DNAT in freebsd

Sami Halabi sodynet1 at gmail.com
Sun Jun 30 11:46:46 UTC 2013


Hi,

Thanks for your time.

What this configuration does is normal NAT configuration (SNAT).
What I'm seeking is a combination of SNAT & DNAT to act as a transparent
proxy as:
192.168.0.2 connects to me (192.168.0.1); it'll actually talk with
193.xx.yy.1 without knowing it, using my special public IP 194.xx.yy.1, and
when 193.xx.yy.1 wants to open a connection with 192.168.0.2 it will connect
to 194.xx.yy.1 and 192.168.0.2 will think 192.168.0.1 is talking with it...

Any ideas???

Sami


On Sun, Jun 30, 2013 at 12:15 PM, Paul A. Procacci
<pprocacci at datapipe.com> wrote:

>
> On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
> > I think I was misunderstood...
> > Here is the situation I want to handle:
> > My box is a router that handles several /24s behind it.
> > One of my links (em0) is connected to a private network; 192.168.0.1 is
> > me, my neighbour is 192.168.0.2.
> > I want to make any connection that comes to 192.168.0.1 go to IP
> > 193.xxx.yyy.2 using a specific public IP, 84.xx.yy.1,
> > and packets coming to my public IP 84.xx.yy.1 to be translated as if they came
> > from 192.168.0.1 and sent to 192.168.0.2 or any other IPs
> > behind (192.168.1.xx/24).
> >
> > Hope that makes it clearer, and I appreciate any help.
> >
> > Sami
> > ???????????? 29 ???????? 2013 03:30, ?????? "Paul A. Procacci" <
> pprocacci at datapipe.com>:
>
> The answer I provided you does exactly what you want it to do.  Not to
> mention
> the man page goes over other things as well if the answer I provided you
> wasn't accurate.  Here is my config that I use for my home setup.
>
> The config:
>
> - binds a nat instance on the primary interface
> - denies all inbound SYNs, among other things
> - forwards packets originating on the internal network interface through nat
> - and returns packets (ACKs) back to the original sender.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> #!/bin/sh
> ###################### Start of IPFW Configuration ####################
> # Set rules command prefix :: Rule numbering cannot exceed 900
>
> cmd="/sbin/ipfw -q"
> pif="de0"       # Public NIC
> iif="bridge0"   # Internal NIC
>
> ##############################################
> # Flush current rules and do config.
> $cmd -f flush
> $cmd enable one_pass
> ##############################################
>
> ${cmd} add 00001 allow all from any to any via lo0
> ${cmd} add 00002 deny all from any to 127.0.0.0/8
> ${cmd} add 00003 deny ip from 127.0.0.0/8 to any
>
> ${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
> ${cmd} add 00020 nat 1 all from any to any via ${pif}
>
> ${cmd} add 00050 allow all from any to any via ${iif}
>
> ${cmd} add 65534 deny log all from any to any
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Again, this information is found in `man ipfw(8)` and does what you are
> asking.
>
> ~Paul
>
>



-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
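The ruleset Paul quoted only aliases outbound sessions; the piece Sami is asking about is the inbound half, a dedicated public address that is always translated to one private host. In ipfw nat that is a static link created with `redirect_addr localIP publicIP` on the same nat instance, so one instance carries both the source rewrite on the way out and the destination rewrite on the way in. The script below is an added example, not Paul's or Sami's script: it takes Paul's layout, adds the static mapping, and refuses to load rules with malformed addresses. Interface names (em0, em1) and the public address 194.0.2.1 are constructed placeholders; `IPFW=echo` prints the rules instead of loading them, which is how it can be run on a box without ipfw. The destination rewrite Sami also wants on the internal side (192.168.0.1 standing in for 193.xx.yy.1) is not covered here.

```shell
#!/bin/sh
# Added example: ipfw ruleset with a static 1:1 public<->private mapping.
# Not the thread's own configuration; addresses and NIC names are placeholders.

IPFW="${IPFW:-/sbin/ipfw -q}"   # set IPFW=echo for a dry run
PIF="em0"                       # public NIC (assumed name)
IIF="em1"                       # internal NIC (assumed name)
PUBLIC_IP="194.0.2.1"           # dedicated public address (constructed placeholder)
PRIV_IP="192.168.0.2"           # private host the public address maps to

# Accept only a dotted quad with every octet in 0..255, so a typo never
# reaches ipfw as a half-formed nat config.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

build_rules() {
    valid_ipv4 "$PUBLIC_IP" && valid_ipv4 "$PRIV_IP" || {
        echo "build_rules: bad address in PUBLIC_IP/PRIV_IP" >&2
        return 1
    }
    $IPFW -f flush
    $IPFW enable one_pass

    $IPFW add 00001 allow all from any to any via lo0
    $IPFW add 00002 deny all from any to 127.0.0.0/8
    $IPFW add 00003 deny ip from 127.0.0.0/8 to any

    # deny_in still drops new inbound sessions that match no link; the
    # redirect_addr link is a static entry, so traffic to PUBLIC_IP is
    # translated to PRIV_IP while replies from PRIV_IP leave as PUBLIC_IP.
    $IPFW nat 1 config if "$PIF" log deny_in reset same_ports \
        redirect_addr "$PRIV_IP" "$PUBLIC_IP"
    $IPFW add 00020 nat 1 all from any to any via "$PIF"

    $IPFW add 00050 allow all from any to any via "$IIF"

    $IPFW add 65534 deny log all from any to any
}

# Usage: ./nat.sh --dry-run   (print rules)   |   ./nat.sh --load   (install rules)
case "${1:-}" in
    --dry-run) IPFW=echo; build_rules ;;
    --load)    build_rules ;;
esac
```

Because every rule goes through `$IPFW`, the dry run shows exactly the commands that would be issued; compare its output with `ipfw show` after loading to confirm rule 00020 and the nat 1 configuration landed as intended.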

