1

I'm trying to forward an external IP address to another external IP address with pf. The equivalent iptables command would be iptables -t nat -A OUTPUT -d [ipaddress1] -j DNAT --to-destination [ipaddress2].

I've tried various forms of nat and rdr in my pf.conf, examples of which are: ($int_if is internal interface, $ext_if external interface, $out_ad is ipaddress1 (address to redirect) and $res_ad is ipaddress2 (address to redirect to)

nat on $int_if from 127.0.0.1 to $out_ad -> $res_ad
rdr pass on $ext_if proto tcp from $out_ad to $res_ad -> 127.0.0.1
rdr pass on $int_if proto tcp from 127.0.0.1 to $out_ad -> $res_ad
rdr pass log proto tcp from any to $out_ad -> $res_ad
nat from $out_ad to $res_ad -> 127.0.0.1
nat on $ext_if from $out_ad to $res_ad -> $ext_if
rdr on $int_if proto tcp from any to $out_ad -> $res_ad
rdr pass quick on $ext_if proto tcp from any to $out_ad -> $res_ad

None of these seem to do the trick. I have set sysctl net.inet.ip.forwarding=1 as well. Any help would be greatly appreciated. Thanks

Andrew Schulman
  • 8,811
  • 21
  • 32
  • 47
chaz2505
  • 11
  • 2

1 Answers1

2
sysctl net.inet.ip.forwarding=1

This will just enable routing on your machine. It could work if you would create a to allow any to the destination IP on the external interface (at least in theory) (10.20.30.40 is your final destination in this example)

pass in inet proto tcp from any to 10.20.30.40

(just an idea)

But your rdr rules will not work because they so happen to be on the same interface which (according to some forum posts) are not allowed, or just simply don't work

The public NAT rule in the other hand should work, but you will lose the originating IP address on the final destination. (intended?)

nat on $ext_if inet from any to 10.20.30.40 -> ($ext_if:0) port 1024:65535
pass on $ext_if inet from any to 10.20.30.40 keep state

(or synproxy state)

for debugin purpose try enable logging of the rules (by adding log to the pass rule, enabeling pflog, and the following command)

/etc/rc.conf
...
pflog_enable="YES"
pflog_logfile="/var/log/pflog
...


# tcpdump -i pflog0 -n -e -ttt

Ohh, and please maybe provide some simple network structure ;)

Daywalker
  • 495
  • 5
  • 25
  • I don't know if you understood the problem because you make no mention of the two addresses I would like to forward from/to. – chaz2505 Mar 06 '15 at 12:54
  • The address the connection will b NATed to can be found in the macro $ext_if:0 as it is the first IP address of this Interface (i have 3 aliases on this interface for example, so 0 is the first one – Daywalker Mar 08 '15 at 09:05