[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT rdr port problem



I've got the solution. Port 10850 was blocked from external so that NAT 
can't correct work. Well, it was too simple to fix it. :/

Nevertheless thanks to all.

* Danny Koenig <lists-obsd_(_at_)_bsdberlin_(_dot_)_org> [06/24/04 18:22]:
> Hi,
> 
> yesterday I've set up an OpenBSD 3.5 router for security reasons. ;) The 
> only problem is NAT. It won't run. All I want to do is redirect port 
> 10850 from external (tun0) to an internal client (Tiberian).
> 
> Following my current rc.conf:
> ------
> Ext = "tun0"                    # Internet -> ADSL
> Int = "rl0"                     # internes Netzwerk
> IntNet = "192.168.1.0/24"       # Adressraum des internen Netzes
> RouterIP = "192.168.1.1"        # IP des Routers
> Tiberian = "192.168.1.101"      # Client -> Tiberian
> Loop = "lo0"                    # Loopback Device
> 
> # Adressen die auf dem externen Device nicht geroutet werden
> table <NoRoute> { 127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16, !$IntNet, 10.0.0.0/8, 255.255.255.255/32 }
> 
> ### Options ###
> 
> # Statistiken fuer die ADSL-Verbindung
> set loginterface $Ext
> 
> # Beendet inaktive Verbindungen schneller (Speicher... blah)
> set optimization aggressive
> 
> # Fragmentierte Pakete saeubern
> scrub on $Ext all fragment reassemble random-id
> 
> # Queueing
> altq on $Ext priq bandwidth 125Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> 
> ### NAT & Forward ###
> 
> # NAT aktivieren
> nat on $Ext from $IntNet to any -> $Ext
> rdr on $Ext proto tcp from !$IntNet to any port 10850 -> $Tiberian
> pass in quick on $Ext inet proto tcp from any to any port 10850 flags S/SAFR keep state label TiberianTCP
> rdr-anchor redirect
> 
> ### Filter ###
> 
> # generelle block regel
> block on $Ext
> 
> # blubb ;)
> block return log on $Ext
> 
> # NO IPv6
> block quick inet6
> 
> # lo0 darf alles
> pass quick on $Loop
> 
> # portscans erschweren
> block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
> block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
> block in log quick on $Ext inet proto tcp from any to any flags /SFRA
> block in log quick on $Ext os NMAP
> 
> # IP Spoofing verhindern
> block in log quick on $Ext inet from <NoRoute> to any
> block in log quick on $Ext inet from any to <NoRoute>
> 
> # ping akzeptieren
> pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> 
> # out
> pass out quick on $Ext keep state queue (q_def,q_pri)
> ------
> 
> I guess I'm blind - so what's wrong?
> 
> Thanks for help.
> 
> Danny



Visit your host, monkey.org