From owner-freebsd-net@FreeBSD.ORG Sat Mar 22 13:27:22 2008
Message-ID: <47E50936.1010405@restart.be>
Date: Sat, 22 Mar 2008 14:27:18 +0100
From: Henri Hennebert
Organization: RestartSoft
To: freebsd-net@freebsd.org
Subject: Re: natd port forward times out, tcpdump yields nothing
List-Id: Networking and TCP/IP with FreeBSD

Kage wrote:
> Hey guys,
>
> This is a fun one that's stumped people in Freenode ##freebsd.
> Basically, I have this layout:
>
> irc.domain.com -> DNS A -> IRC Jail
>
> When someone connects to irc.domain.com on IRC ports (6667, 8067,
> etc.), it round-robins them using natd, otherwise it sends all other
> port requests to the IRC jail as per normal (such as port 80, which is
> my primary concern). As for having it set up to have ipfw divert to
> natd, that's done and works, as shown by natd verbose mode:
>
> In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
> [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667
>
> (For reference)
> 207.210.114.45 = jail IP
> 72.20.28.202 = example target IP in the round-robin
> 72.65.73.23 = my IP
>
> Right now, my ipfw.rules file is as follows:
>
> [root@nub /etc]# cat ipfw.rules
> IPF="ipfw -q add"
> ipfw -f -q flush
>
> # loopback
> $IPF 10 allow all from any to any via lo0
> $IPF 20 deny all from any to 127.0.0.0/8
> $IPF 30 deny all from 127.0.0.0/8 to any
> $IPF 40 deny tcp from any to any frag
>
> # stateful
> $IPF 50 check-state
> $IPF 60 allow tcp from any to any established
> $IPF 70 allow all from any to any out keep-state
> $IPF 54999 allow icmp from any to any
>
> # Include the deny file
> . /etc/ipfw.deny
>
> [snip -- some allowed ports]
> # IRC (natd divert for IRC port-forwarding)
> $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
> $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
> $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
> $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
> $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0

You must also divert the response traffic AFAIK, e.g.:

$IPF 50220 divert natd all from 72.20.28.202 6667 to 207.210.114.45 via rl0

> # keep these two IRC ports normally open for BNC
> $IPF 50270 allow all from any to any 31337 in
> $IPF 50380 allow all from any to any 31337 out
> [snip -- more allowed ports]
> # deny and log everything
> $IPF 55000 deny log all from any to any
>
> -----
>
> Here's a dump of ipfw show, with some stuff cut out for space purposes
> (they're just denied DDoS IPs)
>
> [root@nub /etc]# ipfw show
> 00010 61124 16056802 allow ip from any to any via lo0
> 00020 0 0 deny ip from any to 127.0.0.0/8
> 00030 0 0 deny ip from 127.0.0.0/8 to any
> 00040 0 0 deny tcp from any to any frag
> 00050 0 0 check-state
> 00060 670616 455926379 allow tcp from any to any established
> 00070 16213 14071853 allow ip from any to any out keep-state
> [snip]
> 50220 468 22464 divert 8668 ip from any to 207.210.114.45 dst-port 6667 via rl0
> 50230 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8067 via rl0
> 50240 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 8068 via rl0
> 50250 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 6697 via rl0
> 50260 0 0 divert 8668 ip from any to 207.210.114.45 dst-port 7000 via rl0
> 50270 1 60 allow ip from any to any dst-port 31337 in
> 54999 66 3991 allow icmp from any to any
> 55000 4364 343609 deny log logamount 100 ip from any to any
> 65535 29 4176 allow ip from any to any
>
> My natd.conf is as follows:
>
> [root@nub /etc]# cat natd.conf
> # Nub.Core NATd
> verbose
> alias_address 207.210.114.45
> log
> log_denied
> log_ipfw_denied
> pid_file /var/run/natd.pid
>
>
> ### IRC Redirect Ports
> # 6667 If I understand man natd
> redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
                                                          ^^^^^^^^^^^^^^^^^^^

Traffic is coming from 72.65.73.23, so the rule doesn't apply.

> [root@nub /etc]#
>
> And, as stated above, I am showing connection diverts to natd. When I
> run the following three tcpdumps:
>
> tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and dst host 207.210.114.45 and dst port 6667
> tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and dst host 207.210.114.45 and dst port 6667
> tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45 and dst host 72.20.28.202 and src port 6667
>
> Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:
>
> -rw-r--r-- 1 root wheel 0 Mar 21 14:57 jail_to_nat.pcap
> -rw-r--r-- 1 root wheel 16384 Mar 21 15:24 me_to_nat.pcap
> -rw-r--r-- 1 root wheel 0 Mar 21 14:57 nat_to_jail.pcap
>
> So, can anyone diagnose and fix this? Thanks.
>
> (P.S.: I'm aware of the DNS methods of doing round-robin, but please
> keep that from this discussion. I need to port-forward round-robin,
> not whole DNS)
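The point Henri makes about the trailing field of redirect_port, worked through as an added example that is not part of this thread and not natd's own code: a small Python model of how natd matches a redirect_port rule (proto, target ip:port, alias ip:port, optional remote ip[:port]) against an inbound packet, plus a check for natd -verbose lines in which the packet is "aliased to" itself, which is exactly what the log line Kage posted shows. The rule with the remote field removed (FIXED_RULE) is an assumption of this example, not something posted in the thread; port ranges and multi-target round-robin lists are not modelled.

```python
"""Model of natd redirect_port matching plus a natd -verbose log check.
Added example for the freebsd-net thread; not natd's code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class RedirectPort:
    """One natd redirect_port rule (no port ranges, no target lists)."""
    proto: str
    target: Endpoint                                     # where matching packets go
    alias: Endpoint                                      # public ip:port clients talk to
    remote: Optional[Tuple[str, Optional[int]]] = None   # optional restriction on the CLIENT


def _endpoint(text: str, default_ip: Optional[str]) -> Endpoint:
    """Parse 'ip:port'; a bare 'port' means the alias_address."""
    if ":" in text:
        ip, port = text.rsplit(":", 1)
        return ip, int(port)
    if default_ip is None:
        raise ValueError("bare port %r needs an alias_address" % text)
    return default_ip, int(text)


def parse_redirect_port(line: str, alias_address: Optional[str] = None) -> RedirectPort:
    """Parse 'redirect_port proto target alias [remote]' into a RedirectPort."""
    fields = line.split()
    if not fields or fields[0] != "redirect_port" or len(fields) not in (4, 5):
        raise ValueError("not a redirect_port line: %r" % line)
    rule = RedirectPort(fields[1], _endpoint(fields[2], None),
                        _endpoint(fields[3], alias_address))
    if len(fields) == 5:                                 # remoteIP[:remotePORT]
        remote = fields[4]
        if ":" in remote:
            ip, port = remote.rsplit(":", 1)
            rule.remote = (ip, int(port))
        else:
            rule.remote = (remote, None)
    return rule


def rule_matches(rule: RedirectPort, proto: str, src: Endpoint, dst: Endpoint) -> bool:
    """Does an inbound packet proto src->dst hit this rule?  The remote field,
    when present, restricts the client (source) side, not the server side."""
    if proto != rule.proto or dst != rule.alias:
        return False
    if rule.remote is None:
        return True
    remote_ip, remote_port = rule.remote
    return src[0] == remote_ip and (remote_port is None or src[1] == remote_port)


def apply_rules(rules: List[RedirectPort], proto: str, src: Endpoint,
                dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
    """Return (src, dst) after the first matching rule; unchanged if none match."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst):
            return src, rule.target
    return src, dst


# natd -verbose prints the packet before and after aliasing on one line
LOG_RE = re.compile(r"(\S+) -> (\S+) aliased to \[\w+\] (\S+) -> (\S+)")


def alias_was_noop(logline: str) -> bool:
    """True when natd saw the packet but left it untouched: the signature of a
    redirect_port rule that never matches."""
    m = LOG_RE.search(logline)
    if m is None:
        raise ValueError("not a natd verbose line: %r" % logline)
    return (m.group(1), m.group(2)) == (m.group(3), m.group(4))


# Constructed sample data.  KAGE_RULE and KAGE_LOG are copied from the thread;
# FIXED_RULE (remote field dropped) is an assumption of this example.
KAGE_RULE = "redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667"
FIXED_RULE = "redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667"
CLIENT, JAIL = ("72.65.73.23", 2980), ("207.210.114.45", 6667)
KAGE_LOG = ("In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 "
            "aliased to [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667")

if __name__ == "__main__":
    for text in (KAGE_RULE, FIXED_RULE):
        print(text, "->", apply_rules([parse_redirect_port(text)], "tcp", CLIENT, JAIL))
    print("posted natd log line is a no-op alias:", alias_was_noop(KAGE_LOG))
```

With Kage's rule the client 72.65.73.23 never satisfies the remote field, so apply_rules hands the packet back unchanged, which is what the posted verbose line shows and why nat_to_jail.pcap stays empty; with the remote field dropped the same packet is rewritten to 72.20.28.202:6667. On the box itself the equivalent check is to look for verbose lines whose before and after tuples are identical.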