to be 192.168.28.61
>
> network layout
>
> 192.168.16.0:255.255.240.0 ---
> 192.168.15.0:255.255.255.0 ---|   |
>   |   |
>   |   HUB |
>   |   |
> vx0 === 192.168.15.47 (alias address) 192.168.28.61
>
> xl0 ===   10.136.236.5
>   |
>   |
>   |
>   10.136.236.0/24
>
>
> The machines on 192.168.x.x only hit 10.136.236.[18/19/20]
> depending on the application required. The source address of packets
> from the 192.168.x.x remains unaltered.
>
> The machines on the 10.136.236.0 network have a static route
> to the 192.168.x.x network.
>
> The translations work for:
> 10.136.236.20 to 192.168.20.0/24, i.e.
>   the 192.168.20.0/24  sees the source as 192.168.28.61
> 10.136.236.19 to 192.168.21.0/24, i.e.
>   the 192.168.20.0/24  sees the source as 192.168.20.47
>
> When I try to connect from 10.136.236.18 to 192.168.15.0/24,
> the source address is 192.168.28.61. I needed the source
> address to be 192.168.15.47 only when I connect to 192.168.15.0/24
>
> If I change the order of the redirect rules in /etc/natd.conf,
> i.e.
> redirect_address 10.136.236.18 192.168.15.47
> is placed before
> redirect_address 10.136.236.18 192.168.28.61
>
> then the translation to 192.168.28.0/24 no longer works but the
> translation for 192.168.15.0/24 works.


Yes, this is true as it will use the first entry in natd.conf for
the translation.  The problem is, you are thinking of the
translations backwards.  Are only 3 machines on the 10.136 segment
talking to only 3 machines on the 192 segment?  Does communication
have to go both ways, i.e. do the 192.168 machines need to talk to
10.136 machines?

Also, you can run multiple copies of natd for the same interface
(different port needed) and direct packets to the different natds
based on the firewall rules applied:

  Firewall rules and Corresponding Natd #1( on port 8668):

# ipfw divert 8668 ip from 10.136.236.18/32 to 192.168.15.0/24 out via vx0
# ipfw divert 8668 ip from 192.168.15.0/24 to 192.168.15.47/32 in via vx0
# natd -p 8668 -n vx0 -redirect_address 10.136.236.18 192.168.15.47

  Firewall rules and Corresponding natd #2 (port 8669):

# ipfw divert 8669 ip from 10.136.236.18/32 to 192.168.28.0/24 out via vx0
# ipfw divert 8669 ip from 192.168.28.0/24 to 192.168.28.61/32 in via vx0
# natd -p 8669 -n vx0 -redirect_address 10.136.236.18 192.168.28.61


Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips
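To make the first-match behaviour Nick describes concrete, here is a small Python model (added here, not code from the thread or from natd/ipfw themselves) of both configurations: the single catch-all divert rule with one natd.conf from the question, and the two divert ports feeding two natd instances from the reply. It models only the outbound source rewrite on vx0, not the reverse translation of replies, and treats a packet with no matching divert rule as untranslated.

```python
# Added example (not from the thread): model of natd(8) first-match
# redirect_address selection and of splitting translation across two natd
# instances on separate divert ports chosen by ipfw rules. Only the outbound
# source rewrite is modelled, not the reverse translation of replies.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet crosses, e.g. "vx0"
    direction: str   # "out" or "in"

def natd_translate(redirects, pkt):
    """First redirect_address entry whose local address equals the source wins."""
    for local, alias in redirects:
        if pkt.src == local:
            return alias
    return pkt.src  # simplification: left untouched instead of masqueraded

def ipfw_divert_port(rules, pkt):
    """Divert port of the first matching ipfw rule, or None ("via" = in or out)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for port, src_net, dst_net, direction, iface in rules:
        if iface != pkt.iface or direction not in ("via", pkt.direction):
            continue
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return port
    return None

def translated_source(rules, natds, pkt):
    """Source address the packet leaves vx0 with after ipfw + natd processing."""
    port = ipfw_divert_port(rules, pkt)
    return pkt.src if port is None else natd_translate(natds[port], pkt)

# Original setup: one catch-all divert rule and one natd.conf (first match wins).
SINGLE_RULES = [(8668, "0.0.0.0/0", "0.0.0.0/0", "via", "vx0")]
SINGLE_NATDS = {8668: [("10.136.236.18", "192.168.28.61"),
                       ("10.136.236.20", "192.168.20.47"),
                       ("10.136.236.19", "192.168.21.47"),
                       ("10.136.236.18", "192.168.15.47")]}

# Nick's suggestion: per-destination divert rules feeding two natd instances.
SPLIT_RULES = [(8668, "10.136.236.18/32", "192.168.15.0/24", "out", "vx0"),
               (8669, "10.136.236.18/32", "192.168.28.0/24", "out", "vx0")]
SPLIT_NATDS = {8668: [("10.136.236.18", "192.168.15.47")],
               8669: [("10.136.236.18", "192.168.28.61")]}
```

With SPLIT_RULES a packet from 10.136.236.20 matches no divert rule and leaves untranslated, so the remaining redirect_address entries still need their own natd instance and divert rule.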



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Re: Source nat question (ipfw and natd)

2003-01-27 Thread Nick Rogness
On Sun, 26 Jan 2003, Vikash Badal wrote:

> > > I currently have a box (4.7p3) that I want to connect to four different
> > > networks. According to the man page I can only nat on one interface using
> > > natd.
> > >
> > > My current natd.conf is as follows :
> > > --
> > > redirect_address 10.136.236.18 192.168.28.61
> > > redirect_address 10.136.236.20 192.168.20.47
> > > redirect_address 10.136.236.19 192.167.11.47
> > > --
> > >
> > > When I add the following mapping:
> > > redirect_address 10.136.236.18 192.168.15.47
> > >
> > > the source address for connections to 192.168.15.0/24 is 192.168.25.61
> > > Is there any way I can set up natd and ipfw so that if packets are
> > > destined for 192.168.15.0/24 then the source address should be
> > > 192.168.15.47
> > >

I'm still not sure what you are trying to accomplish here.  You
talk about source address for connections to
192.168.15.0/24...from where?  From the 192.168.X.X network?  If
so, you can run a separate copy of natd in -reverse mode and an
alias address to translate the source address.  It becomes tricky
to do but it might be what you want.

What are you trying to accomplish?  It sounds like you want the
-reverse option for nat but I don't know what machines are where
and how your network is laid out and how traffic flows across the
BSD machine.

Do you want all machines on the 192.168.X.X network (connected via
vx0)  to hit 10.136.X.X network with the same source address
always?  Please clarify.

Also, comments below:

>
> I made a typo in the original mail :
> ===> redirect_address 10.136.236.19 192.167.11.47
> should be redirect_address 10.136.236.19 192.168.21.47
>
> configs:
>
> rc.conf:
> 
> kern_securelevel_enable="NO"
> nfs_reserved_port_only="YES"
> sendmail_enable="NONE"
> sshd_enable="YES"
> inetd_enable="NO"
> portmap_enable="NO"
> gateway_enable="YES"
> ntpdate_flags="10.131.156.5"
> ntpdate_enable="YES"
> natd_enable="YES"
> natd_interface="vx0"
> natd_flags="-config /etc/natd.conf"
> hostname="nwest-fw.natis.natis"
> ifconfig_xl0="inet 10.136.236.5  netmask 255.255.255.0"
> ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
> ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
> defaultrouter="10.136.236.1"
> firewall_enable="YES"
> firewall_type="natis"
> firewall_quiet="YES"
> 
>

With your default gateway 10.136.236.1 I hope that the machines on
the 10.136 network know how to reach the 192 network.



> nwest-fw# ipfw -a l
> 00050   0 0 divert 8668 ip from any to any via vx0
> 00100  32  2000 allow ip from any to any via lo0
> 00200   0 0 deny ip from any to 127.0.0.0/8
> 00300   0 0 deny ip from 127.0.0.0/8 to any
> 00400   0 0 check-state
[SNIP]

Why are you running stateful inspection intermixed with nat?  That
is a bad combination.


> 
> nwest-fw# cat /etc/natd.conf
> redirect_address 10.136.236.18 192.168.28.61
> redirect_address 10.136.236.20 192.168.20.47
> redirect_address 10.136.236.19 192.168.21.47
> redirect_address 10.136.236.18 192.168.15.47


So do these translations work?  The only way to test them is from
the 192.168 network.  Also, 192.168.15.47??  But the vx0 interface
is set up with IP 192.168.15.57?



Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips






Re: Source nat question (ipfw and natd)

2003-01-26 Thread Vikash Badal
Hi Nick,

- Original Message -
From: "Nick Rogness" <[EMAIL PROTECTED]>
To: "Vikash Badal" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, January 26, 2003 2:01 AM
Subject: Re: Source nat question (ipfw and natd)


> On Sat, 25 Jan 2003, Vikash Badal wrote:
>
> > Greetings,
> >
> > I currently have a box (4.7p3) that I want to connect to four different
> > networks. According to the man page I can only nat on one interface using
> > natd.
> >
> > My current natd.conf is as follows :
> > --
> > redirect_address 10.136.236.18 192.168.28.61
> > redirect_address 10.136.236.20 192.168.20.47
> > redirect_address 10.136.236.19 192.167.11.47
> > --
> >
> > When I add the following mapping:
> > redirect_address 10.136.236.18 192.168.15.47
> >
> > the source address for connections to 192.168.15.0/24 is 192.168.25.61
> > Is there any way I can set up natd and ipfw so that if packets are
> > destined for 192.168.15.0/24 then the source address should be
> > 192.168.15.47
> >
>
> Yes, it is possible...just a pain in the butt.  I am not clear
> exactly what you mean.  If you wish to pursue this, you need to
> send the output of:
>
> # cat /etc/rc.conf
> # ipfw -a l
> # netstat -rn
> # ps -aux |grep nat
>
>
> And any additional nat configuration files or settings.  That
> would greatly improve the chances of your questions getting
> answered.
>
>
> Nick Rogness <[EMAIL PROTECTED]>

I made a typo in the original mail :
===> redirect_address 10.136.236.19 192.167.11.47
should be redirect_address 10.136.236.19 192.168.21.47

configs:

rc.conf:

kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
inetd_enable="NO"
portmap_enable="NO"
gateway_enable="YES"
ntpdate_flags="10.131.156.5"
ntpdate_enable="YES"
natd_enable="YES"
natd_interface="vx0"
natd_flags="-config /etc/natd.conf"
hostname="nwest-fw.natis.natis"
ifconfig_xl0="inet 10.136.236.5  netmask 255.255.255.0"
ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
defaultrouter="10.136.236.1"
firewall_enable="YES"
firewall_type="natis"
firewall_quiet="YES"


nwest-fw# ipfw -a l
00050   0 0 divert 8668 ip from any to any via vx0
00100  32  2000 allow ip from any to any via lo0
00200   0 0 deny ip from any to 127.0.0.0/8
00300   0 0 deny ip from 127.0.0.0/8 to any
00400   0 0 check-state
00500   0 0 deny tcp from any to any established
00600   0 0 deny log logamount 256 ip from any to any ipopt ssrr
00700   0 0 deny log logamount 256 ip from any to any ipopt lsrr
00800   0 0 deny ip from 10.136.236.0/24 to any in recv vx0
00900   0 0 deny ip from 192.168.16.0/20 to any in recv xl0
01000   0 0 allow tcp from any to 10.136.236.5 22 keep-state setup
01200   0 0 allow tcp from any to 192.168.28.61 5507 keep-state setup
01300   0 0 allow tcp from any to 192.168.20.47 8080 keep-state setup
01400   0 0 allow tcp from any to 192.168.21.47 5150 keep-state setup
01500   0 0 allow tcp from any to 192.168.15.57 5507 keep-state setup
01600   0 0 allow tcp from any to 10.136.236.18 5507 keep-state setup
01700   0 0 allow tcp from any to 10.136.236.20 8080 keep-state setup
01800   0 0 allow tcp from any to 10.136.236.19 5150 keep-state setup
01900   0 0 deny log logamount 256 tcp from any to any in recv vx0
02000   0 0 deny log logamount 256 icmp from any to any frag
02100   0 0 allow udp from any to any 33434-33443 keep-state
02200   0 0 allow icmp from any to any keep-state icmptype 3,11
02300   0 0 allow icmp from any to any keep-state icmptype 0,8
02400   0 0 allow udp from 10.136.236.5 to 10.131.156.5 123 keep-state
02500   0 0 allow tcp from 10.136.236.5 to 10.131.156.5 5999,80 keep-state
setup
65535   0 0 deny ip from any to any

==

nwest-fw# netstat -rn
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
default10.136.236.1   UGSc10xl0
10.10.10/24link#2 UC  10xl0
10.10.10.1 00:c0:df:e3:da:a9  UHLW1  506xl0937
10.136.236/24  link#2 UC  10xl0
10.136.236.1   link#2 UHLW20xl0
127.0.0.1  127.0.0.1  UH  0

Re: Source nat question (ipfw and natd)

2003-01-25 Thread Nick Rogness
On Sat, 25 Jan 2003, Vikash Badal wrote:

> Greetings,
>
> I currently have a box (4.7p3) that I want to connect to four different
> networks. According to the man page I can only nat on one interface using
> natd.
>
> My current natd.conf is as follows :
> --
> redirect_address 10.136.236.18 192.168.28.61
> redirect_address 10.136.236.20 192.168.20.47
> redirect_address 10.136.236.19 192.167.11.47
> --
>
> When I add the following mapping:
> redirect_address 10.136.236.18 192.168.15.47
>
> the source address for connections to 192.168.15.0/24 is 192.168.25.61
> Is there any way I can set up natd and ipfw so that if packets are
> destined for 192.168.15.0/24 then the source address should be
> 192.168.15.47
>

Yes, it is possible...just a pain in the butt.  I am not clear
exactly what you mean.  If you wish to pursue this, you need to
send the output of:

# cat /etc/rc.conf
# ipfw -a l
# netstat -rn
# ps -aux |grep nat


And any additional nat configuration files or settings.  That
would greatly improve the chances of your questions getting
answered.


Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips






Source nat question (ipfw and natd)

2003-01-25 Thread Vikash Badal
Greetings,

I currently have a box (4.7p3) that I want to connect to four different networks.
According to the man page I can only nat on one interface using natd.

My current natd.conf is as follows:
--
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.167.11.47
--

When I add the following mapping:
redirect_address 10.136.236.18 192.168.15.47

the source address for connections to 192.168.15.0/24 is 192.168.25.61
Is there any way I can set up natd and ipfw so that if packets are
destined for 192.168.15.0/24 then the source address should be 192.168.15.47?

Please Advise
Vikash

