From: alexus
Reply-To: google@alexus.org
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Date: Tue, 20 Jul 2010 14:07:54 -0400
Subject: Re: ipnat.conf - map and rdr won't work!
In-Reply-To: <4C45D57F.2020506@locolomo.org>
References: <4C3F91CF.5090206@locolomo.org> <4C419944.8030702@locolomo.org> <4C447F7F.6020308@locolomo.org> <4C45D57F.2020506@locolomo.org>

On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard wrote:
> On 20/07/10 18.02, alexus wrote:
>>
>> On Mon, Jul 19, 2010 at 12:38 PM, Erik Norgaard wrote:
>>>
>>> On 19/07/10 16.46, alexus wrote:
>>> Can't help you more, really, you need to investigate where packets are
>>> dropped, tcpdump is a great tool and the man-page is excellent, can't
>>> explain it better, if you don't like tcpdump then use any other packet
>>> sniffing tool at hand, snort for example.
>>
>> ipmon:
>>
>> 20/07/2010 10:22:00.123106 @2 NAT:RDR 172.16.172.16,22 <- -> 64.52.58.58,22 [69.10.67.106,6346 PR tcp]
>> 20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 172.16.172.16,22 <- -> 64.52.58.58,22 [69.10.67.106,6346 PR tcp] Pkts 11/0 Bytes 640/0
>>
>> tcpdump:
>>
>> tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 11:40:07.366519 IP (tos 0x0, ttl 49, id 48580, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc05d (correct), 208454974:208454974(0) win 65535 <mss 1380,nop,wscale 3,nop,nop,timestamp 91387932 0,sackOK,eol>
>> 0 packets dropped by kernel
>
> What tcpdump options did you use, on what interface? Where did you run it?
> On the hosting system or within the jail?

'tcpdump -n -i fxp0 -vv' was run on the host.
fxp0 is a public interface.

>>> Can packets get dropped because of your firewall default policy? For
>>> stealth it may be set to simply drop packets, which results in a connection
>>> time-out rather than sending a TCP-RST.
>
>> I disabled ipfw, and I don't have any rules inside of ipfilter
>
> You do have the default rule.
> IIRC this is set when you compile ipfilter, it
> can be set to either block or pass.

The main reason why I have ipfilter is because it is required by ipnat.

> If you don't remember what it was, then you can override it by configuring
> two rules:
>
> pass in quick all
> pass out quick all

Done:

su-3.2# cat /etc/ipf.rules | grep -v ^#
pass in quick all
pass out quick all
su-3.2#

>>> Do you have any logs in the jail that indicate that the first packet is
>>> actually received? Does your firewall log connections? If not, see how you
>>> can enable logs on all rules to get more information.
>>
>> Nothing gets to the jail, therefore no logs inside of the jail.
>
> Ok, but you should be able to configure log on your firewall/nat rules. IIRC
> ipfilter does not permit a log statement on nat rules; you can switch to
> packet filter, it has almost the same syntax and permits log.
>

Plan B is to run natd, but I'd rather run ipnat, especially since ipnat
used to work before with no problem!

>>> Can you connect out from the jail, to external servers? Only to the jail
>>> hosting server? Did the jail's ssh log tell anything?
>>
>> No, I can not connect out from the jail, as map doesn't work either,
>> nothing gets to
>
> Nor to the hosting system?
>

I'm able to ssh out from the jail to the host system, as this is local; no "map"
(nat) is needed for this connection.

>>> You wrote you can connect with ssh from the hosting server to the jail,
>>> but it took a long time, did you investigate this? Is there some DNS issue
>>> that times out and causes the connection to fail?
>
> What about that "long time" I recall you mentioned?

My guess is it's trying to do a DNS reverse lookup, and since map (nat)
doesn't work it takes a long time.
Back in the days when nat was working, sshing didn't take a long time at all.

>>> Can you ping your jail? Can you ping out? Default route is configured?
>>
>> I can ping my jail within the host environment.
>> Once again, nothing within the jail works as map (nat) isn't working.
>
> Are you sure you're actually pinging the jail? IIRC from your previous mail
> you have configured the jail IP both on the host environment and in the
> jail.

su-3.2# ping -c1 lama
PING lama (172.16.172.16): 56 data bytes
64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms

--- lama ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
su-3.2#

The IP address tells me that this is in fact the jail's IP.

> So I suppose that from your host environment you can ssh into the jail? Did
> ssh start up, netstat -l? From the jail, can you ping the host environment?

su-3.2# jls
   JID  IP Address      Hostname    Path
     1  172.16.172.16   lama        /usr/jail/lama
su-3.2# jexec 1 /etc/rc.d/sshd status
sshd is running as pid 1085.
su-3.2# ps -p 1085
  PID  TT  STAT      TIME COMMAND
 1085  ??  IsJ    0:00.00 /usr/sbin/sshd
su-3.2#

>> The default router isn't configured in rc.conf (inside of the jail); as per
>> the jail's man page it's not needed.
>> It was working fine before without it.
>>
>>> There are tons of tests you can do to figure out what's failing.
>
> Do you have additional external IP addresses available?

Unfortunately no; if I had them I wouldn't need to do "map" nor "rdr".

> Last time I played around with jail, I had this:
>
> ifconfig_vr1="inet 172.16.0.1/23"         # Hosting system
> ifconfig_vr1_alias0="inet 172.16.0.2/32"  # Jail
> ....
> jail_test_ip="172.16.0.2"
> ....
>
> So that would create an alias for the jail and bypass the need for rdr.
>
> BR, Erik
>

I know, I can run that IP address as an alias on the public interface,
but we on purpose added another NIC to be the private NIC.

-- 
http://alexus.org/
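The most telling evidence in this thread is the pair of ipmon lines the poster quotes: a NAT:RDR line showing the session being created, followed by a NAT:EXPIRE line with "Pkts 11/0 Bytes 640/0", i.e. eleven packets in one direction and none in the other. A redirect that is created but never carries return traffic points at the reply path (routing inside the jail, the default filter policy, or a missing "map" rule) rather than at the rdr rule itself. As an added example, not code from the thread or from the IPFilter project, here is a small Python parser that reads ipmon NAT lines and reports expired sessions whose two packet counters show traffic in only one direction, pairing each EXPIRE with the RDR or MAP line that opened the session. It assumes the field layout visible in the quoted output and that the two numbers after "Pkts" and "Bytes" are per-direction counters; the sample log is constructed from the two lines quoted in the thread plus a made-up healthy outbound session (198.51.100.7) for contrast.

```python
"""Spot one-way NAT sessions in ipmon (IPFilter) NAT log output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two ipmon lines quoted in the thread, plus a made-up
# outbound "map" session (remote 198.51.100.7, a documentation address) that
# carried traffic in both directions, so the report has something to ignore.
SAMPLE_LOG = """\
20/07/2010 10:22:00.123106 @2 NAT:RDR 172.16.172.16,22 <- -> 64.52.58.58,22 [69.10.67.106,6346 PR tcp]
20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 172.16.172.16,22 <- -> 64.52.58.58,22 [69.10.67.106,6346 PR tcp] Pkts 11/0 Bytes 640/0
20/07/2010 10:30:00.000001 @1 NAT:MAP 172.16.172.16,51000 <- -> 64.52.58.58,51000 [198.51.100.7,80 PR tcp]
20/07/2010 10:31:00.000002 @1 NAT:EXPIRE 172.16.172.16,51000 <- -> 64.52.58.58,51000 [198.51.100.7,80 PR tcp] Pkts 9/8 Bytes 1200/5400
"""

# Layout assumed from the quoted output:
#   <date> <time> @<rule> NAT:<EVENT> inside,port <- -> outside,port [remote,port PR proto]
# EXPIRE lines additionally carry "Pkts a/b Bytes a/b", assumed to be the two
# directions of the session. The whitespace around "<- ->" is tolerated so the
# HTML-mangled "22<- ->" form seen in list archives also parses.
NAT_LINE = re.compile(
    r"^(?P<stamp>\S+ \S+) @(?P<rule>\d+) NAT:(?P<event>[A-Z]+) "
    r"(?P<in_ip>[\d.]+),(?P<in_port>\d+)\s*<- ->\s*(?P<out_ip>[\d.]+),(?P<out_port>\d+) "
    r"\[(?P<rem_ip>[\d.]+),(?P<rem_port>\d+) PR (?P<proto>\w+)\]"
    r"(?: Pkts (?P<p0>\d+)/(?P<p1>\d+) Bytes (?P<b0>\d+)/(?P<b1>\d+))?"
)


@dataclass(frozen=True)
class NatEvent:
    stamp: str
    rule: int
    event: str                        # RDR, MAP or EXPIRE
    inside: tuple[str, int]
    outside: tuple[str, int]
    remote: tuple[str, int]
    proto: str
    pkts: Optional[tuple[int, int]]   # present on EXPIRE lines only
    nbytes: Optional[tuple[int, int]]

    def key(self) -> tuple:
        """Session identity shared by the creating line and its EXPIRE line."""
        return (self.inside, self.outside, self.remote, self.proto)


def parse_line(line: str) -> Optional[NatEvent]:
    """Parse one ipmon NAT line; return None for anything else (filter logs, noise)."""
    m = NAT_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    has_counters = g["p0"] is not None
    return NatEvent(
        stamp=g["stamp"], rule=int(g["rule"]), event=g["event"],
        inside=(g["in_ip"], int(g["in_port"])),
        outside=(g["out_ip"], int(g["out_port"])),
        remote=(g["rem_ip"], int(g["rem_port"])),
        proto=g["proto"],
        pkts=(int(g["p0"]), int(g["p1"])) if has_counters else None,
        nbytes=(int(g["b0"]), int(g["b1"])) if has_counters else None,
    )


def parse_log(text: str) -> list[NatEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def one_way_sessions(events: list[NatEvent]) -> list[dict]:
    """Return expired sessions that carried packets in exactly one direction.

    Each finding names the translation (RDR or MAP) that created the session,
    so a dead redirect and a dead outbound map are told apart in the report.
    Sessions with zero packets both ways are not reported: nothing was tried.
    """
    created_by: dict[tuple, str] = {}
    findings: list[dict] = []
    for ev in events:
        if ev.event in ("RDR", "MAP"):
            created_by[ev.key()] = ev.event
        elif ev.event == "EXPIRE" and ev.pkts is not None:
            a, b = ev.pkts
            if (a == 0) != (b == 0):  # traffic in one direction only
                findings.append({
                    "created_by": created_by.get(ev.key(), "unknown"),
                    "rule": ev.rule,
                    "inside": ev.inside,
                    "remote": ev.remote,
                    "pkts": ev.pkts,
                })
    return findings


if __name__ == "__main__":
    for f in one_way_sessions(parse_log(SAMPLE_LOG)):
        print(f"one-way {f['created_by']} session @{f['rule']}: "
              f"{f['remote'][0]}:{f['remote'][1]} <-> {f['inside'][0]}:{f['inside'][1]} "
              f"pkts {f['pkts'][0]}/{f['pkts'][1]}")
```

Run against a live ipmon log instead of SAMPLE_LOG, a burst of one-way RDR sessions is the signature of exactly the situation in this thread: the public interface accepts the SYN and the translation is installed, but nothing ever comes back from the inside host. For a jail on a private NIC that usually means the jail's replies are not reaching the NAT interface, which is where a packet capture on the private interface, rather than on fxp0, would show the gap.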