# IPFW NAT setting



## random01 (Jun 22, 2014)

Hello,

I am trying to understand how to set up IPFW. I would like to set the IPFW equivalent of the following iptables rules: 


```
# Redirect inbound TCP traffic for port_number to the local host (same port)
iptables -t nat -A PREROUTING -p tcp --dport port_number -j REDIRECT
# Let forwarded packets through
iptables -A FORWARD -j ACCEPT
```

I tried to set the following rule, but it does not seem to work:


```
ipfw add 100 fwd 127.0.0.1,port_number tcp from any to any in
```

I appreciate any help or advice, how to set this properly.


----------



## obsigna (Jun 22, 2014)

Since I have no experience at all with iptables, I am not 100 % sure about what you want to achieve. Because of two keywords in the respective command, -t nat ... -j REDIRECT, I assume that you are aiming for NAT redirection.

ipfw fwd ... is not the appropriate command for NAT redirection. ipfw fwd is used for setting up transparent proxies; for example, you would need this if you wanted to set up a web cache using www/squid, and that is a different story. If you want this, or something else, then forget the rest of this post and detail your goals.

For setting up NAT redirection with ipfw, you need to enable ipfw_nat in the startup file /etc/rc.conf:

```
...
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"
...
```

Note, when adding NAT redirection to a stateful ipfw ruleset, you would need to enclose the stateful rules within two NAT rules as shown below. For this, I show a full configuration example, because the sequence matters. Replace <wan> with the identifier of the WAN interface, <lan> with the identifier of the LAN interface. <dest-ip-N>, <dest-port-N>, and <src-port-N> are to be replaced by the actual IP addresses and port numbers.

If you don't use stateful firewall rules, one NAT rule at the beginning suffices.


*Example for NAT port redirection in a stateful ipfw ruleset in the script file /etc/ipfw.conf:*


```
#!/bin/sh

/sbin/ipfw -q flush
# NAT instance 1 on the WAN interface; each redirect_port clause maps a
# public (src) port to an internal address:port behind the NAT
/sbin/ipfw -q nat 1 config if <wan> unreg_only reset \
                           redirect_port tcp <dest-ip-1>:<dest-port-1> <src-port-1> \
                           redirect_port udp <dest-ip-2>:<dest-port-2> <src-port-2>

# Allow anything within the LAN -- the interface with the heaviest traffic shall come first
/sbin/ipfw -q add 10 allow ip from any to any via <lan>
/sbin/ipfw -q add 20 allow ip from any to any via lo0

# Catch spoofing from outside
/sbin/ipfw -q add 90 deny ip from any to any not antispoof in

# NAT rule for incoming packets (needs net.inet.ip.fw.one_pass=0 so that the
# translated packet continues with the rules below instead of being accepted here)
/sbin/ipfw -q add 100 nat 1 ip from any to any via <wan> in
/sbin/ipfw -q add 101 check-state

# Allow access to NAT redirected services listening on a LAN interface behind the NAT.
# Rule 100 has already rewritten the destination to the internal address:port,
# so that is what must be matched here; skipto 10000 sends the replies back
# through the outgoing NAT rule
/sbin/ipfw -q add 201 skipto 10000 tcp from any to <dest-ip-1> <dest-port-1> via <wan> in setup keep-state
/sbin/ipfw -q add 202 skipto 10000 udp from any to <dest-ip-2> <dest-port-2> via <wan> in keep-state

# Rules for outgoing traffic -- allow everything that is not explicitly denied
# (only this host itself may talk SMTP/DNS to the outside, not the LAN clients)
/sbin/ipfw -q add 1000 deny ip from not me to any 25,53 via <wan> out

# Allow all other outgoing connections
/sbin/ipfw -q add 2000 skipto 10000 tcp from any to any via <wan> out setup keep-state
/sbin/ipfw -q add 2010 skipto 10000 udp from any to any via <wan> out keep-state

# Rules for incoming traffic -- deny everything that is not explicitly allowed
/sbin/ipfw -q add 5000 allow tcp from any to me 25,80,443,587,993,995 via <wan> in setup keep-state

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
/sbin/ipfw -q add 9998 deny tcp from any to any via <wan>
/sbin/ipfw -q add 9999 deny udp from any to any via <wan>

# NAT rule for outgoing packets
/sbin/ipfw -q add 10000 nat 1 ip from any to any via <wan> out

# Allow anything else -- just in case ipfw has not been configured as open firewall
/sbin/ipfw -q add 65534 allow ip from any to any
```

In a stateful NAT ruleset, the packets may pass through the firewall more than once, and this needs to be enabled by a sysctl setting in /etc/sysctl.conf:

```
...
net.inet.ip.fw.one_pass=0
...
```


----------



## quintessence (Jun 23, 2014)

Hello,

This "specialized case of DNAT, called redirection" may be used not only for NAT purposes (and cases). Since you didn't give the whole ruleset of your firewall or how your network is organized (how many interfaces and so on), let us assume that you just want to redirect all incoming requests to your external interface port 587 to your external interface port 25 (this is one of the cases where no NAT is needed, just simple port redirection). The ipfw rules are as follows:

Example external IP: X.X.X.X, example ports: 587 and 25


```
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT
```
 is:


```
# Packets arriving for port 587 are handed to the local socket listening on port 587
/sbin/ipfw add 100 fwd X.X.X.X,587 tcp from any to me 587 in
```

with --to-ports option with single port:

```
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25
```
 is:


```
# Packets arriving for port 587 are handed to the local socket listening on port 25:
# "fwd addr,port" names the target, "to me 587" the port the packet arrived for
/sbin/ipfw add 100 fwd X.X.X.X,25 tcp from any to me 587 in
```


----------

