2014-05-14 87 views
2

I need a little help. FreeBSD ipfw & natd redirect_address

My rc.conf:

gateway_enable="YES" 
natd_enable="YES" 
natd_interface="xl0" 
natd_flags="-f /etc/natd.conf" 

ifconfig_xl0="inet 74.92.224.225 netmask 255.255.255.0" 
ifconfig_xl0_alias0="inet 74.92.224.227 netmask 255.255.255.255" 
ifconfig_xl0_alias1="inet 74.92.224.226 netmask 255.255.255.255" 
ifconfig_xl0_alias2="inet 74.92.224.228 netmask 255.255.255.255" 
ifconfig_xl0_alias3="inet 74.92.224.229 netmask 255.255.255.255" 

ifconfig_re0="up" 
ifconfig_re1="up" 
cloned_interfaces="lagg0" 
ifconfig_lagg0="laggproto loadbalance laggport re0 laggport re1 172.27.240.33 netmask 255.255.0.0" 

firewall_client_net="172.27.0.0:255.255.0.0" 
firewall_enable="YES" 
firewall_logging="YES" 
firewall_type="/etc/ipfw.rules" 

My natd.conf:

interface xl0 
use_sockets yes 
same_ports yes 
redirect_address 172.27.240.44 74.92.224.227 

My ipfw.rules:

add 50 divert natd log ip4 from any to any via xl0 
add 2000 pass all from 172.27.0.0:255.255.0.0 to 172.27.0.0:255.255.0.0 via 172.27.240.33 
add 2040 deny log all from any 23 to any 
add 2050 deny log all from any to any 23 
add 2060 deny log all from any 111 to any 
add 2070 deny log all from any to any 111 
add 2080 deny log all from any 221 to any 
add 2090 deny log all from any to any 221 
add 2100 deny log all from any 222 to any 
add 2110 deny log all from any to any 222 
add 5000 pass all from any to any 

Everything works, except that traffic coming in to 74.92.224.227 does not go to 172.27.240.44; it ends up on the gateway but not on the LAN.

Thanks in advance.

Answers

0

If I understand you correctly, you want to NAT all packets from 172.27.240.44 to 74.92.224.227? Also, I don't think the syntax in your ipfw rules file is correct.

I would rather use ipfw's in-kernel NAT.

rc.conf (don't forget to disable LRO/TSO, because libalias currently does not work properly with those options enabled):

gateway_enable="YES" 
firewall_enable="YES" 
firewall_script="/etc/ipfw.rules" 
firewall_nat_enable="YES" 
firewall_logging="YES" 

ifconfig_re0="up -rxcsum -txcsum -tso -lro" 
ifconfig_re1="up -rxcsum -txcsum -tso -lro" 
# The offload flags and the address share one ifconfig_xl0 line: rc.conf is sourced by sh(1),
# so a second ifconfig_xl0= assignment would silently replace the first one.
ifconfig_xl0="inet 74.92.224.225 netmask 255.255.255.0 -rxcsum -txcsum -tso -lro" 

ifconfig_xl0_alias0="inet 74.92.224.227 netmask 255.255.255.255" 
ifconfig_xl0_alias1="inet 74.92.224.226 netmask 255.255.255.255" 
ifconfig_xl0_alias2="inet 74.92.224.228 netmask 255.255.255.255" 
ifconfig_xl0_alias3="inet 74.92.224.229 netmask 255.255.255.255" 

cloned_interfaces="lagg0" 
ifconfig_lagg0="laggproto loadbalance laggport re0 laggport re1 172.27.240.33 netmask 255.255.0.0" 

/etc/ipfw.rules

#!/bin/sh - 

fwcmd="/sbin/ipfw" 

${fwcmd} -f flush 
${fwcmd} -q flush 
${fwcmd} -q table all flush 
${fwcmd} -q pipe flush all 
${fwcmd} -q queue flush all 

# redirect_addr is the in-kernel equivalent of natd's redirect_address: the static 1:1 mapping
# is what lets new inbound connections to 74.92.224.227 reach 172.27.240.44 despite deny_in.
${fwcmd} nat 1 config ip 74.92.224.227 same_ports reset deny_in redirect_addr 172.27.240.44 74.92.224.227 

# Pass local traffic 
${fwcmd} add 101 allow all from any to any via lo0 

# Apply NAT on external interface 
${fwcmd} add 201 nat ip from 172.27.240.44 to any out xmit xl0 
${fwcmd} add 202 nat ip from any to 74.92.224.227 in recv xl0 

# LAN traffic is seen by ipfw on the lagg interface, not on its member ports
${fwcmd} add 301 allow all from 172.27.0.0/16 to 172.27.0.0/16 via lagg0 

${fwcmd} add 2040 deny log all from any 23 to any 
${fwcmd} add 2050 deny log all from any to any 23 
${fwcmd} add 2060 deny log all from any 111 to any 
${fwcmd} add 2070 deny log all from any to any 111 
${fwcmd} add 2080 deny log all from any 221 to any 
${fwcmd} add 2090 deny log all from any to any 221 
${fwcmd} add 2100 deny log all from any 222 to any 
${fwcmd} add 2110 deny log all from any to any 222 
${fwcmd} add 5000 allow all from any to any 

Here rule 201 will map all packets from 172.27.240.44 to 74.92.224.227. Rule 202 does the reverse.
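Two things in this thread are easy to get wrong before any packet is ever traced: a natd `redirect_address` pointing at a public address that is not actually configured on the external interface (the question's setup), and rc.conf assigning the same `ifconfig_*` variable twice, which silently keeps only the last value because rc.conf is sourced by sh(1) (the kind of mistake the answer's offload-flag lines invite). The following POSIX sh script is an added example, not code from either poster; it runs the two checks offline against rc.conf and natd.conf files that it constructs itself from the addresses in this thread, plus one deliberately unconfigured public address (74.92.224.240) so the check has something to flag. The file paths and sample contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from this thread): offline sanity checks for the rc.conf and
# natd.conf files discussed above. The sample files are constructed in make_samples;
# the addresses mirror the thread, plus one deliberately unconfigured public address.

# rc.conf is sourced by sh(1), so a variable assigned twice keeps only its last
# value (an earlier "ifconfig_xl0=..." line is silently lost). Print each variable
# name that rc.conf ($1) assigns more than once.
rc_duplicate_vars() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d
}

# Print every IPv4 address that rc.conf ($1) configures on interface $2:
# the primary ifconfig_<if> line plus any ifconfig_<if>_aliasN lines.
rc_iface_addrs() {
    sed -n "s/^[[:space:]]*ifconfig_$2\(_alias[0-9]*\)\{0,1\}=\"inet \([0-9.]*\).*/\2/p" "$1"
}

# For each redirect_address line in natd.conf ($2), print the public address if it
# is not configured on natd's interface according to rc.conf ($1). Returns 1 if any
# address is missing, 0 otherwise. A redirect to an address the gateway does not
# own can never receive traffic, so this is the first thing to rule out.
natd_check_redirects() {
    iface=$(sed -n 's/^interface[[:space:]]*\([^[:space:]]*\).*/\1/p' "$2" | head -n 1)
    addrs=$(rc_iface_addrs "$1" "$iface")
    rc=0
    for pub in $(awk '$1 == "redirect_address" { print $3 }' "$2"); do
        if ! printf '%s\n' "$addrs" | grep -Fxq "$pub"; then
            echo "$pub"
            rc=1
        fi
    done
    return $rc
}

# Write the constructed sample files into directory $1.
make_samples() {
    cat > "$1/rc.conf" <<'EOF'
gateway_enable="YES"
ifconfig_xl0="up -rxcsum -txcsum -tso -lro"
ifconfig_xl0="inet 74.92.224.225 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet 74.92.224.227 netmask 255.255.255.255"
ifconfig_xl0_alias1="inet 74.92.224.226 netmask 255.255.255.255"
EOF
    cat > "$1/natd.conf" <<'EOF'
interface xl0
use_sockets yes
same_ports yes
redirect_address 172.27.240.44 74.92.224.227
redirect_address 172.27.240.45 74.92.224.240
EOF
}

# Demo run against the constructed files.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "variables assigned more than once in rc.conf:"
rc_duplicate_vars "$demo_dir/rc.conf"
echo "redirect_address targets not configured on the natd interface:"
natd_check_redirects "$demo_dir/rc.conf" "$demo_dir/natd.conf" || echo "(add the alias to rc.conf or fix natd.conf)"
rm -r "$demo_dir"
```

Run it as-is to see the demo, or source it and point `rc_duplicate_vars` and `natd_check_redirects` at the real `/etc/rc.conf` and `/etc/natd.conf`; both only read the files, so they are safe to run on a live gateway. The same address check applies to an in-kernel `ipfw nat ... redirect_addr` line: the public side of the mapping must be an address of the external interface.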