From owner-freebsd-questions@FreeBSD.ORG Tue Jul 20 16:32:37 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F98F1065677 for ; Tue, 20 Jul 2010 16:32:37 +0000 (UTC) (envelope-from aiza21@comclark.com) Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 218BB8FC0A for ; Tue, 20 Jul 2010 16:32:36 +0000 (UTC) Received: from [10.0.10.3] ([202.69.172.68]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 20 Jul 2010 09:15:36 -0700 Message-ID: <4C45CBA3.9020800@comclark.com> Date: Wed, 21 Jul 2010 00:15:31 +0800 From: Aiza User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: google@alexus.org References: <4C3F91CF.5090206@locolomo.org> <4C419944.8030702@locolomo.org> <4C447F7F.6020308@locolomo.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 20 Jul 2010 16:15:37.0065 (UTC) FILETIME=[C9DB4590:01CB2826] X-Sender: fbsd8@a1poweruser.com Cc: freebsd-questions@freebsd.org Subject: Re: ipnat.conf - map and rdr won't work! X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Jul 2010 16:32:37 -0000 alexus wrote: > On Mon, Jul 19, 2010 at 12:38 PM, Erik Norgaard wrote: >> On 19/07/10 16.46, alexus wrote: >>>>>> Use tcpdump, you should see if your rdr/map rules work as expected. >>>>>> Also, >>>>>> pfctl -ss and similar. >>>>> i don't know how to use tcpdump, can you provide exact syntax so i can >>>>> run >>>>> it? >>>> The man-page is excelent. >>> tried that, unfortunately not really sure what am i doing.. still >> Can't help you more, really, you need to investigate where packets are >> dropped, tcpdump is a great tool and the man-page is excelent, can't explain >> it better, if you don't like tcpdump then use any other packet sniffing tool >> at hand, snort for example. > > ipmon: > > 20/07/2010 10:22:00.123106 @2 NAT:RDR 172.16.172.16,22 <- -> > 64.52.58.58,22 [69.10.67.106,6346 PR tcp] > 20/07/2010 10:26:00.340436 @2 NAT:EXPIRE 172.16.172.16,22 <- -> > 64.52.58.58,22 [69.10.67.106,6346 PR tcp] Pkts 11/0 Bytes 640/0 > > tcpdump: > > tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes > 11:40:07.366519 IP (tos 0x0, ttl 49, id 48580, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc05d (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91387932 0,sackOK,eol> > 11:40:08.346575 IP (tos 0x0, ttl 49, id 19079, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc054 (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91387941 0,sackOK,eol> > 11:40:09.102442 IP (tos 0x0, ttl 49, id 28097, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc04a (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91387951 0,sackOK,eol> > 11:40:10.108089 IP (tos 0x0, ttl 49, id 28130, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc040 (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91387961 0,sackOK,eol> > 11:40:11.104669 IP (tos 0x0, ttl 49, id 27900, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc036 (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91387971 0,sackOK,eol> > 11:40:12.110396 IP (tos 0x0, ttl 49, id 56214, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc02c (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91387981 0,sackOK,eol> > 11:40:14.105642 IP (tos 0x0, ttl 49, id 41429, offset 0, flags [DF], > proto TCP (6), length 64) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0xc018 (correct), 208454974:208454974(0) win 65535 1380,nop,wscale 3,nop,nop,timestamp 91388001 0,sackOK,eol> > 11:40:18.114148 IP (tos 0x0, ttl 49, id 30423, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 1380,sackOK,eol> > 11:40:21.899739 arp who-has 64.52.58.36 tell 64.52.58.33 > 11:40:24.830499 arp who-has 64.52.58.36 tell 64.52.58.33 > 11:40:26.125568 IP (tos 0x0, ttl 49, id 25515, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 1380,sackOK,eol> > 11:40:42.157443 IP (tos 0x0, ttl 49, id 18773, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 1380,sackOK,eol> > 11:41:14.193555 IP (tos 0x0, ttl 49, id 42007, offset 0, flags [DF], > proto TCP (6), length 48) 69.10.67.106.9408 > 64.52.58.58.22: S, cksum > 0x8b0d (correct), 208454974:208454974(0) win 65535 1380,sackOK,eol> > ^C180 packets captured > 182 packets received by filter > 0 packets dropped by kernel > >> Do packets can get dropped because of your firewall default policy? For >> stealth it may be set to simply drop packets which result in a connection >> time-out rather than send a TCP-RST. > > su-3.2# grep ^firewall /etc/rc.conf > firewall_enable="YES" > firewall_type="open" > su-3.2# ipfw show > 00100 5478 792380 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 65000 869903 554820708 allow ip from any to any > 65535 0 0 deny ip from any to any > su-3.2# grep ^ip /etc/rc.conf > ipfilter_enable="YES" > ipmon_enable="YES" > ipnat_enable="YES" > ipnat_flags="-d" > su-3.2# > > i even did this > > su-3.2# /etc/rc.d/ipfw stop > net.inet.ip.fw.enable: 1 -> 0 > su-3.2# > >> Do packets get dropped because of nat on the way in? or on the way out? > > i tried disabling map rule and leave only rdr, that didn't help > >> What if you just disable ipnat? What if you flush the firewall rules? >> (disconnect from the Internet first) > > if i disable ipnat then map or rdr wont work as they simply disabled > > i disabled ipfw, and i dont have any rules inside of ipfilter > >> Do you have any logs in the jail that indicate that the first packet is >> actually received? Do your firewall log connections? If not, see how you can >> enable logs on all rules to get more information. > > nothing gets to jail there for no logs inside of jail > >> Can you connect out from the jail, to external servers? only to the jail >> hosting server? Did the jail's ssh log tell anything? > > no i can not connect out from jail, as map doesn't work either > nothing gets to > >> You wrote you can connect with ssh from the hosting server to the jail, but >> it took a long time, did you investigate this? Is there some DNS issue that >> times out and causes the connection to fail? >> >> Can you ping your jail? Can you ping out? Default route is configured? > > i can ping my jail within host environment > once again nothing within jail works as map (nat) isn't working > > default router isn't configured in rc.conf (inside of jail) as per > jail's man page its not needed > it was working fine before without it > >> There are tons of tests you can do to figure out what's failing. >> >> BR, Erik >> > > > su-3.2# grep ^firewall /etc/rc.conf firewall_enable="YES" firewall_type="open" su-3.2# grep ^ip /etc/rc.conf ipfilter_enable="YES" ipmon_enable="YES" ipnat_enable="YES" ipnat_flags="-d" This is not good. You are running 2 different firewalls at the same time. comment out firewall_enable="YES" firewall_type="open" and reboot your system.