debian11# apt install iptables root@gate:~# apt install conntrack root@gate:~# cat nat.sh
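#!/bin/sh
# nat.sh -- source NAT for the lab LAN 192.168.X.0/24 leaving through eth1.
# ("X" is the per-student placeholder used throughout this page.)
#
# Run with "sh nat.sh"; the resulting rules are then dumped with
# "iptables-save > /etc/iptables.rules" and restored at boot.
#
# Caveats:
#   - "-t nat --flush" empties the entire nat table, not only these rules.
#     The filter table (FORWARD policy etc.) is not touched here at all.
#   - "conntrack -F" drops every tracking entry, so NAT'd sessions that are
#     already established through this gateway break and must reconnect.
#
# Stop at the first failing command so a half-loaded ruleset is not left
# behind silently.
set -e

# Start from an empty nat table so re-running the script does not append
# duplicate rules.
iptables -t nat --flush

# MASQUERADE translates to whatever address eth1 currently has (looked up per
# packet; mappings are dropped when eth1 goes down), which suits a dynamic
# uplink address.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.X.0/24 -j MASQUERADE
# Second client range (apparently the PPPoE users, cf. the pf variant further
# down the page) -- enable when that range is in use.
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100+X.0/24 -j MASQUERADE
# SNAT to a fixed address is the cheaper choice when the uplink address is
# static, and its mappings survive an interface flap.
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.X.0/24 -j SNAT --to-source 172.16.1.X

# Flush conntrack so traffic already in flight is re-evaluated against the
# new rules (see caveat above).
conntrack -F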
root@gate:~# sh nat.sh
root@gate:~# iptables -t nat -n -L -v --line-numbers root@gate:~# conntrack -L
root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# iptables-restore < /etc/iptables.rules
root@gate:~# cat /etc/network/interfaces
...
auto eth1
iface eth1 inet static
    # Restore the saved rules *before* eth1 is brought up, so there is no
    # window in which the uplink is active without NAT.  iptables-save dumps
    # every table, so any filter rules present at save time come back too.
    # (The address/netmask lines of this stanza are presumably among the
    # parts elided on the page.)
    pre-up iptables-restore < /etc/iptables.rules
...
# apt install iptables-persistent # netfilter-persistent save
gate### apt install nftables gate# man nft gate# nft add table nat gate# nft 'add chain nat postrouting { type nat hook postrouting priority srcnat ; }' gate# nft add rule nat postrouting ip saddr 192.168.X.0/24 oif eth1 snat to 172.16.1.X gate# nft add rule nat postrouting ip saddr 192.168.100+X.0/24 oif eth1 snat to 172.16.1.X gate# nft list ruleset gate# nft flush ruleset gate# systemctl enable nftables.service --now gate# cat /etc/nftables.conf
...
# Persistent nftables ruleset loaded by nftables.service.
table ip nat {
    chain postrouting {
        # Base chain on the postrouting NAT hook.  "policy accept" on a nat
        # chain only means packets matching no rule leave untranslated;
        # no filtering happens in this table.
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT for the second client range.
        # NOTE(review): the 192.168.X.0/24 rule added interactively on the
        # previous step is not in this file -- confirm that is intended,
        # otherwise it is lost on the next reload.
        # "oif" compares the interface index, which changes if eth1 is
        # re-created (hotplug, VM reconfiguration); 'oifname "eth1"' would
        # match by name instead.
        ip saddr 192.168.100+X.0/24 oif "eth1" snat to 172.16.1.X
    }
}
gate# systemctl reload nftables.service
[gate:~] # cat /etc/pf.conf
# Source NAT for the LAN behind em1.  "(em1)" in parentheses means "whatever
# address em1 has right now", re-read when the address changes.
# (This is the pre-OpenBSD-4.7 nat/rdr syntax still used by FreeBSD's pf.)
nat on em1 from 192.168.X/24 to any -> (em1)
# Variant: keep the client's original source port instead of letting pf
# choose one.  Only needed for protocols that embed the port; two internal
# hosts using the same source port then collide.
# nat on em1 from 192.168.X/24 to any -> (em1) static-port
# Variant: translate to a fixed address rather than the interface address.
# nat on em1 from 192.168.X/24 to any -> 172.16.1.X
[gate:~] # cat /etc/rc.conf
... pf_enable=yes
[gate:~] # service pf check [gate:~] # service pf start [gate:~] # pfctl -vs nat
root@gate:~# cat nat.sh
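#!/bin/sh
# nat.sh -- source NAT for 192.168.X.0/24 plus port forwarding (DNAT) of
# selected services from the gateway's external address 172.16.1.X to the
# internal server 192.168.X.10.  ("X" is the per-student placeholder.)
#
# Caveats:
#   - DNAT only rewrites the destination.  Whether the forwarded packet is
#     then accepted is decided by the filter table's FORWARD chain, which
#     this script does not touch: with FORWARD policy DROP you need matching
#     ACCEPT rules, with policy ACCEPT every forwarded service is reachable
#     from the eth1 side with no further filtering.
#   - Forwarding 53/tcp+udp exposes the internal DNS server to everything
#     that can reach 172.16.1.X.  If that server recurses, restrict recursion
#     or it becomes an open resolver.
#   - Moving SSH to 2222 is obscurity only; key-based auth / rate limiting on
#     192.168.X.10 are still needed.
#   - "-t nat --flush" empties the whole nat table and "conntrack -F" drops
#     all tracking state, so established NAT'd sessions break.
#
# Stop at the first failing command so a half-loaded ruleset is not left
# behind silently.
set -e

iptables -t nat --flush

# --- source NAT ----------------------------------------------------------
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.X.0/24 -j MASQUERADE
# Second client range (apparently the PPPoE users) -- enable when in use.
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100+X.0/24 -j MASQUERADE
# Variant: masquerade only the server host instead of the whole LAN.
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.X.10 -j MASQUERADE

# --- destination NAT: 172.16.1.X (eth1) -> 192.168.X.10 -----------------
# All rules are bound to "-i eth1", so LAN clients hitting the external
# address are not redirected (hairpin NAT is not handled here).
# SSH: external 2222 -> internal 22.
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 2222 -j DNAT --to-destination 192.168.X.10:22
# DNS over both transports.
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 53 -j DNAT --to-destination 192.168.X.10:53
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 53 -j DNAT --to-destination 192.168.X.10:53
# Mail: SMTP, SMTPS, submission, IMAP (cleartext port) -- currently disabled.
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 25 -j DNAT --to-destination 192.168.X.10:25
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 465 -j DNAT --to-destination 192.168.X.10:465
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 587 -j DNAT --to-destination 192.168.X.10:587
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 143 -j DNAT --to-destination 192.168.X.10:143
# Web -- disabled.
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 80 -j DNAT --to-destination 192.168.X.10:80
# XMPP client port -- disabled.
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 5222 -j DNAT --to-destination 192.168.X.10:5222
# VoIP for the Asterisk host: SIP (UDP 5060, TLS 5061), the RTP media range
# and IAX2 -- disabled.  A plain "udp --dport lo:hi" already accepts a range,
# so the multiport match on the RTP rule is not required.
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 5060 -j DNAT --to-destination 192.168.X.10:5060
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 5061 -j DNAT --to-destination 192.168.X.10:5061
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp -m multiport --dport 10000:20000 -j DNAT --to-destination 192.168.X.10
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 4569 -j DNAT --to-destination 192.168.X.10:4569

# Flush conntrack so in-flight traffic is re-evaluated (see caveat above).
conntrack -F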
root@gate:~# sh nat.sh root@gate:~# iptables-save > /etc/iptables.rules
[gate:~] # cat /etc/pf.conf
# pf.conf -- source NAT for the corporate LAN plus inbound redirects (rdr)
# from the external address to the internal server.  "X" is the per-student
# placeholder; every service macro currently points at the same host.
ext_ip="172.16.1.X"
ext_if="em1"
corp_net="192.168.X/24"
#pppoe_corp_net="192.168.100+X/24"
ssh_server="192.168.X.10"
dns_server="192.168.X.10"
www_server="192.168.X.10"
mail_server="192.168.X.10"
asterisk_server="192.168.X.10"

# --- translation (old nat/rdr syntax: translation happens *before* the
# filter rules, so filter rules see the translated addresses) --------------
# static-port for the VoIP host: presumably because SIP/RTP embed the source
# port and break when pf rewrites it.
#nat on $ext_if proto udp from $asterisk_server to any -> ($ext_if) static-port
nat on $ext_if from $corp_net to any -> ($ext_if)
#nat on $ext_if from $pppoe_corp_net to any -> ($ext_if)
#nat on $ext_if from $dns_server to any -> ($ext_if)

# SSH: external 2222 -> internal 22 (obscurity only; harden the server).
rdr on $ext_if proto tcp from any to $ext_ip port 2222 -> $ssh_server port 22
#rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail_server port 25
# DNS over both transports.  If $dns_server recurses, restrict recursion or
# this makes it an open resolver.
rdr on $ext_if proto {udp,tcp} from any to $ext_ip port 53 -> $dns_server port 53
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www_server port 80
# 143 is cleartext IMAP; make sure the server requires STARTTLS.
rdr on $ext_if proto tcp from any to $ext_ip port 143 -> $mail_server port 143
#rdr on $ext_if proto udp from any to $ext_ip port 5060 -> $asterisk_server port 5060
# "port 10000:*" maps the range onto the same range on the server (offset kept).
#rdr on $ext_if proto udp from any to $ext_ip port 10000:20000 -> $asterisk_server port 10000:*
#rdr on $ext_if proto udp from any to $ext_ip port 4569 -> $asterisk_server port 4569

# --- filtering -----------------------------------------------------------
# Both lines are commented out, so nothing is blocked: every rdr target above
# is reachable.  Enabling "block in all" requires explicit pass rules for the
# redirected services (matched on the *internal* address, see above).
# set skip on lo0
# block in all
...
[gate:/etc] # /etc/rc.d/pf check [gate:/etc] # /etc/rc.d/pf reload
root@gate:~# conntrack -L root@gate:~# iptstate root@gate:~# conntrack -F
[gate:~] # pfctl -vs state [gate:~] # pkg_add -r pftop [gate:~] # rehash [gate:~] # pftop [gate:~] # pfctl -F state
# One-to-one NAT between a "public" lab address and a private one:
# packets addressed to 192.168.6.N are handed to 192.168.106.N, and traffic
# originating from 192.168.106.N leaves looking like 192.168.6.N.
# ("N" is a placeholder for the host number.)
public_addr=192.168.6.N
private_addr=192.168.106.N

# Empty the nat table first so re-running does not pile up duplicate rules.
iptables --table nat --flush
# Inbound direction: rewrite destination before routing.
iptables --table nat --append PREROUTING --destination "$public_addr" --jump DNAT --to-destination "$private_addr"
# Outbound direction: rewrite source after routing.
iptables --table nat --append POSTROUTING --source "$private_addr" --jump SNAT --to-source "$public_addr"
[gate:~] # kldload ipdivert [gate:~] # natd -interface le1 or [gate:~] # natd -alias_address 172.16.1.X [gate:~] # sysctl net.inet.ip.fw.enable=0 [gate:~] # ipfw -f flush [gate:~] # ipfw add divert natd all from 192.168.X.0/24 to any via le1 [gate:~] # ipfw add divert natd all from any to 172.16.1.X via le1 [gate:~] # ipfw add pass all from any to any [gate:~] # sysctl net.inet.ip.fw.enable=1
# natd + ipfw divert NAT on a host whose uplink is en0 (the name suggests
# macOS, but this is the same natd/ipfw setup as the FreeBSD listing above).
# Two natd invocations appear here; as in the previous listing they are
# presumably alternatives (bind to the interface vs. a fixed alias address),
# not both to be run.
natd -interface en0
# Route the second internal network via its gateway.
route add 192.168.6.0/24 172.16.1.6
# Enable IP forwarding (BSD sysctl name).
sysctl -w net.inet.ip.forwarding=1
natd -alias_address 195.19.32.14
ipfw -f flush
# ipfw rules are evaluated in order: this first "pass" exempts traffic from
# 172.16.1.254 (presumably this host's own address) from the divert rules.
ipfw add pass all from 172.16.1.254 to any
# Divert outbound traffic from both internal networks, and inbound traffic
# for the alias address, through natd.
ipfw add divert natd all from 172.16.1.0/24 to any via en0
ipfw add divert natd all from 192.168.6.0/24 to any via en0
ipfw add divert natd all from any to 195.19.32.14 via en0
# No filtering at all: everything not diverted is passed.
ipfw add pass all from any to any
http://www.propheta.ru/2009/11/pptp-gre-pf.html
# cat /etc/rc.conf
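# Exempt the PPTP control channel (TCP/1723, "pptp" in /etc/services) and the
# GRE tunnel traffic from NAT on vlan2 -- presumably because pf cannot track
# GRE call IDs, so the PPTP endpoint must keep its own (routable) address.
no nat on vlan2 proto gre all
no nat on vlan2 proto tcp from any to any port = pptp
no nat on vlan2 proto tcp from any port = pptp to any
# ... (remainder of the translation section omitted on the page; the original
# listing had a stray ";" here, which is not valid pf.conf syntax)

# Filter rules.  $external_if is presumably vlan2 -- the macro is not defined
# in the visible part of the file.  "quick" stops evaluation at the first
# match; without "in"/"out" the rules match both directions.
pass quick on $external_if inet proto tcp from any to any port 1723
pass quick on $external_if inet proto tcp from any port 1723 to any
# This passes GRE from/to *anywhere*; restrict it to the PPTP endpoint(s) if
# they are known.  PPTP's MS-CHAPv2 authentication is considered broken, so
# prefer a modern VPN where the choice exists.
pass quick on $external_if inet proto gre from any to any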
# cat /etc/ipfw.script
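#!/bin/sh
# /etc/ipfw.script -- load the ipfw ruleset that passes PPTP (TCP/1723) and
# its GRE tunnel traffic through in-kernel NAT instance 10 on vlan2.
# Referenced from /etc/rc.conf via firewall_script=.
#
# Caveats:
#   - "flush" discards every existing rule before the new ones are loaded.
#   - The closing "allow all from any to any" means this host does no
#     filtering at all; tighten it before exposing the box.
#
# The heredoc delimiter is quoted so the shell cannot expand anything inside
# the ruleset -- nothing expands today, but it keeps the rules literal if a
# "$" or backtick is ever added.
/sbin/ipfw -q /dev/stdin <<'RULES'
flush
nat 10 config if vlan2
add 10 nat 10 gre from any to any
add 11 nat 10 tcp from any to any dst-port pptp
add 12 nat 10 tcp from any pptp to any
add allow all from any to any
RULES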
# chmod +x /etc/ipfw.script # cat /etc/rc.conf
# /etc/rc.conf fragment: start ipfw at boot, enable its in-kernel NAT
# support, and load the ruleset from the custom script above instead of one
# of the canned firewall_type profiles.
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.script"