pf redirect for jail

I'm simply trying to redirect all incoming traffic on port 23 to port 23 on one of my jails.

My host's current IP is 192.168.1.64, and my jail's IP is 192.168.1.65. I have SSH running on the host on port 22, and SSH on the jail running on port 23. My goal is to make it possible to connect to the jail's SSH via 192.168.1.64.

Here's my attempt:

rc.conf
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"

pf.conf
Code:
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

How far off am I? I belong in the kernel; this networking stuff feels like a rat's nest (hopefully I learn soon).

Solution: Connect remotely, not locally. pf does not modify local connections; it must enter through the interface.

-Brandon
 
I tried

Code:
rdr pass on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

With no luck. Perhaps I'm not using pass properly?

-Brandon
 
Ohhh, so I need it both ways... that makes sense.

Something like?

Code:
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23
rdr on wlan0 inet proto { tcp, udp } from 192.168.1.65 port 23 to any \
        -> 192.168.1.64 port 23

I'm so confused. Man I feel stupid. One of these days I will understand networking.

-Brandon
 
Actually, you shouldn't need that, since it's the same interface/subnet.

And source IP translation is done with nat command in pf.

What exactly is not working? Are you permitting packets to the specific IP? Address translation is one thing, and filtering is another.
 
What should I do then? The issue is that I have port 23 open on my router, but only for 192.168.1.64. I also do not have access to my router, so I need to make it pass through. Does that make sense?

-Brandon
 
Ah, I see. Try adding this then:

First, make sure you are permitting traffic explicitly to 192.168.1.64 AND 192.168.1.65 for ssh (pass). Then if that doesn't do it add this:

Code:
nat on wlan0 from 192.168.1.65 to any -> (wlan0:0)
 
I tried that with no luck :\. I'm able to ssh into my jail with `ssh 192.168.1.65 -p 23`; however, I get 'connection refused' with `ssh 192.168.1.64 -p 23`.

-Brandon
 
I don't have any sort of firewall, and it's all open on my router if that's what you're saying.

-Brandon
 
Ok, you lost me now. You said you have a router sitting in front of your computer which port-forwards port 23 in to 192.168.1.64. How did you connect then using IP 192.168.1.65? Where are you connecting from?

Moreover, what does your last post mean, you don't have a firewall and it's all open on your router?

Communication breakdown :D

Anyway, can you post your /etc/pf.conf?
 
I connected on the box itself, from the host to the jail (nothing went through the router).

Code:
# cat /etc/pf.conf
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

nat on wlan0 from 192.168.1.65 to any -> (wlan0:0)

# cat /etc/rc.conf
hostname="localhost"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
wlans_ath0="wlan0"
ifconfig_wlan0="inet 192.168.1.64 netmask 255.255.255.0 ssid xxx wepmode on weptxkey 1 wepkey xxx"
defaultrouter="192.168.1.1"
dbus_enable="YES"
hald_enable="YES"
linux_enable="YES"

jail_enable="YES"
jail_list="ryan"

jail_ryan_interface="wlan0"
jail_ryan_rootdir="/jails/ryan"
jail_ryan_hostname="ryan"
jail_ryan_ip="192.168.1.65"
jail_ryan_devfs_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"

This is just my personal computer, so there's really nothing sophisticated on this setup.
 
Redirection and filtering only works as packets enter an interface. Locally initiated connections are not subject to these rules.
 
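The rules in this thread are syntactically fine; what the thread never shows side by side is the translation rule together with the filter rules that actually let the redirected packets through, plus the reason the local test fails. The pf.conf below is an added example written for this thread's addresses (host 192.168.1.64, jail 192.168.1.65, both on wlan0, jail sshd on port 23); it is not configuration posted by anyone in the thread. It assumes a default-deny policy on wlan0 (the original poster has no block rule, so that part is a choice, not something the thread requires) and only redirects TCP, since sshd does not listen on UDP.

```pf
# /etc/pf.conf -- added example for the setup in this thread (assumed addresses).
# Host 192.168.1.64 and jail 192.168.1.65 share wlan0; jail sshd listens on 23.
ext_if        = "wlan0"
host_ip       = "192.168.1.64"
jail_ip       = "192.168.1.65"
jail_ssh_port = "23"

# Host-to-host and host-to-jail traffic travels over lo0, never wlan0,
# so it is neither redirected nor filtered. That is why
# "ssh 192.168.1.64 -p 23" from the host itself is refused: the packet
# never enters wlan0, the rdr never matches, and nothing listens on
# 192.168.1.64:23.
set skip on lo0

# Translation: inbound TCP for the host's address on port 23 is rewritten
# to the jail's sshd before filtering. Packets entering wlan0 from the LAN
# (or via the router's port-forward) are the only ones that can match this.
rdr on $ext_if inet proto tcp from any to $host_ip port $jail_ssh_port \
        -> $jail_ip port $jail_ssh_port

# No nat rule is needed: the jail already has its own address on the same
# subnet, so its replies reach the LAN directly. gateway_enable (IP
# forwarding) is likewise not required, since the translated destination
# is a local address, not one behind another interface.

# Filtering (assumed default-deny on wlan0; blocked packets go to pflog0).
block in log on $ext_if
pass out on $ext_if keep state

# The filter sees the packet AFTER rdr has rewritten the destination, so
# the pass rule must name the jail's address, not the host's.
pass in on $ext_if inet proto tcp from any to $host_ip port 22            keep state
pass in on $ext_if inet proto tcp from any to $jail_ip  port $jail_ssh_port keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -s nat` and `pfctl -s rules` confirm what is active. Test from a different machine on the LAN with `ssh -p 23 192.168.1.64`; from the host itself the only test that can succeed is `ssh -p 23 192.168.1.65`, for the lo0 reason noted in the comments. If the remote test still fails, `tcpdump -n -e -ttt -i pflog0` shows whether the packets are being dropped by the block rule (which means the pass rule is wrong or names the pre-translation address) or never arrive at all (which points at the router's port-forward, not at pf).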