Question that has dogged me for a while.
Karl Denninger
karl at denninger.net
Thu May 4 19:17:55 UTC 2017
On 5/4/2017 13:47, Rodney W. Grimes wrote:
>> On 5/4/2017 12:12, Rodney W. Grimes wrote:
>>>> Consider the following network configuration.
>>>>
>>>>
>>>> Internet ------- Gateway/Firewall ---------- Inside network (including a
>>>> web host)
>>>> 70.16.10.1/28 192.168.0.0/24
>>>>
>>>> The address of the outside is FICTIONAL, by the way.
>>>>
>>>> For policy reasons I do NOT want the gateway machine to actually have
>>>> the host on it. There may be a number of things running on there but
>>>> for the instant moment let's assume a standard pedestrian web host on
>>>> port 80.
>>>>
>>>> I have DNS pointing at "webhost.domain" @ 70.16.10.1.
>>>>
>>>> I have NAT on the gateway (NAT internal to the kernel), and a "hole
>>>> punch" in there with redirect_port tcp 192.168.1.1:80 70.16.10.1:80 as
>>>> pat of the nat configuration statement.
>>>>
>>>> This works fine for anyone on the outside. HOWEVER, anyone on the
>>>> INTERNAL network cannot see the host.
>>>>
>>>> My NAT configuration looks like this:
>>>>
>>>> #
>>>> # Now divert all inbound packets that should go through NAT. Since this
>>>> is NAT
>>>> # it can only match a packet that previously was NATted on the way out.
>>>> #
>>>> ${fwcmd} add 6000 nat 100 ip4 from any to me recv ${oif}
>>>> #
>>>> # Check stateful rules; we want to go there directly if there is a match
>>>> #
>>>> ${fwcmd} add 7000 check-state
>>>> #
>>>> # Now pick up all *outbound* packets that originated from an inside address
>>>> # and put them through NAT. We then have
>>>> # a packet with a local source address and we can allow it to be sent.
>>>> # Therefore, if the packet is outbound let it pass and be done with it.
>>>> #
>>>> ${fwcmd} add 8000 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif}
>>>>>> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to ${oip}
>>>> ${fwcmd} add 8009 deny log ip4 from 192.168.0.0/16 to any xmit
>>>> ${oif}
>>>> ${fwcmd} add 8010 pass ip4 from ${onet} to any xmit ${oif}
>>>>
>>>> Without the ">>" line I get nothing; the packets get to the gateway and
>>>> disappear.
>>>>
>>>> With the ">>" line I DO get the packets re-emitted on the internal
>>>> interface HOWEVER there is no translation to the internal interface IP
>>>> on the gateway box. So what I see on the internal box is this:
>>>>
>>>> 11:19:16.369634 IP 192.168.10.40.60924 > 192.168.10.100.11443: Flags
>>>> [S], seq 292171178, win 8192, options [mss 1460,nop,wscale
>>>> 8,nop,nop,sackOK], length 0
>>>> 11:19:16.369662 IP 192.168.10.100.11443 > 192.168.10.40.60924: Flags
>>>> [S.], seq 3088872007, ack 292171179, win 65535, options [mss
>>>> 1460,nop,wscale 6,sackOK,eol], length 0
>>>>
>>>> Which won't work because the internal box got and sent this:
>>> What is the NAT command running at instance 100?
>>> Does it have an -alias_address of inside IP of router?
>>> Are you tryint to use the same Nat instance to do both
>>> the global internet acess translation and this special
>>> inside loop back translation? If so that usually can
>>> not be made to work.
>> Aha. That's probably the problem -- I need a second instance.
>>
>> Here's the entire salient section:
>>
>>
>> # Set up the NAT configuration; there are multiple entries that have to
>> be here
>> # because we redirect a bunch of ports around so we can see things from the
>> # outside -- specifically, webcams and the HomeDaemon server.
>> #
>> ${fwcmd} nat 100 config ip ${oip} log same_ports reset
>> redirect_port tcp.... (whole bunch of stuff)
>>
>> #
>> # Stop spoofing
>> #
>> ${fwcmd} add 2010 deny log all from ${inet} to any not ipsec in
>> via ${oif}
>> ${fwcmd} add 2020 deny log all from ${onet} to any in via ${iif}
>> if [ -n "$inet6" ]; then
>> ${fwcmd} add 2040 deny all from ${inet6} to any in via
>> ${oif6}
>> if [ -n "$onet6" ]; then
>> ${fwcmd} add 2050 deny log all from ${onet6} to
>> any in \
>> via ${iif6}
>> fi
>> fi
>>
>> ${fwcmd} add 3000 deny log all from ${onet} to any recv ${iif}
>>
>> #
>> # This table is a list of denied addresses that tried to attack us. Updated
>> # by sshguard. Anything coming inbound from the outside is blocked. We
>> also
>> # block anything on the "screw you" lists (two)
>> #
>> ${fwcmd} add 4000 deny log all from table\(22\) to any recv ${oif}
>> ${fwcmd} add 4010 deny all from any to ${foscam}
>> ${fwcmd} add 4020 deny log all from ${china} to any via ${oif}
>> #
>> # Anything related to RFC1918 or the Manning range that comes in on
>> # the external interface (shouldn't happen) gets tossed immediately, EXCEPT
>> # for RFC1918 stuff coming in via IPSEC. That we must pass or our IPSEC
>> # gateway will not work.
>> #
>> ${fwcmd} add 5000 deny log all from ${rfc1918} to any not ipsec
>> recv ${oif}
>> ${fwcmd} add 5010 deny log all from ${manning} to any recv ${oif}
>>
>> #
>> # Now divert all inbound packets that should go through NAT. Since this
>> is NAT
>> # it can only match a packet that previously was NATted on the way out.
>> #
>> ${fwcmd} add 6000 nat 100 ip4 from any to me recv ${oif}
>> #
>> # Check stateful rules; we want to go there directly if there is a match
>> #
>> ${fwcmd} add 7000 check-state
>> #
>> # Now pick up all *outbound* packets that originated from an inside address
>> # (including IPSEC tunneled stuff) and put them through NAT. We $then have
>> # a packet with a local source address and we can allow it to be sent.
>> # Therefore, if the packet is outbound let it pass and be done with it.
>> #
>> ${fwcmd} add 8000 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif}
>> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to ${oip}
>> ${fwcmd} add 8009 deny log ip4 from 192.168.0.0/16 to any xmit
>> ${oif}
>> ${fwcmd} add 8010 pass ip4 from ${onet} to any xmit ${oif}
>>
>> From the above I assume I need to direct 8001 through a nat 200, and
>> define that as "twist anything that comes through there to be aliased
>> from the INTERNAL IP address", yes?
>>
>> So I changed the above to be this:
>>
>> ${fwcmd} add 8000 nat 200 ip4 from 192.168.0.0/16 to ${oip}
>> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif}
>>
>> So the first one would catch any inside packet that was headed to the
>> outside IP before the other gets ahold of it.
> What is your net.inet.ip.fw.one_pass set to?
0. (This config on the host IS working generally for NAT)
>
> Are we getting counts on rule 8000 from a ipfw -a list 8000?
Yes.
>> And added:
>>
>> ipfw nat 200 config ip ${iip} same_ports reset
>>
>> Up above for the second NAT channel; "iip" is the gateway's internal IP
>> address.
> Yep yep, that looks good.
>
>> But that winds up doing nothing; I get no packets back out on the inside
>> interface at all (just as if the "200" nat stuff was not there at all)
> Lets see if there are packets matching the rule, and if so maybe add log to the rule,
> and add a log rule after it to catch what the packets may look like after that nat.
> You may also be falling on down and denying the packet it some future rule, like
> a keep state rule????
Don't think so. There's a rule right under it that should pass it (and
thus terminate.)
> It is almost impossible to remotly debug this type of stuff without a
> complete and full picture of all elements involved.
> As a minimum:
> ifconfig -a
> ipfw -a list
> sysctl net.inet.ip.fw.one_pass
> sysctl net.inet.ip.forwarding
>
> I know this can be made to work, I think even dd-wrt has it right....
> And here is a good jumping off point from a very quick google:
> http://www.nycnetworkers.com/real-world/nat-reflectionnat-loopbacknat-hairpinning/
root at IPGw:/usr/local/etc # ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether b8:27:eb:4e:88:64
inet 192.168.10.200 netmask 0xffffff00 broadcast 192.168.10.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
ether 00:50:b6:5d:1d:9f
inet 70.169.168.7 netmask 0xffffff80 broadcast 70.169.168.127
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ue0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether b8:27:eb:4e:88:64
inet 192.168.4.200 netmask 0xffffff00 broadcast 192.168.4.255
groups: vlan
vlan: 3 vlanpcp: 0 parent interface: ue0
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root at IPGw:/usr/local/etc # ipfw -a list
00100 14 1042 allow ip from any to any via lo0
00200 0 0 deny log ip from any to 127.0.0.0/8
00300 0 0 deny log ip from 127.0.0.0/8 to any
00400 0 0 deny log ip from any to ::1
00500 0 0 deny log ip from ::1 to any
02000 0 0 allow ip from 192.168.100.1 to any in via ue1
02010 0 0 deny log ip from 192.168.0.0/16 to any not ipsec in
via ue1
02020 0 0 deny log ip from 70.169.168.0/25 to any in via ue0
03000 0 0 deny log ip from 70.169.168.0/25 to any recv ue0
04000 0 0 deny log ip from table(22) to any recv ue1
04010 0 0 deny ip from any to
114.215.179.104,122.226.84.253,122.248.234.207,167.206.87.147,168.1.83.89,175.41.238.100,176.58.116.160,202.96.134.133,203.143.89.106,220.181.111.147,23.234.53.61,23.234.53.67,46.137.188.54,50.19.254.134,50.7.114.59,50.7.124.48,50.7.176.18,50.7.235.90,50.7.44.82,61.188.37.216,68.192.249.119,74.125.31.99
04020 0 0 deny log ip from
218.90.0.0/16,218.91.0.0/16,218.92.0.0/16,218.93.0.0/16,218.94.0.0/16 to
any via ue1
05000 0 0 deny log ip from
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any not ipsec recv ue1
05010 0 0 deny log ip from
0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any
recv ue1
06000 8726 10333291 nat 100 ip4 from any to me recv ue1
07000 0 0 check-state :default
08000 21 1064 nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7
08001 4834 264258 nat 100 ip4 from 192.168.0.0/16 to any xmit ue1
08009 0 0 deny log ip4 from 192.168.0.0/16 to any xmit ue1
08010 4836 264410 allow ip4 from 70.169.168.0/25 to any xmit ue1
08011 0 0 allow log ip from 192.168.10.200 to 192.168.0.0/16
dst-port 2552
08020 5374 306553 allow ip from 192.168.0.0/16 to any recv ue0
08030 2 104 allow ip from 192.168.4.0/25 to any recv ue0.3
08500 0 0 deny log ip from 192.168.0.0/16 to any xmit ue1
09000 17823 20712366 allow ip from any to 192.168.0.0/16
22000 0 0 allow tcp from any to any established
22700 0 0 allow tcp from any to me dst-port 2200 setup
22710 0 0 allow tcp from any to me dst-port 22 setup
22800 0 0 allow icmp from any to me
23100 0 0 allow udp from any to me dst-port 33434-34000
23110 0 0 allow udp from any 33434-34000 to me
23410 0 0 allow udp from any to me dst-port 53
23420 0 0 allow udp from me 53 to any
23430 4 545 allow udp from any 53 to me
23500 0 0 allow tcp from any to 192.168.1.214 dst-port 8080 setup
23510 0 0 allow tcp from any to 192.168.4.210 dst-port 443 setup
23520 0 0 allow tcp from any to 192.168.4.211 dst-port 443 setup
23530 0 0 allow tcp from any to 192.168.4.211 dst-port 554 setup
24430 0 0 allow udp from any 123 to me dst-port 123
24500 0 0 allow udp from any to me dst-port 500
24510 0 0 allow udp from me 500 to any
24520 0 0 allow udp from any to me dst-port 4500
24530 0 0 allow udp from me 4500 to any
24600 46 2760 deny tcp from 192.168.4.211 to any dst-port 80 setup
29999 5 272 deny log ip from any to any
65535 2603 379766 deny ip from any to any
onepass is 0, forwarding is 1 of course.
root at IPGw:/usr/local/etc # sysctl -a|grep forwarding
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 0
root at IPGw:/usr/local/etc # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 0
If it matters this is running on -HEAD (it's running on a PI3, so -HEAD
is a mandate at this point.) The 0.3 interface is a VLAN for things
that I have DMZd off so they can't play "send back data to poppa and
scan the LAN" games (think consumer appliances.)
Line 8000 does have packets that match. There IS a "check-state" right
above it, but that shouldn't kill the output side -- and I moved it to
10000 (below the pass lines) without effect, just in case it was. NAT
is working perfectly well for someone on the internal network but
connecting to something outside on the Internet and the "hole punches"
for a connection outside to the interior host work as well. Note that
the line 8011, which SHOULD trap a "telnet 70.169.168.7 2552" from the
inside network (and which DOES generate the packet counts on line 8000)
does NOT register counts nor log anything, so whatever is nailing it
it's happening before it gets there -- which is why I'm confused here.
--
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2993 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20170504/c1378137/attachment.bin>
More information about the freebsd-ipfw
mailing list