Re: natd port forward times out, tcpdump yields nothing



Kage wrote:
Still not working, but I DO have natd aliasing properly. Here's my
natd output (remember which IP is mine, the IRC jail, and the example
round-robin IP):

[root@nub /etc]# natd -f /etc/natd.conf
In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
[TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
[TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
[TCP] 72.65.73.23:2897 -> 72.20.28.202:6667

72...23 (me) is hitting the natd on the jail IP (207...45), which is
getting correctly aliased to 72...202 (example round-robin IP). So it
appears the natd is working properly.

In the client -> server direction only for now -- see below.

Here's my natd configuration as
it exists now:

# Nub.Core NATd
verbose
alias_address 207.210.114.45
log
log_denied
log_ipfw_denied
pid_file /var/run/natd.pid

### IRC Redirect Ports
# 6667
redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667

And for more record, here's my ipfw.rules file up until the divert:

[root@nub /etc]# cat ipfw.rules
IPF="ipfw -q add"
ipfw -f -q flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 54999 allow icmp from any to any

[snip -- Some allowed ports (port 80, 443, etc.), and some denied IPs]

# IRC (natd divert for IRC port-forwarding)
$IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 6667 via rl0
^^^^
The destination port must not be given (i.e. any destination port corresponding to any source port greater than 1023 for the request) - in this test the source port is 2897, in the next one it may be anything > 1023. Moreover `any' in place of 207.210.114.45 would be nice to allow others to chat. So the rule should be:

$IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0

Henri

$IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0

Any attempt to connect to the IRC jail IP thus far, though, still
fails with a "connection timed out."

Thanks for your help thus far. Any additional ideas?

On Mon, Mar 24, 2008 at 6:10 AM, Henri Hennebert <hlh@xxxxxxxxxx> wrote:
Kage wrote:
> Well, no, see it's hitting natd just fine as shown by my natd verbose
> logs, if you're assuming ipfw is blocking me from reaching natd. Are
> you talking about adding a firewall rule for each of my round-robin
> addresses, too?

Yes


> How would that do any good?

All response packets to a packet diverted to natd must also be diverted
to natd to be reverse translated, e.g.:

incoming request from client (c) to server (s) redirected to server (S)

c.c.c.c -> s.s.s.s nated as c.c.c.c -> S.S.S.S

must have the response packets reverse translated:

S.S.S.S -> c.c.c.c nated as s.s.s.s -> c.c.c.c

to be a valid response to client (c).



>
> On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert <hlh@xxxxxxxxxx> wrote:
>> Kage wrote:
>> > Hey guys,
>> >
>> > This is a fun one that's stumped people in Freenode ##freebsd.
>> > Basically, I have this layout:
>> >
>> > irc.domain.com -> DNS A -> IRC Jail
>> >
>> > When someone connects to irc.domain.com on IRC ports (6667, 8067,
>> > etc.), it round-robins them using natd, otherwise it sends all other
>> > port requests to the IRC jail as per normal (such as port 80, which is
>> > my primary concern). As for having it setup to have ipfw divert to
>> > natd, that's done and works, as shown by natd verbose mode:
>> >
>> > In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
>> > [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
>> >
>> > (For reference)
>> > 207.210.114.45 = jail IP
>> > 72.20.28.202 = example target IP in the round-robin
>> > 72.65.73.23 = my IP
>> >
>> > Right now, my ipfw.rules file is as follows:
>> >
>> > [root@nub /etc]# cat ipfw.rules
>> > IPF="ipfw -q add"
>> > ipfw -f -q flush
>> >
>> > #loopback
>> > $IPF 10 allow all from any to any via lo0
>> > $IPF 20 deny all from any to 127.0.0.0/8
>> > $IPF 30 deny all from 127.0.0.0/8 to any
>> > $IPF 40 deny tcp from any to any frag
>> >
>> > # stateful
>> > $IPF 50 check-state
>> > $IPF 60 allow tcp from any to any established
>> > $IPF 70 allow all from any to any out keep-state
>> > $IPF 54999 allow icmp from any to any
>> >
>> > # Include the deny file
>> > . /etc/ipfw.deny
>> >
>> > [snip -- some allowed ports]
>> > # IRC (natd divert for IRC port-forwarding)
>> > $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
>> > $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
>> > $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
>> > $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
>> > $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0
>>
>>
>> You must also divert the response traffic AFAIK, e.g.:
>>
>> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0
>>
>>
>>
>> > # keep these two IRC ports normally open for BNC
>> > $IPF 50270 allow all from any to any 31337 in
>> > $IPF 50380 allow all from any to any 31337 out
>> > [snip -- more allowed ports]
>> > # deny and log everything
>> > $IPF 55000 deny log all from any to any
>> >
>> > -----
>> >
>> > Here's a dump of ipfw show, with some stuff cut out for space purposes
>> > (they're just denied DDoS IPs)
>> >
>> > [root@nub /etc]# ipfw show
>> > 00010 61124 16056802 allow ip from any to any via lo0
>> > 00020 0 0 deny ip from any to 127.0.0.0/8
>> > 00030 0 0 deny ip from 127.0.0.0/8 to any
>> > 00040 0 0 deny tcp from any to any frag
>> > 00050 0 0 check-state
>> > 00060 670616 455926379 allow tcp from any to any established
>> > 00070 16213 14071853 allow ip from any to any out keep-state
>> > [snip]
>> > 50220 468 22464 divert 8668 ip from any to 207.210.114.45 dst-port 6667 via rl0
>> > 50230 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8067 via rl0
>> > 50240 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8068 via rl0
>> > 50250 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 6697 via rl0
>> > 50260 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 7000 via rl0
>> > 50270 1 60 allow ip from any to any dst-port 31337 in
>> > 54999 66 3991 allow icmp from any to any
>> > 55000 4364 343609 deny log logamount 100 ip from any to any
>> > 65535 29 4176 allow ip from any to any
>> >
>> > My natd.conf is as follows:
>> >
>> > [root@nub /etc]# cat natd.conf
>> > # Nub.Core NATd
>> > verbose
>> > alias_address 207.210.114.45
>> > log
>> > log_denied
>> > log_ipfw_denied
>> > pid_file /var/run/natd.pid
>> >
>> >
>> > ### IRC Redirect Ports
>> > # 6667
>>
>>
>> If I understand man natd
>>
>>
>>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
>> ^^^^^^^^^^^^^
>> Traffic is coming from 72.65.73.23 - so the rule doesn't apply
>>
>>
>>> [root@nub /etc]#
>> >
>> > And, as stated above, I am showing connection diverts to natd. When I
>> > run the following three tcpdumps:
>> >
>> > tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and dst host 207.210.114.45 and dst port 6667
>> > tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and dst host 207.210.114.45 and dst port 6667
>> > tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45 and dst host 72.20.28.202 and src port 6667
>> >
>> > Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:
>> >
>> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap
>> > -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap
>> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap
>> >
>> > So, can anyone diagnose and fix this? Thanks.
>> >
>> > (P.S.: I'm aware of the DNS methods of doing round-robin, but please
>> > keep that from this discussion. I need to port-forward round-robin,
>> > not whole DNS)
>> >
>>
>>
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
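An added example, not from this thread and not part of ipfw or natd, that models the return-path point Henri makes above: a redirect_port flow needs a divert rule that the server's reply can match, and since the client's port is ephemeral, that rule cannot name a destination port. The model assumes the divert rules are reached (it ignores rule order, the stateful rules and natd's dynamic alias table) and uses the thread's three addresses.

```python
from dataclasses import dataclass, replace as dc_replace

# Addresses as given in the thread.
CLIENT, JAIL, TARGET = "72.65.73.23", "207.210.114.45", "72.20.28.202"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def rule_matches(rule, p):
    """ipfw-style 'from SRC [SPORT] to DST [DPORT]'; "any" / None are wildcards."""
    src, sport, dst, dport = rule
    return ((src == "any" or src == p.src) and (sport is None or sport == p.sport)
            and (dst == "any" or dst == p.dst) and (dport is None or dport == p.dport))

class Natd:
    """Simplified 'redirect_port tcp TARGET:port ALIAS:port', both directions."""
    def __init__(self, alias, target, port):
        self.alias, self.target, self.port = alias, target, port
    def translate(self, p):
        if p.dst == self.alias and p.dport == self.port:   # request: rewrite destination
            return dc_replace(p, dst=self.target)
        if p.src == self.target and p.sport == self.port:  # reply: rewrite source back
            return dc_replace(p, src=self.alias)
        return p

def forward(divert_rules, natd, p):
    """First matching divert rule hands the packet to natd; otherwise it passes untouched."""
    for rule in divert_rules:
        if rule_matches(rule, p):
            return natd.translate(p)
    return p

INBOUND = ("any", None, JAIL, 6667)   # the client -> jail divert rule as posted

def client_sees_valid_reply(return_rule, client_port=2897):
    """One SYN / SYN-ACK round trip: does the reply still appear to come from JAIL,
    the address the client actually connected to?"""
    natd, rules = Natd(JAIL, TARGET, 6667), [INBOUND, return_rule]
    syn = forward(rules, natd, Pkt(CLIENT, client_port, JAIL, 6667))
    synack = Pkt(syn.dst, 6667, syn.src, syn.sport)   # the server answers whoever asked
    reply = forward(rules, natd, synack)
    return reply.src == JAIL and reply.dst == CLIENT and reply.dport == client_port

# The three return-direction rules that appear in the thread:
FIRST_TRY = (TARGET, 6667, JAIL, None)   # "to 207.210.114.45": reply is addressed to the client, not the jail
WITH_PORT = (TARGET, 6667, JAIL, 6667)   # adds dst port 6667: the client's port is ephemeral, never matches
FIXED     = (TARGET, 6667, "any", None)  # "to any": matches replies to every client and port
```

The model assumes the reply reaches the divert rule at all; in the posted ruleset rules 50 and 60 (check-state, allow tcp established) sit before 50220 and accept a SYN/ACK before it can be diverted, so divert rules for natd are normally placed ahead of the stateful rules.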