[Solved] IPFW forwarding to my web server inside a jail: SYN_RCVD but no web page!

Hi there,

I've been trying and changing almost everything I could think of to make this work, so far without any success. I even asked Google(!), but no luck there. Sorry to ask, but would anybody please take a look at my configs and tell me what I am missing?

I have a piece of hardware at my provider's place and intend to use it for different purposes, though everything should only be installed in jails.

I can access any website from inside the jail and have already installed ports without difficulty. Then I installed lighttpd and php-fpm inside the jail as a web server, and I've got port 80 opened.

Cheers and thanks in advance,
A.

/etc/rc.conf:
Code:
# IPFW:
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="filename"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_quiet="NO"
gateway_enable="YES"
## NAT
natd_enable="YES"
natd_interface="re0"
natd_flags="-f /etc/natd.rules"

/etc/rc.conf.local:
Code:
ifconfig_re0="inet x.y.z.76 netmask 0xffffffe0 media 1000baseT mediaopt full-duplex"
defaultrouter="x.y.z.65"                        # Server from Provider
ifconfig_re0_ipv6="inet6 accept_rtadv"
ifconfig_re0_alias0="inet 10.0.1.1 netmask 0xffffff00"
ifconfig_re0_alias1="inet 10.0.1.2 netmask 0xffffff00"
ifconfig_re0_alias2="inet 10.0.1.3 netmask 0xffffff00"
ifconfig_re0_alias3="inet 10.0.1.4 netmask 0xffffff00"


ipfw list
Code:
00010 allow ip from any to any via lo0
00050 divert 8668 ip from any to any in via re0
00100 check-state
00110 skipto 800 tcp from any to any dst-port 37,43,67,119,25,110,53,80,443,2022 out via re0 setup keep-state
00112 skipto 800 icmp from any to any out via re0 keep-state
00114 skipto 800 tcp from any to xx.xx.xx.xx1 dst-port 53 out via re0 setup keep-state
00115 skipto 800 udp from any to xx.xx.xx.xx1 out via re0 keep-state
00116 skipto 800 tcp from any to xx.xx.xx.xx2 dst-port 53 out via re0 setup keep-state
00117 skipto 800 udp from any to xx.xx.xx.xx2 out via re0 keep-state
00118 skipto 800 tcp from any to xx.xx.xx.xx3 dst-port 53 out via re0 setup keep-state
00119 skipto 800 udp from any to xx.xx.xx.xx3 out via re0 keep-state
00130 skipto 800 udp from any to any dst-port 123 out via re0 keep-state
00140 skipto 800 log logamount 10 udp from any to any dst-port 67 out via re0 keep-state
00150 skipto 800 tcp from me to any out via re0 setup uid root keep-state
00299 deny log logamount 10 tcp from any to any out via re0
00300 deny ip from 192.168.0.0/16 to any in via re0
00301 deny ip from 172.16.0.0/12 to any in via re0
00302 deny ip from 10.0.0.0/8 to any in via re0
00303 deny ip from 127.0.0.0/8 to any in via re0
00304 deny ip from 0.0.0.0/8 to any in via re0
00305 deny ip from 169.254.0.0/16 to any in via re0
00306 deny ip from 192.0.2.0/24 to any in via re0
00307 deny ip from 204.152.64.0/23 to any in via re0
00308 deny ip from 224.0.0.0/3 to any in via re0
00315 deny tcp from any to any dst-port 113 in via re0
00320 deny tcp from any to any dst-port 137 in via re0
00321 deny tcp from any to any dst-port 138 in via re0
00322 deny tcp from any to any dst-port 139 in via re0
00323 deny tcp from any to any dst-port 81 in via re0
00330 deny ip from any to any frag in via re0
00335 deny tcp from any to any established in via re0
00350 allow tcp from any to me dst-port 80 in via re0 setup limit src-addr 4
00355 allow tcp from any to me dst-port 443 in via re0 setup limit src-addr 4
00410 allow tcp from any to me dst-port 2022 in via re0 setup limit src-addr 8
00420 allow icmp from any to any in via re0 icmptypes 0,3,8,11
00440 deny log logamount 10 ip from any to any in via re0
00450 deny log logamount 10 ip from any to any out via re0
00800 divert 8668 ip from any to any out via re0
00810 allow ip from any to any
00999 deny log logamount 10 ip from any to any
65535 deny ip from any to any

/etc/natd.rules:
Code:
dynamic yes
redirect_port tcp 10.0.1.1:80 80
redirect_port tcp 10.0.1.1:443 443

netstat -rfinet
Code:
Routing tables

Internet:
Destination         Gateway             Flags  Netif  Expire
default             static.65.82.9.5.c  UGS    re0
5.9.82.64/27        link#1              U      re0
static.76.82.9.5.c  link#1              UHS    lo0
10.0.1.0            link#1              U      re0
10.0.1.1            link#1              UHS    lo0
10.0.1.2            link#1              UHS    lo0
10.0.1.3            link#1              UHS    lo0
10.0.1.4            link#1              UHS    lo0
localhost           link#2              UH     lo0

BTW: I wasn't sure whether the problem is with the firewall or my routing, so I've posted here.
 
Well, nobody has taken a look yet, so I just wanted to say that yes, I have enabled forwarding in sysctl as well:
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.enable=1
net.inet6.ip6.fw.enable=1
net.inet.ip.fw.one_pass=1
net.inet.ip.fw.verbose_limit=10

What am I missing?...
 
Well, thanks to the post, I've finally solved the problem! Using kernel-based nat + tcpproxy solved the problem for me. And something else: since everything is blocked unless it is specifically opened, many of the rules were unnecessary. I've got rid of my /etc/natd.conf, and /etc/ipfw.rules changed to this one:
Code:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="re0"  # interface name of NIC attached to Internet
me="x.y.z.76"
ks="keep-state"
skip="skipto 800"
###########################################
# 25: SMTP, 37: Time, 43: Whois, 53: DNS
# 67: DHCP, 110: POP3, 119: NNTP, 80: HTTP
# 443: HTTPS, 2022: SSH, 123: NTP
###########################################
good_http="53,80,443"
good_mail="25,110"
good_tcpo="37,43,67,119,$good_mail,$good_http,2022"

ipfw -q nat 1 config if $pif unreg_only reset \
  redirect_port tcp 10.0.1.1:80 80 \
  redirect_port tcp 10.0.1.1:443 443

####################### Loopback Device
# No restrictions on Loopback Interface
$cmd 00002 fwd 127.0.0.1,50080 tcp from 10.0.0.0/16 to $me 80 in via lo0
$cmd 00010 allow all from any to any via lo0
$cmd 00050 deny ip from any to any not antispoof in
$cmd 00090 nat 1 ip from any to any in via $pif

# Dynamic state checking
$cmd 00100 check-state
$cmd 00110 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 00120 $skip icmp from any to any out via $pif $ks
$cmd 00150 $skip udp from any to any out via $pif $ks

####################### NIC - Internet
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif  #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif  #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif  #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif  #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif  #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif  #Class D & E multicast

####################### NIC - Incoming
# Allow HTTP connections to internal web server
$cmd 00350 $skip tcp from any to any 80 in via $pif setup limit src-addr 4
$cmd 00355 $skip tcp from any to any 443 in via $pif setup limit src-addr 4

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to $me 2022 in via $pif setup limit src-addr 8

$cmd 00420 $skip icmp from any to any in via $pif icmptypes 0,3,8,11

# Reject and log all other incoming connections
$cmd 00440 deny log all from any to any in via $pif
$cmd 00450 deny log all from any to any out via $pif

####################### Dynamic Rules
$cmd 00800 nat 1 ip from any to any out via $pif
$cmd 00810 allow ip from any to any

Now, next step, setting up my jails for different domains and using nginx as a proxy to do so.

Cheers,
A.
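Added example, not code from the thread: a small Python check that reads ipfw rules in `ipfw list` form and flags inbound `keep-state`/`limit` rules for a redirected port whose action is a plain `allow` instead of `skipto` the outbound nat/divert rule. It encodes my reading of why the first rule set stalled in SYN_RCVD: `check-state` performs the action of the rule that created the dynamic entry, so the jail's SYN-ACK from 10.0.1.1 was accepted at rule 100 and never reached the divert at 800. The sample rule lines are the thread's own (trimmed), and the redirected ports come from its natd.rules.

```python
import re
# Constructed samples: rule lines in 'ipfw list' form.  ORIGINAL is the thread's
# first rule set (jail web server stuck in SYN_RCVD); FIXED is what its final
# script installs (skipto 800 + kernel nat).  Unrelated rules are left out.
ORIGINAL = """\
00050 divert 8668 ip from any to any in via re0
00100 check-state
00350 allow tcp from any to me dst-port 80 in via re0 setup limit src-addr 4
00355 allow tcp from any to me dst-port 443 in via re0 setup limit src-addr 4
00410 allow tcp from any to me dst-port 2022 in via re0 setup limit src-addr 8
00800 divert 8668 ip from any to any out via re0
"""
FIXED = """\
00090 nat 1 ip from any to any in via re0
00100 check-state
00350 skipto 800 tcp from any to any 80 in via re0 setup limit src-addr 4
00355 skipto 800 tcp from any to any 443 in via re0 setup limit src-addr 4
00410 allow tcp from any to me 2022 in via re0 setup limit src-addr 8
00800 nat 1 ip from any to any out via re0
"""
REDIRECTED = {80, 443}  # from 'redirect_port tcp 10.0.1.1:80 80' and the :443 line
RULE = re.compile(r"^(\d+)\s+(allow|deny|check-state|skipto \d+|divert \d+|nat \d+)\s*(.*)$")
PORT = re.compile(r"(?:dst-port|to \S+)\s+(\d+)")  # 'dst-port 80' or 'to any 80'

def outbound_nat_rule(rules):
    """Number of the first nat/divert rule that handles outbound packets."""
    for line in rules.splitlines():
        m = RULE.match(line)
        if m and m.group(2).split()[0] in ("nat", "divert") and " out " in m.group(3):
            return int(m.group(1))
    return None

def unnated_state_rules(rules, redirected=REDIRECTED):
    """Inbound keep-state/limit rules for a redirected port whose action is not
    'skipto <outbound nat rule>'.  check-state runs the action of the rule that
    created the state, so 'allow' passes the jail's SYN-ACK un-NATed."""
    nat_out = outbound_nat_rule(rules)
    bad = []
    for line in rules.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        num, action, body = int(m.group(1)), m.group(2), m.group(3)
        stateful = "keep-state" in body or " limit " in body
        port = PORT.search(body)
        if (" in " in body and stateful and port
                and int(port.group(1)) in redirected and action != f"skipto {nat_out}"):
            bad.append(num)
    return bad
```

Run against the complete `ipfw list` output from the first post it flags exactly 350 and 355, the two rules the final script changed to `$skip`.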
 