On 5/4/2017 13:47, Rodney W. Grimes wrote: >> On 5/4/2017 12:12, Rodney W. Grimes wrote: >>>> Consider the following network configuration. >>>> >>>> >>>> Internet ------- Gateway/Firewall ---------- Inside network (including a >>>> web host) >>>> 70.16.10.1/28 192.168.0.0/24 >>>> >>>> The address of the outside is FICTIONAL, by the way. >>>> >>>> For policy reasons I do NOT want the gateway machine to actually have >>>> the host on it. There may be a number of things running on there but >>>> for the instant moment let's assume a standard pedestrian web host on >>>> port 80. >>>> >>>> I have DNS pointing at "webhost.domain" @ 70.16.10.1. >>>> >>>> I have NAT on the gateway (NAT internal to the kernel), and a "hole >>>> punch" in there with redirect_port tcp 192.168.1.1:80 70.16.10.1:80 as >>>> pat of the nat configuration statement. >>>> >>>> This works fine for anyone on the outside. HOWEVER, anyone on the >>>> INTERNAL network cannot see the host. >>>> >>>> My NAT configuration looks like this: >>>> >>>> # >>>> # Now divert all inbound packets that should go through NAT. Since this >>>> is NAT >>>> # it can only match a packet that previously was NATted on the way out. >>>> # >>>> ${fwcmd} add 6000 nat 100 ip4 from any to me recv ${oif} >>>> # >>>> # Check stateful rules; we want to go there directly if there is a match >>>> # >>>> ${fwcmd} add 7000 check-state >>>> # >>>> # Now pick up all *outbound* packets that originated from an inside address >>>> # and put them through NAT. We then have >>>> # a packet with a local source address and we can allow it to be sent. >>>> # Therefore, if the packet is outbound let it pass and be done with it. >>>> # >>>> ${fwcmd} add 8000 nat 100 ip4 from 192.168.0.0/16 to any xmit >>>> ${oif} >>>>>> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to ${oip} >>>> ${fwcmd} add 8009 deny log ip4 from 192.168.0.0/16 to any xmit >>>> ${oif} >>>> ${fwcmd} add 8010 pass ip4 from ${onet} to any xmit ${oif} >>>> >>>> Without the ">>" line I get nothing; the packets get to the gateway and >>>> disappear. >>>> >>>> With the ">>" line I DO get the packets re-emitted on the internal >>>> interface HOWEVER there is no translation to the internal interface IP >>>> on the gateway box. So what I see on the internal box is this: >>>> >>>> 11:19:16.369634 IP 192.168.10.40.60924 > 192.168.10.100.11443: Flags >>>> [S], seq 292171178, win 8192, options [mss 1460,nop,wscale >>>> 8,nop,nop,sackOK], length 0 >>>> 11:19:16.369662 IP 192.168.10.100.11443 > 192.168.10.40.60924: Flags >>>> [S.], seq 3088872007, ack 292171179, win 65535, options [mss >>>> 1460,nop,wscale 6,sackOK,eol], length 0 >>>> >>>> Which won't work because the internal box got and sent this: >>> What is the NAT command running at instance 100? >>> Does it have an -alias_address of inside IP of router? >>> Are you tryint to use the same Nat instance to do both >>> the global internet acess translation and this special >>> inside loop back translation? If so that usually can >>> not be made to work. >> Aha. That's probably the problem -- I need a second instance. >> >> Here's the entire salient section: >> >> >> # Set up the NAT configuration; there are multiple entries that have to >> be here >> # because we redirect a bunch of ports around so we can see things from the >> # outside -- specifically, webcams and the HomeDaemon server. >> # >> ${fwcmd} nat 100 config ip ${oip} log same_ports reset >> redirect_port tcp.... (whole bunch of stuff) >> >> # >> # Stop spoofing >> # >> ${fwcmd} add 2010 deny log all from ${inet} to any not ipsec in >> via ${oif} >> ${fwcmd} add 2020 deny log all from ${onet} to any in via ${iif} >> if [ -n "$inet6" ]; then >> ${fwcmd} add 2040 deny all from ${inet6} to any in via >> ${oif6} >> if [ -n "$onet6" ]; then >> ${fwcmd} add 2050 deny log all from ${onet6} to >> any in \ >> via ${iif6} >> fi >> fi >> >> ${fwcmd} add 3000 deny log all from ${onet} to any recv ${iif} >> >> # >> # This table is a list of denied addresses that tried to attack us. Updated >> # by sshguard. Anything coming inbound from the outside is blocked. We >> also >> # block anything on the "screw you" lists (two) >> # >> ${fwcmd} add 4000 deny log all from table\(22\) to any recv ${oif} >> ${fwcmd} add 4010 deny all from any to ${foscam} >> ${fwcmd} add 4020 deny log all from ${china} to any via ${oif} >> # >> # Anything related to RFC1918 or the Manning range that comes in on >> # the external interface (shouldn't happen) gets tossed immediately, EXCEPT >> # for RFC1918 stuff coming in via IPSEC. That we must pass or our IPSEC >> # gateway will not work. >> # >> ${fwcmd} add 5000 deny log all from ${rfc1918} to any not ipsec >> recv ${oif} >> ${fwcmd} add 5010 deny log all from ${manning} to any recv ${oif} >> >> # >> # Now divert all inbound packets that should go through NAT. Since this >> is NAT >> # it can only match a packet that previously was NATted on the way out. >> # >> ${fwcmd} add 6000 nat 100 ip4 from any to me recv ${oif} >> # >> # Check stateful rules; we want to go there directly if there is a match >> # >> ${fwcmd} add 7000 check-state >> # >> # Now pick up all *outbound* packets that originated from an inside address >> # (including IPSEC tunneled stuff) and put them through NAT. We $then have >> # a packet with a local source address and we can allow it to be sent. >> # Therefore, if the packet is outbound let it pass and be done with it. >> # >> ${fwcmd} add 8000 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif} >> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to ${oip} >> ${fwcmd} add 8009 deny log ip4 from 192.168.0.0/16 to any xmit >> ${oif} >> ${fwcmd} add 8010 pass ip4 from ${onet} to any xmit ${oif} >> >> From the above I assume I need to direct 8001 through a nat 200, and >> define that as "twist anything that comes through there to be aliased >> from the INTERNAL IP address", yes? >> >> So I changed the above to be this: >> >> ${fwcmd} add 8000 nat 200 ip4 from 192.168.0.0/16 to ${oip} >> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif} >> >> So the first one would catch any inside packet that was headed to the >> outside IP before the other gets ahold of it. > What is your net.inet.ip.fw.one_pass set to? 0. (This config on the host IS working generally for NAT) > > Are we getting counts on rule 8000 from a ipfw -a list 8000? Yes. >> And added: >> >> ipfw nat 200 config ip ${iip} same_ports reset >> >> Up above for the second NAT channel; "iip" is the gateway's internal IP >> address. > Yep yep, that looks good. > >> But that winds up doing nothing; I get no packets back out on the inside >> interface at all (just as if the "200" nat stuff was not there at all) > Lets see if there are packets matching the rule, and if so maybe add log to > the rule, > and add a log rule after it to catch what the packets may look like after > that nat. > You may also be falling on down and denying the packet it some future rule, > like > a keep state rule???? Don't think so. There's a rule right under it that should pass it (and thus terminate.) > It is almost impossible to remotly debug this type of stuff without a > complete and full picture of all elements involved. > As a minimum: > ifconfig -a > ipfw -a list > sysctl net.inet.ip.fw.one_pass > sysctl net.inet.ip.forwarding > > I know this can be made to work, I think even dd-wrt has it right.... > And here is a good jumping off point from a very quick google: > http://www.nycnetworkers.com/real-world/nat-reflectionnat-loopbacknat-hairpinning/ > root@IPGw:/usr/local/etc # ifconfig -a lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 inet 127.0.0.1 netmask 0xff000000 groups: lo nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=80009<RXCSUM,VLAN_MTU,LINKSTATE> ether b8:27:eb:4e:88:64 inet 192.168.10.200 netmask 0xffffff00 broadcast 192.168.10.255 media: Ethernet autoselect (100baseTX <full-duplex>) status: active nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE> ether 00:50:b6:5d:1d:9f inet 70.169.168.7 netmask 0xffffff80 broadcast 70.169.168.127 media: Ethernet autoselect (100baseTX <full-duplex>) status: active nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> ue0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 ether b8:27:eb:4e:88:64 inet 192.168.4.200 netmask 0xffffff00 broadcast 192.168.4.255 groups: vlan vlan: 3 vlanpcp: 0 parent interface: ue0 media: Ethernet autoselect (100baseTX <full-duplex>) status: active nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@IPGw:/usr/local/etc # ipfw -a list 00100 14 1042 allow ip from any to any via lo0 00200 0 0 deny log ip from any to 127.0.0.0/8 00300 0 0 deny log ip from 127.0.0.0/8 to any 00400 0 0 deny log ip from any to ::1 00500 0 0 deny log ip from ::1 to any 02000 0 0 allow ip from 192.168.100.1 to any in via ue1 02010 0 0 deny log ip from 192.168.0.0/16 to any not ipsec in via ue1 02020 0 0 deny log ip from 70.169.168.0/25 to any in via ue0 03000 0 0 deny log ip from 70.169.168.0/25 to any recv ue0 04000 0 0 deny log ip from table(22) to any recv ue1 04010 0 0 deny ip from any to 114.215.179.104,122.226.84.253,122.248.234.207,167.206.87.147,168.1.83.89,175.41.238.100,176.58.116.160,202.96.134.133,203.143.89.106,220.181.111.147,23.234.53.61,23.234.53.67,46.137.188.54,50.19.254.134,50.7.114.59,50.7.124.48,50.7.176.18,50.7.235.90,50.7.44.82,61.188.37.216,68.192.249.119,74.125.31.99 04020 0 0 deny log ip from 218.90.0.0/16,218.91.0.0/16,218.92.0.0/16,218.93.0.0/16,218.94.0.0/16 to any via ue1 05000 0 0 deny log ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any not ipsec recv ue1 05010 0 0 deny log ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any recv ue1 06000 8726 10333291 nat 100 ip4 from any to me recv ue1 07000 0 0 check-state :default 08000 21 1064 nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7 08001 4834 264258 nat 100 ip4 from 192.168.0.0/16 to any xmit ue1 08009 0 0 deny log ip4 from 192.168.0.0/16 to any xmit ue1 08010 4836 264410 allow ip4 from 70.169.168.0/25 to any xmit ue1 08011 0 0 allow log ip from 192.168.10.200 to 192.168.0.0/16 dst-port 2552 08020 5374 306553 allow ip from 192.168.0.0/16 to any recv ue0 08030 2 104 allow ip from 192.168.4.0/25 to any recv ue0.3 08500 0 0 deny log ip from 192.168.0.0/16 to any xmit ue1 09000 17823 20712366 allow ip from any to 192.168.0.0/16 22000 0 0 allow tcp from any to any established 22700 0 0 allow tcp from any to me dst-port 2200 setup 22710 0 0 allow tcp from any to me dst-port 22 setup 22800 0 0 allow icmp from any to me 23100 0 0 allow udp from any to me dst-port 33434-34000 23110 0 0 allow udp from any 33434-34000 to me 23410 0 0 allow udp from any to me dst-port 53 23420 0 0 allow udp from me 53 to any 23430 4 545 allow udp from any 53 to me 23500 0 0 allow tcp from any to 192.168.1.214 dst-port 8080 setup 23510 0 0 allow tcp from any to 192.168.4.210 dst-port 443 setup 23520 0 0 allow tcp from any to 192.168.4.211 dst-port 443 setup 23530 0 0 allow tcp from any to 192.168.4.211 dst-port 554 setup 24430 0 0 allow udp from any 123 to me dst-port 123 24500 0 0 allow udp from any to me dst-port 500 24510 0 0 allow udp from me 500 to any 24520 0 0 allow udp from any to me dst-port 4500 24530 0 0 allow udp from me 4500 to any 24600 46 2760 deny tcp from 192.168.4.211 to any dst-port 80 setup 29999 5 272 deny log ip from any to any 65535 2603 379766 deny ip from any to any onepass is 0, forwarding is 1 of course. root@IPGw:/usr/local/etc # sysctl -a|grep forwarding net.inet.ip.forwarding: 1 net.inet6.ip6.forwarding: 0 root@IPGw:/usr/local/etc # sysctl -a | grep one_pass net.inet.ip.fw.one_pass: 0 If it matters this is running on -HEAD (it's running on a PI3, so -HEAD is a mandate at this point.) The 0.3 interface is a VLAN for things that I have DMZd off so they can't play "send back data to poppa and scan the LAN" games (think consumer appliances.) Line 8000 does have packets that match. There IS a "check-state" right above it, but that shouldn't kill the output side -- and I moved it to 10000 (below the pass lines) without effect, just in case it was. NAT is working perfectly well for someone on the internal network but connecting to something outside on the Internet and the "hole punches" for a connection outside to the interior host work as well. Note that the line 8011, which SHOULD trap a "telnet 70.169.168.7 2552" from the inside network (and which DOES generate the packet counts on line 8000) does NOT register counts nor log anything, so whatever is nailing it it's happening before it gets there -- which is why I'm confused here. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature