Cuando tenemos un equipo tras un NAT y queremos acceder a algún servicio de dicho equipo la práctica mas habitual es redirigir el puerto de dicho servicio al equipo interno, en esta ocasión lo haremos mediante IPFW en FreeBSD.
Vamos a continuar con el ejemplo en el que nateabamos y a partir de aquà realizaremos la redirección de puertos, como en el NAT la redirección se puede hacer de dos maneras, mediante natd y mediante el módulo.
NATD
Habilitamos natd, le indicamos la interfaz WAN y los parámetros de configuración:
sysrc natd_interface=“em0”
sysrc natd_flags="-m -f /etc/natd.conf"
En la configuración de natd indicamos que puertos y hacia que equipo se debe redirigir el tráfico, en este caso el tráfico recibido en el puerto 7777 acabará en 192.168.55.2 puerto 7777:
redirect_port tcp 192.168.55.2:7777 7777
Modificamos el script de firewall para que haga la comprobación de las redirecciones:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
wanif="em0"
lanif="em1"
lannet="192.168.55.0/24"
# No restrictions on Loopback Interface
$cmd 00001 allow all from any to any via lo0
# Allow all LAN traffic
$cmd 00002 allow all from $lannet to any in via $lanif
# Check inbound traffic for redirections
$cmd 00003 divert natd ip from any to me in via $wanif
# Allow dynamic rules table connections
$cmd 00101 check-state
# Allow redirected traffic
$cmd 00200 allow tcp from any to 192.168.55.2 dst-port 7777 out via $lanif
# NAT port redirection answer traffic, without states because its a redirected connections not regular connection
$cmd 00201 skipto 1000 tcp from 192.168.55.2 to any src-port 7777 out via $wanif
# NAT Lan traffic:
$cmd 00300 skipto 1000 tcp from $lannet to any out via $wanif setup keep-state
$cmd 00301 skipto 1000 udp from $lannet to any out via $wanif keep-state
$cmd 00302 skipto 1000 icmp from $lannet to any out via $wanif keep-state
# -- Host Traffic --
# Allow access to public DNS
# DNS TCP
$cmd 00401 allow tcp from me to 8.8.8.8 53 out via $wanif setup keep-state
$cmd 00402 allow tcp from me to 8.8.4.4 53 out via $wanif setup keep-state
# DNS UDP
$cmd 00403 allow udp from me to 8.8.8.8 53 out via $wanif keep-state
$cmd 00404 allow udp from me to 8.8.4.4 53 out via $wanif keep-state
# Allow outbound HTTP and HTTPS connections
$cmd 00405 allow tcp from me to any 80 out via $wanif setup keep-state
$cmd 00406 allow tcp from me to any 443 out via $wanif setup keep-state
# Allow outbound email connections
$cmd 00407 allow tcp from me to any 25 out via $wanif setup keep-state
$cmd 00408 allow tcp from me to any 110 out via $wanif setup keep-state
# Allow outbound ping
$cmd 00409 allow icmp from me to any out via $wanif keep-state
# Allow outbound NTP
$cmd 00410 allow udp from me to any 123 out via $wanif keep-state
# Allow outbound SSH
$cmd 00411 allow tcp from me to any 22 out setup keep-state
# Allow inbound public pings
$cmd 00412 allow icmp from any to me in via $wanif
# Allow inbound SSH
# With stateless rules we dont break our ssh connection each time we restart ipfw service
$cmd 00413 allow tcp from any to me 22 in
$cmd 00414 allow tcp from me 22 to any out
# ------------------
# Deny and log all other outbound connections
$cmd 00900 deny log all from any to any out
# NAT outbound traffiC
$cmd 01000 divert natd ip from any to any out via $wanif
$cmd 01001 allow ip from any to any
KERNEL-SPACE
Habilitamos el módulo de firewall del kernel:
sysrc firewall_nat_interface=“em0”
Por alguna razón para que la redirección mediante kernel funcione hay que deshabilitar el fw.one_pass:
Hacemos que sea permanente:
net.inet.ip.fw.one_pass=0
Adaptamos nuestro script de firewall:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
wanif="em0"
lanif="em1"
lannet="192.168.55.0/24"
# No restrictions on Loopback Interface
$cmd 00001 allow all from any to any via lo0
# Allow all LAN traffic
$cmd 00002 allow all from $lannet to any in via $lanif
# Configure NAT-WAN-PortRedirection
ipfw -q nat 1 config same_ports if $wanif redirect_port tcp 192.168.55.2:7777 7777
# Check inbound traffic for redirections
$cmd 00004 nat 1 ip from any to me in via $wanif
# Allow dynamic rules table connections
$cmd 00101 check-state
# Allow redirected traffic
$cmd 00200 allow tcp from any to 192.168.55.2 dst-port 7777 out via $lanif
# NAT port redirection answer traffic, without states because its a redirected connections not regular connection
$cmd 00201 skipto 1000 tcp from 192.168.55.2 to any src-port 7777 out via $wanif
# NAT Lan traffic:
$cmd 00300 skipto 1000 tcp from $lannet to any out via $wanif setup keep-state
$cmd 00301 skipto 1000 udp from $lannet to any out via $wanif keep-state
$cmd 00302 skipto 1000 icmp from $lannet to any out via $wanif keep-state
# -- Host Traffic --
# Allow access to public DNS
# DNS TCP
$cmd 00400 allow tcp from me to 8.8.8.8 53 out via $wanif setup keep-state
$cmd 00401 allow tcp from me to 8.8.4.4 53 out via $wanif setup keep-state
# DNS UDP
$cmd 00402 allow udp from me to 8.8.8.8 53 out via $wanif keep-state
$cmd 00403 allow udp from me to 8.8.4.4 53 out via $wanif keep-state
# Allow outbound HTTP and HTTPS connections
$cmd 00404 allow tcp from me to any 80 out via $wanif setup keep-state
$cmd 00405 allow tcp from me to any 443 out via $wanif setup keep-state
# Allow outbound email connections
$cmd 00406 allow tcp from me to any 25 out via $wanif setup keep-state
$cmd 00407 allow tcp from me to any 110 out via $wanif setup keep-state
# Allow outbound ping
$cmd 00408 allow icmp from me to any out via $wanif keep-state
# Allow outbound NTP
$cmd 00409 allow udp from me to any 123 out via $wanif keep-state
# Allow outbound SSH
$cmd 00410 allow tcp from me to any 22 out setup keep-state
# Allow inbound public pings
$cmd 00411 allow icmp from any to me in via $wanif
# Allow inbound SSH
# With stateless rules we dont break our ssh connection each time we restart ipfw service
$cmd 00412 allow tcp from any to me 22 in
$cmd 00413 allow tcp from me 22 to any out
# ------------------
# Deny and log all other outbound connections
$cmd 00900 deny log all from any to any out
# NAT outbound traffiC
$cmd 01000 nat 1 ip from any to any out via $wanif
$cmd 01001 allow ip from any to any