Marcel Grandemange wrote: > Ok so I know this is a newbie question.. > > But ive for years now wanted to know how to only nat certain traffic or maby > only across a certain ip. > > Ive tried many examples all not working.. Maby im just doing something > stupid.. > > But, below is a example of a machine that is natting everything on em0. > > Id like to know how to change that to everything on say 22.214.171.124 > instead of entire interface. > > Or better yet.. > > Stop natting everything and say only nat web traffic. > > Im having issues where certain traffic is being nated that MUSTN be!
If you're running 7.0, you can ditch divert and use the built-in NAT functionality (you can probably replace the nat rules for divert rules). You can use source and destination ports and addresses when deciding what to have ipfw divert/nat. They're rules just like any others. Here's what I do: /etc/ipfw.rules: | CMD="/sbin/ipfw -q add" | | # Configure NAT | /sbin/ipfw -q nat 1 config if inet log reset unreg_only same_ports \ | redirect_port tcp 10.1.10.20:80 80 \ | redirect_port tcp 10.1.10.20:443 443 | | # loopback | $CMD allow all from any to any via lo0 | $CMD deny log all from 127.0.0.0/8 to any | | # Anti-spoof | $CMD deny log all from any to any not verrevpath in | | # Catch proto 41 without NATing | $CMD allow ipv6 from any to me | | # Allow this box to initiate unNATed outbound connections | $CMD allow ip from me to any keep-state | | # NAT | $CMD nat 1 ip4 from any to me in via inet | $CMD nat 1 ip4 from 10.1.10.0/24 to not me out via inet | | # ICMP | $CMD allow icmp from any to any | | # SSH From local nets | $CMD allow tcp from 10.1.10.0/24 to me ssh | | # DNS from local nets | $CMD allow udp from 10.1.10.0/24 to me domain | | # DHCP from local nets | $CMD allow udp from any to me bootps in via bridge0 | $CMD allow udp from 0.0.0.0 to 255.255.255.255 bootps in via bridge0 | | # Deny anything else destined to me | $CMD deny log ip from any to me | | # But forward any other traffic | $CMD allow ip4 from any to any -- Chris Cowart Network Technical Lead Network & Infrastructure Services, RSSP-IT UC Berkeley
Description: PGP signature