Date: Wed, 21 Jul 2010 00:15:31 +0800 From: Aiza <aiza21@comclark.com> To: google@alexus.org Cc: freebsd-questions@freebsd.org Subject: Re: ipnat.conf - map and rdr won't work! Message-ID: <4C45CBA3.9020800@comclark.com> In-Reply-To: <AANLkTinM1E2Obrs8VqSsm3S_jcXqbw_Q1YLkc51tgJsS@mail.gmail.com> References: <AANLkTilVTo36Fzdh2DKAQhRjyDj8MNUuV9dhwvQ7Gf-V@mail.gmail.com> <AANLkTinh0CykJ1Av3f2THPDFOLS0YtYLDvRMHXm_wD3w@mail.gmail.com> <4C3F91CF.5090206@locolomo.org> <AANLkTin6hYyHiG8taifkNHPBtKI0rKOkAaGRYodV1LLC@mail.gmail.com> <4C419944.8030702@locolomo.org> <AANLkTin8H47Z7suztGnWpa8fm-XIagQ6vzlxP85OIT-B@mail.gmail.com> <4C447F7F.6020308@locolomo.org> <AANLkTinM1E2Obrs8VqSsm3S_jcXqbw_Q1YLkc51tgJsS@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
alexus wrote: > On Mon, Jul 19, 2010 at 12:38 PM, Erik Norgaard <norgaard@locolomo.org> wrote: >> On 19/07/10 16.46, alexus wrote: >>>>>> Use tcpdump, you should see if your rdr/map rules work as expected. >>>>>> Also, >>>>>> pfctl -ss and similar. >>>>> i don't know how to use tcpdump, can you provide exact syntax so i can >>>>> run >>>>> it? >>>> The man-page is excelent. >>> tried that, unfortunately not really sure what am i doing.. still >> Can't help you more, really, you need to investigate where packets are >> dropped, tcpdump is a great tool and the man-page is excelent, can't explain >> it better, if you don't like tcpdump then use any other packet sniffing tool >> at hand, snort for example. > > ipmon: > > 20/07/2010 10:22:00.123106 @2 NAT:RDR 172.16.172.16,22 <- -> > 64.52.58.58,22 [69.10.67.106,6346 PR tcp] > 20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 172.16.172.16,22 <- -> > 64.52.58.58,22 [69.10.67.106,6346 PR tcp] Pkts 11/0 Bytes 640/0 > > tcpdump: > > tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes > 11:40:07.366519 IP (tos 0x0, ttl 49, id 48580, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc05d (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91387932 0,sackOK,eol> > 11:40:08.346575 IP (tos 0x0, ttl 49, id 19079, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc054 (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91387941 0,sackOK,eol> > 11:40:09.102442 IP (tos 0x0, ttl 49, id 28097, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc04a (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91387951 0,sackOK,eol> > 11:40:10.108089 IP (tos 0x0, ttl 49, id 28130, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc040 (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91387961 0,sackOK,eol> > 11:40:11.104669 IP (tos 0x0, ttl 49, id 27900, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc036 (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91387971 0,sackOK,eol> > 11:40:12.110396 IP (tos 0x0, ttl 49, id 56214, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc02c (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91387981 0,sackOK,eol> > 11:40:14.105642 IP (tos 0x0, ttl 49, id 41429, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc018 (correct), 208454974:208454974(0) win 65535 <mss > 1380,nop,wscale 3,nop,nop,timestamp 91388001 0,sackOK,eol> > 11:40:18.114148 IP (tos 0x0, ttl 49, id 30423, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 <mss > 1380,sackOK,eol> > 11:40:21.899739 arp who-has 64.52.58.36 tell 64.52.58.33 > 11:40:24.830499 arp who-has 64.52.58.36 tell 64.52.58.33 > 11:40:26.125568 IP (tos 0x0, ttl 49, id 25515, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 <mss > 1380,sackOK,eol> > 11:40:42.157443 IP (tos 0x0, ttl 49, id 18773, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 <mss > 1380,sackOK,eol> > 11:41:14.193555 IP (tos 0x0, ttl 49, id 42007, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 <mss > 1380,sackOK,eol> > ^C180 packets captured > 182 packets received by filter > 0 packets dropped by kernel > >> Do packets can get dropped because of your firewall default policy? For >> stealth it may be set to simply drop packets which result in a connection >> time-out rather than send a TCP-RST. > > su-3.2# grep ^firewall /etc/rc.conf > firewall_enable="YES" > firewall_type="open" > su-3.2# ipfw show > 00100 5478 792380 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 65000 869903 554820708 allow ip from any to any > 65535 0 0 deny ip from any to any > su-3.2# grep ^ip /etc/rc.conf > ipfilter_enable="YES" > ipmon_enable="YES" > ipnat_enable="YES" > ipnat_flags="-d" > su-3.2# > > i even did this > > su-3.2# /etc/rc.d/ipfw stop > net.inet.ip.fw.enable: 1 -> 0 > su-3.2# > >> Do packets get dropped because of nat on the way in? or on the way out? > > i tried disabling map rule and leave only rdr, that didn't help > >> What if you just disable ipnat? What if you flush the firewall rules? >> (disconnect from the Internet first) > > if i disable ipnat then map or rdr wont work as they simply disabled > > i disabled ipfw, and i dont have any rules inside of ipfilter > >> Do you have any logs in the jail that indicate that the first packet is >> actually received? Do your firewall log connections? If not, see how you can >> enable logs on all rules to get more information. > > nothing gets to jail there for no logs inside of jail > >> Can you connect out from the jail, to external servers? only to the jail >> hosting server? Did the jail's ssh log tell anything? > > no i can not connect out from jail, as map doesn't work either > nothing gets to > >> You wrote you can connect with ssh from the hosting server to the jail, but >> it took a long time, did you investigate this? Is there some DNS issue that >> times out and causes the connection to fail? >> >> Can you ping your jail? Can you ping out? Default route is configured? > > i can ping my jail within host environment > once again nothing within jail works as map (nat) isn't working > > default router isn't configured in rc.conf (inside of jail) as per > jail's man page its not needed > it was working fine before without it > >> There are tons of tests you can do to figure out what's failing. >> >> BR, Erik >> > > > su-3.2# grep ^firewall /etc/rc.conf firewall_enable="YES" firewall_type="open" su-3.2# grep ^ip /etc/rc.conf ipfilter_enable="YES" ipmon_enable="YES" ipnat_enable="YES" ipnat_flags="-d" This is not good. You are running 2 different firewalls at the same time. comment out firewall_enable="YES" firewall_type="open" and reboot your system.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C45CBA3.9020800>