# IPfilter and NAT not allowing



## fullauto (May 31, 2012)

Hello,

I have been stuggling for a while trying to get my FreeBSD 9 server to route properly.
This machine has two interfaces:
External -> rl0 68.15.x.x
Internal -> dc0 192.168.1.1

I can lynx to a webpage from it, and all the machines behind it can reach the internet, but it is not allowing traffic to get at the DNS located on the machine, or any of the servers configured in ipnat.rules.  I have gone as far as to try and allow ALL traffic through the firewall in an attempt to figure this out, but still no avail.

map is as follows:


```
Bender: rl0(68.15.x.x)|dc0(192.168.1.1) 
Running: IPfilter, IPnat, Named, Sshd
|
|
|
V
Switch
|
|
|--- Amy (192.168.1.3) Windows 7 - Teamspeak3 server
|
|
|--- Hubert (192.168.1.10) FreeBSD 9 - Apache22, Proftpd
|
|
|--- (192.168.1.50-99) Windows Clients
|
|
|
---- (192.168.1.100) DHCPd (192.168.1.101-250)
```

Please tell me what I'm doing wrong.  I would really like to have this up and running and I have been devouring man pages with no success. 

FYI: I used the Doc here to set it up http://www.freebsd.org/doc/handbook/firewalls-ipf.html


```
[root@Bender]/etc-> cat rc.conf
##################################
# Network Name of Machine
hostname="Bender"

# Test Config
ifconfig_rl0=" inet 68.15.62.102 netmask 255.255.255.224"
ifconfig_dc0=" inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="68.15.62.97"

# IP4 address and Netmask
#ifconfig_rl0=" inet 68.15.62.102 netmask 255.255.255.224"
#ifconfig_dc0=" inet 192.168.1.2 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"

# Firewall (IP Filter)
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"

# IP NAT
gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# Alternet IP4
#ifconfig_rl0="DHCP"
#ifconfig_dc0=" inet 192.168.1.2 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"

#ntpd_enable="YES"
#ntpd_flags="-g"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

# Added to get X11 working 3-25-12
hald_enable="YES"
dbus_enable="YES"

###############################
#
# Services
sshd_enable="YES"
ftpd_enable="NO"
inetd_enable="NO"
proftpd_enable="YES"
#proftpd_flags="<set as needed>"
sendmail_enable="NO"
apache22_enable="NO"
#apache_flags=""
qpopper_enable="NO"
named_enable="YES"
#dhcpd_enable="NO"
#dhcpd_ifaces="dc0"
[root@Bender]/etc->
```


```
[root@Bender]/etc-> cat ipf.rules
#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################

pass out quick on rl0 all
pass in quick on rl0 all
pass out quick on dc0 all
pass in quick on dc0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all


[root@Bender]/etc->
```


```
[root@Bender]/etc-> cat ipnat.rules
# IPNAT configuration rules
map rl0 192.168.1.0/24 -> 0/32

### Port Forwarding ##
rdr rlo 68.15.62.102/32 port 80 -> 192.168.1.10 port 80

  # TS3 VoIP Server
rdr rlo 68.15.62.102/32 port 9987 -> 192.168.1.3 port 9987
  # TS3 File Transfer Server
rdr rlo 68.15.62.102/32 port 30033 -> 192.168.1.3 port 30033
  # Mincraft Server (Kids Server)
rdr rlo 68.15.62.102/32 port 25565 -> 192.168.1.3 port 25565
[root@Bender]/etc->
```

My kernel options in case I made a mistake.

```
#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
ident           MYKERNEL

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

### Added 5/29/12 Trf ###
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK
#########################

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists

### Remove UPS_DIRHASH after machine is IPW'ing ###
options         UFS_DIRHASH             # Improve performance on big directories
###################################################

options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
options         NFSCL                   # New Network Filesystem Client

options         NFSD                    # New Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCL
#options        MSDOSFS                 # MSDOS Filesystem
#options        CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         MAC                     # TrustedBSD MAC Framework
#options        KDTRACE_HOOKS           # Kernel DTrace hooks
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         KDB                     # Kernel debugger related code
options         KDB_TRACE               # Print a stack trace for a panic

# To make an SMP kernel, the next two lines are needed
options         SMP                     # Symmetric MultiProcessor Kernel
device          apic                    # I/O APIC
```


```
[root@Bender]/etc-> cat resolv.conf
#domain spreadspectrum.net
#nameserver 192.168.1.2


nameserver 68.105.28.16
nameserver 68.105.29.16


[root@Bender]/etc->
```


----------



## SirDice (May 31, 2012)

Your redirects reference rlo instead of rl0.

Use the _internal_ address (192.168.1.1) for your DNS settings.


----------

