From owner-freebsd-net@FreeBSD.ORG Mon Mar 24 16:04:36 2008
Date: Mon, 24 Mar 2008 12:04:32 -0400
From: Kage
To: "Henri Hennebert", freebsd-net@freebsd.org
Subject: Re: natd port forward times out, tcpdump yields nothing
In-Reply-To: <47E77E1C.7090000@restart.be>
References: <47E50936.1010405@restart.be> <47E77E1C.7090000@restart.be>
List-Id: Networking and TCP/IP with FreeBSD

Still not working, but I DO have natd aliasing properly. Here's my natd
output (remember which IP is mine, the IRC jail, and the example
round-robin IP):

[root@nub /etc]# natd -f /etc/natd.conf
In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
[TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
[TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
[TCP] 72.65.73.23:2897 -> 72.20.28.202:6667

72...23 (me) is hitting the natd on the jail IP (207...45), which is
getting correctly aliased to 72...202 (example round-robin IP). So it
appears the natd is working properly.
Here's my natd configuration as it exists now:

# Nub.Core NATd
verbose
alias_address 207.210.114.45
log
log_denied
log_ipfw_denied
pid_file /var/run/natd.pid

### IRC Redirect Ports
# 6667
redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667

And for more record, here's my ipfw.rules file up until the divert:

[root@nub /etc]# cat ipfw.rules
IPF="ipfw -q add"
ipfw -f -q flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 54999 allow icmp from any to any

[snip -- Some allowed ports (port 80, 443, etc.), and some denied IPs]

# IRC (natd divert for IRC port-forwarding)
$IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 6667 via rl0
$IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0

Any attempt to connect to the IRC jail IP thus far, though, still fails
with a "connection timed out." Thanks for your help thus far. Any
additional ideas?

On Mon, Mar 24, 2008 at 6:10 AM, Henri Hennebert wrote:
> Kage wrote:
> > Well, no, see it's hitting natd just fine as shown by my natd verbose
> > logs, if you're assuming ipfw is blocking me from reaching natd. Are
> > you talking about adding a firewall rule for each of my round-robin
> > addresses, too?
>
> Yes
>
> > How would that do any good?
>
> All response packets to a packet diverted to natd must also be diverted
> to natd to be reverse translated. eg:
>
> incoming request from client (c) to server (s) redirected to server (S)
>
> c.c.c.c -> s.s.s.s nated as c.c.c.c -> S.S.S.S
>
> must have response packets reverse translated:
>
> S.S.S.S -> c.c.c.c nated as s.s.s.s -> c.c.c.c
>
> to be a valid response to client (c).
>
> >
> >
> > On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert wrote:
> >> Kage wrote:
> >> > Hey guys,
> >> >
> >> > This is a fun one that's stumped people in Freenode ##freebsd.
> >> > Basically, I have this layout:
> >> >
> >> > irc.domain.com -> DNS A -> IRC Jail
> >> >
> >> > When someone connects to irc.domain.com on IRC ports (6667, 8067,
> >> > etc.), it round-robins them using natd, otherwise it sends all other
> >> > port requests to the IRC jail as per normal (such as port 80, which is
> >> > my primary concern). As for having it setup to have ipfw divert to
> >> > natd, that's done and works, as shown by natd verbose mode:
> >> >
> >> > In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
> >> > [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
> >> >
> >> > (For reference)
> >> > 207.210.114.45 = jail IP
> >> > 72.20.28.202 = example target IP in the round-robin
> >> > 72.65.73.23 = my IP
> >> >
> >> > Right now, my ipfw.rules file is as follows:
> >> >
> >> > [root@nub /etc]# cat ipfw.rules
> >> > IPF="ipfw -q add"
> >> > ipfw -f -q flush
> >> >
> >> > #loopback
> >> > $IPF 10 allow all from any to any via lo0
> >> > $IPF 20 deny all from any to 127.0.0.0/8
> >> > $IPF 30 deny all from 127.0.0.0/8 to any
> >> > $IPF 40 deny tcp from any to any frag
> >> >
> >> > # stateful
> >> > $IPF 50 check-state
> >> > $IPF 60 allow tcp from any to any established
> >> > $IPF 70 allow all from any to any out keep-state
> >> > $IPF 54999 allow icmp from any to any
> >> >
> >> > # Include the deny file
> >> > . /etc/ipfw.deny
> >> >
> >> > [snip -- some allowed ports]
> >> > # IRC (natd divert for IRC port-forwarding)
> >> > $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
> >> > $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
> >> > $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
> >> > $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
> >> > $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0
> >>
> >> You must also divert the response traffic AFAIK eg:
> >>
> >> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0
> >>
> >> > # keep these two IRC ports normally open for BNC
> >> > $IPF 50270 allow all from any to any 31337 in
> >> > $IPF 50380 allow all from any to any 31337 out
> >> > [snip -- more allowed ports]
> >> > # deny and log everything
> >> > $IPF 55000 deny log all from any to any
> >> >
> >> > -----
> >> >
> >> > Here's a dump of ipfw show, with some stuff cut out for space purposes
> >> > (they're just denied DDoS IPs)
> >> >
> >> > [root@nub /etc]# ipfw show
> >> > 00010 61124 16056802 allow ip from any to any via lo0
> >> > 00020 0 0 deny ip from any to 127.0.0.0/8
> >> > 00030 0 0 deny ip from 127.0.0.0/8 to any
> >> > 00040 0 0 deny tcp from any to any frag
> >> > 00050 0 0 check-state
> >> > 00060 670616 455926379 allow tcp from any to any established
> >> > 00070 16213 14071853 allow ip from any to any out keep-state
> >> > [snip]
> >> > 50220 468 22464 divert 8668 ip from any to 207.210.114.45 dst-port 6667 via rl0
> >> > 50230 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8067 via rl0
> >> > 50240 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8068 via rl0
> >> > 50250 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 6697 via rl0
> >> > 50260 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 7000 via rl0
> >> > 50270 1 60 allow ip from any to any dst-port 31337 in
> >> > 54999 66 3991 allow icmp from any to any
> >> > 55000 4364 343609 deny log logamount 100 ip from any to any
> >> > 65535 29 4176 allow ip from any to any
> >> >
> >> > My natd.conf is as follows:
> >> >
> >> > [root@nub /etc]# cat natd.conf
> >> > # Nub.Core NATd
> >> > verbose
> >> > alias_address 207.210.114.45
> >> > log
> >> > log_denied
> >> > log_ipfw_denied
> >> > pid_file /var/run/natd.pid
> >> >
> >> >
> >> > ### IRC Redirect Ports
> >> > # 6667
> >>
> >> If I understand man natd
> >>
> >>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
> >>                                                          ^^^^^^^^^^^^^
> >> Traffic is coming from 72.65.73.23 - so the rule doesn't apply
> >>
> >>> [root@nub /etc]#
> >> >
> >> > And, as stated above, I am showing connection diverts to natd. When I
> >> > run the following three tcpdumps:
> >> >
> >> > tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and
> >> > dst host 207.210.114.45 and dst port 6667
> >> > tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and
> >> > dst host 207.210.114.45 and dst port 6667
> >> > tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45
> >> > and dst host 72.20.28.202 and src port 6667
> >> >
> >> > Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:
> >> >
> >> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap
> >> > -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap
> >> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap
> >> >
> >> > So, can anyone diagnose and fix this? Thanks.
> >> >
> >> > (P.S.: I'm aware of the DNS methods of doing round-robin, but please
> >> > keep that from this discussion. I need to port-forward round-robin,
> >> > not whole DNS)
> >> >
> >>
> >>
> >> _______________________________________________
> >> freebsd-net@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> >>
> >
> >
> >
>

-- 
~ Kage
http://vitund.com
http://hackthissite.org
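The point Henri makes in the thread (c -> s nated to c -> S, and the reply S -> c has to be reverse-nated to s -> c before the client will accept it) is easy to see in a small model. The following is an added example for this archive page, not natd's or ipfw's code: it models one redirect_port entry with a translation table, a simplified subset of the `divert natd` rule syntax, and a TCP client that only accepts a reply mirroring its own connection. The addresses are the ones from the thread; the packets are constructed, not captured. The rule set `WITH_RETURN_DIVERT` and its rule number 50222 are assumptions of this example, chosen so that the reply from the target is matched on its source alone, since in the thread's c/s/S notation the reply is addressed to the client, not to the alias address.

```python
"""Model of two-way natd translation for a redirect_port rule.

Added example for the thread above (not natd's or ipfw's own code).
Addresses from the thread:
  72.65.73.23    client (c)
  207.210.114.45 jail / natd alias address (s)
  72.20.28.202   round-robin target (S)
All packets below are constructed for the model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLIENT = "72.65.73.23"
ALIAS = "207.210.114.45"
TARGET = "72.20.28.202"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DivertRule:
    """Subset of 'ipfw add N divert natd all from SRC [PORT] to DST [PORT]'."""
    number: int
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class NatdModel:
    """natd with a single redirect_port: alias:alias_port -> target:target_port."""

    def __init__(self, alias: str, alias_port: int, target: str, target_port: int):
        self.alias, self.alias_port = alias, alias_port
        self.target = (target, target_port)
        # translation table: (client ip, client port) -> (target ip, target port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, p: Packet) -> Packet:
        # forward direction: c -> s becomes c -> S, and the flow is remembered
        if (p.dst, p.dport) == (self.alias, self.alias_port):
            self.table[(p.src, p.sport)] = self.target
            return Packet(p.src, p.sport, *self.target)
        # reverse direction: S -> c becomes s -> c, only for a remembered flow
        if self.table.get((p.dst, p.dport)) == (p.src, p.sport):
            return Packet(self.alias, self.alias_port, p.dst, p.dport)
        return p  # no table entry: natd leaves the packet untouched


def firewall(rules: List[DivertRule], natd: NatdModel, p: Packet) -> Packet:
    """The first matching divert rule hands the packet to natd; otherwise it passes as-is."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(p):
            return natd.translate(p)
    return p


def client_accepts(conn: Packet, reply: Packet) -> bool:
    """A TCP client only accepts a reply whose addresses mirror its own connection."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        conn.dst, conn.dport, conn.src, conn.sport)


def simulate(rules: List[DivertRule]) -> Tuple[Packet, Packet, bool]:
    """Run one request and its reply through the rules.

    Returns (request after natd, reply as the client sees it, client accepted?).
    """
    natd = NatdModel(ALIAS, 6667, TARGET, 6667)
    request = Packet(CLIENT, 2897, ALIAS, 6667)
    forwarded = firewall(rules, natd, request)              # what leaves for S
    raw_reply = Packet(forwarded.dst, forwarded.dport,      # S answers c directly
                       forwarded.src, forwarded.sport)
    seen = firewall(rules, natd, raw_reply)                 # what the client receives
    return forwarded, seen, client_accepts(request, seen)


# Divert rules exactly as posted in the latest ipfw.rules in the thread.
THREAD_RULES = [
    DivertRule(50220, src=TARGET, sport=6667, dst=ALIAS, dport=6667),
    DivertRule(50221, dst=ALIAS, dport=6667),
]

# Assumed variant (rule 50222 is invented for this model): divert the reply by
# its source address/port only, because in the thread's notation S answers c.
WITH_RETURN_DIVERT = THREAD_RULES + [DivertRule(50222, src=TARGET, sport=6667)]

if __name__ == "__main__":
    for name, rules in (("thread rules", THREAD_RULES),
                        ("with return divert", WITH_RETURN_DIVERT)):
        fwd, seen, ok = simulate(rules)
        print(f"{name}: request aliased to {fwd.dst}:{fwd.dport}; "
              f"reply reaches client from {seen.src}:{seen.sport}; accepted: {ok}")
```

With the thread's own two divert rules the request is aliased correctly (which is exactly what the verbose natd log shows), but the reply from 72.20.28.202:6667 to the client matches neither rule, is never reverse-translated, and arrives from an address the client's connection does not know, so the client drops it and the connect eventually times out. With a rule that also catches the target's reply, the model reverse-translates it to 207.210.114.45:6667 and the client accepts it. The caveat a defender checks first: a divert rule can only hand natd a packet that actually crosses rl0 on the natd host, which is what an empty capture on that interface for the return direction would rule out before any rule is changed.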