From: Henri Hennebert <hlh@restart.be>
Organization: RestartSoft
To: Kage
Cc: freebsd-net@freebsd.org
Subject: Re: natd port forward times out, tcpdump yields nothing
Date: Wed, 26 Mar 2008 08:47:22 +0100
Message-ID: <47E9FF8A.8000405@restart.be>
References: <47E50936.1010405@restart.be> <47E77E1C.7090000@restart.be> <47E80E01.4060605@restart.be> <47E918DF.7060005@restart.be>
List-Id: Networking and TCP/IP with FreeBSD

Kage wrote:
> I'm sorry, I did not understand what you just asked.

When the request hits the real server [72.20.28.202], the response from this
server must go back to the natd server so the reverse translation can take
place.

You can check by running tcpdump on [207.210.114.45] and see if the response
came back from [72.20.28.202].

> On Tue, Mar 25, 2008 at 11:23 AM, Henri Hennebert wrote:
>> Kage wrote:
>>> I changed my rules, and it's still not working:
>>>
>>> $IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0
>>> $IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0
>>>
>>> It's still timing connections out.
>>
>> Is the server hosting natd the default route for 72.20.28.202?
>>
>> Henri
>>
>>> On Mon, Mar 24, 2008 at 4:24 PM, Henri Hennebert wrote:
>>>> Kage wrote:
>>>>> Still not working, but I DO have natd aliasing properly. Here's my
>>>>> natd output (remember which IP is mine, the IRC jail, and the example
>>>>> round-robin IP):
>>>>>
>>>>> [root@nub /etc]# natd -f /etc/natd.conf
>>>>> In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
>>>>> [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
>>>>> In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
>>>>> [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
>>>>> In {default}[TCP] [TCP] 72.65.73.23:2897 -> 207.210.114.45:6667 aliased to
>>>>> [TCP] 72.65.73.23:2897 -> 72.20.28.202:6667
>>>>>
>>>>> 72...23 (me) is hitting the natd on the jail IP (207...45), which is
>>>>> getting correctly aliased to 72...202 (example round-robin IP). So it
>>>>> appears the natd is working properly.
>>>>
>>>> In the client -> server direction only for now -- see below.
>>>>
>>>>> Here's my natd configuration as it exists now:
>>>>>
>>>>> # Nub.Core NATd
>>>>> verbose
>>>>> alias_address 207.210.114.45
>>>>> log
>>>>> log_denied
>>>>> log_ipfw_denied
>>>>> pid_file /var/run/natd.pid
>>>>>
>>>>> ### IRC Redirect Ports
>>>>> # 6667
>>>>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667
>>>>>
>>>>> And for more record, here's my ipfw.rules file up until the divert:
>>>>>
>>>>> [root@nub /etc]# cat ipfw.rules
>>>>> IPF="ipfw -q add"
>>>>> ipfw -f -q flush
>>>>>
>>>>> #loopback
>>>>> $IPF 10 allow all from any to any via lo0
>>>>> $IPF 20 deny all from any to 127.0.0.0/8
>>>>> $IPF 30 deny all from 127.0.0.0/8 to any
>>>>> $IPF 40 deny tcp from any to any frag
>>>>>
>>>>> # stateful
>>>>> $IPF 50 check-state
>>>>> $IPF 60 allow tcp from any to any established
>>>>> $IPF 70 allow all from any to any out keep-state
>>>>> $IPF 54999 allow icmp from any to any
>>>>>
>>>>> [snip -- Some allowed ports (port 80, 443, etc.), and some denied IPs]
>>>>>
>>>>> # IRC (natd divert for IRC port-forwarding)
>>>>> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 6667 via rl0
>>>>                                                                      ^^^^
>>>> The destination port must not be given (i.e. any destination port,
>>>> corresponding to any source port greater than 1023 for the request) - in
>>>> this test the source port is 2897, in the next one it may be anything >
>>>> 1023. Moreover `any' in place of 207.210.114.45 would be nice to allow
>>>> others to chat. So the rule should be:
>>>>
>>>> $IPF 50220 divert natd all from 72.20.28.202 6667 to any via rl0
>>>>
>>>> Henri
>>>>
>>>>> $IPF 50221 divert natd all from any to 207.210.114.45 6667 via rl0
>>>>>
>>>>> Any attempt to connect to the IRC jail IP thus far, though, still
>>>>> fails with a "connection timed out."
>>>>>
>>>>> Thanks for your help thus far. Any additional ideas?
>>>>>
>>>>> On Mon, Mar 24, 2008 at 6:10 AM, Henri Hennebert wrote:
>>>>>> Kage wrote:
>>>>>>> Well, no, see it's hitting natd just fine as shown by my natd verbose
>>>>>>> logs, if you're assuming ipfw is blocking me from reaching natd. Are
>>>>>>> you talking about adding a firewall rule for each of my round-robin
>>>>>>> addresses, too?
>>>>>>
>>>>>> Yes
>>>>>>
>>>>>>> How would that do any good?
>>>>>>
>>>>>> All response packets to a packet diverted to natd must also be diverted
>>>>>> to natd to be reverse translated. eg:
>>>>>>
>>>>>> incoming request from client (c) to server (s) redirected to server (S)
>>>>>>
>>>>>> c.c.c.c -> s.s.s.s nated as c.c.c.c -> S.S.S.S
>>>>>>
>>>>>> must have response packets reverse translated:
>>>>>>
>>>>>> S.S.S.S -> c.c.c.c nated as s.s.s.s -> c.c.c.c
>>>>>>
>>>>>> to be a valid response to client (c).
>>>>>>
>>>>>>> On Sat, Mar 22, 2008 at 9:27 AM, Henri Hennebert wrote:
>>>>>>>> Kage wrote:
>>>>>>>>> Hey guys,
>>>>>>>>>
>>>>>>>>> This is a fun one that's stumped people in Freenode ##freebsd.
>>>>>>>>> Basically, I have this layout:
>>>>>>>>>
>>>>>>>>> irc.domain.com -> DNS A -> IRC Jail
>>>>>>>>>
>>>>>>>>> When someone connects to irc.domain.com on IRC ports (6667, 8067,
>>>>>>>>> etc.), it round-robins them using natd, otherwise it sends all other
>>>>>>>>> port requests to the IRC jail as per normal (such as port 80, which is
>>>>>>>>> my primary concern). As for having it set up to have ipfw divert to
>>>>>>>>> natd, that's done and works, as shown by natd verbose mode:
>>>>>>>>>
>>>>>>>>> In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
>>>>>>>>> [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
>>>>>>>>>
>>>>>>>>> (For reference)
>>>>>>>>> 207.210.114.45 = jail IP
>>>>>>>>> 72.20.28.202 = example target IP in the round-robin
>>>>>>>>> 72.65.73.23 = my IP
>>>>>>>>>
>>>>>>>>> Right now, my ipfw.rules file is as follows:
>>>>>>>>>
>>>>>>>>> [root@nub /etc]# cat ipfw.rules
>>>>>>>>> IPF="ipfw -q add"
>>>>>>>>> ipfw -f -q flush
>>>>>>>>>
>>>>>>>>> #loopback
>>>>>>>>> $IPF 10 allow all from any to any via lo0
>>>>>>>>> $IPF 20 deny all from any to 127.0.0.0/8
>>>>>>>>> $IPF 30 deny all from 127.0.0.0/8 to any
>>>>>>>>> $IPF 40 deny tcp from any to any frag
>>>>>>>>>
>>>>>>>>> # stateful
>>>>>>>>> $IPF 50 check-state
>>>>>>>>> $IPF 60 allow tcp from any to any established
>>>>>>>>> $IPF 70 allow all from any to any out keep-state
>>>>>>>>> $IPF 54999 allow icmp from any to any
>>>>>>>>>
>>>>>>>>> # Include the deny file
>>>>>>>>> . /etc/ipfw.deny
>>>>>>>>>
>>>>>>>>> [snip -- some allowed ports]
>>>>>>>>> # IRC (natd divert for IRC port-forwarding)
>>>>>>>>> $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
>>>>>>>>> $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
>>>>>>>>> $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
>>>>>>>>> $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
>>>>>>>>> $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0
>>>>>>>>
>>>>>>>> You must also divert the response traffic AFAIK eg:
>>>>>>>>
>>>>>>>> $IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0
>>>>>>>>
>>>>>>>>> # keep these two IRC ports normally open for BNC
>>>>>>>>> $IPF 50270 allow all from any to any 31337 in
>>>>>>>>> $IPF 50380 allow all from any to any 31337 out
>>>>>>>>> [snip -- more allowed ports]
>>>>>>>>> # deny and log everything
>>>>>>>>> $IPF 55000 deny log all from any to any
>>>>>>>>>
>>>>>>>>> -----
>>>>>>>>>
>>>>>>>>> Here's a dump of ipfw show, with some stuff cut out for space purposes
>>>>>>>>> (they're just denied DDoS IPs)
>>>>>>>>>
>>>>>>>>> [root@nub /etc]# ipfw show
>>>>>>>>> 00010 61124 16056802 allow ip from any to any via lo0
>>>>>>>>> 00020 0 0 deny ip from any to 127.0.0.0/8
>>>>>>>>> 00030 0 0 deny ip from 127.0.0.0/8 to any
>>>>>>>>> 00040 0 0 deny tcp from any to any frag
>>>>>>>>> 00050 0 0 check-state
>>>>>>>>> 00060 670616 455926379 allow tcp from any to any established
>>>>>>>>> 00070 16213 14071853 allow ip from any to any out keep-state
>>>>>>>>> [snip]
>>>>>>>>> 50220 468 22464 divert 8668 ip from any to 207.210.114.45 dst-port 6667 via rl0
>>>>>>>>> 50230 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8067 via rl0
>>>>>>>>> 50240 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8068 via rl0
>>>>>>>>> 50250 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 6697 via rl0
>>>>>>>>> 50260 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 7000 via rl0
>>>>>>>>> 50270 1 60 allow ip from any to any dst-port 31337 in
>>>>>>>>> 54999 66 3991 allow icmp from any to any
>>>>>>>>> 55000 4364 343609 deny log logamount 100 ip from any to any
>>>>>>>>> 65535 29 4176 allow ip from any to any
>>>>>>>>>
>>>>>>>>> My natd.conf is as follows:
>>>>>>>>>
>>>>>>>>> [root@nub /etc]# cat natd.conf
>>>>>>>>> # Nub.Core NATd
>>>>>>>>> verbose
>>>>>>>>> alias_address 207.210.114.45
>>>>>>>>> log
>>>>>>>>> log_denied
>>>>>>>>> log_ipfw_denied
>>>>>>>>> pid_file /var/run/natd.pid
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ### IRC Redirect Ports
>>>>>>>>> # 6667
>>>>>>>>
>>>>>>>> If I understand man natd
>>>>>>>>
>>>>>>>>> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
>>>>>>>>                                                          ^^^^^^^^^^^^^
>>>>>>>> Traffic is coming from 72.65.73.23 - so the rule doesn't apply
>>>>>>>>
>>>>>>>>> [root@nub /etc]#
>>>>>>>>>
>>>>>>>>> And, as stated above, I am showing connection diverts to natd. When I
>>>>>>>>> run the following three tcpdumps:
>>>>>>>>>
>>>>>>>>> tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and
>>>>>>>>> dst host 207.210.114.45 and dst port 6667
>>>>>>>>> tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and
>>>>>>>>> dst host 207.210.114.45 and dst port 6667
>>>>>>>>> tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45
>>>>>>>>> and dst host 72.20.28.202 and src port 6667
>>>>>>>>>
>>>>>>>>> Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:
>>>>>>>>>
>>>>>>>>> -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap
>>>>>>>>> -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap
>>>>>>>>> -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap
>>>>>>>>>
>>>>>>>>> So, can anyone diagnose and fix this? Thanks.
>>>>>>>>>
>>>>>>>>> (P.S.: I'm aware of the DNS methods of doing round-robin, but please
>>>>>>>>> keep that from this discussion. I need to port-forward round-robin,
>>>>>>>>> not whole DNS)
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-net@freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
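The following Python toy model is an added illustration of Henri's point, not code from the thread, from Kage's setup, or from FreeBSD's ipfw/natd. It replays the addresses, ports and rule numbers quoted in the thread through a deliberately simplified rule matcher and natd session table (both are my assumptions; real ipfw also matches on interface and direction, and real natd keeps far richer state) to show why the backend's reply packet must itself hit a divert rule: with Kage's first two rulesets the reply reaches the client from 72.20.28.202:6667 instead of 207.210.114.45:6667, so no socket on the client matches it and the connection times out; with Henri's `from 72.20.28.202 6667 to any` rule the reverse translation happens.

```python
"""Toy model of ipfw divert rules plus natd's redirect_port translation.

Added illustration for the thread above; not FreeBSD code.  Rule matching
and natd state are simplified assumptions; addresses, ports and rule numbers
are the ones quoted in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CLIENT = "72.65.73.23"      # "my IP" in the thread
JAIL_IP = "207.210.114.45"  # natd alias address (the IRC jail)
TARGET = "72.20.28.202"     # example round-robin backend


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DivertRule:
    """Models `ipfw add N divert natd all from SRC [SPORT] to DST [DPORT]`
    (interface and direction are ignored in this toy)."""
    number: int
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class Natd:
    """Models `alias_address ALIAS` plus one `redirect_port tcp TARGET:port ALIAS:port`."""

    def __init__(self, alias: str, target: str, port: int) -> None:
        self.alias, self.target, self.port = alias, target, port
        self.sessions: Set[Tuple[str, int]] = set()  # (client addr, client port)

    def translate(self, p: Packet) -> Packet:
        # Inbound: client -> ALIAS:port becomes client -> TARGET:port, and the
        # client endpoint is remembered so the reply can be translated back.
        if p.dst == self.alias and p.dport == self.port:
            self.sessions.add((p.src, p.sport))
            return Packet(p.src, p.sport, self.target, p.dport)
        # Reverse: TARGET:port -> known client becomes ALIAS:port -> client.
        if (p.src, p.sport) == (self.target, self.port) and (p.dst, p.dport) in self.sessions:
            return Packet(self.alias, p.sport, p.dst, p.dport)
        return p  # nothing to translate


def forward(rules: List[DivertRule], natd: Natd, p: Packet) -> Packet:
    """A packet only reaches natd if some divert rule matches it."""
    return natd.translate(p) if any(r.matches(p) for r in rules) else p


def exchange(rules: List[DivertRule]) -> Tuple[Packet, Packet]:
    """Push one client SYN and the backend's SYN/ACK through the ruleset.
    Returns (packet as the backend sees it, reply as the client sees it)."""
    natd = Natd(JAIL_IP, TARGET, 6667)
    request = Packet(CLIENT, 2897, JAIL_IP, 6667)  # client port taken from the natd log
    at_server = forward(rules, natd, request)
    # The backend answers from its own address to whatever source it saw.
    response = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    return at_server, forward(rules, natd, response)


def reply_source(rules: List[DivertRule]) -> Tuple[str, int]:
    """Source endpoint the client sees on the reply; it must be JAIL_IP:6667
    to match the socket the client opened."""
    _, at_client = exchange(rules)
    return at_client.src, at_client.sport


# Kage's first ruleset: only the client -> jail direction is diverted.
FIRST_RULES = [DivertRule(50220, dst=JAIL_IP, dport=6667)]
# Kage's second attempt: the reverse rule pins the destination to the jail
# port, but the reply goes to the client's ephemeral port, so it never matches.
SECOND_RULES = [DivertRule(50220, src=TARGET, sport=6667, dst=JAIL_IP, dport=6667),
                DivertRule(50221, dst=JAIL_IP, dport=6667)]
# Henri's fix: divert everything the backend sends from port 6667, to any host.
FIXED_RULES = [DivertRule(50220, src=TARGET, sport=6667),
               DivertRule(50221, dst=JAIL_IP, dport=6667)]

if __name__ == "__main__":
    for name, rules in (("first", FIRST_RULES), ("second", SECOND_RULES), ("fixed", FIXED_RULES)):
        srv, cli = exchange(rules)
        print(f"{name:6}: backend sees {srv.src}:{srv.sport} -> {srv.dst}:{srv.dport}; "
              f"client's reply comes from {cli.src}:{cli.sport}")
```

The model assumes the backend's reply physically passes through the natd host at all. If 72.20.28.202 does not route back via that host (Henri's last question about the default route), no rule can divert the reply, which is exactly what the empty jail_to_nat.pcap and nat_to_jail.pcap captures would show.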