IPNAT / IPF / rdr issue

Andy Sutcliffe andy.sutcliffe at gmail.com
Sun Jun 26 14:28:02 GMT 2005 

The hosts file on the gateway contains subdomains of domainname.com
(such as www for th web server, ftp, as well as client hostnames). 
All clients are behind the gateway.  The IP address is not static, but
it may as well be, as it rarely changes.  The cabling for the network
is as follows:

DSL interface -> gateway's external interface | gateway's internal
interface -> switch -> all clients, including www server and normal
pc's

On 6/25/05, fbsd_user <fbsd_user at a1poweruser.com> wrote:
> Do you have your mydomain.com in the /etc/hosts file on the gateway?
> All your clients are on the LAN behind the gateway correct.
> Do you have static IP from your ISP?
> Are you using a dynamic DNS service?
> Explain you cabling layout of your network.
> 
> -----Original Message-----
> From: Andy Sutcliffe [mailto:andy.sutcliffe at gmail.com]
> Sent: Saturday, June 25, 2005 10:36 PM
> To: fbsd_user at a1poweruser.com
> Cc: freebsd-questions at freebsd.org
> Subject: Re: IPNAT / IPF / rdr issue
> 
> 
> I tried that as well, but am still getting the same 'connection
> refused' error from the web browser on the local client machine.
> 
> On 6/25/05, fbsd_user <fbsd_user at a1poweruser.com> wrote:
> > Your using the public ip address of your gateway box from the
> > private LAN.
> > In this mode NAT and thus your rdr rule is never evoked. Your
> > request never exits your private network. The gateway system knows
> > himself by that public ip address.
> > What you should be doing is using the www.domainname.com so the
> > request has to go to your ISP DNS server to get your public ip
> > address, then it will enter on the external interface and be
> > nated/rdr to correct location.
> > There is nothing wrong with your ipfilter configuration, your just
> > using the wrong URL.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Andy
> > Sutcliffe
> > Sent: Saturday, June 25, 2005 9:01 PM
> > To: freebsd-questions at freebsd.org
> > Subject: IPNAT / IPF / rdr issue
> >
> >
> > I am having problems accessing internal resources (such as a web
> > server) from other internal clients when going from internal
> > client ->
> > public address -> internal resource.  For example, when I attempt
> to
> > reach 'mydomain.com' from client machine X, the connection is
> > refused
> > (I am of course, able to reach the web server through the internal
> > IP), however, I am able to access the web server via that URL from
> > an
> > external network.  I have 'mydomain.com' pointed towards the
> > external
> > IP of my gateway which in turn relays it to the internal web
> server.
> > I have included the pertinent contents of /etc/ipnat.rules as well
> > as
> > my /etc/ipf.conf file.  I am at a loss at this point...can anyone
> > point me in the right direction ?
> >
> > Thanks in advance,
> >   - andy ( andy dot sutcliffe at gmail dot com)
> >
> > Gateway:
> >   OS:FreeBSD 5.4
> >   Firewall: IPFilter
> >   Port Forwarding: IPNAT
> >   External eth: dc0
> >   Internal eth: ed0 (10.0.0.0)
> >
> > Web Server
> >   OS: FreeBSD 5.4
> >  WWW: Apache 2.0
> >
> > Client Machine(s)
> >   OS: Windows XP, FreeBSD, Linux
> >
> > I have the following in /etc/ipnat.rules:
> >
> > # innernet
> > map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
> > map dc0 10.0.0.0/16 -> 0.0.0.0/32
> >
> > # www
> > rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80
> >
> > I have the following in /etc/ipf.conf:
> > #################################################################
> > # No restrictions on Inside LAN Interface for private network
> > # Not needed unless you have LAN
> > #################################################################
> >
> > pass out quick on ed0 all
> > pass in quick on ed0 all
> >
> > #################################################################
> > # No restrictions on Loopback Interface
> > #################################################################
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > #################################################################
> > # Interface facing Public Internet (Outbound Section)
> > # Interrogate session start requests originating from behind the
> > # firewall on the private network
> > # or from this gateway server destine for the public Internet.
> > #################################################################
> >
> > # Allow out access to my ISP's Domain name server.
> > # xxx must be the IP address of your ISP's DNS.
> > # Dup these lines if your ISP has more than one DNS server
> > # Get the IP addresses from /etc/resolv.conf file
> > pass out quick on dc0 proto tcp from any to 67.43.192.6 port = 53
> > flags S keep state
> > pass out quick on dc0 proto udp from any to 67.43.192.6 port = 53
> > keep state
> > pass out quick on dc0 proto tcp from any to 137.118.1.33 port = 53
> > flags S keep state
> > pass out quick on dc0 proto udp from any to 137.118.1.33 port = 53
> > keep state
> >
> > # Allow out access to my ISP's DHCP server for cable or DSL
> > networks.
> > # This rule is not needed for 'user ppp' type connection to the
> > # public Internet, so you can delete this whole group.
> > # Use the following rule and check log for IP address.
> > # Then put IP address in commented out rule & delete first rule
> > pass out quick on dc0 proto udp from any to 67.43.192.6 port = 67
> > keep state
> >
> >
> > # Allow out non-secure standard www function
> > pass out quick on dc0 proto tcp from any to any port = 80 flags S
> > keep state
> > pass out quick on dc0 proto tcp from any to any port = 81 flags S
> > keep state
> >
> > # Allow out secure www function https over TLS SSL
> > pass out quick on dc0 proto tcp from any to any port = 443 flags S
> > keep state
> >
> > # Allow out send & get email function
> > pass out quick on dc0 proto tcp from any to any port = 110 flags S
> > keep state
> > pass out quick on dc0 proto tcp from any to any port = 25 flags S
> > keep state
> >
> > # Allow out Time
> > pass out quick on dc0 proto tcp from any to any port = 37 flags S
> > keep state
> >
> > # Allow out nntp news
> > pass out quick on dc0 proto tcp from any to any port = 119 flags S
> > keep state
> >
> > # Allow out gateway & LAN users non-secure FTP ( both passive &
> > active modes)
> > # This function uses the IPNAT built in FTP proxy function coded
> in
> > # the nat rules file to make this single rule function correctly.
> > # If you want to use the pkg_add command to install application
> > packages
> > # on your gateway system you need this rule.
> > pass out quick on dc0 proto tcp from any to any port = 21 flags S
> > keep state
> >
> > # Allow out secure FTP, Telnet, and SCP
> > # This function is using SSH (secure shell)
> > pass out quick on dc0 proto tcp from any to any port = 22 flags S
> > keep state
> >
> > # Allow out non-secure Telnet
> > pass out quick on dc0 proto tcp from any to any port = 23 flags S
> > keep state
> >
> > # Allow out FBSD CVSUP function
> > pass out quick on dc0 proto tcp from any to any port = 5999 flags
> S
> > keep state
> >
> > # Allow out ping to public Internet
> > pass out quick on dc0 proto icmp from any to any icmp-type 8 keep
> > state
> >
> > # Allow out whois for LAN PC to public Internet
> > pass out quick on dc0 proto tcp from any to any port = 43 flags S
> > keep state
> >
> > # Block and log only the first occurrence of everything
> > # else that's trying to get out.
> > # This rule enforces the block all by default logic.
> > block out log first quick on dc0 all
> >
> > #################################################################
> > # Interface facing Public Internet (Inbound Section)
> > # Interrogate packets originating from the public Internet
> > # destine for this gateway server or the private network.
> > #################################################################
> >
> > # Block all inbound traffic from non-routable or reserved address
> > spaces
> > block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918
> > private IP
> > block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918
> > private IP
> > # block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918
> > private IP
> > block in quick on dc0 from 127.0.0.0/8 to any       #loopback
> > block in quick on dc0 from 0.0.0.0/8 to any         #loopback
> > block in quick on dc0 from 169.254.0.0/16 to any    #DHCP
> > auto-config
> > block in quick on dc0 from 192.0.2.0/24 to any      #reserved for
> > docs
> > block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster
> > interconnect
> > block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E
> > multicast
> >
> > ##### Block a bunch of different nasty things. ############
> > # That I do not want to see in the log
> >
> > # Block frags
> > block in quick on dc0 all with frags
> >
> > # Block short tcp packets
> > block in quick on dc0 proto tcp all with short
> >
> > # block source routed packets
> > block in quick on dc0 all with opt lsrr
> > block in quick on dc0 all with opt ssrr
> >
> > # Block nmap OS fingerprint attempts
> > # Log first occurrence of these so I can get their IP address
> > block in log first quick on dc0 proto tcp from any to any flags
> FUP
> >
> > # Block anything with special options
> > block in quick on dc0 all with ipopts
> >
> > # Block public pings
> > block in quick on dc0 proto icmp all icmp-type 8
> >
> > # Block ident
> > block in quick on dc0 proto tcp from any to any port = 113
> >
> > # Block all Netbios service. 137=name, 138=datagram, 139=session
> > # Netbios is MS/Windows sharing services.
> > # Block MS/Windows hosts2 name server requests 81
> > block in log first quick on dc0 proto tcp/udp from any to any port
> =
> > 137
> > block in log first quick on dc0 proto tcp/udp from any to any port
> =
> > 138
> > block in log first quick on dc0 proto tcp/udp from any to any port
> =
> > 139
> > block in log first quick on dc0 proto tcp/udp from any to any port
> =
> > 81
> >
> > # Allow traffic in from ISP's DHCP server. This rule must contain
> > # the IP address of your ISP's DHCP server as it's the only
> > # authorized source to send this packet type. Only necessary for
> > # cable or DSL configurations. This rule is not needed for
> > # 'user ppp' type connection to the public Internet.
> > # This is the same IP address you captured and
> > # used in the outbound section.
> > pass in quick on dc0 proto udp from 67.43.192.6 to any port = 68
> > keep state
> >
> > # Allow in standard www function because I have apache server
> > pass in quick on dc0 proto tcp from any to any port = 80 flags S
> > keep state
> > pass in quick on dc0 proto tcp from any to any port = 81 flags S
> > keep state
> >
> > # Allow in secure FTP, Telnet, and SCP from public Internet
> > # This function is using SSH (secure shell)
> > pass in quick on dc0 proto tcp from any to any port = 22 flags S
> > keep state
> >
> > # Allow in non-scure FTP access to file server (bombadil)
> > pass in quick on dc0 proto ftp from any to 10.0.0.2 port = 21
> flags
> > S keep state
> > pass in quick on dc0 proto ftp from any to 10.0.0.2 port = 20
> flags
> > S keep state
> > pass out quick on dc0 proto ftp from 10.0.0.2 to any port = 20
> flags
> > S
> > keep state
> >
> > # Block and log only first occurrence of all remaining traffic
> > # coming into the firewall. The logging of only the first
> > # occurrence stops a .denial of service. attack targeted
> > # at filling up your log file space.
> > # This rule enforces the block all by default logic.
> > block in log first quick on dc0 all
> > ################### End of rules file
> > #####################################
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"
> >
> >
> 
>

More information about the freebsd-questions mailing list