[Solved] pf redirect for jail

falkman · #1 May 18th, 2012, 07:23

I'm simply trying to redirect all incoming traffic on port 23 to port 23 on one of my jails.

I have my current IP of my host 192.168.1.64, and the IP of my jail 192.168.1.65. I have SSH running on the host on port 22, and SSH on the jail running on port 23. My goal is to make it possible to connect to the jail's SSH via 192.168.1.64.

Here's my attempt:

rc.conf

Code:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"

pf.conf

Code:

rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

How far off am I? I belong in the kernel, this networking stuff feels like a rats-nest (hopefully I learn soon).

Solution: Connect remotely, not locally. pf does not modify local connections, it must enter through the interface.

-Brandon

val · #2 May 18th, 2012, 13:39

You need separate pass rule or pass directive in rdr rule.

falkman · #3 May 18th, 2012, 16:38

I tried

Code:

rdr pass on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

With no luck. Perhaps I'm not using pass properly?

-Brandon

bbzz · #4 May 18th, 2012, 17:32

First time was right. But you still need translation the other way.

falkman · #5 May 18th, 2012, 18:50

Ohhh, so I need it both ways... that makes sense.

Something like?

Code:

rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23
rdr on wlan0 inet proto { tcp, udp } from 192.168.1.65 port 23 to any \
        -> 192.168.1.64 port 23

I'm so confused. Man I feel stupid. One of these days I will understand networking.

-Brandon

bbzz · #6 May 18th, 2012, 19:34

Actually, you shouldn't need since its same interface/subnet.

And source IP translation is done with nat command in pf.

What exactly in not working? Are you permitting packets to specific IP? Address translation is one thing, and filtering is another.

falkman · #7 May 18th, 2012, 19:37

What should I do then? The issue is that I have port 23 open on my router, but only for 192.168.1.64. I also do not have access to my router, so I need it make it pass through. Does that make sense?

-Brandon

bbzz · #8 May 18th, 2012, 19:45

Ah, I see. Try adding this then:

First, make sure you are permitting traffic explicitly to 192.168.1.64 AND 192.168.1.65 for ssh (pass). Then if that doesn't do it add this:

Code:

nat on wlan0 from 192.168.1.65 to any -> (wlan0:0)

falkman · #9 May 18th, 2012, 19:50

I tried that with no luck

. I'm able to ssh into my jail with ssh 192.168.1.65 -p 23 however I get 'connection refused' with ssh 192.168.1.64 -p 23

-Brandon

bbzz · #10 May 18th, 2012, 19:53

And you have rule that permits traffic explicitly to 192.168.1.64 port 23?

falkman · #11 May 18th, 2012, 19:55

I don't have any sort of firewall, and it's all open on my router if that's what you're saying.

-Brandon

bbzz · #12 May 18th, 2012, 20:02

Ok, you lost me now. You said you have router sitting before your computer which port-forwards 192.168.1.64 port 23 in. How did you connect then using IP 192.168.1.65? Where are you connecting from?

Moreover, what does you last post mean, you don't have firewall and it's all open on your router?

Communication breakdown

Anyway, can you post your /etc/pf.conf.

falkman · #13 May 18th, 2012, 20:04

I connected on the box itself, from the host to the jail (nothing went through the router).

Code:

# cat /etc/pf.conf
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

nat on wlan0 from 192.168.1.65 to any -> (wlan0:0)

# cat /etc/rc.conf
hostname="localhost"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
wlans_ath0="wlan0"
ifconfig_wlan0="inet 192.168.1.64 netmask 255.255.255.0 ssid xxx wepmode on weptxkey 1 wepkey xxx"
defaultrouter="192.168.1.1"
dbus_enable="YES"
hald_enable="YES"
linux_enable="YES"

jail_enable="YES"
jail_list="ryan"

jail_ryan_interface="wlan0"
jail_ryan_rootdir="/jails/ryan"
jail_ryan_hostname="ryan"
jail_ryan_ip="192.168.1.65"
jail_ryan_devfs_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"

This is just my personal computer, so there's really nothing sophisticated on this setup.

bbzz · #14 May 18th, 2012, 20:37

Redirection and filtering only works as packets enter an interface. Locally initiated connections are not subject to these rules.

falkman · #15 May 18th, 2012, 20:40

Well that's embarrassing, connected remotely and it works.

bbzz · #16 May 18th, 2012, 20:42

Hehe, as long as it works.

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[Solved] Failed to redirect to jail outside host.	sixtydoses	Firewalls	4	March 2nd, 2012 10:53
[Solved] Problem with redirect	SacamantecaS	Firewalls	3	September 26th, 2011 09:58
IPFW Redirect	vpeleh	Firewalls	9	March 3rd, 2011 18:26
Redirect Traffic	kfarmer	Networking	3	February 11th, 2011 18:48
URL to redirect to is missing	nooobie123	Web & Network Services	1	October 4th, 2009 15:20