
List:       ipfilter
Subject:    RE: Packet Redirect
From:       "Damien Gardner Jnr" <damien.gardner () systemsintelligence ! com ! au>
Date:       2004-04-18 2:25:21
Message-ID: 19a901c424ec$69c9a140$2100000a () ISA ! NET ! AU

From: owner-ipfilter@coombs.anu.edu.au
[mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of tripivceta
>> rdr A 10.1.1.1/32 port 80 -> 192.168.1.254 port 8080 tcp
>>
>> That is change packets with a TCP destination of 10.1.1.1,80 to 
>> 192.168.1.254,8080
>So if I have:

>() a firewall out on the internet with two interfaces, 151.52.2.130 and 172.16.1.3
>() my ISP gave me only one static IP (151.52.2.130)
>() I have a web server on the DMZ, 172.16.3.1 (netmask 255.255.0.0)
>() and I want to make it look like "firewall.company.net" is also a web server to
>the outside world, but in reality I RDR packets for port 80 to the 172.16.1.3 box
>
>I would do, based on the example above:
>
>rdr 172.16.3.1 port 80 ->  151.52.2.130 port 80 tcp?
>
>The syntax is backward?

No, the syntax above was for proxying the connection to a given host (so
it's capturing connections bound for 10.1.1.1/32 port 80, and
redirecting them to the proxy server running on the firewall..)..

The way rdr works is:

Rdr int dest dest dport -> newdest port newdest

So what you would do is: (assuming your firewall's external interface is
xl0)
rdr xl0 0.0.0.0/0 port 80 -> 172.16.3.1 port 80

Or alternatively you can use the 'from x to y port y' syntax - say you
have two external IP addresses, and you want them to go to two separate
internal hosts, you could do something like this:

rdr xl0 from 0.0.0.0/0 to 151.52.2.130 port 80 -> 172.16.3.1 port 80
rdr xl0 from 0.0.0.0/0 to 151.52.2.131 port 80 -> 172.16.3.2 port 80

We quite often use this to redirect 'naughty' hosts off to another
server (i.e. we had a rather large mail loop a few weeks ago - we simply
redirected connections from the external server involved to our server,
off to a machine running a daemon which was simply accepting the emails
and piping them to /dev/null..)

Cheers,

Damien
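An added configuration example, not part of the thread or the IPFilter project, that puts the rdr rules from this reply next to the ipf filter rules they need. It assumes the external interface xl0 and the DMZ web server 172.16.3.1 from the question; the second public address 151.52.2.131 and host 172.16.3.2 are the reply's own illustrative values.

```conf
# /etc/ipnat.conf  (added example, constructed for this thread)
# Inbound packets are translated by ipnat before ipf filters them, so the
# filter rules further down must match the address AFTER translation.

# One public address: anything arriving on xl0 for TCP/80 goes to the DMZ host.
rdr xl0 0.0.0.0/0 port 80 -> 172.16.3.1 port 80 tcp

# Two public addresses to two internal hosts, using the from/to form
# (commented out; pick one style, do not overlap the rules).
# rdr xl0 from 0.0.0.0/0 to 151.52.2.130 port 80 -> 172.16.3.1 port 80 tcp
# rdr xl0 from 0.0.0.0/0 to 151.52.2.131 port 80 -> 172.16.3.2 port 80 tcp

# /etc/ipf.conf  (companion filter rules)
# Default deny, then permit only the redirected service as ipf sees it,
# i.e. destination 172.16.3.1:80, not the public address.
block in all
pass in quick on xl0 proto tcp from any to 172.16.3.1 port = 80 flags S keep state
pass out quick on xl0 proto tcp from any to any flags S keep state

# Load and verify (assumed standard ipnat/ipf invocations):
#   ipnat -CF -f /etc/ipnat.conf
#   ipf -Fa -f /etc/ipf.conf
#   ipnat -l      # shows the active rdr rules and current translations
```

The default block plus one pass rule means the redirect exposes only port 80 on the DMZ host, not whatever else it listens on; ipnat -l is the quick check that a rule is actually loaded and matching.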

