IPNAT / IPF / rdr issue

fbsd_user fbsd_user at a1poweruser.com
Sun Jun 26 03:03:52 GMT 2005


Do you have your mydomain.com in the /etc/hosts file on the gateway?
All your clients are on the LAN behind the gateway, correct?
Do you have a static IP from your ISP?
Are you using a dynamic DNS service?
Explain the cabling layout of your network.

-----Original Message-----
From: Andy Sutcliffe [mailto:andy.sutcliffe at gmail.com]
Sent: Saturday, June 25, 2005 10:36 PM
To: fbsd_user at a1poweruser.com
Cc: freebsd-questions at freebsd.org
Subject: Re: IPNAT / IPF / rdr issue


I tried that as well, but am still getting the same 'connection
refused' error from the web browser on the local client machine.

On 6/25/05, fbsd_user <fbsd_user at a1poweruser.com> wrote:
> You're using the public IP address of your gateway box from the
> private LAN.
> In this mode NAT, and thus your rdr rule, is never invoked. Your
> request never exits your private network. The gateway system knows
> itself by that public IP address.
> What you should be doing is using www.domainname.com, so the
> request has to go to your ISP's DNS server to get your public IP
> address; then it will enter on the external interface and be
> NATed/rdr'd to the correct location.
> There is nothing wrong with your ipfilter configuration, you're just
> using the wrong URL.
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Andy
> Sutcliffe
> Sent: Saturday, June 25, 2005 9:01 PM
> To: freebsd-questions at freebsd.org
> Subject: IPNAT / IPF / rdr issue
>
>
> I am having problems accessing internal resources (such as a web
> server) from other internal clients when going from internal
> client -> public address -> internal resource.  For example, when I
> attempt to reach 'mydomain.com' from client machine X, the connection
> is refused (I am, of course, able to reach the web server through the
> internal IP); however, I am able to access the web server via that URL
> from an external network.  I have 'mydomain.com' pointed towards the
> external IP of my gateway, which in turn relays it to the internal web
> server.  I have included the pertinent contents of /etc/ipnat.rules as
> well as my /etc/ipf.conf file.  I am at a loss at this point...can
> anyone point me in the right direction?
>
> Thanks in advance,
>   - andy ( andy dot sutcliffe at gmail dot com)
>
> Gateway:
>   OS:FreeBSD 5.4
>   Firewall: IPFilter
>   Port Forwarding: IPNAT
>   External eth: dc0
>   Internal eth: ed0 (10.0.0.0)
>
> Web Server
>   OS: FreeBSD 5.4
>   WWW: Apache 2.0
>
> Client Machine(s)
>   OS: Windows XP, FreeBSD, Linux
>
> I have the following in /etc/ipnat.rules:
>
> # innernet
> map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
> map dc0 10.0.0.0/16 -> 0.0.0.0/32
>
> # www
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80
>
> I have the following in /etc/ipf.conf:
> #################################################################
> # No restrictions on Inside LAN Interface for private network
> # Not needed unless you have LAN
> #################################################################
>
> pass out quick on ed0 all
> pass in quick on ed0 all
>
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network
> # or from this gateway server destine for the public Internet.
> #################################################################
>
> # Allow out access to my ISP's Domain name server.
> # xxx must be the IP address of your ISP's DNS.
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> pass out quick on dc0 proto tcp from any to 67.43.192.6 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 67.43.192.6 port = 53 keep state
> pass out quick on dc0 proto tcp from any to 137.118.1.33 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 137.118.1.33 port = 53 keep state
>
> # Allow out access to my ISP's DHCP server for cable or DSL networks.
> # This rule is not needed for 'user ppp' type connection to the
> # public Internet, so you can delete this whole group.
> # Use the following rule and check log for IP address.
> # Then put IP address in commented out rule & delete first rule
> pass out quick on dc0 proto udp from any to 67.43.192.6 port = 67 keep state
>
>
> # Allow out non-secure standard www function
> pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
> pass out quick on dc0 proto tcp from any to any port = 81 flags S keep state
>
> # Allow out secure www function https over TLS SSL
> pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
>
> # Allow out send & get email function
> pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
>
> # Allow out Time
> pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
>
> # Allow out nntp news
> pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
>
> # Allow out gateway & LAN users non-secure FTP (both passive & active modes)
> # This function uses the IPNAT built in FTP proxy function coded in
> # the nat rules file to make this single rule function correctly.
> # If you want to use the pkg_add command to install application packages
> # on your gateway system you need this rule.
> pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
>
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
>
> # Allow out non-secure Telnet
> pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
>
> # Allow out FBSD CVSUP function
> pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
>
> # Allow out ping to public Internet
> pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
>
> # Allow out whois for LAN PC to public Internet
> pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
>
> # Block and log only the first occurrence of everything
> # else that's trying to get out.
> # This rule enforces the block all by default logic.
> block out log first quick on dc0 all
>
> #################################################################
> # Interface facing Public Internet (Inbound Section)
> # Interrogate packets originating from the public Internet
> # destine for this gateway server or the private network.
> #################################################################
>
> # Block all inbound traffic from non-routable or reserved address spaces
> block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
> block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
> # block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
> block in quick on dc0 from 127.0.0.0/8 to any       #loopback
> block in quick on dc0 from 0.0.0.0/8 to any         #loopback
> block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
> block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
> block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
> block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast
>
> ##### Block a bunch of different nasty things. ############
> # That I do not want to see in the log
>
> # Block frags
> block in quick on dc0 all with frags
>
> # Block short tcp packets
> block in quick on dc0 proto tcp all with short
>
> # block source routed packets
> block in quick on dc0 all with opt lsrr
> block in quick on dc0 all with opt ssrr
>
> # Block nmap OS fingerprint attempts
> # Log first occurrence of these so I can get their IP address
> block in log first quick on dc0 proto tcp from any to any flags FUP
>
> # Block anything with special options
> block in quick on dc0 all with ipopts
>
> # Block public pings
> block in quick on dc0 proto icmp all icmp-type 8
>
> # Block ident
> block in quick on dc0 proto tcp from any to any port = 113
>
> # Block all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> block in log first quick on dc0 proto tcp/udp from any to any port = 137
> block in log first quick on dc0 proto tcp/udp from any to any port = 138
> block in log first quick on dc0 proto tcp/udp from any to any port = 139
> block in log first quick on dc0 proto tcp/udp from any to any port = 81
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type. Only necessary for
> # cable or DSL configurations. This rule is not needed for
> # 'user ppp' type connection to the public Internet.
> # This is the same IP address you captured and
> # used in the outbound section.
> pass in quick on dc0 proto udp from 67.43.192.6 to any port = 68 keep state
>
> # Allow in standard www function because I have apache server
> pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
> pass in quick on dc0 proto tcp from any to any port = 81 flags S keep state
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> # This function is using SSH (secure shell)
> pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
>
> # Allow in non-secure FTP access to file server (bombadil)
> # FTP runs over TCP; "ftp" is not a protocol name ipf accepts after "proto",
> # so these rules use "proto tcp" (the posted "proto ftp" would fail to parse).
> pass in quick on dc0 proto tcp from any to 10.0.0.2 port = 21 flags S keep state
> pass in quick on dc0 proto tcp from any to 10.0.0.2 port = 20 flags S keep state
> pass out quick on dc0 proto tcp from 10.0.0.2 to any port = 20 flags S keep state
>
> # Block and log only first occurrence of all remaining traffic
> # coming into the firewall. The logging of only the first
> # occurrence stops a "denial of service" attack targeted
> # at filling up your log file space.
> # This rule enforces the block all by default logic.
> block in log first quick on dc0 all
> ################### End of rules file #####################################
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
>
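The following script is an added example and is not part of the thread above. It shows the check a practitioner would run against the posted ipnat.rules, and the two "hairpin" rules IPFilter needs for the LAN-side case: a client on 10.0.0.0/16 that connects to the gateway's public address (whether typed directly or resolved from mydomain.com) delivers its SYN on ed0, not dc0, so an rdr bound to dc0 never sees it and the connection is handled by the gateway itself. The interface names (dc0, ed0), the LAN prefix, the web server 10.0.0.3 and the rdr rule are taken from the post; the gateway's LAN address (10.0.0.1) and public address (203.0.113.10, a documentation placeholder) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find rdr rules that exist only on the
# external interface and generate the LAN-side hairpin rules for them.

EXT_IF=dc0                  # from the post
LAN_IF=ed0                  # from the post
LAN_NET=10.0.0.0/16         # from the post
GW_LAN_IP=10.0.0.1          # assumed: the gateway's address on ed0
GW_PUBLIC_IP=203.0.113.10   # assumed: the gateway's address on dc0 (TEST-NET-3)

# Constructed copy of the relevant rules from the post.
RULES_ORIGINAL='# innernet
map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map dc0 10.0.0.0/16 -> 0.0.0.0/32

# www
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80'

# Print the ports of "rdr <EXT_IF> ... port N -> ..." rules that have no
# "rdr <LAN_IF> ... port N -> ..." counterpart. Those redirects work from the
# Internet but not from the LAN, because LAN clients' packets arrive on LAN_IF.
missing_hairpins() {
    printf '%s\n' "$1" | awk -v extif="$EXT_IF" -v lanif="$LAN_IF" '
        $1 == "rdr" && $2 == extif && $4 == "port" { ext[$5] = 1 }
        $1 == "rdr" && $2 == lanif && $4 == "port" { lan[$5] = 1 }
        END { for (p in ext) if (!(p in lan)) print p }' | sort -n
}

# Emit, for every external rdr rule, the two rules that make it work from the LAN:
#  - an rdr on LAN_IF keyed on the public address, so the same redirect is
#    applied to connections arriving from the LAN;
#  - a map on LAN_IF rewriting the client's source to the gateway's LAN address,
#    so the server's replies return through the gateway and are un-NATed there.
#    Without it the server would answer the client directly from 10.0.0.3, and
#    the client (which connected to the public address) would reset that reply.
hairpin_rules() {
    printf '%s\n' "$1" | awk -v lanif="$LAN_IF" -v extif="$EXT_IF" \
        -v pub="$GW_PUBLIC_IP" -v lan="$LAN_NET" -v gw="$GW_LAN_IP" '
        $1 == "rdr" && $2 == extif && $4 == "port" && $6 == "->" && $8 == "port" {
            printf "rdr %s %s/32 port %s -> %s port %s tcp\n", lanif, pub, $5, $7, $9
            any = 1
        }
        END { if (any) printf "map %s %s -> %s/32\n", lanif, lan, gw }'
}

# Usage: report the diagnosis, then print the rules to append to /etc/ipnat.rules.
echo "external rdr ports with no LAN hairpin: $(missing_hairpins "$RULES_ORIGINAL" | tr '\n' ' ')"
hairpin_rules "$RULES_ORIGINAL"
```

Append the generated rules to /etc/ipnat.rules, reload with `ipnat -CF -f /etc/ipnat.rules`, and confirm with `ipnat -l` before retrying from a LAN client; the ed0 filter rules above already pass everything, so no ipf.conf change is needed for this. The other standard fix is split-horizon DNS: have the LAN's resolver answer mydomain.com with 10.0.0.3, so LAN clients never go through the gateway at all. Unrelated to the hairpin, note that the inbound section of the posted ipf.conf blocks port 81 with a `quick` rule before it passes port 81, so that later pass rule can never match.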


