selective NAT/gateway
Ivan Levchenko
levchenko.i at gmail.com
Wed Oct 18 14:54:43 UTC 2006
I did the exact same thing using pf on freebsd:
I added all the allowed ip addresses to a table <allowed>
then in the nat rule:
nat on $ext_if from <allowed> to any -> $ext_if
(you can put the last $ext_if in parentheses if you use dhcp for your
external address)
On 10/18/06, Nathan Vidican <nathan at envieweb.net> wrote:
> Got a bit of an interesting question, wondering how others out there might
> have dealt with this:
>
> we have a single machine acting as router/firewall/nat gateway via DSL. It
> routes a small (/29) subnet of static IP's to our servers, and routes
> between internal (non-public) subnets. Internet traffic is then routed via
> NAT translation over the PPPoE link. We then use a proxy server to cache
> most of our web traffic. Works well, and has been for several years now but,
> we need to be able to deny traffic through the NAT gateway based on IP
> addresses or ranges. Given the following example:
>
>
> Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE ->
> 192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
> (each of these private subnets is a physically different network, connected
> via an independent ethernet interface - multiport intel 'fxp' cards)
>
>
> Internal machines -> 192.168.0.100 - 192.168.0.200
> Select Internal machines -> 192.168.0.10 - 192.168.0.50
>
> Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway
> (enabling internet access via NAT), but deny machines in the 192.168.0.100 -
> 192.168.0.200 range from using NAT - yet still allow them to use 'regular'
> routes, (given the example below, want to allow 192.168.0.X to connect
> to/from 192.168.3.X for instance).
>
> So the long-question shortened, is how do I deny NAT traffic for specific IP
> addresses, without blocking those addresses from routing through 'normal'
> routes to other subnets. Essentially, I need an IPFW rule to block traffic
> from 192.168.0.X through via NAT, or don't I ?
>
> Any ideas/comments/suggestions greatly appreciated, (note the above is an
> example, not actual addresses).
>
>
> --
> Nathan Vidican
> nathan at vidican.com
>
--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com
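A fuller pf.conf fragment for the setup described in the thread, added here as an illustration and not taken from either poster's configuration. The interface names, the CIDR blocks that cover 192.168.0.10-192.168.0.50, and the explicit block rule are assumptions; the block rule matters because the nat rule only selects who gets translated, it does not stop the remaining hosts from sending untranslated private-source packets out the PPPoE link.

```pf
# Assumed interface names (constructed for this example).
ext_if = "tun0"                  # PPPoE link
int_ifs = "{ fxp0 fxp1 fxp2 fxp3 }"   # one per private subnet

# Hosts permitted to use the NAT gateway: 192.168.0.10 through .50,
# expressed as the minimal set of CIDR blocks that cover that range.
table <allowed> persist { 192.168.0.10/31, 192.168.0.12/30, 192.168.0.16/28, \
                          192.168.0.32/28, 192.168.0.48/31, 192.168.0.50/32 }

set skip on lo0
scrub in all

# Translation: only sources in <allowed> are NATed. ($ext_if) in parentheses
# re-reads the address at runtime, so a changing PPPoE address is picked up.
nat on $ext_if from <allowed> to any -> ($ext_if)

# Filtering happens after translation on outbound packets, so anything that
# still carries a private source address here was NOT translated. Drop it
# rather than leaking RFC 1918 sources onto the provider link.
block out quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

# Default deny, then allow the traffic the gateway is meant to carry.
block all

# Routing between the private subnets stays open for every internal host,
# including 192.168.0.100-.200 which cannot reach the Internet.
pass in  on $int_ifs from 192.168.0.0/16 to 192.168.0.0/16 keep state
pass out on $int_ifs from 192.168.0.0/16 to 192.168.0.0/16 keep state

# Internet-bound traffic from the internal side, already NATed if permitted.
pass in  on $int_ifs from <allowed> to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check with `pfctl -nf /etc/pf.conf` before loading; `pfctl -t allowed -T show` lists the addresses that will be translated.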