From owner-freebsd-questions@FreeBSD.ORG Tue Jul 20 16:02:13 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 07428106567D for ; Tue, 20 Jul 2010 16:02:13 +0000 (UTC) (envelope-from alexus@gmail.com) Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54]) by mx1.freebsd.org (Postfix) with ESMTP id 7E6DA8FC08 for ; Tue, 20 Jul 2010 16:02:12 +0000 (UTC) Received: by fxm13 with SMTP id 13so3226717fxm.13 for ; Tue, 20 Jul 2010 09:02:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:reply-to :in-reply-to:references:date:message-id:subject:from:to:cc :content-type; bh=ii+SGpKNt8s7PJHfepYNGkQR3wPW8Z3aBbcw7XrhnI8=; b=vk6iMQTnrT62RCJ9SnvsWzOSLiXgmf8gato7AR6MPSEe1/sxwW2Vi462mtzhL/W3jn qOw/fV9hJKQAGP/Kp4sPdbKNKCTga4izB0fMdkDu/reCgo/Uz0qEmpQ6MEUVe4Lkpntx RLjH2jZj3mGknTBGUx6sB+B6BY5W8BNstQbUE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; b=UJCzsrCRTp7NipaPCNea1YtRsCMb23wp723HxE2h/88LZZbSFaXKyeZqvit8SwYp5z u0RqttuY2abFp7fYzsV7hk7n4UDIFq7qnUeBN/+40fhsMpmTmfMbn2DLZ1D41QM2Z/cn fhUkdq7WA06nNxBTOVDMhXFjv02b71xeq1FVk= MIME-Version: 1.0 Received: by 10.216.169.80 with SMTP id m58mr5542207wel.79.1279641729722; Tue, 20 Jul 2010 09:02:09 -0700 (PDT) Received: by 10.216.229.202 with HTTP; Tue, 20 Jul 2010 09:02:09 -0700 (PDT) In-Reply-To: <4C447F7F.6020308@locolomo.org> References: <4C3F91CF.5090206@locolomo.org> <4C419944.8030702@locolomo.org> <4C447F7F.6020308@locolomo.org> Date: Tue, 20 Jul 2010 12:02:09 -0400 Message-ID: From: alexus To: Erik Norgaard Content-Type: text/plain; charset=UTF-8 Cc: freebsd-questions@freebsd.org Subject: Re: ipnat.conf - map and rdr won't work! X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: google@alexus.org List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jul 2010 16:02:13 -0000 On Mon, Jul 19, 2010 at 12:38 PM, Erik Norgaard wrote: > On 19/07/10 16.46, alexus wrote: >>>>> >>>>> Use tcpdump, you should see if your rdr/map rules work as expected. >>>>> Also, >>>>> pfctl -ss and similar. >>>> >>>> i don't know how to use tcpdump, can you provide exact syntax so i can >>>> run >>>> it? >>> >>> The man-page is excelent. >> >> tried that, unfortunately not really sure what am i doing.. still > > Can't help you more, really, you need to investigate where packets are > dropped, tcpdump is a great tool and the man-page is excelent, can't explain > it better, if you don't like tcpdump then use any other packet sniffing tool > at hand, snort for example. ipmon: 20/07/2010 10:22:00.123106 @2 NAT:RDR 172.16.172.16,22 <- -> 64.52.58.58,22 [69.10.67.106,6346 PR tcp] 20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 172.16.172.16,22 <- -> 64.52.58.58,22 [69.10.67.106,6346 PR tcp] Pkts 11/0 Bytes 640/0 tcpdump: tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes 11:40:07.366519 IP (tos 0x0, ttl 49, id 48580, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc05d (correct), 208454974:208454974(0) win 65535 11:40:08.346575 IP (tos 0x0, ttl 49, id 19079, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc054 (correct), 208454974:208454974(0) win 65535 11:40:09.102442 IP (tos 0x0, ttl 49, id 28097, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc04a (correct), 208454974:208454974(0) win 65535 11:40:10.108089 IP (tos 0x0, ttl 49, id 28130, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc040 (correct), 208454974:208454974(0) win 65535 11:40:11.104669 IP (tos 0x0, ttl 49, id 27900, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc036 (correct), 208454974:208454974(0) win 65535 11:40:12.110396 IP (tos 0x0, ttl 49, id 56214, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc02c (correct), 208454974:208454974(0) win 65535 11:40:14.105642 IP (tos 0x0, ttl 49, id 41429, offset 0, flags [DF], proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0xc018 (correct), 208454974:208454974(0) win 65535 11:40:18.114148 IP (tos 0x0, ttl 49, id 30423, offset 0, flags [DF], proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0x8b0d (correct), 208454974:208454974(0) win 65535 11:40:21.899739 arp who-has 64.52.58.36 tell 64.52.58.33 11:40:24.830499 arp who-has 64.52.58.36 tell 64.52.58.33 11:40:26.125568 IP (tos 0x0, ttl 49, id 25515, offset 0, flags [DF], proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0x8b0d (correct), 208454974:208454974(0) win 65535 11:40:42.157443 IP (tos 0x0, ttl 49, id 18773, offset 0, flags [DF], proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0x8b0d (correct), 208454974:208454974(0) win 65535 11:41:14.193555 IP (tos 0x0, ttl 49, id 42007, offset 0, flags [DF], proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum 0x8b0d (correct), 208454974:208454974(0) win 65535 ^C180 packets captured 182 packets received by filter 0 packets dropped by kernel > Do packets can get dropped because of your firewall default policy? For > stealth it may be set to simply drop packets which result in a connection > time-out rather than send a TCP-RST. su-3.2# grep ^firewall /etc/rc.conf firewall_enable="YES" firewall_type="open" su-3.2# ipfw show 00100 5478 792380 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 65000 869903 554820708 allow ip from any to any 65535 0 0 deny ip from any to any su-3.2# grep ^ip /etc/rc.conf ipfilter_enable="YES" ipmon_enable="YES" ipnat_enable="YES" ipnat_flags="-d" su-3.2# i even did this su-3.2# /etc/rc.d/ipfw stop net.inet.ip.fw.enable: 1 -> 0 su-3.2# > Do packets get dropped because of nat on the way in? or on the way out? i tried disabling map rule and leave only rdr, that didn't help > What if you just disable ipnat? What if you flush the firewall rules? > (disconnect from the Internet first) if i disable ipnat then map or rdr wont work as they simply disabled i disabled ipfw, and i dont have any rules inside of ipfilter > Do you have any logs in the jail that indicate that the first packet is > actually received? Do your firewall log connections? If not, see how you can > enable logs on all rules to get more information. nothing gets to jail there for no logs inside of jail > Can you connect out from the jail, to external servers? only to the jail > hosting server? Did the jail's ssh log tell anything? no i can not connect out from jail, as map doesn't work either nothing gets to > You wrote you can connect with ssh from the hosting server to the jail, but > it took a long time, did you investigate this? Is there some DNS issue that > times out and causes the connection to fail? > > Can you ping your jail? Can you ping out? Default route is configured? i can ping my jail within host environment once again nothing within jail works as map (nat) isn't working default router isn't configured in rc.conf (inside of jail) as per jail's man page its not needed it was working fine before without it > There are tons of tests you can do to figure out what's failing. > > BR, Erik > -- http://alexus.org/