
List:       ipfilter
Subject:    Re: Question on rdr'ing for all IPs except ...
From:       Josef Pojsl <jp () tns ! cz>
Date:       2002-11-22 15:29:26

Sean,

On Fri, Nov 22, 2002 at 08:44:33AM -0600, Sean O'Neill wrote:
> I'm still a bit confused by the above.  Let me give you a sample network 
> and can you send me the rdr rules for the example.
> 
> Web server running on port 80 on IP 9.9.9.9.
> 
> I have remote clients at 1.1.1.1, 2.2.2.2, and 3.3.3.0/24 that I want to 
> pass through IPFilter rdr without being redirected.  So basically I want 
> these folks talking to the Web server running on 9.9.9.9:80
> 
> Everyone else I want redirected to a Web server running 7.7.7.7 port 
> 85.  So would it be something like this?
> 
> rdr iface0 from 1.1.1.1/32 to any -> 0 port 0
> rdr iface0 from 2.2.2.2/32 to any -> 0 port 0
> rdr iface0 from 3.3.3.0/24 to any -> 0 port 0
> rdr iface0 from any to 9.9.9.9 port 80 -> 7.7.7.7 port 85 tcp

Basically, this could work, given no other rules interfere with those
(but I believe that the last line should write "...port = 80...").
However, I would rather use more specific rules:

    rdr iface0 from 1.1.1.1/32 to 9.9.9.9 port = 80 -> 9.9.9.9 port 80 tcp
    rdr iface0 from 2.2.2.2/32 to 9.9.9.9 port = 80 -> 9.9.9.9 port 80 tcp
    rdr iface0 from 3.3.3.0/24 to 9.9.9.9 port = 80 -> 9.9.9.9 port 80 tcp
    rdr iface0 from any to 9.9.9.9 port = 80 -> 7.7.7.7 port 85 tcp

In both rulesets, connections from 1.1.1.1 etc. ARE redirected,
but the original destination address and the address they get redirected to
are the same. You can see active NAT mappings for those connections.

If there was a single address or subnet that should not be redirected,
then you could use a rule like

    rdr iface0 ! from 1.1.1.1/32 to 9.9.9.9 port = 80 -> 7.7.7.7 port 85 tcp

and all connections coming from other addresses than 1.1.1.1 would be redirected.
In this case, no self-redirection would be performed for 1.1.1.1.

> So the first three "0 port 0" lines means leave everything ( TCP, UDP, what 
> about ICMP [not that I care about this - just curious] ) as is and go into 
> the IPFilter "filter" logic next?  Right?

The "0 port 0" defaults to "0 port 0 tcp". It would also work for "udp"
but I don't know how to achieve the same effect for icmp or any other
IP protocol, sorry. (And I would appreciate it for GRE and ESP a lot,
anybody?)

> And then the fourth line catches everything else for TCP-only going to 
> 9.9.9.9:80 and redirects them to 7.7.7.7:85 and then go into the IPFilter 
> "filter" logic next?  Right?

Yes, incoming packets are processed by ipnat first and then by ipf,
outgoing packets are processed by ipf first and then by ipnat.

--Josef
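The following is an added example, not code from IPFilter and not part of either message above: a small Python model of how an ordered list of ipnat rdr rules is applied to an incoming TCP/UDP packet. It assumes that rdr rules are evaluated first-match, that an unspecified protocol defaults to tcp (as Josef states), and that "-> 0 port 0" keeps the original destination address and port; the parser only understands the rule syntax that appears in this thread. It lets you check, for a given source address, whether a NAT mapping is created at all and where the packet ends up, which is the difference between the "self-redirect" rulesets and the single negated "!" rule.

```python
"""Toy first-match model of ipnat rdr rules (illustrative example, not IPFilter code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RdrRule:
    negate_src: bool                          # "!" before "from"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network                # "any" is stored as 0.0.0.0/0
    dport: Optional[int]                      # None: any destination port
    new_dst: Optional[ipaddress.IPv4Address]  # None: "-> 0", keep original address
    new_port: int                             # 0: keep original port
    proto: str

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if proto != self.proto or ipaddress.IPv4Address(dst) not in self.dst:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        src_hit = ipaddress.IPv4Address(src) in self.src
        return (not src_hit) if self.negate_src else src_hit


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_rdr(line: str) -> RdrRule:
    """Parse 'rdr IFACE [!] from SRC to DST [port [=] N] -> NEWDST port M [proto]'."""
    t = line.split()
    if t[0] != "rdr":
        raise ValueError("not an rdr rule: " + line)
    i = 2
    negate = t[i] == "!"
    if negate:
        i += 1
    if t[i] != "from" or t[i + 2] != "to":
        raise ValueError("malformed rule: " + line)
    src, dst = _net(t[i + 1]), _net(t[i + 3])
    i += 4
    dport = None
    if t[i] == "port":                        # accept both "port 80" and "port = 80"
        i += 1
        if t[i] == "=":
            i += 1
        dport = int(t[i])
        i += 1
    if t[i] != "->" or t[i + 2] != "port":
        raise ValueError("malformed rule: " + line)
    new_dst = None if t[i + 1] == "0" else ipaddress.IPv4Address(t[i + 1])
    new_port = int(t[i + 3])
    proto = t[i + 4] if len(t) > i + 4 else "tcp"   # assumption: default is tcp
    return RdrRule(negate, src, dst, dport, new_dst, new_port, proto)


def apply_rdr(rules: List[RdrRule], proto: str, src: str, dst: str,
              dport: int) -> Tuple[str, int, bool]:
    """Return (final_dst, final_port, mapping_created) for an inbound packet.

    First matching rule wins (assumed ipnat behaviour); no match means the
    packet continues to ipf untouched and no NAT mapping is created.
    """
    for r in rules:
        if r.matches(proto, src, dst, dport):
            final_dst = dst if r.new_dst is None else str(r.new_dst)
            final_port = dport if r.new_port == 0 else r.new_port
            return final_dst, final_port, True
    return dst, dport, False


# Constructed rulesets, copied from the thread above.
SEAN_RULES = [parse_rdr(l) for l in [
    "rdr iface0 from 1.1.1.1/32 to any -> 0 port 0",
    "rdr iface0 from 2.2.2.2/32 to any -> 0 port 0",
    "rdr iface0 from 3.3.3.0/24 to any -> 0 port 0",
    "rdr iface0 from any to 9.9.9.9 port 80 -> 7.7.7.7 port 85 tcp",
]]
SPECIFIC_RULES = [parse_rdr(l) for l in [
    "rdr iface0 from 1.1.1.1/32 to 9.9.9.9 port = 80 -> 9.9.9.9 port 80 tcp",
    "rdr iface0 from 2.2.2.2/32 to 9.9.9.9 port = 80 -> 9.9.9.9 port 80 tcp",
    "rdr iface0 from 3.3.3.0/24 to 9.9.9.9 port = 80 -> 9.9.9.9 port 80 tcp",
    "rdr iface0 from any to 9.9.9.9 port = 80 -> 7.7.7.7 port 85 tcp",
]]
NEGATED_RULES = [parse_rdr(
    "rdr iface0 ! from 1.1.1.1/32 to 9.9.9.9 port = 80 -> 7.7.7.7 port 85 tcp")]

if __name__ == "__main__":
    # Constructed sample packets: (proto, src, dst, dport)
    packets = [("tcp", "1.1.1.1", "9.9.9.9", 80), ("tcp", "3.3.3.200", "9.9.9.9", 80),
               ("tcp", "5.5.5.5", "9.9.9.9", 80), ("udp", "5.5.5.5", "9.9.9.9", 80)]
    for name, rules in [("sean", SEAN_RULES), ("specific", SPECIFIC_RULES),
                        ("negated", NEGATED_RULES)]:
        for pkt in packets:
            print(name, pkt, "->", apply_rdr(rules, *pkt))
```

Running it shows the point made above: under both the "-> 0 port 0" and the "-> 9.9.9.9 port 80" rulesets a packet from 1.1.1.1 still hits a rule and gets a mapping (to its own original destination), whereas with the single negated rule no mapping is created for 1.1.1.1 and everyone else goes to 7.7.7.7:85. A UDP packet matches nothing in any of the three rulesets because every rule is tcp.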