Weird ipf rdr rule behaviour

Jeremie Le Hen jeremie.le-hen at epita.fr
Tue Jul 6 10:20:29 PDT 2004


Hi freebsd-net@,

I set up jailed DNS and SMTP servers on a box in my LAN, and I want to make
them accessible from the Internet.  Since my router uses FreeBSD 4.10 with
IPFilter for firewalling and NATing, I simply added these two lines
in my ipnat.rules:

rdr tun0 0.0.0.0/0 port 53 -> 192.168.1.53 port 53 tcp/udp
rdr tun0 0.0.0.0/0 port 25 -> 192.168.1.25 port 25 tcp

I encounter a very strange behaviour: while the redirection on port 53
works well, the one on port 25 doesn't; I tried setting "tcp/udp"
instead of "tcp", but it does not change anything.

After a few tcpdump(8) runs, I understood that while the SYN packet was
correctly rdr'ed (destination IP address becomes 192.168.1.25 on the
LAN wire), the SYN/ACK packet answered goes out to the Internet without having
its source IP address changed (it still has a private source IP address)
and the initiator of the connection obviously discards it.  Very oddly,
this does not happen with rdr on port 53.  Here are dumps on my public
interface:

yoda:log# tcpdump -vni tun0 'tcp port 25'
tcpdump: listening on tun0
18:46:03.888283 213.223.XXX.XXX.38609 > 212.180.XXX.XXX.25: SWE [tcp sum ok] 3067984472:3067984472(0) win 5840 <mss 1414,sackOK,timestamp 105745727 0,nop,wscale 0> (DF) [tos 0x10]  (ttl 55, id 14183, len 60)
18:46:03.950498 192.168.1.25.25 > 213.223.XXX.XXX.38609: S [tcp sum ok] 496647005:496647005(0) ack 3067984473 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 34750661 105745727> (DF) (ttl 63, id 28213, len 60)

yoda:log# tcpdump -vni tun0 'tcp port 53'
tcpdump: listening on tun0
18:47:29.303454 213.223.XXX.XXX.38613 > 212.180.XXX.XXX.53: SWE [tcp sum ok] 3149981312:3149981312(0) win 5840 <mss 1414,sackOK,timestamp 105754269 0,nop,wscale 0> (DF) [tos 0x10]  (ttl 55, id 18461, len 60)
18:47:29.351839 212.180.XXX.XXX.53 > 213.223.XXX.XXX.38613: S [tcp sum ok] 3077327056:3077327056(0) ack 3149981313 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 34759201 105754269> (DF) (ttl 63, id 44544, len 60)
18:47:29.425325 213.223.XXX.XXX.38613 > 212.180.XXX.XXX.53: . [tcp sum ok] ack 1 win 5840 <nop,nop,timestamp 105754281 34759201> (DF) [tos 0x10]  (ttl 55, id 18462, len 52)

Here is the corresponding IPFilter log:
Jul  6 18:46:04 <local0.notice> yoda ipmon[59]: 18:46:03.888426 tun0 @1:4 p 213.223.XXX.XXX,38609 -> 192.168.1.25,25 PR tcp len 20 60 -SEC K-S K-F IN
Jul  6 18:47:29 <local0.notice> yoda ipmon[59]: 18:47:29.303592 tun0 @1:2 p 213.223.XXX.XXX,38613 -> 192.168.1.53,53 PR tcp len 20 60 -SEC K-S K-F IN

I notice a difference between the two cases while watching the connection
state using ipnat(8):
List of active sessions:
RDR 192.168.1.53    53    <- -> 212.180.XXX.XXX 53    [213.223.XXX.XXX 38656]
RDR 192.168.1.25    25    <- -> 192.168.1.25    25    [213.223.XXX.XXX 38655]
RDR 192.168.1.25    25    <- -> 212.180.XXX.XXX 25    [213.223.XXX.XXX 38655]

As you can see, there are two mappings for the rdr of port 25, which is
clearly unusual.  Another difference I noticed is that there is an SMTP
server bound to *:25 and a DNS server bound to 212.180.XXX.XXX:53 (no
wildcard) on the router itself.  But I tried to disable them, and it
doesn't matter.

I would greatly appreciate it if someone could help me to resolve this
problem.  I didn't supply all the information that may be relevant in
this case, but I can give nearly whatever you might ask for.

Regards,
-- 
Jeremie LE HEN aka TtZ/TataZ                          jeremie.le-hen at epita.fr
                                                                 ttz at epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
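The two symptoms described in the post above (a reply leaving the public interface with a private source address, and one inside host:port showing up in more than one RDR session) can both be caught mechanically. The script below is an added example, not code from the original post or from IPFilter: it parses `tcpdump -n` output from the public interface and flags any packet whose source is an RFC1918 address (a reply that was forwarded without its rdr mapping being reversed), and it parses an `ipnat -l` session list and reports inside endpoints that have more than one RDR mapping. The sample lines are constructed from the post, with the masked `XXX` octets replaced by made-up values; the regular expressions assume the tcpdump and ipnat output formats shown in the post.

```python
"""Diagnostics for an ipnat rdr setup (added example, not the post's own code):
1. leaked_private_sources(): packets on the public wire with an RFC1918 source,
   i.e. replies that left un-NATed like the port-25 SYN/ACK in the post;
2. duplicate_rdr_mappings(): inside host:port pairs that appear in more than
   one RDR session in `ipnat -l` output, like the port-25 case in the post."""
import ipaddress
import re

# Constructed `tcpdump -n` output on the public interface. Public addresses
# are made up; the private reply on the second line mirrors the post.
TCPDUMP_LINES = """\
18:46:03.888283 213.223.1.2.38609 > 212.180.3.4.25: SWE [tcp sum ok] 3067984472:3067984472(0) win 5840 (DF)
18:46:03.950498 192.168.1.25.25 > 213.223.1.2.38609: S [tcp sum ok] 496647005:496647005(0) ack 3067984473 win 65535 (DF)
18:47:29.303454 213.223.1.2.38613 > 212.180.3.4.53: SWE [tcp sum ok] 3149981312:3149981312(0) win 5840 (DF)
18:47:29.351839 212.180.3.4.53 > 213.223.1.2.38613: S [tcp sum ok] 3077327056:3077327056(0) ack 3149981313 win 65535 (DF)
"""

# Constructed `ipnat -l` session list, modelled on the one in the post.
IPNAT_LINES = """\
List of active sessions:
RDR 192.168.1.53    53    <- -> 212.180.3.4     53    [213.223.1.2 38656]
RDR 192.168.1.25    25    <- -> 192.168.1.25    25    [213.223.1.2 38655]
RDR 192.168.1.25    25    <- -> 212.180.3.4     25    [213.223.1.2 38655]
"""

# tcpdump -n prints IPv4 endpoints as a.b.c.d.port, separated by " > ".
PKT_RE = re.compile(
    r'^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):')
# ipnat -l RDR line: inside ip/port, "<- ->", external ip/port, [peer ip port]
RDR_RE = re.compile(
    r'^RDR\s+(\S+)\s+(\d+)\s+<- ->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]')


def leaked_private_sources(dump_text):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) for every packet
    whose source address is private. On a public interface such a packet is a
    reply that was forwarded without its rdr mapping being reversed."""
    leaks = []
    for line in dump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, sip, sport, dip, dport = m.groups()
        if ipaddress.ip_address(sip).is_private:
            leaks.append((ts, sip, int(sport), dip, int(dport)))
    return leaks


def duplicate_rdr_mappings(ipnat_text):
    """Return {(inside_ip, inside_port): [(external_ip, external_port), ...]}
    restricted to inside endpoints that have more than one RDR session."""
    seen = {}
    for line in ipnat_text.splitlines():
        m = RDR_RE.match(line)
        if not m:
            continue
        in_ip, in_port, ext_ip, ext_port, _peer_ip, _peer_port = m.groups()
        key = (in_ip, int(in_port))
        seen.setdefault(key, []).append((ext_ip, int(ext_port)))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for leak in leaked_private_sources(TCPDUMP_LINES):
        print("un-NATed reply on public interface:", leak)
    for (ip, port), exts in duplicate_rdr_mappings(IPNAT_LINES).items():
        print("inside %s:%d has %d RDR sessions: %s" % (ip, port, len(exts), exts))
```

Run against a live box by piping `tcpdump -ni tun0 'tcp port 25'` and `ipnat -l` output into the two functions; a non-empty result from either one reproduces the observation in the post without having to read the dumps by hand.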