FreeBSD 5.1 HOWTO for multiple interface gateway nat routers with a dynamic interface
This has been updated. I'll mark the instructions that apply only to 4.0 as such, but the newer
version of ipfilter that's in FreeBSD (4.6 forward, I believe) is a lot snazzier in regards to
dynamic IP addresses.
Here's what I had:
Celeron 533Mhz with Asus MB and 192MB of Ram (was: AMD k6-200Mhz with Asus MB and 64MB Ram)
3Com 3C905 PCI Network Card. This will appear as xl0
Intel EtherExpress 10/100 PCI. This will appear as fxp0
You can use 2 of the same network card, but having two different brands
makes the difference between the WAN side and the LAN side obvious. (Plus
it's what I had lying around.)
Here's what I did: (commands appear on their own lines or in parentheses)
Installed FreeBSD 5.1-RELEASE from CDROM (4.0: installed FreeBSD 4.0-RELEASE from ftp3.freebsd.org
over DHCP, booting from the install floppies.)
cd /usr/ports/net/cvsup; make install clean
Created a 5.X (4.X) supfile for cvsup. This will get
the latest sources and ports for me. (cvsup's verbosity flag is a capital L, and it wants the supfile as its argument.)
cvsup -g -L 2 /path/to/your/supfile
Edited my kernel config (/usr/src/sys/i386/conf/KERNELNAME) to
include a couple of options not in the GENERIC kernel config. These changes
compile IPFILTER into the kernel. Note that without IPFILTER_DEFAULT_BLOCK the filter passes any
packet no rule blocks, which is the open stance we want while setting this up.
options IPFILTER
options IPFILTER_LOG
cd /usr/src; make buildkernel KERNCONF=KERNELNAME; make installkernel KERNCONF=KERNELNAME
(4.0 only: cd /usr/src/sys/i386/conf; /usr/sbin/config KERNELNAME; cd ../../compile/KERNELNAME; make depend; make; make install; make clean)
While that was compiling, I logged into another tty and made sure (firewall_type=open) was in my /etc/rc.conf file. This
makes the default stance of the firewall allow anything; we don't need a default deny on the packets until we get this
working. (Strictly, firewall_type is an ipfw knob; ipfilter built as above passes anything no rule blocks, which is the
same open stance.) The box also needs (gateway_enable="YES") so the kernel forwards packets between the two interfaces;
sysinstall asks whether the machine should be a gateway and sets it for you, otherwise add it by hand. While I was in rc.conf, I
added (ifconfig_fxp0="inet 10.0.0.1 netmask 255.255.255.0") and changed (network_interfaces="xl0 lo0")
to say (network_interfaces="xl0 lo0 fxp0") instead. Then I plugged the LAN hub
into the fxp0 NIC.
All this is 4.0 ONLY:
Now, to set it up so that our rules get loaded upon boot, I went to /usr/local/etc/rc.d and created
two files; the contents of each follow the filename. Be sure to chmod the files to something like 755 so that
they can be executed. (The 050 script runs before the 060 one, so the filter rules are in place before NAT is.)
- 050.ipf.sh
#!/bin/sh
# Take the IPv4 address straight from the WAN interface's own ifconfig output
# instead of grepping every "inet" line and filtering out private ranges: a
# pattern like "grep -v 10." also throws away a WAN address such as 64.10.5.6.
WAN_IP_ADDRESS=`ifconfig xl0 | awk '$1 == "inet" { print $2 }'`
sed "s/WAN_IP_ADDRESS/$WAN_IP_ADDRESS/" /usr/local/etc/ipf_rules.master > /usr/local/etc/ipf_rules
/sbin/ipf -Fa -f /usr/local/etc/ipf_rules
This is for either OS:
- 060.ipnat.sh
#!/bin/sh
# -C clears the old NAT rule list and -F the active mappings before loading
/sbin/ipnat -CF -f /usr/local/etc/nat_rules
Time to make some ipnat rules. I created the /usr/local/etc/nat_rules file
and then put the following into it. Writing 0/32 as the target tells ipnat to use whatever
address xl0 has at the time the mapping is made, which is what makes this work on a dynamic WAN
address. Rules match in order: the first line rewrites TCP and UDP source ports into 40000-65000,
and the second catches everything else (ICMP, for instance).
# TCP/UDP from the LAN: masquerade as xl0's current address, source ports 40000-65000
map xl0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:65000
# anything else from the LAN (e.g. ICMP): masquerade without port mapping
map xl0 10.0.0.0/24 -> 0/32
For the time being, I'm not creating any firewall rules. We'll make sure this works first.
After going back and verifying that we had no errors in the kernel build, I rebooted the machine.
The machine booted. I tried pinging www.yahoo.com and it worked. Had the firewall got in the way
(common from forgetting to set the firewall type to open) you would get messages like
"ping: sendto: Permission denied". Then I tried to ping 10.0.0.3, another machine on my network. That worked too.
Then I tried to surf from my other machine (after setting its gateway IP to 10.0.0.1) and that worked fine.
(ipnat -l lists the active mappings, so you can confirm the LAN machine's connections are being translated
rather than just forwarded with their 10.0.0.x source address.)
Now it's time to put some firewall rules in. We'll take a ready-made 5.0 ruleset as our master
(ipf_rules.master) and let sed substitute our current IP into it. This ruleset is pretty decent: it basically denies all ICMP
packets (which are frequently used in denial-of-service attacks) except ping and traceroute, unless they come from inside the network.
It also denies packets to your X server, NetBIOS and a couple of other ports that you don't want open. Then finally
it lets everything else through.
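As an added worked example (not the HOWTO's own rc.d scripts, and not its ipf_rules.master, which is not reproduced on this page), the following POSIX sh script puts the two pieces together: it takes the WAN address from the named interface's own ifconfig stanza instead of grepping every inet line, substitutes it into a master ruleset, and refuses to render anything when the interface has no address yet. The ruleset inside it is my reading of the policy described above (ICMP limited to ping and traceroute, X11 and NetBIOS blocked, everything else passed, the LAN trusted); the interface names and the 10.0.0.0/24 LAN are the HOWTO's, the sample ifconfig output is constructed, and the function names are assumptions. It runs offline against the sample; on the gateway you would feed it real ifconfig -a output.

```shell
#!/bin/sh
# Added example (not the HOWTO's own scripts or its ipf_rules.master).
# Assumes the interfaces and addresses the HOWTO uses: xl0 = WAN with a
# dynamic address, fxp0 = LAN on 10.0.0.0/24, and WAN_IP_ADDRESS as the
# placeholder token in the master ruleset.

# Read ifconfig(8) output on stdin and print the IPv4 address of interface $1.
# Only the "inet" line inside that interface's own stanza counts, so inet6
# lines and the other interfaces never leak in, and nothing is filtered by
# address pattern (the original "grep -v 10." would discard 64.10.5.6).
wan_ip_from_ifconfig() {
    awk -v ifn="$1" '
        /^[a-z]+[0-9]+:/           { cur = $1; sub(/:$/, "", cur) }
        cur == ifn && $1 == "inet" { print $2; exit }
    '
}

# The master ruleset. This is the editor's reading of the policy the HOWTO
# describes (block ICMP except ping/traceroute, block X11 and NetBIOS,
# pass everything else, trust the LAN); it is not the HOWTO's file.
master_rules() {
    cat <<'EOF'
# loopback and LAN side are trusted
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on fxp0 all
pass out quick on fxp0 all
# anything we or the LAN start towards the WAN gets a state entry
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
# ICMP from the WAN: only ping and what traceroute relies on
pass in quick on xl0 proto icmp from any to WAN_IP_ADDRESS icmp-type echo
pass in quick on xl0 proto icmp from any to WAN_IP_ADDRESS icmp-type timex
pass in quick on xl0 proto icmp from any to WAN_IP_ADDRESS icmp-type unreach
block in log quick on xl0 proto icmp from any to any
# ports that must never be reachable from the WAN: X11 (6000) and NetBIOS (137-139)
block in log quick on xl0 proto tcp from any to WAN_IP_ADDRESS port = 6000
block in log quick on xl0 proto tcp/udp from any to WAN_IP_ADDRESS port 136 >< 140
# everything else the WAN starts is let through, as in the HOWTO
pass in quick on xl0 all
EOF
}

# Substitute the placeholder with the address passed as $1 (rules on stdin).
render_rules() {
    sed "s/WAN_IP_ADDRESS/$1/g"
}

# Glue: $1 = ifconfig text, $2 = WAN interface name. Prints the rendered
# ruleset, or fails without output if the interface has no IPv4 address yet
# (a PPP or DHCP link may not be up when the rc.d scripts run).
build_rules() {
    ip=$(printf '%s\n' "$1" | wan_ip_from_ifconfig "$2")
    if [ -z "$ip" ]; then
        echo "build_rules: no IPv4 address on $2, rules not rendered" >&2
        return 1
    fi
    master_rules | render_rules "$ip"
}

# Constructed sample of "ifconfig -a" (not a capture from the HOWTO's box).
# The WAN address deliberately contains "10." to show the old grep problem.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::260:8ff:fe12:3456%xl0 prefixlen 64 scopeid 0x1
        inet 64.10.5.6 netmask 0xffffff00 broadcast 64.10.5.255
        ether 00:60:08:12:34:56
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# On the real gateway feed it `ifconfig -a` instead of the sample and redirect
# the output to /usr/local/etc/ipf_rules before running "ipf -Fa -f" on it.
build_rules "$SAMPLE_IFCONFIG" xl0
```

Running it prints the rendered ruleset with 64.10.5.6 in place of the token. That address is chosen so that the original pipeline's grep -v 10. would have thrown it away, leaving sed to write an empty address into every rule that mentions WAN_IP_ADDRESS; the per-interface awk never sees the other stanzas, so no address filtering is needed at all.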