Date: Mon, 24 Mar 2008 16:53:19 -0400 From: Kage <kagekonjou@gmail.com> To: freebsd-net@freebsd.org Subject: Re: natd port forward times out, tcpdump yields nothing Message-ID: <d1556b2b0803241353s1a9b0977sf1218ae3a61e3c2c@mail.gmail.com> In-Reply-To: <47E80E01.4060605@restart.be> References: <d1556b2b0803211239r598e66eqf2adf04662201a76@mail.gmail.com> <47E50936.1010405@restart.be> <d1556b2b0803232123w6108819dgabdd4ea1fdcf94d4@mail.gmail.com> <47E77E1C.7090000@restart.be> <d1556b2b0803240904n5b286a08hf5fffc6bde3fa09b@mail.gmail.com> <47E80E01.4060605@restart.be>
next in thread | previous in thread | raw e-mail | index | archive | help
I changed my rules, and it's still not working: $IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0 $IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0 It's still timing connections out. On Mon, Mar 24, 2008 at 4:24 PM, Henri Hennebert <hlh@restart.be> wrote: > Kage wrote: > > Still not working, but I DO have natd aliasing properly. Here's my > > natd output (remember which IP is mine, the IRC jail, and the example > > round-robin IP): > > > > [root@nub /etc]# natd -f /etc/natd.conf > > In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to > > [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667 > > In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to > > [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667 > > In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to > > [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667 > > > > 72...23 (me) is hitting the natd on the jail IP (207...45), which is > > getting correctly aliased to 72...202 (example round-robin IP). So it > > appears the natd is working properly. > > In the client -> server direction only for now -- see bellow. > > > > > Here's my natd configuration as > > it exists now: > > > > # Nub.Core NATd > > verbose > > alias_address 207.210.114.45 > > log > > log_denied > > log_ipfw_denied > > pid_file /var/run/natd.pid > > > > ### IRC Redirect Ports > > # 6667 > > redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 > > > > And for more record, here's my ipfw.rules file up until the divert: > > > > [root@nub /etc]# cat ipfw.rules > > IPF="ipfw -q add" > > ipfw -f -q flush > > > > #loopback > > $IPF 10 allow all from any to any via lo0 > > $IPF 20 deny all from any to 127.0.0.0/8 > > $IPF 30 deny all from 127.0.0.0/8 to any > > $IPF 40 deny tcp from any to any frag > > > > # statefull > > $IPF 50 check-state > > $IPF 60 allow tcp from any to any established > > $IPF 70 allow all from any to any out keep-state > > $IPF 54999 allow icmp from any to any > > > > [snip -- Some allowed ports (port 80, 443, etc.), and some denied IPs] > > > > # IRC (natd divert for IRC port-forwarding > > $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 6667 via rl0 > ^^^^ > The destination port must not be given (ie any destination port > corresponding to any source port greater than 1023 for the request) - in > this test the source port is 2897, in the next one it may be anything > > 1023. Moreover `any' in place of 207.210.114.45 would be nice to allow > others to chat. So the rule should be: > > $IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0 > > Henri > > > > > $IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0 > > > > Any attempt to connect to the IRC jail IP thus far, though, still > > fails with a "connection timed out." > > > > Thanks for your help thus far. Any additional ideas? > > > > On Mon, Mar 24, 2008 at 6:10 AM, Henri Hennebert <hlh@restart.be> wrote: > >> Kage wrote: > >> > Well, no, see it's hitting natd just fine as shown by my natd verbose > >> > logs, if you're assuming ipfw is blocking me from reaching natd. Are > >> > you talking about adding a firewall rule for each of my round-robin > >> > addresses, too? > >> > >> Yes > >> > >> > >> > How would that do any good? > >> > >> All response paquet to a paquet diverted to natd must also be diverted > >> to natd to be reverse translated. eg: > >> > >> incoming request from client (c) to server (s) redirected to server (S) > >> > >> c.c.c.c -> s.s.s.s nated as c.c.c.c -> S.S.S.S > >> > >> must have response paquetd reverse translated: > >> > >> S.S.S.S -> c.c.c.c nated as s.s.s.s -> c.c.c.c > >> > >> to be a valid response to client (c). > >> > >> > >> > >> > > >> > On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert <hlh@restart.be> wrote: > >> >> Kage wrote: > >> >> > Hey guys, > >> >> > > >> >> > This is a fun one that's stumped people in Freenode ##freebsd. > >> >> > Basically, I have this layout: > >> >> > > >> >> > irc.domain.com -> DNS A -> IRC Jail > >> >> > > >> >> > When someone connects to irc.domain.com on IRC ports (6667, 8067, > >> >> > etc.), it round-robins them using natd, otherwise it sends all other > >> >> > port requests to the IRC jail as per normal (such as port 80, which is > >> >> > my primary concern). As for having it setup to have ipfw divert to > >> >> > natd, that's done and works, as shown by natd verbose mode: > >> >> > > >> >> > In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to > >> >> > [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 > >> >> > > >> >> > (For reference) > >> >> > 207.210.114.45 = jail IP > >> >> > 72.20.28.202 = example target IP in the round-robin > >> >> > 72.65.73.23 = my IP > >> >> > > >> >> > Right now, my ipfw.rules file is as follows: > >> >> > > >> >> > [root@nub /etc]# cat ipfw.rules > >> >> > IPF="ipfw -q add" > >> >> > ipfw -f -q flush > >> >> > > >> >> > #loopback > >> >> > $IPF 10 allow all from any to any via lo0 > >> >> > $IPF 20 deny all from any to 127.0.0.0/8 > >> >> > $IPF 30 deny all from 127.0.0.0/8 to any > >> >> > $IPF 40 deny tcp from any to any frag > >> >> > > >> >> > # statefull > >> >> > $IPF 50 check-state > >> >> > $IPF 60 allow tcp from any to any established > >> >> > $IPF 70 allow all from any to any out keep-state > >> >> > $IPF 54999 allow icmp from any to any > >> >> > > >> >> > # Include the deny file > >> >> > . /etc/ipfw.deny > >> >> > > >> >> > [snip -- some allowed ports] > >> >> > # IRC (natd divert for IRC port-forwarding > >> >> > $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0 > >> >> > $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0 > >> >> > $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0 > >> >> > $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0 > >> >> > $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0 > >> >> > >> >> > >> >> You must also divert the response trafic AFAIK eg: > >> >> > >> >> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0 > >> >> > >> >> > >> >> > >> >> > # keep these two IRC ports normally open for BNC > >> >> > $IPF 50270 allow all from any to any 31337 in > >> >> > $IPF 50380 allow all from any to any 31337 out > >> >> > [snip -- more allowed ports] > >> >> > # deny and log everything > >> >> > $IPF 55000 deny log all from any to any > >> >> > > >> >> > ----- > >> >> > > >> >> > Here's a dump of ipfw show, with some stuff cut out for space purposes > >> >> > (they're just denied DDoS IPs) > >> >> > > >> >> > [root@nub /etc]# ipfw show > >> >> > 00010 61124 16056802 allow ip from any to any via lo0 > >> >> > 00020 0 0 deny ip from any to 127.0.0.0/8 > >> >> > 00030 0 0 deny ip from 127.0.0.0/8 to any > >> >> > 00040 0 0 deny tcp from any to any frag > >> >> > 00050 0 0 check-state > >> >> > 00060 670616 455926379 allow tcp from any to any established > >> >> > 00070 16213 14071853 allow ip from any to any out keep-state > >> >> > [snip] > >> >> > 50220 468 22464 divert 8668 ip from any to 207.210.114.45 > >> >> > dst-port 6667 via rl0 > >> >> > 50230 0 0 divert 8668 ip from any to 207.210.114.45 > >> >> > dst-port 8067 via rl0 > >> >> > 50240 0 0 divert 8668 ip from any to 207.210.114.45 > >> >> > dst-port 8068 via rl0 > >> >> > 50250 0 0 divert 8668 ip from any to 207.210.114.45 > >> >> > dst-port 6697 via rl0 > >> >> > 50260 0 0 divert 8668 ip from any to 207.210.114.45 > >> >> > dst-port 7000 via rl0 > >> >> > 50270 1 60 allow ip from any to any dst-port 31337 in > >> >> > 54999 66 3991 allow icmp from any to any > >> >> > 55000 4364 343609 deny log logamount 100 ip from any to any > >> >> > 65535 29 4176 allow ip from any to any > >> >> > > >> >> > My natd.conf is as follows: > >> >> > > >> >> > [root@nub /etc]# cat natd.conf > >> >> > # Nub.Core NATd > >> >> > verbose > >> >> > alias_address 207.210.114.45 > >> >> > log > >> >> > log_denied > >> >> > log_ipfw_denied > >> >> > pid_file /var/run/natd.pid > >> >> > > >> >> > > >> >> > ### IRC Redirect Ports > >> >> > # 6667 > >> >> > >> >> > >> >> If I understand man natd > >> >> > >> >> > >> >>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667 > >> >> ^^^^^^^^^^^^^ > >> >> Trafic is comming from 72.65.73.23 - so the rule don't apply > >> >> > >> >> > >> >>> [root@nub /etc]# > >> >> > > >> >> > And, as stated above, I am showing connection diverts to natd. When I > >> >> > run the following three tcpdumps: > >> >> > > >> >> > tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and > >> >> > dst host 207.210.114.45 and dst port 6667 > >> >> > tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and > >> >> > dst host 207.210.114.45 and dst port 6667 > >> >> > tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45 > >> >> > and dst host 72.20.28.202 and src port 6667 > >> >> > > >> >> > Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example: > >> >> > > >> >> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap > >> >> > -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap > >> >> > -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap > >> >> > > >> >> > So, can anyone diagnose and fix this? Thanks. > >> >> > > >> >> > (P.S.: I'm aware of the DNS methods of doing round-robin, but please > >> >> > keep that from this discussion. I need to port-forward round-robin, > >> >> > not whole DNS) > >> >> > > >> >> > >> >> > >> >> _______________________________________________ > >> >> freebsd-net@freebsd.org mailing list > >> >> http://lists.freebsd.org/mailman/listinfo/freebsd-net > >> >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > >> >> > >> > > >> > > >> > > >> > >> > > > > > > > > -- ~ Kage http://vitund.com http://hackthissite.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d1556b2b0803241353s1a9b0977sf1218ae3a61e3c2c>