I'm trying to forward an external IP address to another external IP address with pf. The equivalent iptables command would be: iptables -t nat -A OUTPUT -d [ipaddress1] -j DNAT --to-destination [ipaddress2].
I've tried various forms of nat and rdr in my pf.conf, examples of which are below ($int_if is the internal interface, $ext_if the external interface, $out_ad is ipaddress1 (the address to redirect) and $res_ad is ipaddress2 (the address to redirect to)):

    nat on $int_if from 127.0.0.1 to $out_ad -> $res_ad
    rdr pass on $ext_if proto tcp from $out_ad to $res_ad -> 127.0.0.1
    rdr pass on $int_if proto tcp from 127.0.0.1 to $out_ad -> $res_ad
    rdr pass log proto tcp from any to $out_ad -> $res_ad
    nat from $out_ad to $res_ad -> 127.0.0.1
    nat on $ext_if from $out_ad to $res_ad -> $ext_if
    rdr on $int_if proto tcp from any to $out_ad -> $res_ad
    rdr pass quick on $ext_if proto tcp from any to $out_ad -> $res_ad
None of these seem to do the trick. I have set sysctl net.inet.ip.forwarding=1 as well. Any help would be greatly appreciated. Thanks.
Best Answer
Setting net.inet.ip.forwarding=1 will just enable routing on your machine. It could work if you created a rule to allow any to the destination IP on the external interface (at least in theory) (10.20.30.40 is your final destination in this example).
(just an idea)
But your rdr rules will not work because they happen to be on the same interface, which (according to some forum posts) is not allowed, or simply does not work.
The public NAT rule, on the other hand, should work, but you will lose the originating IP address on the final destination. (intended?)
(or synproxy state)
For debugging purposes, try enabling logging of the rules (by adding log to the pass rule, enabling pflog, and running the following command).
Oh, and please maybe provide a simple network structure ;)
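As an added example (not part of the question or the answer above), here is a complete pf.conf in the same nat/rdr syntax the question uses, showing the forwarded-traffic case the answer describes: LAN hosts that connect to $out_ad are silently sent to $res_ad, and the firewall's own address replaces theirs on the outside. The interface names, the LAN prefix and the two addresses are assumptions chosen for illustration.

```pf
# Added example, not the original poster's configuration.
# Interface names, networks and addresses below are assumptions.
ext_if  = "em0"              # assumed external interface
int_if  = "em1"              # assumed internal interface
int_net = "192.168.1.0/24"   # assumed LAN behind $int_if
out_ad  = "203.0.113.10"     # ipaddress1: what clients think they talk to
res_ad  = "198.51.100.20"    # ipaddress2: where the traffic should really go

set skip on lo

# 1. Redirect. An rdr rule only matches packets ENTERING the named
#    interface, so this rewrites connections coming from LAN hosts.
#    Packets generated on the firewall itself (the 127.0.0.1 variants in
#    the question) never enter $int_if and are not touched by this rule.
rdr on $int_if inet proto tcp from $int_net to $out_ad -> $res_ad

# 2. Source NAT on the way out, so that $res_ad answers to this box and
#    the reply can be un-translated. This is the step that costs you the
#    client's original source address at the final destination.
nat on $ext_if inet from $int_net to $res_ad -> ($ext_if)

# 3. Filter. With this syntax translation happens before filtering, so the
#    pass rules must allow the TRANSLATED destination ($res_ad), not $out_ad.
#    "log" on block makes every dropped packet visible on pflog0.
block log all
pass in  on $int_if inet proto tcp from $int_net to $res_ad keep state
pass out on $ext_if inet proto tcp from ($ext_if) to $res_ad keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -s nat and pfctl -s state then show the loaded translation rules and the live translated sessions, and tcpdump -n -e -ttt -i pflog0 shows what the block rule is dropping. Note that OpenBSD 4.7 and later replaced the separate nat/rdr rules with nat-to and rdr-to options on match and pass rules, so on a current OpenBSD the rules above need to be rewritten per that release's pf.conf(5); FreeBSD's pf still accepts this form.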