I know this is basic stuff, but I can't seem to get it to work.
As a test, I want to forward telnet from my firewall/router to a box inside on the NAT'ed LAN.
So I created the rule in 'ipf.conf':
pass in quick on eri0 proto tcp from any to any port = 23 flags S keep state
And in 'ipnat.conf':
rdr eri0 375.64.91.174/32 port 23 -> 192.168.5.5 port 23 tcp
(sorry about the bogus IP address)
When I 'ssh' to a remote machine, then telnet back, I don't get connected to 192.168.5.5.
ipnat -l shows:
List of active sessions:
RDR 192.168.5.5 23 <- -> 375.64.91.174 23 [208.255.18.94 57310]
but I don't get connected.
Can anyone tell me what I've done wrong?
I'm running Solaris 10 on a Netra T1 using the built-in IPFilter.
Attached are my ipf.conf and ipnat.conf.
Thanks!
## ipf.conf - config file for ipfilter
###############################################################################
## pass all local traffic
pass in quick on lo0 all
pass out quick on lo0 all
##
###############################################################################
## OUTBOUND = eri0
#
## block inbound traffic from a particular IP on a particular port
#block in quick on hme0 from <IP #> to any port = <port #>
##
###############################################################################
## FIRST - THE "IN" STUFF
#
# First - block everything, then (as processing continues) allow
# specific things through
#
###
block in on eri0 all
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Allow outgoing DNS requests (no named on firewall)
# (I don't know if this works)
pass in quick on eri0 proto udp from any to any port = 53 # keep state
## pass inbound echo request
pass in quick on eri0 proto icmp from any to any icmp-type 8
## pass inbound smtp
# The "flags S" allows the initial connection. The "keep state" allows
# future packets of the same connection.
pass in quick on eri0 proto tcp from any to any port = 25 flags S keep state
pass in quick on eri0 proto tcp from any to any port = 12196 flags S keep state
## pass inbound ssh
pass in quick on eri0 proto tcp from any to any port = 22 flags S keep state
## pass inbound imap
pass in quick on eri0 proto tcp from any to any port = 143 flags S keep state
## pass inbound http and https
pass in quick on eri0 proto tcp from any to any port = 80 flags S keep state
pass in quick on eri0 proto tcp from any to any port = 4848 flags S keep state
pass in quick on eri0 proto tcp from any to any port = 443 flags S keep state
## pass inbound SunRay
#pass in quick on eri0 proto udp from any to any port = 7009
pass in quick on eri0 proto tcp from any to any port = 7009 flags S keep state
pass in quick on eri0 proto tcp from any to any port = 7010 flags S keep state
pass in quick on eri0 proto udp from any to any port = 40000
pass in quick on eri0 proto udp from any to any port = 40001
pass in quick on eri0 proto udp from any to any port = 40002
pass in quick on eri0 proto udp from any to any port = 40003
##
## RTP/RTSP stuff
pass in quick on eri0 proto tcp from any to any port = 554 flags S keep state
##
###############################################################################
## SECOND - THE "OUT" STUFF
## pass all outbound tcp, udp, icmp traffic with state, except HTTP
## first, pass everything, then block specific applications as we continue
## processing
pass out on eri0 from any to any keep state keep frags
# Block HTTP and HTTPS (force through the proxy)
block out quick on eri0 proto tcp from 192.168.0.0/16 to any port = 80
block out quick on eri0 proto tcp from 192.168.0.0/16 to any port = 443
# allow HTTP on the XBOX 360
pass out quick on eri0 proto tcp from 192.168.5.11/32 to any port = 80
pass out quick on eri0 proto tcp from 192.168.5.11/32 to any port = 443
# Block Kazaa, et.al.
block out quick on eri0 proto tcp from 192.168.0.0/16 to any port = 3531
#pass out from any to any
#pass out quick on eri0 proto tcp from any to any # keep state keep frags
#pass out quick on eri0 proto udp from any to any # keep state keep frags
#pass out quick on eri0 proto icmp from any to any # keep state
#pass out quick on eri0 from any to any # keep state
##
###############################################################################
## end of ipfilter ruleset
## VPN?
pass in quick on eri0 proto tcp/udp from any to any port = 400
pass in quick on eri0 proto tcp/udp from any to any port = 500
pass in quick on eri0 proto tcp/udp from any to any port = 4500
#
# Xbox Live
#
pass in quick on eri0 proto udp from any to any port = 88
pass in quick on eri0 proto tcp/udp from any to any port = 3074 flags S keep state
pass in quick on eri0 proto tcp from any to any port = 23 flags S keep state

## ipnat.conf - NAT rules for ipfilter
#
# XBOX Live
#
rdr eri0 375.64.91.174/32 port 23 -> 192.168.5.5 port 23 tcp
rdr eri0 375.64.91.174/32 port 88 -> 192.168.5.11 port 88 udp
rdr eri0 375.64.91.174/32 port 3074 -> 192.168.5.11 port 3074 udp
rdr eri0 375.64.91.174/32 port 3074 -> 192.168.5.11 port 3074 tcp
#
map eri0 192.168.5.0/24 -> 375.64.91.174/32 portmap tcp/udp 20000:50000
map eri0 192.168.6.0/24 -> 375.64.91.174/32 portmap tcp/udp 50001:60000
map eri0 192.168.5.0/24 -> 375.64.91.174/32
map eri0 192.168.6.0/24 -> 375.64.91.174/32
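As a sanity check on the filter side, here is an added example that is not part of the original post and not IPFilter's own tooling: a small Python script that cross-checks the rdr rules in ipnat.conf against the inbound pass rules in ipf.conf. IPFilter applies inbound NAT before filtering, so each rdr target needs a "pass in" rule on the outside interface that matches the translated destination port, and for TCP that rule should keep state so the rest of the session is admitted. The sample rule text is copied from the post (the 375.64.91.174 address is the poster's own placeholder); the regexes and the check() function are assumptions of this example and only cover the rule forms used on this page. For the post's rules check() returns an empty list, i.e. the rdr/pass pairing itself is consistent.

```python
import re

# Rule text copied from the post above, one rule per line as ipf requires
# (the mail client's line wrapping has been undone). 375.64.91.174 is the
# poster's deliberately bogus external address.
IPF_CONF = """\
block in on eri0 all
pass in quick on eri0 proto udp from any to any port = 88
pass in quick on eri0 proto tcp/udp from any to any port = 3074 flags S keep state
pass in quick on eri0 proto tcp from any to any port = 23 flags S keep state
pass out on eri0 from any to any keep state keep frags
"""

IPNAT_CONF = """\
rdr eri0 375.64.91.174/32 port 23 -> 192.168.5.5 port 23 tcp
rdr eri0 375.64.91.174/32 port 88 -> 192.168.5.11 port 88 udp
rdr eri0 375.64.91.174/32 port 3074 -> 192.168.5.11 port 3074 udp
rdr eri0 375.64.91.174/32 port 3074 -> 192.168.5.11 port 3074 tcp
map eri0 192.168.5.0/24 -> 375.64.91.174/32 portmap tcp/udp 20000:50000
"""

# Assumed rule grammar: only the single-port rdr and "pass in ... port = N"
# forms that appear in the post are recognised; everything else is ignored.
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+\S+\s+port\s+(?P<port>\d+)\s*->\s*"
    r"(?P<thost>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>tcp/udp|tcp|udp)$"
)
PASS_RE = re.compile(
    r"^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+\S+\s+to\s+(?P<to>\S+)\s+port\s*=\s*(?P<port>\d+)(?P<rest>.*)$"
)


def _lines(text):
    """Yield rule lines with '#' comments and blank lines stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_rdr(text):
    """Return the rdr rules as dicts; 'tcp/udp' becomes two protocols."""
    rules = []
    for line in _lines(text):
        m = RDR_RE.match(line)
        if m:
            rules.append({
                "iface": m["iface"],
                "thost": m["thost"],
                "tport": int(m["tport"]),          # port the filter will see
                "protos": set(m["proto"].split("/")),
            })
    return rules


def parse_pass_in(text):
    """Return the inbound pass rules with the fields the check needs."""
    rules = []
    for line in _lines(text):
        m = PASS_RE.match(line)
        if m:
            rules.append({
                "iface": m["iface"],
                "to": m["to"],
                "port": int(m["port"]),
                "protos": set(m["proto"].split("/")),
                "stateful": "keep state" in m["rest"],
            })
    return rules


def check(ipf_text, ipnat_text):
    """List rdr targets with no matching inbound pass rule, and TCP targets
    whose pass rule lacks 'keep state'. Matching is done on the translated
    (post-NAT) destination because IPFilter NATs inbound packets before
    it filters them."""
    findings = []
    passes = parse_pass_in(ipf_text)
    for rdr in parse_rdr(ipnat_text):
        target = f"{rdr['thost']}:{rdr['tport']}"
        for proto in sorted(rdr["protos"]):
            hits = [p for p in passes
                    if p["iface"] == rdr["iface"]
                    and proto in p["protos"]
                    and p["port"] == rdr["tport"]
                    and p["to"] in ("any", rdr["thost"])]
            if not hits:
                findings.append(
                    f"no pass-in rule on {rdr['iface']} for {proto} to {target}")
            elif proto == "tcp" and not any(p["stateful"] for p in hits):
                findings.append(
                    f"pass-in rule for tcp to {target} lacks 'keep state'")
    return findings


if __name__ == "__main__":
    for finding in check(IPF_CONF, IPNAT_CONF) or ["rdr/pass rules are consistent"]:
        print(finding)
```

To run it against the live files, pass the contents of the installed ipf.conf and ipnat.conf (on Solaris 10 they live under /etc/ipf/) to check(). An empty result only says the filter rules agree with the NAT rules; it does not prove the rules were reloaded with ipf -f / ipnat -f, that 192.168.5.5 routes its replies back through the firewall, or that telnetd is listening there, so those are the next things to confirm.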