RE: Problems using natd to access internal webserver

From: Andras Kende (andras_at_kende.com)
Date: 11/25/03

    To: "'Clayton F'" <nospam@bitheaven.net>, <freebsd-questions@FreeBSD.org>
    Date: Tue, 25 Nov 2003 09:39:33 -0600
    
    

    I think your firewall's "keep state" is the problem.
    Here are some examples which work great for me:

    This is a working example:

    /etc/rc.conf
    gateway_enable="YES"
    natd_enable=yes
    natd_interface=fxp0
    natd_flags="-f /etc/rc.natd"
    firewall_enable=YES
    firewall_script="/etc/rc.firewall"

    /etc/rc.natd
    redirect_port tcp 10.1.1.18:80 8000

    /etc/rc.firewall
    $fwcmd add allow log tcp from any to any 8000 setup

    / kernel
    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPDIVERT

    Best regards,

    Andras Kende
    http://www.kende.com

    -----Original Message-----
    From: owner-freebsd-questions@freebsd.org
    [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Clayton F
    Sent: Tuesday, November 25, 2003 3:12 AM
    To: freebsd-questions@FreeBSD.org
    Subject: Problems using natd to access internal webserver

    I am having trouble using natd to redirect incoming http requests to an
    internal web server. My ISP blocks incoming port 80 (the dogs!), so the
    browser needs to send its request on an unprivileged port - I chose
    port 5500.

    So in my web browser I enter url http://www.mydomain.com:5500/

    My rc.conf sets up the natd redirect as follows:

            natd_enable="YES"
            natd_interface="fxp0"
            natd_flags="-redirect_port tcp 192.168.1.99:80 5500"

    my firewall explicitly allows port 5500 entry as follows:

            pass in quick on fxp0 proto tcp from any to any port = 5500 keep state

    But when I point my web browser at port 5500, I get the following:
    "Could not open the page "http://www.mydomain.com:5500/" because Safari
    couldn't connect to the server "www.mydomain.com".

    With tcpdump set to listen on port 5500 I get the following output:

    01:06:19.345827 e-66-117-83-2.empnet.net.12488 >
    bc120155.bendcable.com.5500: S 3657164703:3657164703(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.345988 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.12488: R 0:0(0) ack 3657164704 win 0
    01:06:19.390964 e-66-117-83-2.empnet.net.4458 >
    bc120155.bendcable.com.5500: S 2671871142:2671871142(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.391015 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.4458: R 0:0(0) ack 2671871143 win 0
    01:06:19.434339 e-66-117-83-2.empnet.net.55900 >
    bc120155.bendcable.com.5500: S 2109062641:2109062641(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.434390 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.55900: R 0:0(0) ack 2109062642 win 0
    01:06:19.479086 e-66-117-83-2.empnet.net.33048 >
    bc120155.bendcable.com.5500: S 1018302934:1018302934(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.479130 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.33048: R 0:0(0) ack 1018302935 win 0
    01:06:19.522875 e-66-117-83-2.empnet.net.60586 >
    bc120155.bendcable.com.5500: S 26968154:26968154(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.523022 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.60586: R 0:0(0) ack 26968155 win 0
    01:06:19.578958 e-66-117-83-2.empnet.net.57944 >
    bc120155.bendcable.com.5500: S 1035247753:1035247753(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.578993 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.57944: R 0:0(0) ack 1035247754 win 0
    01:06:19.623151 e-66-117-83-2.empnet.net.57938 >
    bc120155.bendcable.com.5500: S 1144796038:1144796038(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916522 0> (DF)
    01:06:19.623189 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.57938: R 0:0(0) ack 1144796039 win 0
    01:06:19.666940 e-66-117-83-2.empnet.net.27714 >
    bc120155.bendcable.com.5500: S 347489487:347489487(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.666985 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.27714: R 0:0(0) ack 347489488 win 0
    01:06:19.709585 e-66-117-83-2.empnet.net.40754 >
    bc120155.bendcable.com.5500: S 1869973581:1869973581(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.709612 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.40754: R 0:0(0) ack 1869973582 win 0
    01:06:19.756122 e-66-117-83-2.empnet.net.18348 >
    bc120155.bendcable.com.5500: S 3628283803:3628283803(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.756152 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.18348: R 0:0(0) ack 3628283804 win 0
    01:06:19.804295 e-66-117-83-2.empnet.net.52446 >
    bc120155.bendcable.com.5500: S 3652608703:3652608703(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.804377 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.52446: R 0:0(0) ack 3652608704 win 0
    01:06:19.847865 e-66-117-83-2.empnet.net.18192 >
    bc120155.bendcable.com.5500: S 238075128:238075128(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.847897 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.18192: R 0:0(0) ack 238075129 win 0
    01:06:19.891162 e-66-117-83-2.empnet.net.25176 >
    bc120155.bendcable.com.5500: S 60109903:60109903(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.891206 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.25176: R 0:0(0) ack 60109904 win 0
    01:06:19.934624 e-66-117-83-2.empnet.net.41352 >
    bc120155.bendcable.com.5500: S 2942823322:2942823322(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.934652 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.41352: R 0:0(0) ack 2942823323 win 0
    01:06:19.976920 e-66-117-83-2.empnet.net.25770 >
    bc120155.bendcable.com.5500: S 1830184345:1830184345(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:19.976947 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.25770: R 0:0(0) ack 1830184346 win 0
    01:06:20.019365 e-66-117-83-2.empnet.net.37826 >
    bc120155.bendcable.com.5500: S 3428010868:3428010868(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:20.019392 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.37826: R 0:0(0) ack 3428010869 win 0
    01:06:20.063532 e-66-117-83-2.empnet.net.57502 >
    bc120155.bendcable.com.5500: S 373758618:373758618(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:20.063574 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.57502: R 0:0(0) ack 373758619 win 0
    01:06:20.112894 e-66-117-83-2.empnet.net.44448 >
    bc120155.bendcable.com.5500: S 3033730069:3033730069(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916523 0> (DF)
    01:06:20.112935 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.44448: R 0:0(0) ack 3033730070 win 0
    01:06:20.155772 e-66-117-83-2.empnet.net.31148 >
    bc120155.bendcable.com.5500: S 134626080:134626080(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916524 0> (DF)
    01:06:20.155805 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.31148: R 0:0(0) ack 134626081 win 0
    01:06:20.198041 e-66-117-83-2.empnet.net.23638 >
    bc120155.bendcable.com.5500: S 1299869796:1299869796(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916524 0> (DF)
    01:06:20.198067 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.23638: R 0:0(0) ack 1299869797 win 0
    01:06:20.240643 e-66-117-83-2.empnet.net.20744 >
    bc120155.bendcable.com.5500: S 2584151359:2584151359(0) win 65535 <mss
    1460,nop,wscale 0,nop,nop,timestamp 2239916524 0> (DF)
    01:06:20.240671 bc120155.bendcable.com.5500 >
    e-66-117-83-2.empnet.net.20744: R 0:0(0) ack 2584151360 win 0

    It appears the web server's attempt to make the connection is falling
    on deaf ears.

    (btw: I've confirmed the web server is up and running - if I set up a
    localhost port forward using ssh - aka "ssh -L 5500:192.168.1.99:80
    myname@mydomain.com" I am able to access the web server)

    Any tips on what I'm doing wrong?

    Thanks!
    Clayton

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
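    A diagnostic check for the kind of trace Clayton posted, added here as an example (it is not code from either poster): it pairs each inbound SYN to the redirected port with the gateway's reply. A RST that acks the client's ISN+1, as in the trace above, is sent by the gateway's own TCP stack, which means the packet was never handed to natd and the redirect did not fire; a SYN/ACK means the redirect worked; no reply means the firewall dropped the SYN. The hostnames and sequence numbers in the sample are constructed in the format of the trace.

```python
import re
from collections import Counter

# Matches the tcpdump 3.x summary lines in the thread, e.g.
#   01:06:19.345988 gw.5500 > client.12488: R 0:0(0) ack 3657164704 win 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPF.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def _split(endpoint):
    host, port = endpoint.rsplit(".", 1)   # "host.port" -> (host, port)
    return host, int(port)

def classify_syns(lines, redirect_port):
    """Count, per inbound SYN to redirect_port, what the gateway sent back:
    'rst' (its own stack refused: the SYN never reached natd, so the
    redirect did not fire), 'synack' (redirect working) or 'no_reply'
    (the firewall dropped it)."""
    pending = {}        # (client_host, client_port) -> client ISN
    outcome = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src_host, src_port = _split(m["src"])
        dst_host, dst_port = _split(m["dst"])
        ack = int(m["ack"]) if m["ack"] else None
        if "S" in m["flags"] and ack is None and dst_port == redirect_port:
            pending[(src_host, src_port)] = int(m["seq"])   # inbound SYN
            continue
        key = (dst_host, dst_port)
        # A reply (RST or SYN/ACK) counts only if it acks the client's ISN + 1
        if src_port == redirect_port and key in pending and ack == pending[key] + 1:
            del pending[key]
            outcome["rst" if "R" in m["flags"] else "synack"] += 1
    outcome["no_reply"] += len(pending)
    return outcome

# Constructed sample in the trace's format: one SYN refused with RST (the
# pattern in the thread), one answered with SYN/ACK, one left unanswered.
SAMPLE = """\
01:06:19.345827 client.example.12488 > gw.example.5500: S 3657164703:3657164703(0) win 65535 <mss 1460> (DF)
01:06:19.345988 gw.example.5500 > client.example.12488: R 0:0(0) ack 3657164704 win 0
01:06:20.100000 client.example.5000 > gw.example.5500: S 100:100(0) win 65535 <mss 1460> (DF)
01:06:20.100500 gw.example.5500 > client.example.5000: S 900:900(0) ack 101 win 57344 <mss 1460>
01:06:21.000000 client.example.5001 > gw.example.5500: S 200:200(0) win 65535 <mss 1460> (DF)
""".splitlines()
```

Run it over the real capture with `tcpdump -n ... | python3 -c ...` or by feeding the saved lines to `classify_syns(lines, 5500)`; a result of only 'rst' outcomes confirms the SYNs are being refused by the gateway itself rather than forwarded.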



