natd port forward times out, tcpdump yields nothing

Kage kagekonjou at gmail.com
Mon Mar 24 09:04:36 PDT 2008 

Still not working, but I DO have natd aliasing properly.  Here's my
natd output (remember which IP is mine, the IRC jail, and the example
round-robin IP):

[root at nub /etc]# natd -f /etc/natd.conf
In  {default}[TCP]  [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
           [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
In  {default}[TCP]  [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
           [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
In  {default}[TCP]  [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
           [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667

72...23 (me) is hitting the natd on the jail IP (207...45), which is
getting correctly aliased to 72...202 (example round-robin IP).  So it
appears the natd is working properly.  Here's my natd configuration as
it exists now:

# Nub.Core NATd
verbose
alias_address 207.210.114.45
log
log_denied
log_ipfw_denied
pid_file /var/run/natd.pid

### IRC Redirect Ports
# 6667
redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667

And for more record, here's my ipfw.rules file up until the divert:

[root at nub /etc]# cat ipfw.rules
IPF="ipfw -q add"
ipfw -f -q flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 54999 allow icmp from any to any

[snip -- Some allowed ports (port 80, 443, etc.), and some denied IPs]

# IRC (natd divert for IRC port-forwarding
$IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 6667 via rl0
$IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0

Any attempt to connect to the IRC jail IP thus far, though, still
fails with a "connection timed out."

Thanks for your help thus far.  Any additional ideas?

On Mon, Mar 24, 2008 at 6:10 AM, Henri Hennebert <hlh at restart.be> wrote:
> Kage wrote:
>  > Well, no, see it's hitting natd just fine as shown by my natd verbose
>  > logs, if you're assuming ipfw is blocking me from reaching natd.  Are
>  > you talking about adding a firewall rule for each of my round-robin
>  > addresses, too?
>
>  Yes
>
>
>  >  How would that do any good?
>
>  All response paquet to a paquet diverted to natd must also be diverted
>  to natd to be reverse translated. eg:
>
>  incoming request from client (c) to server (s) redirected to server (S)
>
>  c.c.c.c -> s.s.s.s   nated as c.c.c.c -> S.S.S.S
>
>  must have response paquetd reverse translated:
>
>  S.S.S.S -> c.c.c.c  nated as s.s.s.s -> c.c.c.c
>
>  to be a valid response to client (c).
>
>
>
>  >
>  > On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert <hlh at restart.be> wrote:
>  >> Kage wrote:
>  >>  > Hey guys,
>  >>  >
>  >>  >    This is a fun one that's stumped people in Freenode ##freebsd.
>  >>  > Basically, I have this layout:
>  >>  >
>  >>  > irc.domain.com -> DNS A -> IRC Jail
>  >>  >
>  >>  > When someone connects to irc.domain.com on IRC ports (6667, 8067,
>  >>  > etc.), it round-robins them using natd, otherwise it sends all other
>  >>  > port requests to the IRC jail as per normal (such as port 80, which is
>  >>  > my primary concern).  As for having it setup to have ipfw divert to
>  >>  > natd, that's done and works, as shown by natd verbose mode:
>  >>  >
>  >>  > In  {default}[TCP]  [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
>  >>  >            [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
>  >>  >
>  >>  > (For reference)
>  >>  > 207.210.114.45 = jail IP
>  >>  > 72.20.28.202 = example target IP in the round-robin
>  >>  > 72.65.73.23 = my IP
>  >>  >
>  >>  > Right now, my ipfw.rules file is as follows:
>  >>  >
>  >>  > [root at nub /etc]# cat ipfw.rules
>  >>  > IPF="ipfw -q add"
>  >>  > ipfw -f -q flush
>  >>  >
>  >>  > #loopback
>  >>  > $IPF 10 allow all from any to any via lo0
>  >>  > $IPF 20 deny all from any to 127.0.0.0/8
>  >>  > $IPF 30 deny all from 127.0.0.0/8 to any
>  >>  > $IPF 40 deny tcp from any to any frag
>  >>  >
>  >>  > # statefull
>  >>  > $IPF 50 check-state
>  >>  > $IPF 60 allow tcp from any to any established
>  >>  > $IPF 70 allow all from any to any out keep-state
>  >>  > $IPF 54999 allow icmp from any to any
>  >>  >
>  >>  > # Include the deny file
>  >>  > . /etc/ipfw.deny
>  >>  >
>  >>  > [snip -- some allowed ports]
>  >>  > # IRC (natd divert for IRC port-forwarding
>  >>  > $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
>  >>  > $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
>  >>  > $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
>  >>  > $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
>  >>  > $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0
>  >>
>  >>
>  >> You must also divert the response trafic AFAIK eg:
>  >>
>  >>  $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0
>  >>
>  >>
>  >>
>  >>  > # keep these two IRC ports normally open for BNC
>  >>  > $IPF 50270 allow all from any to any 31337 in
>  >>  > $IPF 50380 allow all from any to any 31337 out
>  >>  > [snip -- more allowed ports]
>  >>  > # deny and log everything
>  >>  > $IPF 55000 deny log all from any to any
>  >>  >
>  >>  > -----
>  >>  >
>  >>  > Here's a dump of ipfw show, with some stuff cut out for space purposes
>  >>  > (they're just denied DDoS IPs)
>  >>  >
>  >>  > [root at nub /etc]# ipfw show
>  >>  > 00010  61124  16056802 allow ip from any to any via lo0
>  >>  > 00020      0         0 deny ip from any to 127.0.0.0/8
>  >>  > 00030      0         0 deny ip from 127.0.0.0/8 to any
>  >>  > 00040      0         0 deny tcp from any to any frag
>  >>  > 00050      0         0 check-state
>  >>  > 00060 670616 455926379 allow tcp from any to any established
>  >>  > 00070  16213  14071853 allow ip from any to any out keep-state
>  >>  > [snip]
>  >>  > 50220    468     22464 divert 8668 ip from any to 207.210.114.45
>  >>  > dst-port 6667 via rl0
>  >>  > 50230      0         0 divert 8668 ip from any to 207.210.114.45
>  >>  > dst-port 8067 via rl0
>  >>  > 50240      0         0 divert 8668 ip from any to 207.210.114.45
>  >>  > dst-port 8068 via rl0
>  >>  > 50250      0         0 divert 8668 ip from any to 207.210.114.45
>  >>  > dst-port 6697 via rl0
>  >>  > 50260      0         0 divert 8668 ip from any to 207.210.114.45
>  >>  > dst-port 7000 via rl0
>  >>  > 50270      1        60 allow ip from any to any dst-port 31337 in
>  >>  > 54999     66      3991 allow icmp from any to any
>  >>  > 55000   4364    343609 deny log logamount 100 ip from any to any
>  >>  > 65535     29      4176 allow ip from any to any
>  >>  >
>  >>  > My natd.conf is as follows:
>  >>  >
>  >>  > [root at nub /etc]# cat natd.conf
>  >>  > # Nub.Core NATd
>  >>  > verbose
>  >>  > alias_address 207.210.114.45
>  >>  > log
>  >>  > log_denied
>  >>  > log_ipfw_denied
>  >>  > pid_file /var/run/natd.pid
>  >>  >
>  >>  >
>  >>  > ### IRC Redirect Ports
>  >>  > # 6667
>  >>
>  >>
>  >> If I understand man natd
>  >>
>  >>
>  >>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
>  >>                                                            ^^^^^^^^^^^^^
>  >>  Trafic is comming from 72.65.73.23 - so the rule don't apply
>  >>
>  >>
>  >>> [root at nub /etc]#
>  >>  >
>  >>  > And, as stated above, I am showing connection diverts to natd.  When I
>  >>  > run the following three tcpdumps:
>  >>  >
>  >>  > tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and
>  >>  > dst host 207.210.114.45 and dst port 6667
>  >>  > tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and
>  >>  > dst host 207.210.114.45 and dst port 6667
>  >>  > tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45
>  >>  > and dst host 72.20.28.202 and src port 6667
>  >>  >
>  >>  > Only the "me_to_nat.pcap" gets any data.  The rest are 0 bytes.  Example:
>  >>  >
>  >>  > -rw-r--r--     1 root  wheel      0 Mar 21 14:57 jail_to_nat.pcap
>  >>  > -rw-r--r--     1 root  wheel  16384 Mar 21 15:24 me_to_nat.pcap
>  >>  > -rw-r--r--     1 root  wheel      0 Mar 21 14:57 nat_to_jail.pcap
>  >>  >
>  >>  > So, can anyone diagnose and fix this?  Thanks.
>  >>  >
>  >>  > (P.S.: I'm aware of the DNS methods of doing round-robin, but please
>  >>  > keep that from this discussion.  I need to port-forward round-robin,
>  >>  > not whole DNS)
>  >>  >
>  >>
>  >>
>  >>  _______________________________________________
>  >>  freebsd-net at freebsd.org mailing list
>  >>  http://lists.freebsd.org/mailman/listinfo/freebsd-net
>  >>  To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>  >>
>  >
>  >
>  >
>
>



-- 
~ Kage
http://vitund.com
http://hackthissite.org

More information about the freebsd-net mailing list