Discussion:
need help using ng_patch to modify src/dst packets or alternative way
Sami Halabi
2017-12-17 07:52:15 UTC
hi,

Can you help in my situation? My goal is for a box in my LAN, 10.1.1.2, to talk
to 10.1.1.1 and actually be talking to the outside IP X.X.X.X, using
one of my public IPs, say 1.1.1.1.

I'm trying to modify packets to pass through to a local IP.
I have a box that a specific IP, say 1.1.1.1, is routed to.
On my bce0 I don't have that IP configured, but I have my public IP, say
2.2.2.2, that 1.1.1.1 is routed to.
I configured 10.1.1.1/24 on bce0; my target box is 10.1.1.2/24.
I tried the following inside ngctl:

mkpeer ipfw: patch 300 in
name ipfw:300 src_dst_chg
msg src_dst_chg: setconfig { count=2 csum_flags=1 ops=[ { mode=1
value=0x0a010101 length=4 offset=3 } { mode=1 value=0x0a010102 length=4
offset=4 } ] }

On my box (10.1.1.1) I did:
sysctl net.inet.ip.fw.one_pass=0
/sbin/ipfw add 50 netgraph 300 ip from any to 1.1.1.1

Then I do a simple ping from an outside box.
I see the packets arrive on my 160 rule,
but they never leave the box..

I would at least expect to see packets flow in one direction to 10.1.1.2, and then that
needs another ipfw and netgraph rule in the opposite direction.

If you have an alternative way, I'm happy to try...


Help much appreciated...
Sami
Sami Halabi
2017-12-17 10:59:25 UTC
Hi Eugene,
I'm looking for a solution for IP traffic. In Linux iptables it's possible,
but I couldn't find a FreeBSD way yet.
The bounce solution works for TCP only.

Thanks for the hint though,

Sami
Post by Sami Halabi
hi,
Can you help in my situation? My goal is so Box in my lan 10.1.1.2 to talk
to 10.1.1.1 and actually it would be talking to X.X.X.X outside ip using
one of my public IPs say 1.1.1.1.
If you need this just for single or several tcp ports, easiest way
pkg install bounce
bounce -a 10.1.1.1 -b 1.1.1.1 -p 443 X.X.X.X 443
Eugene Grosbein
2017-12-17 18:42:24 UTC
Post by Sami Halabi
Hi Eugene,
I'm looking for a solution for IP traffic. In Linux iptables it's possible, but I couldn't find a FreeBSD way yet.
The bounce solution works for TCP only.
Then you need to realize that, for every packet, you need to change (translate)
both the source IP address, from 10.1.1.2 to 1.1.1.1, and the destination IP address,
from 10.1.1.1 to X.X.X.X. This is called network address translation and,
in fact, you need NAT. But not ordinary "simple" NAT that translates
only the source address in outgoing packets (and the destination in incoming replies),
but double or "binat" NAT that translates the destination address in outgoing packets too
(and the source address in the corresponding replies).

This is possible to do with two instances of "ipfw nat" (or natd) for single external destination
but not for arbitrary number of external destinations.

They say the "pf(4)" packet filter can perform "binat" properly.
I have not tried that. You should start by reading its documentation.
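For reference, here is what the double translation Eugene describes looks like as a pf.conf fragment. This is an added example, not something from the thread or tested by either poster; it assumes bce0 is the LAN side (10.1.1.1/24), that the uplink interface is called em0 and carries 2.2.2.2 with 1.1.1.1 routed to the box, and it keeps X.X.X.X as a placeholder for the real external host, exactly as in the thread.

```pf
# pf.conf fragment (added example; interface name em0 is assumed,
# X.X.X.X is a placeholder for the real external host).
lan_if  = "bce0"
ext_if  = "em0"
lan_box = "10.1.1.2"
pub_ip  = "1.1.1.1"
remote  = "X.X.X.X"

# Destination half: packets from 10.1.1.2 addressed to 10.1.1.1 (the
# box's own LAN address) get their destination rewritten to X.X.X.X.
# pf reverses this on the replies using the state entry it created.
# No "proto" keyword, so it applies to ICMP and UDP as well as TCP.
rdr on $lan_if from $lan_box to 10.1.1.1 -> $remote

# Source half, bidirectional: on the uplink, 10.1.1.2 is presented as
# 1.1.1.1, and anything arriving for 1.1.1.1 is mapped back to 10.1.1.2.
# 1.1.1.1 need not be configured on an interface; it only has to be
# routed to this box so that replies reach it.
binat on $ext_if from $lan_box to any -> $pub_ip

# Filter rules see the already-translated destination, hence "to $remote".
pass in  on $lan_if from $lan_box to $remote keep state
pass out on $ext_if from $pub_ip  to $remote keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; note that `rdr` maps one destination, so each additional external host that 10.1.1.2 should reach via a fake LAN address needs its own `rdr` line.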