[Solved] How to redirect public IP to jail IP

fred974

Daemon

Reaction score: 49
Messages: 1,628

Hi guys,

I am scratching my head trying to create pf rules to redirect my external public IPs to my jail IPs.
I have been given 8 IP addresses, of which 5 are usable: 96.205.75.242/29
Code:
96.205.75.242 255.255.255.248 Subnet Address
96.205.75.243 255.255.255.248 Default Gateway
96.205.75.244 255.255.255.248
96.205.75.245 255.255.255.248
96.205.75.246 255.255.255.248
96.205.75.247 255.255.255.248
96.205.75.248 255.255.255.248
96.205.75.249 255.255.255.248 Broadcast Address
I have used my first IP 96.205.75.244 to connect my Dell iDRAC remote access and set my network in my /etc/rc.conf file as follows:
Code:
hostname="FreeBSD.mydomain.co.uk"
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_activate_all_interfaces="NO"
ifconfig_bce0="inet 96.205.75.245 netmask 255.255.255.248"
defaultrouter="96.205.75.243"

### Jail network interface aliases ###
cloned_interfaces="${cloned_interfaces} lo1"
ipv4_addrs_lo1="10.8.20.10-49/29"
As far as my jails are concerned, I use iocage and the jails have been created using
Code:
iocage create tag=webjail.mydomain.co.uk ip4_addr="lo1|10.8.20.10"
iocage create tag=mailjail.mydomain.co.uk ip4_addr="lo1|10.8.20.11"
Now I want to redirect my public IP 96.205.75.245 to my webjail IP 10.8.20.10
How can I achieve this using pf?
As I NEVER managed to get this setup working, I have changed the IP address of my jail to
Code:
iocage set ip4_addr="bce0|96.205.75.245" <bignumber>
So my webjail has currently got my public IP 96.205.75.245.
Using the /etc/pf.conf rules below, I have a working web server, but this is not what I want, as using OpenVPN is not easy with that setup.
/etc/pf.conf
Code:
################ Macros ###################################
### Interfaces ###
ExtIf   = "bce0"
JailIf  = "lo1"

### Hosts ###
#WebProxy    = "10.8.20.10"
WebProxy    = "96.205.75.245"


### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/UAPRSF synproxy state"
TcpState ="flags S/UAPRSF modulate state"
UdpState ="keep state"


### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
#table <spamd-white>
#table <BLACKLIST> persist persist "/etc/pf-files/blacklist.zone"
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
                    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub     log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT all jail traffic
nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)

# Hiawatha web proxy server
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> $WebProxy
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> $WebProxy

# Anchors
nat-anchor "openvpn"
rdr-anchor "openvpn"

# DENY rogue redirection
#no rdr

################ Filtering ###################################################
# Filter rules are last match unless marked "quick". Rules are ordered so the
# external interface is handled first, followed by the internal interface.

### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from                     <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }
anchor "openvpn"

### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6

### $ExtIf inbound
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy      port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy      port www   $TcpState $WebSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED>      to $ExtIf         port ssh   $TcpState $SshSTO

### $ExtIf outbound
pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO

Thank you in advance
 

scottro

Daemon

Reaction score: 969
Messages: 2,121

If I get your question (heh, sounds like those poor English-speaking help desks), you want to redirect your public IP on 80 and 443 to your private IP. I cover this slightly on my page https://srobb.net/pf.html.

Something like this?
Code:
IP_PUB="5.6.7.8"
NETJAIL="192.168.1.1"
WEBPORT="{ 80, 443 }"

scrub in all
nat pass on bce0 proto tcp from $NETJAIL to any -> $IP_PUB  [1]
rdr pass on bce0 proto tcp from any to $IP_PUB port $WEBPORT -> $NETJAIL

[1] This allows things from the jail to go out through the public interface, in case that wasn't clear. It may not even be necessary.
 
fred974 (OP)

Hi scottro ,
Do I need to add the public IPs into /etc/rc.conf or is it dynamic?
 

scottro

You'd have to adapt it to your situation. I made up addresses there, and as the page mentions, that would be if I have a public IP and created private ones by cloning lo1.

If you have address A as the outside and address B as the inside, you substitute those for IP_PUB and NETJAIL or whatever you want to call them. If the outside address changes (though even with dynamic addresses, that isn't that frequent), you may have to modify the value of IP_PUB when it changes. (To be honest, I've never used it in that sort of situation, so I'm not sure.)
 
fred974 (OP)

scottro ,
I have changed my /etc/rc.conf to
Code:
## Set gateway
ifconfig_bce0="inet 96.205.75.245 netmask 255.255.255.248"
defaultrouter="96.205.75.243"

## Declare ExtIF public IPs
ifconfig_bce0_alias0="inet 96.205.75.246 netmask 255.255.255.255"
ifconfig_bce0_alias1="inet 96.205.75.247 netmask 255.255.255.255"
ifconfig_bce0_alias2="inet 96.205.75.248 netmask 255.255.255.255"

### Jail network interface aliases ###
cloned_interfaces="${cloned_interfaces} lo1"
ipv4_addrs_lo1="10.8.20.10-49/29"
Now, since all my public IPs are on the same bce0 interface, will the following be OK?
Code:
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> $WebProxyIntIf
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyIntIf      port https $TcpState $WebSTO
Or is this one better:
Code:
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($WebProxyExtIf) port http -> $WebProxyIntIf
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyExtIf      port www   $TcpState $WebSTO
 

scottro

Again, I'm not an expert on this; hopefully someone with more knowledge will step in, but I would try to make it as simple as possible at first. Use one address for external and one for an internal web server and see if you can get that working. I've only done it in a very simplified way, with, say, one external address and perhaps two internal, one doing web and one doing MySQL.
 

wblock@

Beastie Himself
Developer

Reaction score: 3,779
Messages: 13,851

I don't understand the logic of giving the jails public IP addresses. If the request comes in from the gateway, that seems pretty pointless. Give them private addresses and let the redirect send outside traffic to them.
And then there is assigning non-loopback addresses to the lo1 interface. I really don't understand that.
 
fred974 (OP)

Hi wblock@
I am learning it all as I go...
My logic in giving a public IP is to make sure the FreeBSD host is not known to the public.
So ping mydomain.com will not return the FreeBSD host IP but the web proxy, which in turn redirects to the internal IP.
I also have a production mail server in a jail, and that requires a public IP.

But I am willing to listen and learn from others why my logic is wrong, so any advice is welcome.

I modified the code from calomel.org to get my system running.
Please get back to me
 

wblock@

Looking back at the first message, you do actually have outside addresses. It is really hard to tell what you are trying to do.

Let's solve some basic problems first. lo0 or lo1 or whatever are loopback interfaces, supposed to have addresses in the 127.0.0.0/8 range. Using them for anything else is likely to be a problem.

Do you want the five outside IP addresses to do different things, or to just ignore them and have all traffic come to .245? This is nothing to do with a web proxy, which is a whole other level of complication and inconvenience.

So: please state exactly what you want the system to do.
 

scottro

wblock@ the first part isn't, to my knowledge, that uncommon. Say we have a public interface, 1.2.3.4 on bce0. Then one creates a private IP. This page talks about doing it with a single instance.
http://kbeezie.com/freebsd-jail-single-ip/ and that's not the only place I've seen such a howto.

We've used such a method from public to private IPs, with said IPs being cloned on lo1, without any issues. (Not very heavy traffic though.)
 

wblock@

Hmm. Okay, so lo1 is being used as a loopback, but with the internal LAN address. Just to make sure, is the intent to have the five public addresses actually be used for different jails?
 

scottro

In the OP's case, I don't know. I have done it in the past (with one as a web server and one as a MySQL server.) I never really looked into how one would redirect with pf or haproxy to several different jails if they were all being used for the same thing.
 
fred974 (OP)

"is the intent to have the five public addresses actually be used for different jails"
"please state exactly what you want the system to do."

OK, let me be more specific.
I use FreeBSD 10.2 with ZFS to host web services for Joomla, Magento and WordPress, and each domain is hosted inside its own jail.
So we currently have 8 jails for 8 different domains.

The server has 5 main server jails:
* Webserver/proxy
* Mysql Server
* Email Server
* FTP Server

The web proxy is used as the public entry point, and it then dispatches the domains to the correct jail.
The FTP server is used purely as mount points for the www directories via nullfs(5).

What I would like to do is set the following IPs
Code:
96.205.75.245 # FreeBSD Host / gateway(no rdr)
96.205.75.246 # Mail Server rdr to jail 10.8.20.10
96.205.75.247 # Web proxy rdr to jail 10.8.20.11
96.205.75.248 # Ftp Server rdr to jail 10.8.20.12
The reason behind it is so third parties can FTP to a different IP address than my FreeBSD host and nobody is aware of the host details.

lo1 is being used as a loopback for the jail
Code:
cloned_interfaces="${cloned_interfaces} lo1"
ipv4_addrs_lo1="10.8.20.10-49/29"
wblock@ I hope to have provided all the info you need to understand my setup.

I will provide any more info you require.

Thank you
Fred
 
fred974 (OP)

Hi everyone,
My last attempt to get my public IP redirected to my jail IP is
Code:
rdr on $ExtIf inet proto tcp from  !($ExtIf) to $WebProxyExtIf port http -> $WebProxyIntIf
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyExtIf port www   $TcpState $WebSTO
but that's not working either.
I am really sorry to bug you all, but I'm getting desperate to solve this problem.

Any help from anyone is welcome
 
fred974 (OP)

... and many days and many tests later I finally got it working.
So I am updating this post for other people in the same situation.

The pass rule needs to point to the internal jail IP.
The redirect rule will translate the external IP, WebProxyExtIf, to the internal IP, WebProxyIntIf.
The pass rule would then accept the connection from any IP not on ExtIf to the jail IP, WebProxyIntIf.

Code:
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($WebProxyExtIf) port http -> $WebProxyIntIf
pass in log on $ExtIf inet proto tcp  from !($ExtIf) to $WebProxyIntIf


Hope this helps!
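Pulling together scottro's nat/rdr pattern and the rule that finally worked, here is a complete ruleset for the three public aliases the thread lists (mail on .246, web proxy on .247, FTP on .248, each redirected to a jail on lo1). This is an added example, not the configuration from the thread or from calomel.org; the addresses are the ones posted above, while the port lists, the FTP passive range and the per-jail outbound NAT are assumptions to adjust to what each jail actually serves.

```pf
# Added example: one public alias per jail on bce0, each redirected to a jail
# address on lo1. Assumes the rc.conf from the thread (bce0 = .245 plus aliases
# .246-.248, jails on lo1 10.8.20.x).
ExtIf    = "bce0"
JailIf   = "lo1"

MailPub  = "96.205.75.246"
MailJail = "10.8.20.10"
WebPub   = "96.205.75.247"
WebJail  = "10.8.20.11"
FtpPub   = "96.205.75.248"
FtpJail  = "10.8.20.12"

# Port lists are assumptions; trim them to what each jail really listens on.
MailPorts = "{ smtp, submission, imaps, 465 }"
WebPorts  = "{ http, https }"
FtpPorts  = "{ ftp, 50000:50100 }"   # passive range the FTP daemon must be configured for

TcpState = "flags S/UAPRSF modulate state"

set skip on lo          # group "lo" covers lo0 and the cloned lo1, so jail traffic is not filtered twice
set block-policy drop

scrub in on $ExtIf all fragment reassemble

# Outbound: NAT rules are first match. Each jail leaves from the public address
# it is published on; anything else on lo1 leaves from the host address.
nat on $ExtIf from $MailJail to any -> $MailPub
nat on $ExtIf from $WebJail  to any -> $WebPub
nat on $ExtIf from $FtpJail  to any -> $FtpPub
nat on $ExtIf from $JailIf:network to any -> ($ExtIf)

# Inbound: rdr matches the PUBLIC address and rewrites the destination to the jail.
rdr on $ExtIf inet proto tcp from any to $MailPub port $MailPorts -> $MailJail
rdr on $ExtIf inet proto tcp from any to $WebPub  port $WebPorts  -> $WebJail
rdr on $ExtIf inet proto tcp from any to $FtpPub  port $FtpPorts  -> $FtpJail

block in log on $ExtIf
antispoof quick log for $ExtIf inet

# Filtering runs AFTER translation, so pass rules name the JAIL address and the
# same port list. Nothing else reaches the jails from outside.
pass in log on $ExtIf inet proto tcp from any to $MailJail port $MailPorts $TcpState
pass in log on $ExtIf inet proto tcp from any to $WebJail  port $WebPorts  $TcpState
pass in log on $ExtIf inet proto tcp from any to $FtpJail  port $FtpPorts  $TcpState

# Does not work (the thread's earlier attempt): the destination has already been
# rewritten to the jail address, so a pass on the public address never matches.
#pass in on $ExtIf inet proto tcp from any to $WebPub port $WebPorts $TcpState
# Works but is too wide (the thread's final rule): every TCP port on the jail,
# not only the ones the rdr exposes.
#pass in on $ExtIf inet proto tcp from any to $WebJail

pass out on $ExtIf inet proto tcp from ($ExtIf) to any $TcpState
pass out on $ExtIf inet proto { udp icmp } from ($ExtIf) to any keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it, then pfctl -sn to see the translation rules and pfctl -ss to confirm that states are created against the jail address rather than the public one; a failed attempt shows up as blocked packets on pflog0 whose destination is already 10.8.20.x. FTP needs more than the firewall: the daemon inside the jail has to advertise the public address in its PASV replies and confine itself to the range opened here, or data connections will fail. Because the mail jail now leaves from .246, reverse DNS and SPF for the mail domain should point at that address, not at the host's .245.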
 