IPFILTER/NAT problem
J. Seth Henry
jshamlet at comcast.net
Fri Jan 30 11:48:55 PST 2004
Guys/gals,
I've got a curious networking problem with ipfilter/ipnat (or possibly ssh).
The firewall where I work allows only 4 ports to go through unmolested (i.e.,
no proxy servers/authentication). These are 21 (FTP), 22 (SSH), 23 (TELNET),
and 110 (POP3). I have three hosts at the house I would like to be able to
ssh into, and window X apps back. So, I thought I would use each of these
ports to point to a host on the lan at home, plus FTP access to the file
server host.
The local network is very simple. I have a FreeBSD router sitting between the
CM and the local LAN. The two other hosts are connected to the router via
switched ethernet - and all have LAN addresses in the 192.168.1.x range.
So, I allow these four ports to pass through my firewall, and use nat to
redirect, ala:
<ipf.rules>
# External Interface
block out on xl0 all
block in log on xl0 all
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep frags keep state
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on xl0 proto tcp from any to any port = 23 flags S keep frags keep state
pass in quick on xl0 proto tcp from any to any port = 110 flags S keep frags keep state
pass in quick on xl0 proto udp from any to any port = 68 keep state
pass out quick on xl0 proto tcp from any to any flags S keep frags keep state
pass out quick on xl0 proto udp from any to any keep state keep frags
pass out quick on xl0 proto icmp from any to any keep state
# Internal Interface
pass in quick on vr0 all
pass out quick on vr0 all
pass in quick on xl1 all
pass out quick on xl1 all
# Loopback Interface
pass in quick on lo0 all
pass out quick on lo0 all
I checked the firewall log, and used tcpdump to verify that these ports were
getting passed through. (well, they aren't being blocked at least)
And then redirect the ports to the appropriate hosts:
<ipnat.rules>
map xl0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.1 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> 192.168.1.1 port 22 tcp
# Interface name corrected: the rule as posted read "rdr x10 ..." (digit one,
# digit zero), which names no interface on this router, so it never matched.
rdr xl0 0.0.0.0/0 port 23 -> 192.168.1.249 port 23 tcp
map xl0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.254/24 -> 0/32
The router (which is also one of the hosts) is listening on port 110 at the
moment, but it will work on any of the ports. Port 22 will work to either of
the remote hosts. BUT if I try to run sshd on an _internal_ host on port
23, the connection doesn't go through. I know ssh is listening on the ports,
because I can use ssh <host> -p 23 from the router or other host and get a
login. I can also toggle the local IP addresses for port 22 and 23 in the
ipnat.rules file, and login on 22 to either host.
The router is a FreeBSD 4.8-REL system, and, although simply switching the IP
addresses allows login to either host, the other hosts are a FreeBSD 4.9-REL
file server, and a RedHat Linux 9 test box. Ipfilter is set to block all by
default, so only the four ports mentioned are allowed in. My work machine is
a Win2k box, and I'm using the F-secure client, version 5.2 build 33. (I've
also tried putty 0.53b.)
I have verified that the sshd daemons on all of the machines are responding on
both 22 and 23 by logging in from the other host (iow, I can ssh to
192.168.1.249 at port 23 by typing 'ssh hades -p 23' from one of the other
hosts, and it works).
The reason I suspect an ipnat problem is that I don't see any traffic on port
23 on the local interface. (iow, typing tcpdump -i xl1 | grep telnet produces
nothing)
I also don't see anything on the local network from any of the other hosts -
so it doesn't appear that the router is passing packets on port 23 to the
local interface. Programs on the remote network all report timeouts.
Did I miss something?
Thanks,
Seth Henry
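Added here as a checking example, not part of the original post or of ipfilter itself: a small Python lint that reads the two rule sets as posted (ipf.rules with the mail-wrapped lines rejoined, ipnat.rules verbatim) and cross-checks every rdr rule against the router's interface names and against the ports that ipf actually admits. The interface set is taken from the ipf.rules above; everything else is parsed from the posted text. ipnat compares the interface field as a plain string against the interface a packet arrived on, so a misspelt name loads without complaint and simply never matches, which is exactly the silent timeout the post describes.

```python
import re

# Interfaces the router in the post actually has: xl0 (external), vr0 and
# xl1 (internal), lo0 (loopback). Taken from the ipf.rules in the post.
KNOWN_IFACES = {"xl0", "xl1", "vr0", "lo0"}

# ipf.rules as posted, with the lines that wrapped in the mail rejoined.
IPF_RULES = """\
block out on xl0 all
block in log on xl0 all
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep frags keep state
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
pass in quick on xl0 proto tcp from any to any port = 23 flags S keep frags keep state
pass in quick on xl0 proto tcp from any to any port = 110 flags S keep frags keep state
pass in quick on xl0 proto udp from any to any port = 68 keep state
pass out quick on xl0 proto tcp from any to any flags S keep frags keep state
pass out quick on xl0 proto udp from any to any keep state keep frags
pass out quick on xl0 proto icmp from any to any keep state
pass in quick on vr0 all
pass out quick on vr0 all
pass in quick on xl1 all
pass out quick on xl1 all
pass in quick on lo0 all
pass out quick on lo0 all
"""

# ipnat.rules exactly as posted, including the "x10" on the port 23 rule.
IPNAT_RULES = """\
map xl0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.1 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> 192.168.1.1 port 22 tcp
rdr x10 0.0.0.0/0 port 23 -> 192.168.1.249 port 23 tcp
map xl0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.254/24 -> 0/32
"""

# "pass in ... on <iface> proto <proto> ... port = <n>"
PASS_IN_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(\S+)\b.*?\bproto\s+(\w+)\b.*?\bport\s*=\s*(\d+)")
# "rdr <iface> <src> port <n> -> <dst> port <m> <proto>"
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+\S+\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\w+)")


def pass_in_ports(ipf_text):
    """Return the set of (iface, proto, port) tuples that ipf lets in."""
    allowed = set()
    for line in ipf_text.splitlines():
        m = PASS_IN_RE.match(line.strip())
        if m:
            allowed.add((m.group(1), m.group(2), int(m.group(3))))
    return allowed


def rdr_rules(ipnat_text):
    """Return one dict per rdr rule; map rules are ignored."""
    rules = []
    for line in ipnat_text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append({"iface": m.group(1), "port": int(m.group(2)),
                          "dst": m.group(3), "dport": int(m.group(4)),
                          "proto": m.group(5)})
    return rules


def lint(ipf_text, ipnat_text, known_ifaces):
    """Cross-check ipnat rdr rules against the interfaces that exist and
    against the ports ipf actually admits. Returns a list of findings;
    an empty list means the two files agree with each other."""
    allowed = pass_in_ports(ipf_text)
    findings = []
    for r in rdr_rules(ipnat_text):
        if r["iface"] not in known_ifaces:
            findings.append(
                f"rdr for port {r['port']} names interface '{r['iface']}', "
                f"which is not one of {sorted(known_ifaces)}; the rule can "
                f"never match and clients will see a timeout")
        elif (r["iface"], r["proto"], r["port"]) not in allowed:
            findings.append(
                f"rdr for {r['proto']} port {r['port']} on {r['iface']} has "
                f"no matching 'pass in' rule in ipf.rules")
    return findings


if __name__ == "__main__":
    for finding in lint(IPF_RULES, IPNAT_RULES, KNOWN_IFACES):
        print("WARNING:", finding)
```

Run as-is it reports the one rdr whose interface is not on the router; with that rule's interface corrected to xl0 the two files agree and it reports nothing. The second check (an rdr with no matching pass in) is the other common way a redirect ends in a timeout rather than an error, since ipf drops the packet before ipnat's rewrite is ever visible on the inside interface.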