Una de las tareas mas comunes que un router puede llevar a cabo es el enmascaramiento de direcciones o mas comunmente llamado NAT, con IPFW se puede natear de dos modos distintos, mediante natd y mediante el código integrado en el propio kernel, el primero nos proporcionará mayor flexibilidad mientras que el segundo un mayor rendimiento.
En FreeBSD se puede hacer NAT de dos modos distintos, en user-space mediante el demonio natd o en el propio kernel-space.
La elección entre una opción u otra se hará en base a nuestras necesidades, por ejemplo natd nos permite insertar reglas dinámicas para ftp, por otro lado el modo kernel-space es mas rápido.
Vamos a ir construyendo nuestro script de firewall tomando como base este otro .
En este ejemplo tendremos dos redes:
- LAN: 192.168.61.0/24
- WAN: 192.168.55.0/24
Lo primero serÃa habilitar el enrutado de tráfico entre redes:
service routing restart
NATD:
Habilitamos el servicio natd, le indicamos la interfaz WAN y el parámetro -m para que intente conservar los mismos puertos del paquete original en el paquete enmascarado, de este modo es mas probable que los servicios RPC funcionen correctamente.
sysrc natd_interface=“em0”
sysrc natd_flags="-m"
Editamos el script de firewall para que haga un divert al proceso de natd cuando sea necesario:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
wanif="em0"
lanif="em1"
lannet="192.168.55.0/24"
# No restrictions on Loopback Interface
$cmd 00001 allow all from any to any via lo0
# Allow all LAN traffic
$cmd 00002 allow all from $lannet to any in via $lanif
# Check inbound traffic for redirections
$cmd 00003 divert natd ip from any to me in via $wanif
# Allow dynamic rules table connections
$cmd 00101 check-state
# NAT Lan traffic:
$cmd 00102 skipto 1000 tcp from $lannet to any out via $wanif setup keep-state
$cmd 00103 skipto 1000 udp from $lannet to any out via $wanif keep-state
$cmd 00104 skipto 1000 icmp from $lannet to any out via $wanif keep-state
# -- Host Traffic --
# Allow access to public DNS
# DNS TCP
$cmd 00201 allow tcp from me to 8.8.8.8 53 out via $wanif setup keep-state
$cmd 00202 allow tcp from me to 8.8.4.4 53 out via $wanif setup keep-state
# DNS UDP
$cmd 00203 allow udp from me to 8.8.8.8 53 out via $wanif keep-state
$cmd 00204 allow udp from me to 8.8.4.4 53 out via $wanif keep-state
# Allow outbound HTTP and HTTPS connections
$cmd 00300 allow tcp from me to any 80 out via $wanif setup keep-state
$cmd 00301 allow tcp from me to any 443 out via $wanif setup keep-state
# Allow outbound email connections
$cmd 00400 allow tcp from me to any 25 out via $wanif setup keep-state
$cmd 00401 allow tcp from me to any 110 out via $wanif setup keep-state
# Allow outbound ping
$cmd 00500 allow icmp from me to any out via $wanif keep-state
# Allow outbound NTP
$cmd 00501 allow udp from me to any 123 out via $wanif keep-state
# Allow outbound SSH
$cmd 00680 allow tcp from me to any 22 out setup keep-state
# Allow inbound public pings
$cmd 00700 allow icmp from any to me in via $wanif
# Allow inbound SSH
# With stateless rules we dont break our ssh connection each time we restart ipfw service
$cmd 00711 allow tcp from any to me 22 in
$cmd 00712 allow tcp from me 22 to any out
# ------------------
# Deny and log all other outbound connections
$cmd 00900 deny log all from any to any out
# NAT outbound traffic
$cmd 01000 divert natd ip from any to any out via $wanif
$cmd 01001 allow ip from any to any
KERNEL-SPACE:
Habilitamos el nat a nivel de kernel e indicamos la interfaz WAN:
sysrc firewall_nat_interface=“em0”
Realizamos una configuración similiar pero esta vez no hacemos ningún divert, directamente hacemos un nat:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
wanif="em0"
lanif="em1"
lannet="192.168.55.0/24"
# No restrictions on Loopback Interface
$cmd 00001 allow all from any to any via lo0
# Allow all LAN traffic
$cmd 00002 allow all from $lannet to any in via $lanif
# Configure NAT-WAN interface
ipfw -q nat 1 config same_ports if $wanif
# Check inbound traffic for redirections
$cmd 00004 nat 1 ip from any to me in via $wanif
# Allow dynamic rules table connections
$cmd 00101 check-state
# NAT Lan traffic:
$cmd 00102 skipto 1000 tcp from $lannet to any out via $wanif setup keep-state
$cmd 00103 skipto 1000 udp from $lannet to any out via $wanif keep-state
$cmd 00104 skipto 1000 icmp from $lannet to any out via $wanif keep-state
# -- Host Traffic --
# Allow access to public DNS
# DNS TCP
$cmd 00201 allow tcp from me to 8.8.8.8 53 out via $wanif setup keep-state
$cmd 00202 allow tcp from me to 8.8.4.4 53 out via $wanif setup keep-state
# DNS UDP
$cmd 00203 allow udp from me to 8.8.8.8 53 out via $wanif keep-state
$cmd 00204 allow udp from me to 8.8.4.4 53 out via $wanif keep-state
# Allow outbound HTTP and HTTPS connections
$cmd 00300 allow tcp from me to any 80 out via $wanif setup keep-state
$cmd 00301 allow tcp from me to any 443 out via $wanif setup keep-state
# Allow outbound email connections
$cmd 00400 allow tcp from me to any 25 out via $wanif setup keep-state
$cmd 00401 allow tcp from me to any 110 out via $wanif setup keep-state
# Allow outbound ping
$cmd 00500 allow icmp from me to any out via $wanif keep-state
# Allow outbound NTP
$cmd 00501 allow udp from me to any 123 out via $wanif keep-state
# Allow outbound SSH
$cmd 00680 allow tcp from me to any 22 out setup keep-state
# Allow inbound public pings
$cmd 00700 allow icmp from any to me in via $wanif
# Allow inbound SSH
# $cmd 00711 allow tcp from any to me 22 in setup keep-state
# With stateless rules we dont break our ssh connection each time we restart ipfw service
$cmd 00711 allow tcp from any to me 22 in
$cmd 00712 allow tcp from me 22 to any out
# ------------------
# Deny and log all other outbound connections
$cmd 00900 deny log all from any to any out
# NAT outbound traffiC
$cmd 01000 nat 1 ip from any to any out via $wanif
$cmd 01001 allow ip from any to any