Re: Trying to do something complicated

On Thu, Feb 17, 2005 at 08:57:03AM -0500, Chris Ross wrote:
>
> So the issue is, if packets come in ppp0, I want to reply to them
> *out*
> ppp0, without NAT'ing. But, otherwise, I want the NAT rules to NAT
> them out the broadband connection.
>
> Is this sort of inquiry/selection possible with ipfilter/ipnat?

I used to have a patch that did exactly this. I am not sure
if it still works.

You should have rules like:

pass in quick on if0 to if0:DEFAULT_ROUTER proto tcp ... keep state keep frags
Here if0 is your broadband interface and DEFAULT_ROUTER needs to be
replaced by the ip address of the default router on the broadband side.

You also need RDR ruiles if you want to terminate a connection not on
your ipf host, but an internal one. E.g.:
rdr if0 0.0.0.0/0 port 22 -> 192.168.1.1 port 22 tcp frag
if an SSH connection to your broadband IP address should terminate internally
at host 192.168.1.1.

You can try if this works without a patch by I don't think it will.
Otherwise you'll have to make my old patch working on ipf4.
The old patch can be found at:
http://coombs.anu.edu.au/~avalon/ipf...lti_home.patch

Btw: this will only work for rules with "keep state" present.
I'm sorry that I will not be able to help due to ENOTIME and the fact
that I no longer have such a setup.

Btw2: You can use your setup to use the broadband for you http traffic.
Then you should use:

pass in quick on int0 to if0:DEFAULT_ROUTER proto tcp from internal_net to any port = 80 keep state
int0 is the interface of your internal network
with an appropriate NAT (map) rule like:
map if0 internal_net -> 0/32 frag


-Guido