Subject: Re: i dont bring it to fly my ports ?`:-(
To: Caloro Maurizio <mauric@gmx.ch>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-users
Date: 07/01/2003 07:32:28
On Mon, Jun 30, 2003 at 11:53:15PM +0200, Caloro Maurizio wrote:
> public pop3/smtp                             *****************
> server (a.b.c.d) ----- Internet ----- x¹ * (R) S Classic * x² ----- x³ PC 1
>                                            *****************
>
>
> Network config
> \·°°°°°°°°°°°°·/
> x¹ = ext NIC IP, DHCP address X.X.X.X
> x² = ext (R) NIC = 192.168.20.222; (R) = Router, Squid:3128, Apache:80, DNS, LPD
> x³ = Win2000 PC1 = 192.168.20.199
>
> Dear IPfilter Group :
> --------------------
> What I want to do is this: from my PC1, fetch the email from the public POP
> server, but to do this I must go through my router, which at the moment doesn't
> want to let me do this. Please have a look, as I don't see the mistake I have
> made.
>
> Below is my ipnat.conf, after many attempts that I tried, without results :-(
> please help
> maurizio
>
> .->
> KERNEL config >>
> #
> options IPFILTER # IPFILTER manual entry
> options IPFILTER_LOG # Add ipmon(8) logging for ipfilter device
> options IPFILTER_DEFAULT_BLOCK # block all packets by default
>
> .->
> netsun# cat sysctl.conf
> #!/sbin/sysctl -f
> #
> net.inet.ip.forwarding=1
> net.inet.ip.mtudisc=1
> net.inet.tcp.recvspace=65535
> net.inet.tcp.sendspace=65535
>
> .->
> netsun# cat rc.conf
> # Networking startup.
> #
> ipfilter=YES # uses /etc/ipf.conf
> ipnat=YES # uses /etc/ipnat.conf
> ipmon=YES ipmon_flags="-Dns" # syslog ipfilter messages
>
> .->
> netsun# cat ipf.conf
> #
> pass in all
> pass out all
>
> netsun# cat ipnat.conf
> #
> #
> #
> #rdr le0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
>
> #map le1 192.168.20.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> #map le1 192.168.20.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:40000
> #map le1 192.168.20.0/16 -> 0.0.0.0/32
>
> #
> # pass in quick on le0 proto tcp from any to any port = smtp flags S keep frags keep state
>
> rdr le1 0.0.0.0/0 port 25 -> 192.168.20.199 port 25
> rdr le1 0.0.0.0/0 port 25 -> 192.168.20.199 port 110
>
> #rdr le1 213.165.64.20/32 port 25 -> 192.168.20.199 port 25
> #rdr le1 213.165.64.20/32 port 110 -> 192.168.20.199 port 110
>
> #rdr le0 192.168.20.199 port 25 -> 0.0.0.0/0 port 25
> #rdr le0 192.168.20.199 port 110 -> 0.0.0.0/0 port 110
>
> #rdr le1 213.165.64.20/32 port 25 -> 192.168.20.199/32 port 25
> #rdr le1 213.165.64.20/32 port uucp -> 192.168.20.199/32 port uucp
> #rdr le1 213.165.64.20/32 port pop -> 192.168.20.199/32 port pop
You got it wrong. The rdr lines here mean that an *external* *client*
would be able to access SMTP and POP3 *servers* on ports 25 and 110 on your
Win2000 PC.
You need it the other way round, so you need the map lines:
map le1 192.168.20.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map le1 192.168.20.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:40000
map le1 192.168.20.0/16 -> 0.0.0.0/32
That's all.
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
NetBSD: 24 years of experience will always make the difference
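As an added example that is not part of the thread or of NetBSD's own documentation, here is a minimal ipnat.conf and ipf.conf pair for the topology above that applies the point of the reply: map rules on the external interface translate the LAN's *outbound* connections, which is the direction PC1 needs in order to fetch mail from the public POP3/SMTP server, whereas rdr only exposes an *inbound* service on the LAN to outside clients. It assumes le1 is the external, DHCP-addressed NIC and le0 the LAN NIC (the thread never says so explicitly; the poster's commented `rdr le0 ... port 80 -> 127.0.0.1 port 3128` line on le0 suggests it), uses a /24 mask for 192.168.20.0 where the thread writes /16, and replaces the poster's `pass in all` / `pass out all` with stateful rules so that a router built with IPFILTER_DEFAULT_BLOCK actually blocks unsolicited traffic from the Internet.

```conf
# ---- /etc/ipnat.conf (added example; assumes le1 = external DHCP NIC, le0 = LAN NIC) ----
#
# Outbound NAT: rewrite the source of every LAN packet leaving le1 to the
# address le1 currently holds. "0/32" means "use the interface's own address",
# which is what a DHCP-assigned external address requires. These three lines
# are what lets PC1 (192.168.20.199) reach the public POP3/SMTP server.
map le1 192.168.20.0/24 -> 0/32 proxy port ftp ftp/tcp
map le1 192.168.20.0/24 -> 0/32 portmap tcp/udp 10000:40000
map le1 192.168.20.0/24 -> 0/32
#
# Inbound redirection: only for an *external* client that must reach a
# service *inside* the LAN. Nothing in this setup needs it; the line below
# is shown (and left commented) only to contrast its direction with map.
#rdr le1 0/32 port 25 -> 192.168.20.199 port 25 tcp

# ---- /etc/ipf.conf (added example) ----
#
# Loopback is always trusted.
pass in quick on lo0 all
pass out quick on lo0 all
#
# LAN -> router (Squid, Apache, DNS, LPD) and LAN -> Internet: keep state so
# the replies are admitted without any explicit inbound rule on le1.
pass in quick on le0 proto tcp from 192.168.20.0/24 to any flags S keep state
pass in quick on le0 proto udp from 192.168.20.0/24 to any keep state
pass in quick on le0 proto icmp from 192.168.20.0/24 to any keep state
#
# Traffic leaving on the external side: the router's own DNS lookups and the
# NATed LAN connections. On output ipf filters before ipnat translates, so
# these rules still see the untranslated 192.168.20.x source; "any" covers both.
pass out quick on le1 proto tcp from any to any flags S keep state
pass out quick on le1 proto udp from any to any keep state
pass out quick on le1 proto icmp from any to any keep state
#
# Everything else arriving from the Internet is dropped and logged via ipmon.
block in log quick on le1 all
```

Load the two files with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf` (or reboot with the rc.conf settings shown in the thread), then check the direction with `ipnat -l`: while PC1 has a POP3 session open, the active sessions list shows 192.168.20.199 mapped to le1's address toward port 110, which is exactly what the poster's rdr lines never produced. `ipfstat -io` prints the loaded filter rules, and ipmon (started with the `-Dns` flags from rc.conf) logs whatever the final block rule drops, so an unexpected drop shows up in syslog rather than as a silent timeout.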