List: ipfilter
Subject: RE: Packet Redirect
From: "Damien Gardner Jnr" <damien.gardner () systemsintelligence ! com ! au>
Date: 2004-04-18 2:25:21
Message-ID: 19a901c424ec$69c9a140$2100000a () ISA ! NET ! AU
From: owner-ipfilter@coombs.anu.edu.au
[mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of tripivceta
>> rdr A 10.1.1.1/32 port 80 -> 192.168.1.254 port 8080 tcp
>>
>> That is change packets with a TCP destination of 10.1.1.1,80 to
>> 192.168.1.254,8080
>So if I have:
>() a firewall out on the internet with two interfaces, 151.52.2.130 and 172.16.1.3
>() my ISP gave me only one static IP (151.52.2.130)
>() I have a web server on the DMZ, 172.16.3.1 (netmask 255.255.0.0)
>() and I want to make it look like "firewall.company.net" is also a web server to the outside world, but in reality I RDR packets for port 80 to the 172.16.1.3 box
>
>I would do, based on the example above:
>
>rdr 172.16.3.1 port 80 -> 151.52.2.130 port 80 tcp?
>
>The syntax is backward?
No, the syntax above was for proxying the connection to a given host (so
it's capturing connections bound for 10.1.1.1/32 port 80, and
redirecting them to the proxy server running on the firewall..)..
The way rdr works is:
rdr int dest dest dport -> newdest port newdest
So what you would do is: (assuming your firewall's external interface is
xl0)
rdr xl0 0.0.0.0/0 port 80 -> 172.16.3.1 port 80
Or alternatively you can use the 'from x to y port y' syntax - say you
have two external IP addresses, and you want them to go to two separate
internal hosts, you could do something like this:
rdr xl0 from 0.0.0.0/0 to 151.52.2.130 port 80 -> 172.16.3.1 port 80
rdr xl0 from 0.0.0.0/0 to 151.52.2.131 port 80 -> 172.16.3.2 port 80
We quite often use this to redirect 'naughty' hosts off to another
server (i.e. we had a rather large mail loop a few weeks ago - we simply
redirected connections from the external server involved to our server,
off to a machine running a daemon which was simply accepting the emails
and piping them to /dev/null..)
Cheers,
Damien
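To make the direction of an rdr rule concrete, here is an added toy model (not from the thread or from IP Filter itself) that parses both rule forms Damien shows and reports how an inbound connection would be rewritten. The interface name xl0, the 203.0.113.x client address and the port-25 rule are constructed for the example; an unspecified protocol is treated as matching any protocol, which is a simplification rather than a statement of ipnat's real default.

```python
import ipaddress
import re

# Constructed ipnat fragment using the two rdr forms from the reply.
RULES_TEXT = """
rdr xl0 from 0.0.0.0/0 to 151.52.2.130 port 80 -> 172.16.3.1 port 80
rdr xl0 from 0.0.0.0/0 to 151.52.2.131 port 80 -> 172.16.3.2 port 80
rdr xl0 0.0.0.0/0 port 25 -> 172.16.3.9 port 25 tcp
"""

# Matches "rdr IF DST port P -> NEW port NP [proto]" and
# "rdr IF from SRC to DST port P -> NEW port NP [proto]".
RDR_RE = re.compile(
    r"^rdr\s+(?P<if>\S+)\s+(?:from\s+(?P<src>\S+)\s+to\s+)?(?P<dst>\S+)"
    r"\s+port\s+(?P<dport>\d+)\s*->\s*(?P<new>\S+)\s+port\s+(?P<nport>\d+)"
    r"(?:\s+(?P<proto>\S+))?\s*$"
)


def parse_rules(text):
    """Parse rdr lines into dicts; DST is the pre-translation (public) address."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rdr rule: {line}")
        d = m.groupdict()
        rules.append({
            "if": d["if"],
            "src": ipaddress.ip_network(d["src"] or "0.0.0.0/0", strict=False),
            "dst": ipaddress.ip_network(d["dst"], strict=False),
            "dport": int(d["dport"]),
            "new": d["new"],
            "nport": int(d["nport"]),
            # Simplification: no protocol keyword means "any" in this model.
            "proto": d["proto"].lower() if d["proto"] else None,
        })
    return rules


def redirect(rules, iface, src, dst, dport, proto="tcp"):
    """Return (new_dst, new_port) from the first matching rule, or None."""
    for r in rules:
        if r["if"] != iface or r["dport"] != dport:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]:
            return (r["new"], r["nport"])
    return None
```

A packet arriving on xl0 for 151.52.2.130:80 is rewritten to 172.16.3.1:80, while a rule written the other way round (matching on 172.16.3.1) would never see traffic addressed to the firewall's public IP.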