4

I have tried this a few different ways. Currently trying with pf on freebsd 8.2

I am trying to insert a nat solution into an existing network that will redirect traffic from an outside ip address to an inside ip address on all ports (static nat) but I also want to translate the source address.

Current network. 

hosta
192.168.1.2/24 

gw
192.168.1.1/24

outsidehost
10.0.0.1/24 

natbox
em0 192.168.1.3/24 (used to manage the box)
em1 10.0.0.2/24 (outside address same lan as outsidehost)
em0_alias0 192.168.1.4/24 (inside address same lan as hosta)
route 192.168.1.0/24 192.168.1.1
route 0.0.0.0 0.0.0.0 10.0.0.1

I want outsidehost to be able to telnet to 192.168.1.3 by telneting(sp) to 10.0.0.2

For this to work I assume I will have to change the source of the packet as it leaves em0 or it will get lost on the way back to em1.

So the flow goes like this:

  • from outsidehost telnet 10.0.0.2
  • change source address to 192.168.1.4
  • redirect traffic for 10.0.0.2 to 192.168.1.2
  • the packet leaves with src 192.168.1.4 goes to 192.168.1.2 then gets sent back to 192.168.1.4 translates back to whatever the source addy was in this case 10.0.0.1

I keep thinking this can be done with

binat and rdr but I can't figure out the syntax.

How can I get this done?

Improve this question

1 Answer 1

Reset to default
2

I ended up going with iptables under linux to accomplish this.

For, IP forwarding needs to be turned on:

echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf

And set the following rules:

iptables -F -t nat
# flush the NAT Table.
iptables -t nat -P INPUT DROP
# set the input chain on the NAT table to DROP by default. 
# This way any traffic not allowed by defining a source address gets dropped.
# If you don't provide a -s address below it will allow all hosts from anywhere
# to reach the inside address via the outside ip. 

iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 \
         -j DNAT --destination-address 192.168.1.3 
# define the source and destination of the traffic allowed through.
# Change the dest address to our inside host. 

iptable -t nat -A INPUT -s 192.168.0.0/24 -J ALLOW
# Drop all traffic on sourcing from inside subnet. 
# This won't apply to traffic that matches the rule above
# as the source address will change in the next rule. 

iptables -t nat -A POSTROUTING -d 192.168.1.3 \
         -j SNAT --source-address 192.168.1.4
# here is the insert magic. Change the source address of any traffic destined
# for our inside host to our vip or owned inside address.
# This way the traffic is routed back to us at the FW.
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.