ipfw / natd does not allow lan traffic to reach external numbers
Johannes Angeldorff
johannes2 at smartnet.se
Sun Aug 10 14:39:09 PDT 2003
Hi,
I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here is
a list with some details:
*) The FreeBSD box uses natd and ipfw, and has two external IPs,
let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
*) natd is used to redirect access to external IP addresses and ports
to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21,
where for example webservers are located.
*) natd rules:
natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20
            -redirect_port tcp 192.168.0.21:25-52 25-52
            -redirect_port udp 192.168.0.21:25-52 25-52
            -redirect_port tcp 192.168.0.30:80 80
            -redirect_port udp 192.168.0.30:80 80
            -redirect_port tcp 192.168.0.21:54-79 54-79
            -redirect_port udp 192.168.0.21:54-79 54-79
            -redirect_port tcp 192.168.0.21:81-722 81-722
            -redirect_port udp 192.168.0.21:81-722 81-722
            -redirect_port tcp 192.168.0.21:3306-4559 3306-4559
            -redirect_port udp 192.168.0.21:3306-4559 3306-4559"
*) ipfw lets things through:
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
Problem:
Most things work just fine: external access is redirected to the
correct ports, and the webservers work just fine. BUT the problem
comes when a box on the LAN tries to reach a site residing on
192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the
error: "Unable to connect to remote host". Connecting from a LAN
machine to the same site using the _internal_ IP works fine.
Connecting to other external IPs also works fine.
I want to be able to connect from LAN boxes to the external IPs, for
example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very
thankful for all comments on this matter.
Regards,
Smartnet Sverige AB
Johannes Angeldorff
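The following is an added example, not part of the original post: a small Python model that parses the natd redirect flags and the ipfw ruleset quoted above and walks a packet through them in rule order. It shows the mechanism behind the symptom described: the only divert rule is `via fxp0`, so a packet from a LAN host to the box's own external address, which is delivered locally and never crosses fxp0, is never handed to natd and its destination is never rewritten. The LAN interface name `rl0`, the natd aliasing address (taken to be ddd.eee.fff.21, as natd would use with `-n fxp0`), the sample Internet source 203.0.113.7, and the "ports before addresses" ordering inside natd are assumptions of the model, not facts from the post.

```python
"""Model of the posted ipfw/natd ruleset (added example; assumptions marked)."""
import re

# Constructed from the post; placeholder addresses kept as written there.
NATD_FLAGS = (
    "-redirect_address 192.168.0.20 aaa.bbb.ccc.20 "
    "-redirect_port tcp 192.168.0.21:25-52 25-52 "
    "-redirect_port tcp 192.168.0.30:80 80"
)
IPFW_RULES = """\
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
"""
EXTERNAL_IPS = {"aaa.bbb.ccc.20", "ddd.eee.fff.21"}  # the box's two external addresses
ALIAS_ADDR = "ddd.eee.fff.21"   # ASSUMPTION: address natd aliases to when none is given
INSIDE_IF, OUTSIDE_IF = "rl0", "fxp0"   # ASSUMPTION: rl0 is the LAN-side interface name


def _port_range(text):
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_natd_redirects(flags):
    """Turn -redirect_address / -redirect_port flags into a list of dicts."""
    out, tok, i = [], flags.split(), 0
    while i < len(tok):
        if tok[i] == "-redirect_address":
            out.append({"kind": "address", "internal": tok[i + 1], "external": tok[i + 2]})
            i += 3
        elif tok[i] == "-redirect_port":
            proto, target, ext = tok[i + 1:i + 4]
            int_ip, int_ports = target.split(":")
            ext_ip, _, ext_ports = ext.rpartition(":")      # "80" or "ip:80"
            out.append({"kind": "port", "proto": proto, "internal": int_ip,
                        "int_ports": _port_range(int_ports),
                        "external": ext_ip or ALIAS_ADDR,
                        "ext_ports": _port_range(ext_ports)})
            i += 4
        else:
            i += 1
    return out


def natd_translate(pkt, redirects):
    """Rewrite the destination per the first matching redirect (ports checked before addresses: simplification)."""
    for r in redirects:
        if (r["kind"] == "port" and r["proto"] == pkt["proto"] and pkt["dst"] == r["external"]
                and r["ext_ports"][0] <= pkt["dport"] <= r["ext_ports"][1]):
            offset = pkt["dport"] - r["ext_ports"][0]
            return dict(pkt, dst=r["internal"], dport=r["int_ports"][0] + offset)
    for r in redirects:
        if r["kind"] == "address" and pkt["dst"] == r["external"]:
            return dict(pkt, dst=r["internal"])
    return pkt


RULE_RE = re.compile(r"^(\d+) (divert \d+|allow|deny) ip from (\S+) to (\S+)(?: via (\S+))?$")


def _addr_match(spec, addr):
    """'any', an exact address, or the /8 prefix form used in the post."""
    if spec == "any":
        return True
    if "/" in spec:
        net, bits = spec.split("/")
        n = int(bits) // 8
        return addr.split(".")[:n] == net.split(".")[:n]
    return spec == addr


def walk_ruleset(pkt, rules_text=IPFW_RULES, flags=NATD_FLAGS):
    """Walk rules in order. Returns (action, packet after the walk, whether natd saw it)."""
    redirects, pkt, natd_saw_it = parse_natd_redirects(flags), dict(pkt), False
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        _, action, src, dst, via = m.groups()
        if via and via != pkt["iface"]:          # 'via X' only matches packets on interface X
            continue
        if not (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])):
            continue
        if action.startswith("divert"):          # natd rewrites, then ipfw resumes at the next rule
            pkt, natd_saw_it = natd_translate(pkt, redirects), True
            continue
        return action, pkt, natd_saw_it
    return "deny", pkt, natd_saw_it


def inbound_from_internet(dst="aaa.bbb.ccc.20", dport=80):
    """A connection from outside (203.0.113.7 is a constructed sample source) arriving on fxp0."""
    return walk_ruleset({"proto": "tcp", "src": "203.0.113.7", "dst": dst, "dport": dport, "iface": OUTSIDE_IF})


def hairpin_from_lan(dst="aaa.bbb.ccc.20", dport=80):
    """A LAN host (192.168.0.50, constructed) connecting to the box's own external address."""
    return walk_ruleset({"proto": "tcp", "src": "192.168.0.50", "dst": dst, "dport": dport, "iface": INSIDE_IF})


if __name__ == "__main__":
    print("inbound :", inbound_from_internet())   # destination rewritten to 192.168.0.20
    print("hairpin :", hairpin_from_lan())        # natd never consulted, destination unchanged
```

Run it and compare the two results: the inbound packet is diverted and leaves with destination 192.168.0.20, while the LAN packet passes rule 65000 untouched and still carries the firewall's own address, so it terminates on the firewall rather than on the webserver. Whatever the fix chosen (a divert on the inside path, or resolving the name to the internal address for LAN clients), this kind of model is a cheap way to check a ruleset change before applying it.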