NAT rdr port problem

Hi,

yesterday I set up an OpenBSD 3.5 router for security reasons. ;) The 
only problem is NAT. It won't run. All I want to do is redirect port 
10850 from external (tun0) to an internal client (Tiberian).

Here is my current rc.conf:
------
Ext = "tun0"                    # Internet -> ADSL
Int = "rl0"                     # internal network
IntNet = "192.168.1.0/24"       # address range of the internal network
RouterIP = "192.168.1.1"        # IP of the router
Tiberian = "192.168.1.101"      # Client -> Tiberian
Loop = "lo0"                    # loopback device

# Addresses that are not routed on the external device
table <NoRoute> { 127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16, !$IntNet, 10.0.0.0/8, 255.255.255.255/32 }

### Options ###

# Statistics for the ADSL connection
set loginterface $Ext

# Terminates inactive connections faster (memory... blah)
set optimization aggressive

# Clean up fragmented packets
scrub on $Ext all fragment reassemble random-id

# Queueing
altq on $Ext priq bandwidth 125Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

### NAT & Forward ###

# Enable NAT
nat on $Ext from $IntNet to any -> $Ext
rdr on $Ext proto tcp from !$IntNet to any port 10850 -> $Tiberian
pass in quick on $Ext inet proto tcp from any to any port 10850 flags S/SAFR keep state label TiberianTCP
rdr-anchor redirect

### Filter ###

# general block rule
block on $Ext

# blubb ;)
block return log on $Ext

# NO IPv6
block quick inet6

# lo0 may do anything
pass quick on $Loop

# make port scans harder
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext os NMAP

# prevent IP spoofing
block in log quick on $Ext inet from <NoRoute> to any
block in log quick on $Ext inet from any to <NoRoute>

# accept ping
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# out
pass out quick on $Ext keep state queue (q_def,q_pri)
------

I guess I'm blind - so what's wrong?

Thanks for your help.

Danny
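A check that is worth running on a ruleset like the one above, added here and not part of Danny's post: pf on OpenBSD 3.5 required the sections of pf.conf to appear in the order options, normalization, queueing, translation, filter, and pfctl refused to load a file that interleaved them. The script below (Python assumed available on the checking host) walks a ruleset and reports the first rule that breaks that order; the embedded sample is a trimmed copy of the ruleset from the post.

```python
# Added example, not part of the original post: an ordering check for a
# pf.conf of the OpenBSD 3.5 era, which demanded the sections options,
# normalization, queueing, translation, filter in that order.
import re

SECTION_ORDER = ("options", "normalization", "queueing", "translation", "filter")
KEYWORDS = {  # first word of a rule -> section, per pf.conf(5) of that era
    "set": "options", "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation", "binat-anchor": "translation",
    "block": "filter", "pass": "filter", "anchor": "filter", "antispoof": "filter",
}

def rule_section(line):
    """Section of a rule line, or None for blanks, comments, macros and tables."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or re.match(r"^\w+\s*=", stripped) or stripped.startswith("table"):
        return None
    return KEYWORDS.get(stripped.split()[0])

def first_out_of_order(conf):
    """Return (late_lineno, late_line, early_lineno, early_line) for the first
    rule that belongs to an earlier section than a rule above it, else None."""
    highest = (-1, 0, "")  # (rank, lineno, text) of the most advanced section seen
    for n, line in enumerate(conf.splitlines(), 1):
        sec = rule_section(line)
        if sec is None:
            continue
        rank = SECTION_ORDER.index(sec)
        if rank < highest[0]:
            return n, line.strip(), highest[1], highest[2]
        if rank > highest[0]:
            highest = (rank, n, line.strip())
    return None

# Constructed sample: the post's ruleset trimmed to the lines that matter.
SAMPLE = """\
Ext = "tun0"
set loginterface $Ext
scrub on $Ext all fragment reassemble random-id
nat on $Ext from $IntNet to any -> $Ext
rdr on $Ext proto tcp from !$IntNet to any port 10850 -> $Tiberian
pass in quick on $Ext inet proto tcp from any to any port 10850 flags S/SAFR keep state
rdr-anchor redirect
block on $Ext
"""

if __name__ == "__main__":
    hit = first_out_of_order(SAMPLE)
    print("ordering ok" if hit is None else
          "line %d (%s) must come before line %d (%s)" % (hit[0], hit[1], hit[2], hit[3]))
```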