Gateway Rules
Adding custom rulesets to your Network Gateway (FreeBSD 5.4)
Posted 08.10.2006 | Updated 25.10.2006 | Contributed by Andy Mallett


The assumption is that the FreeBSD Gateway is up and running properly, so the following comprises some extra rulesets for customising the /etc/ipnat.rules file. It also uses the example of a typical gateway joining two LANs, as shown in the following diagram:

[Diagram: Network Layout]


...and a basic ipnat.rules ruleset, as illustrated here:

#Andys ipnat.rules file
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (rl0) that have a source address
# coming from your internal network (192.168.0.0/24), and translate it
# to whatever IP address your external NIC happens to have at that
# time
#--------------------------------------------------------------------
map rl0 192.168.0.0/24 -> 0/32

#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (rl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal
# network.
# Simply uncomment the rule, change the IP address and port number so
# that it does what you need. Remember that you have to enable the
# corresponding inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
# rdr rl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp


Note that the internally facing network interface is referred to as fxp0 with a Class-C IP Address of 192.168.0.13 and the externally-facing interface is called rl0 with a Class-A IP Address of 10.147.86.63.

Your own interfaces and IP addressing scheme are likely to differ and will need to be modified accordingly.

However note that what is happening at the internal and external interface level will still be quite relevant.

As usual, anything with a hash (#) in front of it is a comment only and is ignored when the rules are loaded. Thus far we have only one unhashed line, the map rule, which takes all traffic arriving from the internal 192.168.0.0/24 network on the internally-facing fxp0 interface, performs Network Address Translation (NAT) on the packets so that they carry the external interface's current address, and then sends them on their way out through the externally-facing rl0 interface. This is explained in the comments at the top of the script above.

Mapping Services to IP Addresses

Adding to or modifying the functioning of the gateway usually involves editing the /etc/ipnat.rules file. The following is a list of modifications I have added to my own gateway in order to map services coming from outside the gateway to the relevant system inside the Local Area Network (LAN).

Again note that although the two networks are referred to as trusted and untrusted, no security or firewall settings have been configured at this stage. This is purely a listing of rules contained within the /etc/ipnat.rules configuration file, in order to allow outside systems to access services behind the gateway.

These port forwarders will allow traffic through your gateway, possibly from unknown sources, so it is strongly recommended that you use firewalling rules in /etc/ipf.rules to enforce security once the gateway rules are running smoothly. This matters most for entries such as the Remote Desktop and Windows File Sharing forwarders below, which otherwise expose those services to every host that can reach the external interface.

The process is basically one of creating a line which redirects anything coming in on the external network interface to the IP Address and port of the system on the inside of the network, which needs to be accessed. Remember there are thousands of possible ports (0-65535), each of which could be either tcp, udp or tcp/udp. Many services, especially games, use several ports at once.

If you're not sure of the correct port(s) for the required service, application or game, chuck it into a google search and use the example below to forward the requests to the right place.

#Andys ipnat.rules file
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (rl0) that have a source address
# coming from your internal network (192.168.0.0/24), and translate it
# to whatever IP address your external NIC happens to have at that
# time
#--------------------------------------------------------------------
map rl0 192.168.0.0/24 -> 0/32

#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (rl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal
# network.
# Simply uncomment the rule, change the IP address and port number so
# that it does what you need. Remember that you have to enable the
# corresponding inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
# rdr rl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp

# Custom port forwarders
# Note: the /0 mask matches every destination address, so the
# 10.147.86.0/0 entries below behave exactly like 0.0.0.0/0.

# SIZEPopup
rdr rl0 10.147.86.0/0 port 34888 -> 192.168.0.1 port 34888 udp

# TeamSpeak
rdr rl0 10.147.86.0/0 port 8767 -> 192.168.0.1 port 8767 udp
rdr rl0 10.147.86.0/0 port 51234 -> 192.168.0.1 port 51234 tcp
rdr rl0 10.147.86.0/0 port 14534 -> 192.168.0.1 port 14534 tcp

# MoHAA
rdr rl0 10.147.86.0/0 port 12201 -> 192.168.0.1 port 12201 udp
rdr rl0 10.147.86.0/0 port 12202 -> 192.168.0.1 port 12202 udp
rdr rl0 10.147.86.0/0 port 12203 -> 192.168.0.1 port 12203 udp
rdr rl0 10.147.86.0/0 port 12204 -> 192.168.0.1 port 12204 udp
rdr rl0 10.147.86.0/0 port 12205 -> 192.168.0.1 port 12205 udp
rdr rl0 10.147.86.0/0 port 12206 -> 192.168.0.1 port 12206 udp
rdr rl0 10.147.86.0/0 port 12207 -> 192.168.0.1 port 12207 udp
rdr rl0 10.147.86.0/0 port 12208 -> 192.168.0.1 port 12208 udp
rdr rl0 10.147.86.0/0 port 12209 -> 192.168.0.1 port 12209 udp
rdr rl0 10.147.86.0/0 port 12210 -> 192.168.0.1 port 12210 udp
rdr rl0 10.147.86.0/0 port 12300 -> 192.168.0.1 port 12300 udp

# Desert Combat
rdr rl0 10.147.86.0/0 port 28900 -> 192.168.0.1 port 28900 tcp
rdr rl0 10.147.86.0/0 port 14567 -> 192.168.0.1 port 14567 udp
rdr rl0 10.147.86.0/0 port 22000 -> 192.168.0.1 port 22000 udp
rdr rl0 10.147.86.0/0 port 23000 -> 192.168.0.1 port 23000 udp
rdr rl0 10.147.86.0/0 port 23001 -> 192.168.0.1 port 23001 udp
rdr rl0 10.147.86.0/0 port 23002 -> 192.168.0.1 port 23002 udp
rdr rl0 10.147.86.0/0 port 23003 -> 192.168.0.1 port 23003 udp
rdr rl0 10.147.86.0/0 port 23004 -> 192.168.0.1 port 23004 udp
rdr rl0 10.147.86.0/0 port 23005 -> 192.168.0.1 port 23005 udp
rdr rl0 10.147.86.0/0 port 23006 -> 192.168.0.1 port 23006 udp
rdr rl0 10.147.86.0/0 port 23007 -> 192.168.0.1 port 23007 udp
rdr rl0 10.147.86.0/0 port 23008 -> 192.168.0.1 port 23008 udp
rdr rl0 10.147.86.0/0 port 23009 -> 192.168.0.1 port 23009 udp
rdr rl0 10.147.86.0/0 port 27900 -> 192.168.0.1 port 27900 udp

# Windows XP Remote Desktop
rdr rl0 10.147.86.0/0 port 3389 -> 192.168.0.1 port 3389 tcp

# Windows File Sharing (SMB)
rdr rl0 10.147.86.0/0 port 445 -> 192.168.0.1 port 445 tcp
rdr rl0 10.147.86.0/0 port 139 -> 192.168.0.1 port 139 tcp
rdr rl0 10.147.86.0/0 port 138 -> 192.168.0.1 port 138 udp
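As an added example (not code from the article, nor part of IP Filter), here is a small Python audit script that parses map and rdr lines of the kind shown above and reports the forwarders that deserve a matching restriction in /etc/ipf.rules: rules whose /0 mask admits any external host, rules that forward SMB, NetBIOS or RDP, rules whose target lies outside the mapped LAN, and duplicated entries. The SENSITIVE_PORTS table, the constructed sample ruleset and its two deliberate mistakes (a template rdr still pointing at 192.168.1.50, and a pasted duplicate) are assumptions made for the example.

```python
"""Parse an IP Filter ipnat.rules file and audit its rdr (port-forward) entries.
Added example for this article; not the article's ruleset nor IP Filter code.
SENSITIVE_PORTS and the constructed SAMPLE_RULES are assumptions."""
import ipaddress
import re
from collections import Counter
from typing import List, NamedTuple, Tuple


class MapRule(NamedTuple):
    iface: str
    src: ipaddress.IPv4Network    # internal network being translated
    to: str                       # e.g. 0/32, "whatever rl0 has"


class RdrRule(NamedTuple):
    iface: str
    dst: ipaddress.IPv4Network    # external destination address/mask to match
    port: int
    target: ipaddress.IPv4Address
    target_port: int
    proto: str
    line_no: int


MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(tcp/udp|tcp|udp)$"
)

# Services the article forwards that should not be reachable from arbitrary
# external hosts without a restriction in /etc/ipf.rules (assumed list).
SENSITIVE_PORTS = {445: "SMB", 139: "NetBIOS session", 138: "NetBIOS datagram", 3389: "RDP"}

# Constructed sample modelled on the article's ruleset (not the full file).
SAMPLE_RULES = """\
map rl0 192.168.0.0/24 -> 0/32
# TeamSpeak
rdr rl0 10.147.86.0/0 port 8767 -> 192.168.0.1 port 8767 udp
rdr rl0 10.147.86.0/0 port 51234 -> 192.168.0.1 port 51234 tcp
# Windows XP Remote Desktop
rdr rl0 10.147.86.0/0 port 3389 -> 192.168.0.1 port 3389 tcp
# Windows File Sharing (SMB)
rdr rl0 10.147.86.0/0 port 445 -> 192.168.0.1 port 445 tcp
# Constructed mistakes: template rule left pointing at the wrong LAN, pasted duplicate
rdr rl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr rl0 10.147.86.0/0 port 445 -> 192.168.0.1 port 445 tcp
"""


def parse_net(text: str) -> ipaddress.IPv4Network:
    """Expand ipf shorthand such as 0/32 or 0/0 into a proper IPv4 network."""
    addr, _, bits = text.partition("/")
    parts = addr.split(".")
    addr = ".".join(parts + ["0"] * (4 - len(parts)))
    # strict=False normalises 10.147.86.0/0 to 0.0.0.0/0, which is how ipnat treats it
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)


def parse_rules(text: str) -> Tuple[List[MapRule], List[RdrRule]]:
    """Return the active map and rdr rules; '#' comments and blank lines are ignored."""
    maps, rdrs = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := MAP_RE.match(line):
            maps.append(MapRule(m[1], parse_net(m[2]), m[3]))
        elif m := RDR_RE.match(line):
            rdrs.append(RdrRule(m[1], parse_net(m[2]), int(m[3]),
                                ipaddress.ip_address(m[4]), int(m[5]), m[6], n))
        else:
            raise ValueError(f"line {n}: unrecognised rule: {raw!r}")
    return maps, rdrs


def audit(text: str) -> List[str]:
    """Flag rdr rules that need an ipf.rules restriction or a second look."""
    maps, rdrs = parse_rules(text)
    lan = [m.src for m in maps]
    seen = Counter((r.iface, r.port, r.proto) for r in rdrs)
    reported_dups, findings = set(), []
    for r in rdrs:
        where = f"line {r.line_no} ({r.proto}/{r.port} -> {r.target}:{r.target_port})"
        if r.dst.prefixlen == 0:
            findings.append(f"{where}: mask /0 matches any destination, so every external host can reach it")
        if r.port in SENSITIVE_PORTS:
            findings.append(f"{where}: forwards {SENSITIVE_PORTS[r.port]}; restrict sources in /etc/ipf.rules")
        if lan and not any(r.target in net for net in lan):
            findings.append(f"{where}: target is outside the mapped LAN {', '.join(map(str, lan))}")
        key = (r.iface, r.port, r.proto)
        if seen[key] > 1 and key not in reported_dups:
            reported_dups.add(key)
            findings.append(f"{where}: duplicate redirect for {r.proto}/{r.port} on {r.iface}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

To check a real file, call audit() on the contents of /etc/ipnat.rules before reloading it; the mask check is the reason every 10.147.86.0/0 entry in the listing above is reachable from any external address, which is exactly what the corresponding /etc/ipf.rules filters need to narrow down.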

Don't forget to flush the gateway rules and reload them after modification:

ipnat -C -f /etc/ipnat.rules
