On Wed, Sep 24, 2014 at 01:35:53PM +0000, Nagle, Edwin (James) wrote:
> Hi all,
> 
> I'm trying to accomplish something that I think should be pretty simple, but 
> cannot figure out how to do...  Here is my scenario:
> 
> I am building a remote access server which will accept ssh connections on 
> three private IP addresses in the same subnet.  The users coming in will need 
> to have their IP sourced from the same IP as they arrived on because current 
> infrastructure is in place to firewall and segment those connections to 
> prevent unauthorized access to assets.  Incoming access will be controlled by 
> radius based on IP address.  Outbound traffic will be controlled via an 
> external firewall based on IP address (thus the need to lock users to the IP 
> address they arrive on).
> 
> The server has four interfaces configured, the physical interface (bce0) and 
> three virtual (tap0, tap1, tap2).
> 
> I have rebuilt my kernel to allow NAT in PF as well as multiple routing 
> tables.  I found a good article which describes source based routing with 
> multiple routing tables but I think my problem stems from having all the IP 
> addresses on the same network subnet.  I have successfully been able to have 
> the outbound NAT to a single IP but I'm still unclear on how PF works so I'm 
> basically mucking around trying to find something that works (please forgive 
> my ignorance):
> 
> My current pf.conf:
> 
> nat on ! tap0 from any to any port ssh -> 10.1.9.59
> nat on ! tap1 from any to any port ssh -> 10.1.9.60
> nat on ! tap2 from any to any port ssh -> 10.1.9.61
> 
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I 
> arrived on.  I need to basically match the incoming IP and nat outbound TCP 
> 22 traffic across the same IP.
> 
> Anyone have any ideas or suggestions as to how to accomplish this?

Check out the Routing section in pf.conf and give 'route-to' a try; an
example for outgoing traffic could be:

        pass out log quick on $ext_if route-to tap0 from (tap0:network) to any port ssh


-- 
Oliver PETER       oli...@gfuzz.de       0x456D688F

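Added illustration (not code from either message in the thread): a small Python model of pf's rule-evaluation order, replaying the three "nat on ! tapN" rules from the original post against constructed outbound SSH packets. It shows why everything leaving bce0 is translated to 10.1.9.59: nat rules are first-match, and "on ! tap0" matches every interface that is not tap0, including bce0, so the second and third rules are only consulted for packets leaving tap0 itself and 10.1.9.61 can never be selected. The model assumes the documented semantics (nat/rdr first-match, filter rules last-match unless "quick") and deliberately models only the interface spec, destination port and translation address; protocol, address families and interface groups are ignored. The contrasting filter ruleset and the packets are constructed for the example.

```python
"""Added example, not code from the thread: a model of pf's rule-evaluation
order used to analyse the posted 'nat on ! tapN' ruleset.

Assumptions: nat/rdr rules are first-match; filter rules are last-match unless
a matching rule carries 'quick' (both per pf.conf(5)).  Only the interface
spec, destination port and translation address are modelled."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is about to leave on
    dport: int   # destination port


@dataclass(frozen=True)
class NatRule:
    iface: str            # "bce0", or negated "!tap0" for pf's 'on ! tap0'
    dport: Optional[int]  # None means any port
    nat_to: str           # translation address after '->'


@dataclass(frozen=True)
class FilterRule:
    iface: str
    dport: Optional[int]
    action: str           # "pass" or "block"
    quick: bool = False


def iface_matches(spec: str, iface: str) -> bool:
    """'! tap0' matches every interface that is not tap0, bce0 included."""
    if spec.startswith("!"):
        return iface != spec[1:].strip()
    return iface == spec


def rule_matches(rule, pkt: Packet) -> bool:
    return iface_matches(rule.iface, pkt.iface) and (
        rule.dport is None or rule.dport == pkt.dport)


def nat_first_match(rules: List[NatRule], pkt: Packet) -> Optional[str]:
    """nat rules: the first matching rule decides; later rules are not consulted."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.nat_to
    return None


def filter_last_match(rules: List[FilterRule], pkt: Packet) -> Optional[str]:
    """filter rules: the last matching rule decides, unless a match says 'quick'."""
    decision = None
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def unreachable_nat_targets(rules: List[NatRule], ifaces: List[str],
                            dport: int) -> Set[str]:
    """Static check: translation addresses that no packet on any listed
    interface can ever be mapped to under first-match evaluation."""
    reachable = {nat_first_match(rules, Packet(i, dport)) for i in ifaces}
    return {r.nat_to for r in rules} - reachable


# The three rules exactly as posted, as data.
POSTED_NAT = [
    NatRule("!tap0", 22, "10.1.9.59"),
    NatRule("!tap1", 22, "10.1.9.60"),
    NatRule("!tap2", 22, "10.1.9.61"),
]
IFACES = ["bce0", "tap0", "tap1", "tap2"]  # interfaces named in the post

# Constructed filter ruleset to contrast last-match-with-quick against nat.
DEMO_FILTER = [
    FilterRule("bce0", None, "block"),
    FilterRule("bce0", 22, "pass", quick=True),
    FilterRule("bce0", 22, "block"),  # never decides: the quick rule above stops evaluation
]

if __name__ == "__main__":
    for iface in IFACES:
        print(f"ssh leaving {iface:5} -> {nat_first_match(POSTED_NAT, Packet(iface, 22))}")
    print("never selected:", unreachable_nat_targets(POSTED_NAT, IFACES, 22))
    print("filter decision for ssh on bce0:", filter_last_match(DEMO_FILTER, Packet("bce0", 22)))
```

Running it shows bce0, tap1 and tap2 all mapped to 10.1.9.59, tap0 mapped to 10.1.9.60 (the only interface on which rule one fails), and 10.1.9.61 unreachable on every interface, which is exactly the "everything translates to 10.1.9.59" symptom in the post. The unreachable_nat_targets check is the kind of sanity test worth running over any nat ruleset that relies on interface negation before loading it with pfctl.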