natd port forward times out, tcpdump yields nothing
Henri Hennebert
hlh at restart.be
Mon Mar 24 03:10:42 PDT 2008
Kage wrote:
> Well, no, see it's hitting natd just fine as shown by my natd verbose
> logs, if you're assuming ipfw is blocking me from reaching natd. Are
> you talking about adding a firewall rule for each of my round-robin
> addresses, too?
Yes
> How would that do any good?
All response paquet to a paquet diverted to natd must also be diverted
to natd to be reverse translated. eg:
incoming request from client (c) to server (s) redirected to server (S)
c.c.c.c -> s.s.s.s nated as c.c.c.c -> S.S.S.S
must have response paquetd reverse translated:
S.S.S.S -> c.c.c.c nated as s.s.s.s -> c.c.c.c
to be a valid response to client (c).
>
> On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert <hlh at restart.be> wrote:
>> Kage wrote:
>> > Hey guys,
>> >
>> > This is a fun one that's stumped people in Freenode ##freebsd.
>> > Basically, I have this layout:
>> >
>> > irc.domain.com -> DNS A -> IRC Jail
>> >
>> > When someone connects to irc.domain.com on IRC ports (6667, 8067,
>> > etc.), it round-robins them using natd, otherwise it sends all other
>> > port requests to the IRC jail as per normal (such as port 80, which is
>> > my primary concern). As for having it setup to have ipfw divert to
>> > natd, that's done and works, as shown by natd verbose mode:
>> >
>> > In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
>> > [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
>> >
>> > (For reference)
>> > 207.210.114.45 = jail IP
>> > 72.20.28.202 = example target IP in the round-robin
>> > 72.65.73.23 = my IP
>> >
>> > Right now, my ipfw.rules file is as follows:
>> >
>> > [root at nub /etc]# cat ipfw.rules
>> > IPF="ipfw -q add"
>> > ipfw -f -q flush
>> >
>> > #loopback
>> > $IPF 10 allow all from any to any via lo0
>> > $IPF 20 deny all from any to 127.0.0.0/8
>> > $IPF 30 deny all from 127.0.0.0/8 to any
>> > $IPF 40 deny tcp from any to any frag
>> >
>> > # statefull
>> > $IPF 50 check-state
>> > $IPF 60 allow tcp from any to any established
>> > $IPF 70 allow all from any to any out keep-state
>> > $IPF 54999 allow icmp from any to any
>> >
>> > # Include the deny file
>> > . /etc/ipfw.deny
>> >
>> > [snip -- some allowed ports]
>> > # IRC (natd divert for IRC port-forwarding
>> > $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
>> > $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
>> > $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
>> > $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
>> > $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0
>>
>>
>> You must also divert the response trafic AFAIK eg:
>>
>> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0
>>
>>
>>
>> > # keep these two IRC ports normally open for BNC
>> > $IPF 50270 allow all from any to any 31337 in
>> > $IPF 50380 allow all from any to any 31337 out
>> > [snip -- more allowed ports]
>> > # deny and log everything
>> > $IPF 55000 deny log all from any to any
>> >
>> > -----
>> >
>> > Here's a dump of ipfw show, with some stuff cut out for space purposes
>> > (they're just denied DDoS IPs)
>> >
>> > [root at nub /etc]# ipfw show
>> > 00010 61124 16056802 allow ip from any to any via lo0
>> > 00020 0 0 deny ip from any to 127.0.0.0/8
>> > 00030 0 0 deny ip from 127.0.0.0/8 to any
>> > 00040 0 0 deny tcp from any to any frag
>> > 00050 0 0 check-state
>> > 00060 670616 455926379 allow tcp from any to any established
>> > 00070 16213 14071853 allow ip from any to any out keep-state
>> > [snip]
>> > 50220 468 22464 divert 8668 ip from any to 207.210.114.45
>> > dst-port 6667 via rl0
>> > 50230 0 0 divert 8668 ip from any to 207.210.114.45
>> > dst-port 8067 via rl0
>> > 50240 0 0 divert 8668 ip from any to 207.210.114.45
>> > dst-port 8068 via rl0
>> > 50250 0 0 divert 8668 ip from any to 207.210.114.45
>> > dst-port 6697 via rl0
>> > 50260 0 0 divert 8668 ip from any to 207.210.114.45
>> > dst-port 7000 via rl0
>> > 50270 1 60 allow ip from any to any dst-port 31337 in
>> > 54999 66 3991 allow icmp from any to any
>> > 55000 4364 343609 deny log logamount 100 ip from any to any
>> > 65535 29 4176 allow ip from any to any
>> >
>> > My natd.conf is as follows:
>> >
>> > [root at nub /etc]# cat natd.conf
>> > # Nub.Core NATd
>> > verbose
>> > alias_address 207.210.114.45
>> > log
>> > log_denied
>> > log_ipfw_denied
>> > pid_file /var/run/natd.pid
>> >
>> >
>> > ### IRC Redirect Ports
>> > # 6667
>>
>>
>> If I understand man natd
>>
>>
>>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
>> ^^^^^^^^^^^^^
>> Trafic is comming from 72.65.73.23 - so the rule don't apply
>>
>>
>>> [root at nub /etc]#
>> >
>> > And, as stated above, I am showing connection diverts to natd. When I
>> > run the following three tcpdumps:
>> >
>> > tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and
>> > dst host 207.210.114.45 and dst port 6667
>> > tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and
>> > dst host 207.210.114.45 and dst port 6667
>> > tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45
>> > and dst host 72.20.28.202 and src port 6667
>> >
>> > Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:
>> >
>> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap
>> > -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap
>> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap
>> >
>> > So, can anyone diagnose and fix this? Thanks.
>> >
>> > (P.S.: I'm aware of the DNS methods of doing round-robin, but please
>> > keep that from this discussion. I need to port-forward round-robin,
>> > not whole DNS)
>> >
>>
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>
>
>
More information about the freebsd-net
mailing list