
Aug 03

NAT in FreeBSD

Network Address Translation (NAT)
IP Filter
Step 1: Install Kernel

Note: If there is not a /usr/src/sys directory on your system, then the kernel source has not been installed. The easiest way to do this is by running sysinstall as root, choosing Configure, then Distributions, then src, then base and sys. If you have an aversion to sysinstall and you have access to an “official” FreeBSD CDROM, then you can also install the source from the command line:

Step 2: Compile Kernel

$ cd /sys/i386/conf
$ cp GENERIC IPFILTERKERNEL

Open the new kernel configuration file:

$ vi IPFILTERKERNEL

Add the following lines:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options IPSTEALTH
options TCP_DROP_SYNFIN # if the kernel does not build with this option, comment it out
ident IPFILTERKERNEL

After adding those options to the configuration file as shown above, run the following commands.

  • Run config with the configuration file name, for example:

$ config IPFILTERKERNEL

  • The kernel build directory will be located in ../compile/IPFILTERKERNEL. Change into that directory.
  • Build the dependencies (this takes a while):

$ make cleandepend && make depend

  • Make and install the kernel:

$ make
$ make install

  • Reboot your system.

Step 3: Edit /etc/rc.conf File

Enter the following lines in rc.conf:

hostname="your.fully.qualified.host.name"
ifconfig_bge0="DHCP" # connected to the Internet; receives 10.16.96.175
ifconfig_nge0="inet 192.168.0.1/24" # interface on the NAT side
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
keymap="jp.106"
sshd_enable="YES"

Step 4: Edit /etc/ipf.rules

Create an IP Filter rule file:

$ vi /etc/ipf.rules

Write rules as below. This is a very simple ruleset; more rules can be defined.

pass in all
pass out all

Step 5: Edit /etc/ipnat.rules

Write NAT rules as below. Further NAT rules can be added as needed, one per line.

map bge0 192.168.0.0/24 -> 10.16.96.175/32 portmap tcp/udp 49152:65535
map bge0 192.168.0.0/24 -> 10.16.96.175/32
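The two rule files above pass everything, which is fine for a first test but not for a gateway left on a network. As an added example, not the post's rule files, the script below builds a default-deny, stateful /etc/ipf.rules together with the post's two ipnat map lines and loads them with ipf and ipnat; the interface names and addresses (bge0 with 10.16.96.175, nge0 with 192.168.0.0/24) and the file paths are the ones the post's rc.conf uses.

```shell
#!/bin/sh
# Added example, not the post's rule files: a default-deny, stateful IP Filter
# ruleset plus the post's two ipnat map lines, written to the files named in
# rc.conf and loaded with ipf/ipnat. Interfaces and addresses are the post's
# (bge0 public side 10.16.96.175, nge0 LAN 192.168.0.0/24); adjust for your host.
ext_if="bge0"; lan_if="nge0"; lan_net="192.168.0.0/24"; pub_ip="10.16.96.175"
IPF_FILE="${IPF_FILE:-/etc/ipf.rules}"; IPNAT_FILE="${IPNAT_FILE:-/etc/ipnat.rules}"
IPF="${IPF:-ipf}"; IPNAT="${IPNAT:-ipnat}"   # set both to "echo" to dry-run

# IP Filter checks every rule and the LAST match wins unless a rule says "quick",
# which stops evaluation there. So the default blocks come first and every pass
# rule is quick. Inbound packets are un-NATed before filtering and outbound ones
# are NATed after it, so state is always keyed on the private LAN address.
ipf_rules() {
    cat <<EOF
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
# The LAN side is trusted here; tighten per host if needed
pass in quick on $lan_if all
pass out quick on $lan_if all
# Outbound to the Internet: state on the first packet lets the replies back in
pass out quick on $ext_if proto tcp from any to any flags S keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto icmp from any to any keep state
# Our private range must never arrive from the Internet side
block in log quick on $ext_if from $lan_net to any
# The only service reachable from the Internet is SSH on the router itself
pass in quick on $ext_if proto tcp from any to $pub_ip port = 22 flags S keep state
EOF
}
ipnat_rules() {
    cat <<EOF
map $ext_if $lan_net -> $pub_ip/32 portmap tcp/udp 49152:65535
map $ext_if $lan_net -> $pub_ip/32
EOF
}
# Write both files, then replace the active rule sets (-Fa flushes filter rules,
# -CF clears NAT rules and active mappings before reading the new ones).
install_rules() {
    ipf_rules > "$IPF_FILE" && ipnat_rules > "$IPNAT_FILE" || return 1
    "$IPF" -Fa -f "$IPF_FILE" && "$IPNAT" -CF -f "$IPNAT_FILE"
}
if [ "${1:-}" = "install" ]; then install_rules; fi
```

Run it as root with an `install` argument; setting IPF=echo IPNAT=echo and pointing IPF_FILE and IPNAT_FILE at scratch files previews the rule files and the load commands without touching the system.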

Restart your system

shutdown -r now

IPFW (FreeBSD IP Packet Filter)

Ipfirewall (ipfw) is the FreeBSD IP packet filter and traffic accounting facility. IPFW is included in the basic FreeBSD install as a separate run-time loadable kernel module, which the system loads dynamically when rc.conf contains firewall_enable="YES".

Step 1: Install Kernel

Note: If there is not a /usr/src/sys directory on your system, then the kernel source has not been installed. The easiest way to do this is by running sysinstall as root, choosing Configure, then Distributions, then src, then base and sys. If you have an aversion to sysinstall and you have access to an "official" FreeBSD CDROM, then you can also install the source from the command line:

Step 2: Compile Kernel

Copy the GENERIC configuration to your new kernel configuration file:

$ cd /sys/i386/conf
$ cp GENERIC MYKERNEL

Open the kernel configuration file:

$ vi MYKERNEL

Add the following lines:

options IPFIREWALL # required for IPFW
options IPFIREWALL_VERBOSE # optional; logging
options IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options IPDIVERT # needed for natd

After adding those options to the configuration file as shown above, run the following commands.

  1. Run config with the configuration file name, for example:

$ config MYKERNEL

  2. The kernel build directory will be located in ../compile/MYKERNEL. Change into that directory.
  3. Build the dependencies (this takes a while):

$ make cleandepend && make depend

  4. Make and install the kernel:

$ make
$ make install

Step 3: Enabling IPFW

Open /etc/rc.conf file

$ vi /etc/rc.conf

Add the following lines to this file:

hostname="your.fully.qualified.host.name"
ifconfig_bge0="DHCP" # connected to the Internet; receives 10.16.96.175
ifconfig_nge0="inet 192.168.0.1/24" # interface on the NAT side
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="bge0"
firewall_script="/etc/ipfw.rules"
keymap="jp.106"
sshd_enable="YES"

You need to place the firewall rules in a script called /etc/ipfw.rules:

$ vi /etc/ipfw.rules

Add the following lines to this file:

#!/bin/sh
## Define the variable cmd so every rule is added with "ipfw -q add"
cmd="ipfw -q add"
## Flush existing rules
ipfw -q flush
## Pass IPv4 packets crossing the Internet-facing interface through natd
$cmd 10 divert natd ip4 from any to any via bge0
## Rules go here
$cmd 20 allow tcp from any to any 21
$cmd 30 allow tcp from any to any 22
$cmd 40 allow tcp from any to any 23
$cmd 50 deny tcp from 192.168.0.2 to any 80
$cmd 60 allow tcp from any to any 80
## Everything not matched above is allowed, so this ruleset is effectively open
$cmd 70 allow ip from any to any
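The script above ends with rule 70, which allows everything rule 50 did not deny, so the firewall's only effects are NAT and that one block. As an added example that is not the post's script, here is a stateful, default-deny version of /etc/ipfw.rules using the classic ipfw+natd layout (divert inbound before check-state, outbound state first and a late divert reached by skipto); the interface names and LAN prefix (bge0, nge0, 192.168.0.0/24) and the port-80 block for 192.168.0.2 are taken from the post.

```shell
#!/bin/sh
# Added example, not the post's script: a stateful, default-deny /etc/ipfw.rules
# with natd, using the classic ipfw+natd layout (divert inbound before
# check-state, skipto a late divert for outbound). Interface names and the LAN
# prefix are the post's (bge0, nge0, 192.168.0.0/24); adjust for your host.
ext_if="bge0"                 # Internet-facing interface
lan_if="nge0"                 # NAT-side interface
lan_net="192.168.0.0/24"
IPFW="${IPFW:-ipfw}"          # set IPFW=echo to print the commands instead of applying them

# One "number action ..." per line; lines starting with # are comments.
rules() {
    cat <<EOF
00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
# Un-NAT inbound packets first, so the state lookup sees the private address
00100 divert natd ip4 from any to any in via $ext_if
00110 check-state
# The LAN interface is trusted; what may leave is decided by the out-via rules
00200 allow ip from any to any via $lan_if
# Outbound: record state on the private address, then jump to the late NAT divert
00300 deny log tcp from 192.168.0.2 to any 80 out via $ext_if
00310 skipto 800 tcp from $lan_net to any 21,22,23,80 out via $ext_if setup keep-state
00320 skipto 800 udp from $lan_net to any 53 out via $ext_if keep-state
00330 skipto 800 icmp from $lan_net to any out via $ext_if keep-state
00340 skipto 800 ip from me to any out via $ext_if keep-state
# Inbound from the Internet: drop spoofed private sources, allow only SSH to the router
00400 deny log ip from $lan_net to any in via $ext_if
00410 allow tcp from any to me 22 in via $ext_if setup keep-state
# Anything not matched above is dropped and logged
00500 deny log ip from any to any
# Late NAT for traffic that passed the outbound checks, then let it go
00800 divert natd ip4 from any to any out via $ext_if
00810 allow ip from any to any
EOF
}
# Flush and load; word splitting of $rule into ipfw arguments is intended.
apply() {
    "$IPFW" -q flush
    rules | while IFS= read -r rule; do
        case $rule in '#'*) continue ;; esac
        "$IPFW" -q add $rule
    done
}

# Apply where ipfw exists; elsewhere (reviewing the set on another host) just print it.
if command -v "$IPFW" >/dev/null 2>&1; then apply; else rules; fi
```

On a host that has ipfw the script flushes and loads the set; elsewhere it only prints the rules, and IPFW=echo shows the exact ipfw commands that would run.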

Restart your system

shutdown -r now

Now let’s see if natd is running:

$ ps -auxw | grep natd

Recover old Kernel

In case the new kernel is not functioning well, the following steps will bring back the old kernel.

Restart your FreeBSD machine:

shutdown -r now

Stop the normal boot process by choosing option 6 [Escape to loader prompt] from the boot menu.
Enter the following commands:

unload
load /boot/kernel.old/kernel
boot

Now your previous kernel will be running.
Check your kernel version:

$ uname -a
