NAT Loopback
Cédric Jonas
cedric at virtual-globe.net
Wed Nov 3 14:39:52 PST 2004
Hello Cédric Jonas,
On Tuesday 2 November 2004 at 14:53:16, you wrote:
Cédric Jonas> Hi freebsd-pf,
Cédric Jonas>
Cédric Jonas> For 5 days I have been trying to install PF on my server, to replace my
Cédric Jonas> old hardware router... Until now everything was ok, better than the old
Cédric Jonas> router - BUT, what I miss is the NAT Loopback functionality (so that IP
Cédric Jonas> packets which come from the LAN and are destined to my WAN IP actually
Cédric Jonas> leave the WAN interface and come back through the WAN interface => the
Cédric Jonas> packet is subjected to the filter rulesets for incoming packets on my WAN
Cédric Jonas> interface = NAT Loopback).
Cédric Jonas>
Cédric Jonas> I found this in the OpenBSD PF FAQ:
Cédric Jonas>
Cédric Jonas> http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I am
Cédric Jonas> looking for, because the packets don't leave and re-enter the WAN
Cédric Jonas> interface.
Cédric Jonas>
Cédric Jonas> So I tried the following: I blocked incoming Telnet connections on my WAN
Cédric Jonas> interface, and started a telnet to my WAN IP from a host on my LAN;
Cédric Jonas> telnet was successful... so that isn't what I want.
Cédric Jonas>
Cédric Jonas> After a tcpdump on my 2 WAN and LAN interfaces (fxp0 and tun0 on the
Cédric Jonas> FreeBSD router), I noted that the server already accepts the telnet
Cédric Jonas> connection at fxp0, so I can see an incoming packet to my WAN IP, but
Cédric Jonas> nothing more, because it's already accepted here. Why? After some
Cédric Jonas> research, I found out that the TCP/IP stack on the router compares the
Cédric Jonas> destination address with its own interfaces and aliases - if one
Cédric Jonas> matches, it accepts the connection.
Cédric Jonas>
Cédric Jonas> Next test: with the same ruleset, I started a telnet to my WAN IP from
Cédric Jonas> the router; here the connection was blocked, and thanks to tcpdump I
Cédric Jonas> see that the IP packet leaves tun0, comes back - and was successfully
Cédric Jonas> blocked (the packet had the WAN IP as source AND destination address).
Cédric Jonas>
Cédric Jonas> So, in conclusion, I tried a nat rule on fxp0, the LAN interface:
Cédric Jonas>
Cédric Jonas> nat on fxp0 inet from fxp0:network to (tun0) -> (tun0)
Cédric Jonas>
Cédric Jonas> so that incoming connections on this interface, out of the LAN, get the
Cédric Jonas> WAN IP as source address... but one more time, telnet from the LAN was
Cédric Jonas> successful, the packet doesn't leave tun0, and was already accepted on
Cédric Jonas> fxp0.
Cédric Jonas>
Cédric Jonas> I don't know if it's really possible to realize NAT Loopback with PF;
Cédric Jonas> if yes, do you have experience with it? Or is it possible to oblige
Cédric Jonas> FreeBSD/PF to only accept connections with the same destination address
Cédric Jonas> as the IP address of the interface where the packet comes in (so that a
Cédric Jonas> comparison with every interface IP does not take place)?
Cédric Jonas>
Cédric Jonas> In summary, that's what I want:
Cédric Jonas>
Cédric Jonas> 000509 rule 2/0(match): pass out on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535 <mss 1452,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 13450428 0>
Cédric Jonas> 000249 rule 0/0(match): block in on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535 <mss 1452,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 13450428 0>
Cédric Jonas>
Cédric Jonas> That's from a tcpdump after a telnet connection to my WAN IP from the
Cédric Jonas> router... but in case of a telnet from a LAN host to the WAN IP, the
Cédric Jonas> only thing I was able to log was:
Cédric Jonas>
Cédric Jonas> 555257 rule 5/0(match): pass in on fxp0: IP 192.168.0.99.1547 > 83.134.149.196.23: S 377131760:377131760(0) win 16384 <mss 1460,nop,nop,sackOK>
Cédric Jonas>
Cédric Jonas> ... and the connection was accepted here - I wish to have the same
Cédric Jonas> "effect" here as above... a NAT Loopback.
Cédric Jonas>
Cédric Jonas> I hope that someone will be able to help me here (and that I described
Cédric Jonas> it understandably), it's my last possibility I think.
Cédric Jonas>
Cédric Jonas> Sorry for my bad English, but I do what I can ;-)
The solution is:
pass in on $internal_if route-to ($external_if $external_ip) \
from any to $external_ip keep state
Thx to Max Laier for the excellent help ;)
--
Best regards,
Cédric Jonas   E-mail: cedric at virtual-globe.net
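The route-to rule above only makes sense in the context of the rest of the ruleset, so here is the author's rule placed in a minimal FreeBSD pf.conf of the 2004 vintage (nat/rdr syntax, last matching rule wins). This is an added illustration written for this page, not the author's or the FreeBSD project's configuration. The interface names and the WAN address 83.134.149.196 are the ones from the thread; the LAN prefix 192.168.0.0/24 is assumed from the 192.168.0.99 host, and the outbound nat rule is the usual one assumed to already be in place.

```pf
# Added example, not from the original post. Interface names and WAN
# address come from the thread; the LAN prefix is assumed (/24).
external_if  = "tun0"
internal_if  = "fxp0"
external_ip  = "83.134.149.196"      # WAN address from the thread
internal_net = "192.168.0.0/24"      # assumed LAN prefix

# Standard outbound NAT for the LAN (assumed to be part of the existing
# setup). A packet forced out by route-to is filtered and translated on
# $external_if like any other outbound packet, so this is what gives
# the LAN host the WAN IP as source address on its way out.
nat on $external_if from $internal_net to any -> ($external_if)

# Default deny, logged to pflog0.
block log all

# WAN-side policy the author wants loopback traffic to be subject to:
# no Telnet to the WAN address from the outside.
block in log on $external_if proto tcp from any to $external_ip port 23

# Router and LAN may talk to the outside world.
pass out on $external_if keep state

# Ordinary LAN traffic. This MUST come before the route-to rule: without
# "quick", the last matching rule wins, and a general "pass in" placed
# after the loopback rule would silently override route-to.
pass in on $internal_if from $internal_net to any keep state

# NAT loopback (the author's solution): LAN packets addressed to the WAN
# IP are handed to $external_if instead of being accepted locally, so
# they leave and re-enter through the WAN rules above.
pass in on $internal_if route-to ($external_if $external_ip) \
    from any to $external_ip keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -n -e -ttt -i pflog0` from a LAN host's telnet attempt: with the rule in place the logged lines should look like the "block in on tun0" entries the author captured for the router-originated test, rather than the lone "pass in on fxp0" entry. One caveat, stated as an assumption about route-to semantics rather than something the thread confirms: tun0 is a point-to-point link, so the address in the parentheses is simply the interface's own address; on an Ethernet WAN interface the next hop named there would normally be the upstream gateway, so check pf.conf(5) for your release before copying the rule.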