ipnat.conf - map and rdr won't work!

Erik Norgaard norgaard at locolomo.org
Tue Jul 20 16:57:41 UTC 2010

On 20/07/10 18.02, alexus wrote:
> On Mon, Jul 19, 2010 at 12:38 PM, Erik Norgaard<norgaard at locolomo.org>  wrote:
>> On 19/07/10 16.46, alexus wrote:
>> Can't help you more, really, you need to investigate where packets are
>> dropped, tcpdump is a great tool and the man-page is excellent, can't explain
>> it better, if you don't like tcpdump then use any other packet sniffing tool
>> at hand, snort for example.
> ipmon:
> 20/07/2010 10:22:00.123106 @2 NAT:RDR,22<- ->
>,22 [,6346 PR tcp]
> 20/07/2010 10:26:00.340436 @2 NAT:EXPIRE,22<- ->
>,22 [,6346 PR tcp] Pkts 11/0 Bytes 640/0
> tcpdump:
> tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:40:07.366519 IP (tos 0x0, ttl 49, id 48580, offset 0, flags [DF],
> proto TCP (6), length 64)> S, cksum
> 0xc05d (correct), 208454974:208454974(0) win 65535<mss
> 1380,nop,wscale 3,nop,nop,timestamp 91387932 0,sackOK,eol>
> 0 packets dropped by kernel

What tcpdump options did you use, on what interface? Where did you run 
it? On the hosting system or within the jail?

>> Can packets get dropped because of your firewall default policy? For
>> stealth it may be set to simply drop packets, which results in a connection
>> time-out rather than a TCP-RST being sent.

> I disabled ipfw, and I don't have any rules inside of ipfilter

You do have the default rule. IIRC this is set when you compile 
ipfilter, it can be set to either block or pass.

If you don't remember what it was, then you can override it by 
configuring two rules:

pass in quick all
pass out quick all

>> Do you have any logs in the jail that indicate that the first packet is
>> actually received? Does your firewall log connections? If not, see how you can
>> enable logs on all rules to get more information.
> Nothing gets to the jail, therefore no logs inside of the jail

Ok, but you should be able to configure log on your firewall/nat rules. 
IIRC ipfilter does not permit a log statement on nat rules; you can switch 
to packet filter, which has almost the same syntax and permits log.

>> Can you connect out from the jail, to external servers? only to the jail
>> hosting server? Did the jail's ssh log tell anything?
> No, I cannot connect out from the jail, as map doesn't work either
> nothing gets to

Nor to the hosting system?

>> You wrote you can connect with ssh from the hosting server to the jail, but
>> it took a long time, did you investigate this? Is there some DNS issue that
>> times out and causes the connection to fail?

What about that "long time" I recall you mentioned?

>> Can you ping your jail? Can you ping out? Default route is configured?
> I can ping my jail within the host environment
> Once again, nothing within the jail works as map (nat) isn't working

Are you sure you're actually pinging the jail? IIRC from your previous 
mail you have configured the jail IP both on the host environment and in 
the jail.

So I suppose that from your host environment you can ssh into the jail? 
Did ssh start up, netstat -l? From the jail, can you ping the host 

> The default router isn't configured in rc.conf (inside of the jail); as per
> the jail man page it's not needed
> It was working fine before without it
>> There are tons of tests you can do to figure out what's failing.

Do you have additional external ip addresses available?

Last time I played around with jail, I had this:

ifconfig_vr1="inet"         # Hosting system
ifconfig_vr1_alias0="inet"  # Jail

So that would create an alias for the jail and bypass the need for rdr.

BR, Erik
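As an added example, not part of the thread, a small Python checker for the ipmon(8) NAT log format quoted above: a NAT:EXPIRE record ending in "Pkts 11/0 Bytes 640/0" is read here as eleven packets counted on the inbound side and none on the reply side, which is the one-way symptom worth catching before reaching for tcpdump. The sample log lines and all addresses are constructed (RFC 5737 ranges), and the "Pkts in/out" field order is assumed from the quoted line.

```python
import re

# Constructed sample ipmon(8) output modelled on the lines quoted in the
# thread; the addresses are documentation ranges, not from the mail.
SAMPLE_IPMON = """\
20/07/2010 10:22:00.123106 @2 NAT:RDR 192.0.2.10,22 <- -> 198.51.100.1,22 [203.0.113.7,6346 PR tcp]
20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 192.0.2.10,22 <- -> 198.51.100.1,22 [203.0.113.7,6346 PR tcp] Pkts 11/0 Bytes 640/0
20/07/2010 10:30:15.000001 @1 NAT:MAP 192.0.2.10,51000 <- -> 198.51.100.1,51000 [203.0.113.9,80 PR tcp]
20/07/2010 10:31:15.000002 @1 NAT:EXPIRE 192.0.2.10,51000 <- -> 198.51.100.1,51000 [203.0.113.9,80 PR tcp] Pkts 9/8 Bytes 1200/3400
"""

# "date time @rule NAT:EVENT ..." prefix shared by RDR/MAP/EXPIRE records
HEADER_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) @(?P<rule>\d+) NAT:(?P<event>[A-Z]+)")
# Counters only appear on EXPIRE records; order assumed to be in/out.
COUNTER_RE = re.compile(r"Pkts (?P<pin>\d+)/(?P<pout>\d+) Bytes (?P<bin>\d+)/(?P<bout>\d+)")
# The two translated endpoints around the "<- ->" marker (whitespace-tolerant).
ENDPOINT_RE = re.compile(r"(?P<a>\S+)\s*<- ->\s*(?P<b>\S+)")


def parse_expire(line):
    """Return a dict for one NAT:EXPIRE record, or None for any other line."""
    h = HEADER_RE.match(line)
    if not h or h["event"] != "EXPIRE":
        return None
    c = COUNTER_RE.search(line)
    e = ENDPOINT_RE.search(line)
    if not c or not e:
        return None
    return {
        "rule": int(h["rule"]),
        "inside": e["a"], "outside": e["b"],
        "pkts_in": int(c["pin"]), "pkts_out": int(c["pout"]),
        "bytes_in": int(c["bin"]), "bytes_out": int(c["bout"]),
    }


def one_way_sessions(log_text):
    """Sessions where packets arrived but no reply ever left: the symptom of
    a broken return path (default route, filter default policy, missing alias)."""
    found = []
    for line in log_text.splitlines():
        rec = parse_expire(line)
        if rec and rec["pkts_in"] > 0 and rec["pkts_out"] == 0:
            found.append(rec)
    return found


if __name__ == "__main__":
    for s in one_way_sessions(SAMPLE_IPMON):
        print(f"rule @{s['rule']}: {s['inside']} <- -> {s['outside']} "
              f"got {s['pkts_in']} pkts, sent 0: check the reply path")
```

Run it against `ipmon -o N` output (saved to a file) to list every NAT entry that expired without a single reply packet.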
