Date:      Tue, 13 Oct 2015 13:50:04 +1000
From:      Nathan Aherne <nathan@reddog.com.au>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Kernel NAT issues
Message-ID:  <C1C25100-FBD4-42F4-94F7-965B270D927F@reddog.com.au>
In-Reply-To: <20151013142301.B67283@sola.nimnet.asn.au>
References:  <94B91F98-DE01-4A10-8AB5-4193FE11AF3F@reddog.com.au> <20151013142301.B67283@sola.nimnet.asn.au>

Hi Ian,

Thank you for your response.

I didn't post my ruleset because I should be able to fix the issue myself but I see now that my request to explain "how NAT works" was incorrect.

I have now included my ruleset below (as well as my initial email).

# Enable NAT
ipfw nat 1 config ip $jip same_ports log


00005 allow ip from any to any via lo0
00006 deny ip from any to not me in via bce0
00100 nat 1 log ip from any to AAA.BBB.CCC.DDD recv bce0
00101 check-state
00110 allow icmp from any to WWW.XXX.YYY.ZZZ recv bce0 keep-state
00111 allow tcp from any to WWW.XXX.YYY.ZZZ dst-port 65222 recv bce0 setup keep-state
00112 allow icmp from WWW.XXX.YYY.ZZZ to any xmit bce0 keep-state
00113 allow tcp from WWW.XXX.YYY.ZZZ to any dst-port 53,80,443,22,65222 xmit bce0 setup keep-state
00114 allow udp from WWW.XXX.YYY.ZZZ to any dst-port 53,123 xmit bce0 keep-state
00120 skipto 65501 log tcp from any to 10.0.0.0/16 recv bce0 setup keep-state
00121 skipto 65501 log udp from any to 10.0.0.0/16 recv bce0 keep-state
00122 skipto 65501 log tcp from 10.0.0.0/16 to not 10.0.0.0/16 xmit bce0 setup keep-state
00123 skipto 65501 log udp from 10.0.0.0/16 to not 10.0.0.0/16 xmit bce0 keep-state
00200 allow log tcp from any to 10.0.0.1 dst-port 22,80,443 in setup keep-state
00200 allow log tcp from 10.0.0.1 to any dst-port 22,80,443 out setup keep-state
00200 allow log udp from 10.0.0.1 to any dst-port 53 out keep-state
00201 allow log tcp from any to 10.0.0.2 dst-port 22,80,443 in setup keep-state
00201 allow log tcp from 10.0.0.2 to any dst-port 22,80,443 out setup keep-state
00201 allow log udp from 10.0.0.2 to any dst-port 53 out keep-state
65500 deny log ip from any to any
65501 nat 1 log ip from 10.0.0.0/16 to not 10.0.0.0/16 xmit bce0 keep-state
65502 allow log ip from AAA.BBB.CCC.DDD to any xmit bce0 keep-state
65534 deny log ip from any to any
65535 deny ip from any to any

**************************************************************************************
I sent through a question to this list a little while ago and have been trying to get IPFW NAT working since then. I have had some success but not the success I need, everything is working correctly except NAT rules for my particular use case.

I have read every Google result on the first 50 pages when searching for "IPFW NAT" or "IPFW kernel NAT". I would really appreciate it if someone could help me out.

My use case is as follows:

1. I need to use hairpin NAT - I am using Jails behind a http proxy and some jails need to be able to communicate with each other but only over the WAN IP. This is why I have not used PF.
2. Some jails need to be able to communicate with each other on the private interface (lo1)
3. IPFW is configured as default deny
4. Each jail has a list of allowed ports for incoming and outgoing connections, these are set on the jails' private IP (10.0.0.0/16)
5. I am using a stateful firewall.

At the moment I am testing my IPFW ruleset using "host google.com". I can see the traffic leave the Jail, get natted, the response come back from 8.8.8.8 and the traffic is then denied. It seems like the state is not being checked or my rules are in the wrong place. I feel that I should be able to fix this but I am obviously misunderstanding how NAT works.

I was under the assumption that traffic flowed like this:

1. Traffic comes from Jail 10.0.0.1 on lo1 interface, if traffic is for public IP, the traffic is natted, it goes out the WAN interface, comes back, is natted and switched to lo1 interface, state is checked and it passes as returning traffic.

2. Traffic comes from Jail 10.0.0.1 on lo1 interface, if traffic is for private IP, the traffic is not natted, it stays on the lo1 interface and goes directly to the 10.0.0.2 Jail.

I know I could answer my last question if "I read the code" and I have tried but am not getting it. Is my understanding of IPFW kernel NAT correct?

Regards,

Nathan

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

**************************************************************************************

Regards,

Nathan

> On 13 Oct 2015, at 1:37 pm, Ian Smith <smithi@nimnet.asn.au> wrote:
>
> On Tue, 13 Oct 2015 12:33:52 +1000, Nathan Aherne wrote:
>
>> I sent through a question to this list a little while ago and have
>> been trying to get IPFW NAT working since then. I have had some
>> success but not the success I need, everything is working correctly
>> except NAT rules for my particular use case.
>
> Unfortunately the rest of your message failed to quote properly here,
> i.e. not quoted indented as above, so I'll leave it out for now; perhaps
> it's my old mailer (pine) at fault.  Maybe plain ASCII text would help.
>
> That said, without sharing your actual ruleset with us, sanitised if
> need be, it seems unlikely that anyone will be able to work out what
> might be happening here solely from your textual description.
>=20
> cheers, Ian
