natd port forward times out, tcpdump yields nothing
Henri Hennebert
hlh at restart.be
Tue Mar 25 08:23:22 PDT 2008
Kage wrote:
> I changed my rules, and it's still not working:
>
> $IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0
> $IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0
>
> It's still timing connections out.
Does the server hosting natd is the default route for 72.20.28.202 ?
Henri
>
> On Mon, Mar 24, 2008 at 4:24 PM, Henri Hennebert <hlh at restart.be> wrote:
>> Kage wrote:
>> > Still not working, but I DO have natd aliasing properly. Here's my
>> > natd output (remember which IP is mine, the IRC jail, and the example
>> > round-robin IP):
>> >
>> > [root at nub /etc]# natd -f /etc/natd.conf
>> > In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
>> > [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
>> > In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
>> > [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
>> > In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
>> > [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
>> >
>> > 72...23 (me) is hitting the natd on the jail IP (207...45), which is
>> > getting correctly aliased to 72...202 (example round-robin IP). So it
>> > appears the natd is working properly.
>>
>> In the client -> server direction only for now -- see bellow.
>>
>>
>>
>> > Here's my natd configuration as
>> > it exists now:
>> >
>> > # Nub.Core NATd
>> > verbose
>> > alias_address 207.210.114.45
>> > log
>> > log_denied
>> > log_ipfw_denied
>> > pid_file /var/run/natd.pid
>> >
>> > ### IRC Redirect Ports
>> > # 6667
>> > redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667
>> >
>> > And for more record, here's my ipfw.rules file up until the divert:
>> >
>> > [root at nub /etc]# cat ipfw.rules
>> > IPF="ipfw -q add"
>> > ipfw -f -q flush
>> >
>> > #loopback
>> > $IPF 10 allow all from any to any via lo0
>> > $IPF 20 deny all from any to 127.0.0.0/8
>> > $IPF 30 deny all from 127.0.0.0/8 to any
>> > $IPF 40 deny tcp from any to any frag
>> >
>> > # statefull
>> > $IPF 50 check-state
>> > $IPF 60 allow tcp from any to any established
>> > $IPF 70 allow all from any to any out keep-state
>> > $IPF 54999 allow icmp from any to any
>> >
>> > [snip -- Some allowed ports (port 80, 443, etc.), and some denied IPs]
>> >
>> > # IRC (natd divert for IRC port-forwarding
>> > $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 6667 via rl0
>> ^^^^
>> The destination port must not be given (ie any destination port
>> corresponding to any source port greater than 1023 for the request) - in
>> this test the source port is 2897, in the next one it may be anything >
>> 1023. Moreover `any' in place of 207.210.114.45 would be nice to allow
>> others to chat. So the rule should be:
>>
>> $IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0
>>
>> Henri
>>
>>
>>
>> > $IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0
>> >
>> > Any attempt to connect to the IRC jail IP thus far, though, still
>> > fails with a "connection timed out."
>> >
>> > Thanks for your help thus far. Any additional ideas?
>> >
>> > On Mon, Mar 24, 2008 at 6:10 AM, Henri Hennebert <hlh at restart.be> wrote:
>> >> Kage wrote:
>> >> > Well, no, see it's hitting natd just fine as shown by my natd verbose
>> >> > logs, if you're assuming ipfw is blocking me from reaching natd. Are
>> >> > you talking about adding a firewall rule for each of my round-robin
>> >> > addresses, too?
>> >>
>> >> Yes
>> >>
>> >>
>> >> > How would that do any good?
>> >>
>> >> All response paquet to a paquet diverted to natd must also be diverted
>> >> to natd to be reverse translated. eg:
>> >>
>> >> incoming request from client (c) to server (s) redirected to server (S)
>> >>
>> >> c.c.c.c -> s.s.s.s nated as c.c.c.c -> S.S.S.S
>> >>
>> >> must have response paquetd reverse translated:
>> >>
>> >> S.S.S.S -> c.c.c.c nated as s.s.s.s -> c.c.c.c
>> >>
>> >> to be a valid response to client (c).
>> >>
>> >>
>> >>
>> >> >
>> >> > On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert <hlh at restart.be> wrote:
>> >> >> Kage wrote:
>> >> >> > Hey guys,
>> >> >> >
>> >> >> > This is a fun one that's stumped people in Freenode ##freebsd.
>> >> >> > Basically, I have this layout:
>> >> >> >
>> >> >> > irc.domain.com -> DNS A -> IRC Jail
>> >> >> >
>> >> >> > When someone connects to irc.domain.com on IRC ports (6667, 8067,
>> >> >> > etc.), it round-robins them using natd, otherwise it sends all other
>> >> >> > port requests to the IRC jail as per normal (such as port 80, which is
>> >> >> > my primary concern). As for having it setup to have ipfw divert to
>> >> >> > natd, that's done and works, as shown by natd verbose mode:
>> >> >> >
>> >> >> > In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
>> >> >> > [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
>> >> >> >
>> >> >> > (For reference)
>> >> >> > 207.210.114.45 = jail IP
>> >> >> > 72.20.28.202 = example target IP in the round-robin
>> >> >> > 72.65.73.23 = my IP
>> >> >> >
>> >> >> > Right now, my ipfw.rules file is as follows:
>> >> >> >
>> >> >> > [root at nub /etc]# cat ipfw.rules
>> >> >> > IPF="ipfw -q add"
>> >> >> > ipfw -f -q flush
>> >> >> >
>> >> >> > #loopbackpg_dumpall >all.dmp
>> >> >> > $IPF 10 allow all from any to any via lo0
>> >> >> > $IPF 20 deny all from any to 127.0.0.0/8
>> >> >> > $IPF 30 deny all from 127.0.0.0/8 to any
>> >> >> > $IPF 40 deny tcp from any to any frag
>> >> >> >
>> >> >> > # statefull
>> >> >> > $IPF 50 check-state
>> >> >> > $IPF 60 allow tcp from any to any established
>> >> >> > $IPF 70 allow all from any to any out keep-state
>> >> >> > $IPF 54999 allow icmp from any to any
>> >> >> >
>> >> >> > # Include the deny file
>> >> >> > . /etc/ipfw.deny
>> >> >> >
>> >> >> > [snip -- some allowed ports]
>> >> >> > # IRC (natd divert for IRC port-forwarding
>> >> >> > $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
>> >> >> > $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
>> >> >> > $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
>> >> >> > $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
>> >> >> > $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0
>> >> >>
>> >> >>
>> >> >> You must also divert the response trafic AFAIK eg:
>> >> >>
>> >> >> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0
>> >> >>
>> >> >>
>> >> >>
>> >> >> > # keep these two IRC ports normally open for BNC
>> >> >> > $IPF 50270 allow all from any to any 31337 in
>> >> >> > $IPF 50380 allow all from any to any 31337 out
>> >> >> > [snip -- more allowed ports]
>> >> >> > # deny and log everything
>> >> >> > $IPF 55000 deny log all from any to any
>> >> >> >
>> >> >> > -----
>> >> >> >
>> >> >> > Here's a dump of ipfw show, with some stuff cut out for space purposes
>> >> >> > (they're just denied DDoS IPs)
>> >> >> >
>> >> >> > [root at nub /etc]# ipfw show
>> >> >> > 00010 61124 16056802 allow ip from any to any via lo0
>> >> >> > 00020 0 0 deny ip from any to 127.0.0.0/8
>> >> >> > 00030 0 0 deny ip from 127.0.0.0/8 to any
>> >> >> > 00040 0 0 deny tcp from any to any frag
>> >> >> > 00050 0 0 check-state
>> >> >> > 00060 670616 455926379 allow tcp from any to any established
>> >> >> > 00070 16213 14071853 allow ip from any to any out keep-state
>> >> >> > [snip]
>> >> >> > 50220 468 22464 divert 8668 ip from any to 207.210.114.45
>> >> >> > dst-port 6667 via rl0
>> >> >> > 50230 0 0 divert 8668 ip from any to 207.210.114.45
>> >> >> > dst-port 8067 via rl0
>> >> >> > 50240 0 0 divert 8668 ip from any to 207.210.114.45
>> >> >> > dst-port 8068 via rl0
>> >> >> > 50250 0 0 divert 8668 ip from any to 207.210.114.45
>> >> >> > dst-port 6697 via rl0
>> >> >> > 50260 0 0 divert 8668 ip from any to 207.210.114.45
>> >> >> > dst-port 7000 via rl0
>> >> >> > 50270 1 60 allow ip from any to any dst-port 31337 in
>> >> >> > 54999 66 3991 allow icmp from any to any
>> >> >> > 55000 4364 343609 deny log logamount 100 ip from any to any
>> >> >> > 65535 29 4176 allow ip from any to any
>> >> >> >
>> >> >> > My natd.conf is as follows:
>> >> >> >
>> >> >> > [root at nub /etc]# cat natd.conf
>> >> >> > # Nub.Core NATd
>> >> >> > verbose
>> >> >> > alias_address 207.210.114.45
>> >> >> > log
>> >> >> > log_denied
>> >> >> > log_ipfw_denied
>> >> >> > pid_file /var/run/natd.pid
>> >> >> >
>> >> >> >
>> >> >> > ### IRC Redirect Ports
>> >> >> > # 6667
>> >> >>
>> >> >>
>> >> >> If I understand man natd
>> >> >>
>> >> >>
>> >> >>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
>> >> >> ^^^^^^^^^^^^^
>> >> >> Trafic is comming from 72.65.73.23 - so the rule don't apply
>> >> >>
>> >> >>
>> >> >>> [root at nub /etc]#
>> >> >> >
>> >> >> > And, as stated above, I am showing connection diverts to natd. When I
>> >> >> > run the following three tcpdumps:
>> >> >> >
>> >> >> > tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and
>> >> >> > dst host 207.210.114.45 and dst port 6667
>> >> >> > tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and
>> >> >> > dst host 207.210.114.45 and dst port 6667
>> >> >> > tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45
>> >> >> > and dst host 72.20.28.202 and src port 6667
>> >> >> >
>> >> >> > Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:
>> >> >> >
>> >> >> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap
>> >> >> > -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap
>> >> >> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap
>> >> >> >
>> >> >> > So, can anyone diagnose and fix this? Thanks.
>> >> >> >
>> >> >> > (P.S.: I'm aware of the DNS methods of doing round-robin, but please
>> >> >> > keep that from this discussion. I need to port-forward round-robin,
>> >> >> > not whole DNS)
>> >> >> >
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> freebsd-net at freebsd.org mailing list
>> >> >> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> >> >> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>> >> >>
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>
>
>
More information about the freebsd-net
mailing list