Hello everyone, I'm a new FreeBSD user and I'd like to activate port forwarding for 2 services (pop3 & https) from my A host (which handles other services on other ports), to some other hosts that I'll call B and C from now on, respectively.
The situation is similar to the following (please forgive my sloppy ASCII art):
Code:
...................../---\ .................
..Internet -->.......| G.| .................
.....................\___/......x.x.x.0 net.
...................... \....................
........................\...................
.........../---\......../---\........./---\.
...........| C.|..<--...| A.|...-->...| B.|.
...........\___/...80...\___/...110...\___/.
............................................
..............\--- 192.168.0.x net ---/....
So far all services were given out by host A; I am now switching certain services to hosts B and C, but for different reasons I'm in the position where I can not simply ask my users to change the IP of the server they're using.
So, I have the "gateway" in my draft, which is actually the host currently dishing out services with external IF bge0, IP xx.xx.xx.248 and internal IF lagg0, IP 192.168.41.48; hosts B and C are both Linux boxes and have IP addresses 192.168.41.50 and 192.168.41.40 respectively. All hosts are both on the 192.168.41.0 network (private) and on the xx.xx.xx.0 network, which exposes them to the internet through a gateway, which I'll call G.
I'd like to send requests directed to A on port 80 and 110 to hosts B and C while customers update their configurations for the 2 new IPs.
After reading some documentation online (in particular http://snipurl.com/pl80g and http://snipurl.com/pl81h), I have done the following:
1] enabled forwarding support in A, through sysctl:
Code:
belfast# sysctl -a | grep forward
kern.smp.forward_roundrobin_enabled: 1
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 1
and put gateway_enable="YES" in my /etc/rc.conf file, so that forwarding support will be active after a reboot.
2] added the following rules to my pf.conf in A
NAT Rules Section:
Code:
rdr on $public_if proto tcp from any to xx.xx.xx.248 port 110 -> $popper port 110
rdr on $public_if proto tcp from any to xx.xx.xx.248 port 80 -> $webserver port 80
FILTERING Section:
Code:
pass in on $public proto tcp from any to $public port 110
pass in on $public proto tcp from any to $public port 80
and then reloaded pf rules with pfctl -f.
The problem is that when I try to connect to A, on both ports 80 and 110, I get no valid responses; nmap from an external box moreover shows both ports in state filtered.
If I do telnet/lynx... from my host A to B and C, I am able to reach and use the services they provide, though; moreover, tcpdump shows traces of connections on those hosts when I try to connect from another box through the redirection, even though, in the end, I get no access to the services.
Code:
17:56:35.579510 IP REMOTEIP.m3ua > 192.168.41.54.http: S 385207113:385207113(0) win 65520 <mss 1260,nop,nop,sackOK>
17:56:41.574961 IP REMOTEIP.m3ua > 192.168.41.54.http: S 385207113:385207113(0) win 65520 <mss 1260,nop,nop,sackOK>
Routing is configured like this on my C host (similar configuration holds for B) and I suspect it might have something to do with my problem:
Code:
[root@dallas tmp]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.41.0    *               255.255.255.0   U     0      0        0 eth0
x.x.x.0         *               255.255.224.0   U     0      0        0 eth2
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         other-gateway   0.0.0.0         UG    0      0        0 eth2
I have spent the whole day documenting myself on pf, but I confess I am no network wizard and I'm sure I have left out some important detail.
I'd REALLY appreciate if some FreeBSD Guru could be so kind to give me some hint on this.
Thank you in advance,
Steve
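Added example, not part of Steve's post: one way to write the pf.conf for host A so that both the inbound redirection and the return path go through A. The macro names (ext_if, int_if, public, webserver, popper) are assumptions, the post's xx.xx.xx.248 is kept as a placeholder that must be replaced with the real address before loading, and the internal addresses are the ones from the post (C = 192.168.41.40 takes port 80, B = 192.168.41.50 takes port 110). Two properties of this generation of pf shape the rules: rdr translation runs before the filter rules are evaluated, so a pass rule must name the internal host rather than A's public address; and because B and C default-route out of eth2 rather than back through A, a nat rule on the internal interface rewrites the client's source to A's address so that their replies return through A, which undoes both translations.

```pf
# Example pf.conf for host A (added example, not the poster's configuration).
# Macro names are assumptions; "xx.xx.xx.248" is a placeholder from the post
# and pfctl will reject it until the real public address is filled in.
ext_if    = "bge0"            # public side, from the post
int_if    = "lagg0"           # private side, from the post
public    = "xx.xx.xx.248"    # A's public address (placeholder)
webserver = "192.168.41.40"   # host C, now serving port 80
popper    = "192.168.41.50"   # host B, now serving port 110

# Translation: rewrite the destination of inbound connections to A.
rdr on $ext_if proto tcp from any to $public port 80  -> $webserver port 80
rdr on $ext_if proto tcp from any to $public port 110 -> $popper port 110

# Return path: B and C default-route via eth2, not via A. Rewriting the
# client's source to A's internal address makes them answer A, and pf's
# state table then maps the reply back to the real client.
nat on $int_if proto tcp from any to $webserver port 80  -> ($int_if)
nat on $int_if proto tcp from any to $popper    port 110 -> ($int_if)

# Filtering runs after rdr, so the pass rules name the internal hosts,
# not A's public address.
pass in  on $ext_if proto tcp from any to $webserver port 80  flags S/SA keep state
pass in  on $ext_if proto tcp from any to $popper    port 110 flags S/SA keep state
pass out on $int_if proto tcp from any to { $webserver, $popper } keep state
```

Syntax-check with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -sn lists the translation rules as parsed and pfctl -ss shows the state entries, which should appear for both the external and the internal leg once a client connects. The cost of the nat rule is that B and C see every client as 192.168.41.48, so their own access logs no longer record real client addresses; if that matters, the alternative is to make A's internal address the default gateway of B and C so that replies return through A without source rewriting.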