Can't connect on my jail prosody server except outside him

[torlik]

Hello,

Here my configuration :

+--------+---+---+ 10.0.0.0/24 +------------------+
|main server -   |             |jail with prosody |
|with xmpp client+-----+-------+server            |
|                |     |       |IP : 10.0.0.1/24  |
+----------------+     |       +------------------+
                       |                           
                       |                           
                       |                           
                       v                           
              NAT and Redirection with PF

I've a domain for my iP_PUB. I use this for my prosody's virtualhost. All works : anywhere i can connect with my prosody's account. But i have my xmpp client on my host server and i can't connect with my account :

Logfile of xmpp client (x.x.x.x my public ip)

ERROR:xmlstream:Could not connect to x.x.x.x:5222. Socket Error #61: Connection refused

if i try telnet anywhere :
telnet x.x.x.x 5222

Trying X
Connected to X
Escape character is '^]'.

On my host server :
telnet x.x.x.x 5222

Trying X...
telnet: connect to address X: Connection refused
telnet: Unable to connect to remote host

Here my pf rules :
/etc/pf.conf

#INTERFACES
ext_if="sis0"
int_if = "lo1"
jailnet = $int_if:network

# Name and IP of jails
PROSODY="10.0.0.1"

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port (xmpp) 5222 or 5269 to jailed prosody
rdr pass on $ext_if inet proto tcp to port 5222 -> $PROSODY port 5222
rdr pass on $ext_if inet proto tcp to port 5269 -> $PROSODY port 5269

# Open prosody's ports to external network
pass in on $ext_if proto { tcp } from any to $ext_if port 5222
pass in on $ext_if proto { tcp } from any to $ext_if port 5269

# ifconfig

sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
	ether 00:1c:c0xxx
	inet x.x.x.x netmask 0xffffff00 broadcast x.x.x.255 
	inet6 fe80::xxxx%sis0 prefixlen 64 scopeid 0x1 
	inet6 xxxxxx prefixlen 128 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 10.0.0.1 netmask 0xffffff00 
	inet 10.0.0.2 netmask 0xffffff00 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

netstat -r

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            vss-gw-6k.fr.eu    UGS         0 26753856   sis0
10.0.0.1           link#3             UH          0   173804    lo1
10.0.0.2           link#3             UH          0      336    lo1
x.x.x.x       link#1             U           0    12365   sis0
ns37xxx.ip-x.x- link#1             UHS         0   135700    lo0
localhost          link#2             UH          0    35208    lo0

How can i have open port 5222 too for my host server ?

Thank you all !

 

[junovitch@]

Re: Can't connect on my jail prosody server except outside h

Traffic from the host to the jail will use the loopback interface, which there are no rules assigned. For that matter, a bunch of host to host communication is on the loopback so filtering it usually means something breaks. This is the usual recommendation.

Add to /etc/pf.conf

set skip on lo

 

[torlik]

Re: Can't connect on my jail prosody server except outside h

Thanks to reply
I've add this line just before nat line.

Flush and reload PF, restart jail. Nothing changes :/

 

[junovitch@]

Re: Can't connect on my jail prosody server except outside h

I figured the skip would be enough. Allow outbound traffic maybe?
/etc/pf.conf

pass out

 

[torlik]

Re: Can't connect on my jail prosody server except outside h

I add this at the end of pf.conf

and again :

2014-08-03 04:30:29,078 ERROR:xmlstream:Could not connect to x.x.x.x:5222. Socket Error #61: Connection refused

and with telnet same. Outside it's ok yet.
pfctl -vnf /etc/pf.conf

ext_if = "sis0"
int_if = "lo1"
jailnet = "lo1:network"
PROSODY = "10.0.0.1"
set skip on { lo }
nat on sis0 inet from 10.0.0.0/24 to any -> (sis0) round-robin
nat on sis0 inet from 10.0.0.0/24 to any -> (sis0) round-robin
rdr pass on sis0 inet proto tcp from any to any port = xmpp-client -> 10.0.0.1 port 5222
rdr pass on sis0 inet proto tcp from any to any port = xmpp-server -> 10.0.0.1 port 5269
pass in on sis0 inet6 proto tcp from any to fe80::xxx port = xmpp-client flags S/SA keep state
pass in on sis0 inet6 proto tcp from any to fe80::2xx port = xmpp-server flags S/SA keep state
pass in on sis0 inet6 proto tcp from any to 2001:xxx:2:120a::1 port = xmpp-client flags S/SA keep state
pass in on sis0 inet6 proto tcp from any to 2001:xxx0:2:120a::1 port = xmpp-server flags S/SA keep state
pass in on sis0 inet proto tcp from any to x.x.x.x port = xmpp-client flags S/SA keep state
pass in on sis0 inet proto tcp from any to x.x.x.x port = xmpp-server flags S/SA keep state
pass out all flags S/SA keep state

 

[junovitch@]

Re: Can't connect on my jail prosody server except outside h

How about another service? What does this return when you sub in the address of the jail?
nc -n 127.0.0.1 22

SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420

We at least have a clue with the "connection refused" aspect. Anytime you see that you at least know the distant end is using a reject/return type policy that triggers an ICMP message back saying you can't access. The SSH banner grab is a way to check with another service/port.

Let's try this. Add a default policy type rule pf.conf. This will go first in your ruleset as last match will win and the behavior will be of that match. This is just like a catch all for anything you don't have rules for.

# rdr rules here
block log all
# pass rules here

Now run tcpdump -n -e -ttt -i pflog0 as shown in the examples section of the pflog() man page to see if that log rule is being it. If not, try to run a tcpdump -n -i lo1 while you do the connection to either port 22 or 5222 and post the result here.