PF Unable to DNAT to jail

All,
I have been fighting with this for a couple days now with no luck; I would greatly appreciate any help.

I have my server listening on 10.21.96.200 and my jails, which are run from within IOCage, are listening on 192.168.0.1/24.
I am able to telnet to 192.168.0.2 445 (samba) just to ensure that the port is open, but am unable to telnet to 10.21.96.200 port 445. I have tried various different setups, but I'm hoping that someone can help point me in the right direction. I am providing various configurations here in the hopes that they will be helpful.

Thanks,

pf.conf:
Code:
if="igb0"
addr="10.21.96.200"
samba_addr="192.168.0.2"
dlna_addr="192.168.0.3"
unbound_addr="192.168.0.4"

#port groupings
tcp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds 22}"
udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
samba_services="{netbios-dgm netbios-ns netbios-ssn microsoft-ds}"

set skip on lo
set loginterface $if
scrub in all

#allow jails through
nat on $if inet from $samba_addr to any tag jail_samba -> $addr
nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
#portforward to jails.
#unbound
rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
#samba
rdr pass on $if proto tcp from any to any port $samba_services -> $samba_addr
rdr pass on $if proto udp from any to any port $samba_services -> $samba_addr

#rules
pass quick on lo1
pass from igb0 to any keep state
#default policy: deny
antispoof quick for { $if lo }
block in all

#accept TCP ports.
pass in on $if proto tcp from any to any port $tcp_services
pass in on $if proto udp from any to any port $udp_services

rc.conf:
Code:
hostname="giraffe"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-9/29"
ifconfig_igb0="inet 10.21.96.200 netmask 0xffffff00"
defaultrouter="10.21.96.254"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
syslogd_flags="-c -ss"
pf_enable="YES"
pflog_enable="YES"
gateway_enable="yes"

IOCage samba properties:
Code:
interfaces:vnet0:bridge0,vnet1:bridge1
vnet:off
host_hostname:d85297a6-f118-11e5-8823-0cc47a73621c
hostname:lh-samba
ip4_addr:lo1|192.168.0.2
ip4_autostart:none
ip4_autoend:none
ip4_autosubnet:none
ip4_saddrsel:1
ip4:new
ip6_addr:none
ip6_saddrsel:1
ip6:new
defaultrouter:none
defaultrouter6:none
resolver:none
exec_fib:0
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
devfs_ruleset:4
mount_devfs:1
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_poststop:/usr/bin/true
exec_poststart:/usr/bin/true
exec_clean:1
exec_timeout:60
stop_timeout:30
exec_jail_user:root
exec_system_jail_user:0
exec_system_user:root
mount_fdescfs:1
mount_procfs:0
enforce_statfs:2
children_max:0
login_flags:-f root
securelevel:2
allow_set_hostname:0
allow_sysvipc:0
allow_raw_sockets:0
allow_chflags:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_socket_af:0
host_hostuuid:d85297a6-f118-11e5-8823-0cc47a73621c
memoryuse:8G:log
memorylocked:off
vmemoryuse:off
maxproc:off
cputime:off
pcpu:off
datasize:off
stacksize:off
coredumpsize:off
openfiles:off
pseudoterminals:off
swapuse:off
nthr:off
msgqqueued:off
msgqsize:off
nmsgq:off
nsemop:off
nshm:off
shmsize:off
wallclock:off
tag:samba
template:no
rlimits:off
boot:on
notes:none
owner:root
priority:99
last_started:2016-03-30_07:19:49
type:jail
hostid:00000000-0000-0000-0000-0cc47a73621c
cpuset:off
jail_zfs:off
jail_zfs_dataset:iocage/jails/d85297a6-f118-11e5-8823-0cc47a73621c/root/data
release:10.2-RELEASE
hack88:0
sync_stat:-
sync_target:none
sync_tgt_zpool:none
ftphost:-
ftpdir:-
gitlocation:https://github.com
branch:-
 
Redirection only works when packets travel through an interface. If you are on the host itself the packets never even touch the interface.
From pf.conf(5)
Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for connec-
     tions originating from the outside.  Connections to the address of the
     external interface from local hosts will not be redirected, since such
     packets do not actually pass through the external interface.  Redirec-
     tions cannot reflect packets back through the interface they arrive on,
     they can only be redirected to hosts connected to different interfaces or
     to the firewall itself.
 
Redirection only works when packets travel through an interface. If you are on the host itself the packets never even touch the interface.

Hello,
I understand that. From the host, I access the jails from their private addresses. From the network however, (my client to the host) I am still unable to connect to 10.21.96.200 445. I know that the port is open at 192.168.0.2 but it's not open externally. I haven't been able to figure that out.

Thanks,
 
Ah, right. As long as you're aware this needs to be tested from the outside.

I'm not sure this does what's expected:
Code:
rdr pass on $if proto tcp from any to any port $samba_services -> $samba_addr
rdr pass on $if proto udp from any to any port $samba_services -> $samba_addr

Can you post the output of pfctl -s nat? That will show the exact rules after they've been 'translated'.
 
Ah, right. As long as you're aware this needs to be tested from the outside.

I'm not sure this does what's expected:
Code:
rdr pass on $if proto tcp from any to any port $samba_services -> $samba_addr
rdr pass on $if proto udp from any to any port $samba_services -> $samba_addr

Can you post the output of pfctl -s nat? That will show the exact rules after they've been 'translated'.
This all looks normal; hopefully you can spot something. There are two rules: 53 (which accepts from any to addr) and samba, which is more open (any to any). Neither of these works.
Code:
nat on igb0 inet from 192.168.0.2 to any tag jail_samba -> 10.21.96.200
nat on igb0 inet from 192.168.0.3 to any tag jail_dlna -> 10.21.96.200
nat on igb0 inet from 192.168.0.4 to any tag jail_unbound -> 10.21.96.200
rdr pass on igb0 inet proto tcp from any to 10.21.96.200 port = domain -> 192.168.0.4 port 53
rdr pass on igb0 inet proto udp from any to 10.21.96.200 port = domain -> 192.168.0.4 port 53
rdr pass on igb0 inet proto tcp from any to any port = netbios-dgm -> 192.168.0.2
rdr pass on igb0 inet proto tcp from any to any port = netbios-ns -> 192.168.0.2
rdr pass on igb0 inet proto tcp from any to any port = netbios-ssn -> 192.168.0.2
rdr pass on igb0 inet proto tcp from any to any port = microsoft-ds -> 192.168.0.2
rdr pass on igb0 inet proto udp from any to any port = netbios-dgm -> 192.168.0.2
rdr pass on igb0 inet proto udp from any to any port = netbios-ns -> 192.168.0.2
rdr pass on igb0 inet proto udp from any to any port = netbios-ssn -> 192.168.0.2
rdr pass on igb0 inet proto udp from any to any port = microsoft-ds -> 192.168.0.2
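As an added example, not part of this thread or of pf itself: a small POSIX sh lint over `pfctl -s nat` output that lists the `rdr` rules whose destination is `any`. In pf, `rdr` matches packets arriving on the named interface, so a rule written `from any to any port 445` rewrites every inbound packet on igb0 to that port, whatever address it was sent to, not only packets addressed to the firewall itself; the DNS rules above are pinned to 10.21.96.200 and do not have that property. The sample input is constructed from the rules posted above, and the function names (`broad_rdr`, `count_broad_rdr`, `pin_rdr`) are my own.

```shell
# Added example (not from the thread): lint "pfctl -s nat" output for rdr rules
# that match "to any". Constructed sample modelled on the output posted above.
SAMPLE_NAT='nat on igb0 inet from 192.168.0.2 to any tag jail_samba -> 10.21.96.200
rdr pass on igb0 inet proto tcp from any to 10.21.96.200 port = domain -> 192.168.0.4 port 53
rdr pass on igb0 inet proto tcp from any to any port = microsoft-ds -> 192.168.0.2
rdr pass on igb0 inet proto udp from any to any port = netbios-ns -> 192.168.0.2'

# Print every rdr rule (read from stdin) whose destination is "any". Such a rule
# rewrites any inbound packet on the interface with that port, whatever host it
# was addressed to, not only packets sent to the firewall's own address.
# nat rules are skipped: "to any" is the normal form for outbound NAT.
broad_rdr() {
    awk '$1 == "rdr" && / to any / { print }'
}

# Number of such rules, as a single integer on stdout.
count_broad_rdr() {
    broad_rdr | wc -l | tr -d ' '
}

# Rewrite the rules so that rdr matches only traffic addressed to the external
# address given as $1 (the form the DNS rules above already use). Output is the
# corrected rule set; nat rules and already-pinned rdr rules pass through unchanged.
pin_rdr() {
    awk -v ext="$1" '$1 == "rdr" { sub(/ to any /, " to " ext " ") } { print }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NAT" | broad_rdr
printf '%s\n' "$SAMPLE_NAT" | pin_rdr 10.21.96.200
```

On the real host the same functions read live output: `pfctl -s nat | broad_rdr` lists the over-broad redirects, and `pfctl -s nat | pin_rdr 10.21.96.200` shows what the pinned form of each rule would look like (the change itself still belongs in pf.conf, using `$addr` as the DNS rules do).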
 
Are you testing the connections from another host in the 10.21.96.0/24 network? Or is it from another network? If it's the latter there might be a routing or firewall issue somewhere in between the test host and the FreeBSD host.

If you run a tcpdump -ni igb0 port 445, are you able to see the connections come in? Packets should arrive regardless of whether they're allowed or not. But if there's nothing coming in, the problem may be somewhere else.
 
Are you testing the connections from another host in the 10.21.96.0/24 network? Or is it from another network? If it's the latter there might be a routing or firewall issue somewhere in between the test host and the FreeBSD host.

If you run a tcpdump -ni igb0 port 445 are you able to see the connections come in?
Hello,
Yes, I am connecting from 10.21.96.50. When I tcpdump I can see the handshake begin (client->server syn, server->client syn, client->server ack) and then it just hangs.
I am connecting to the same server on port 22 via SSH on the same network.
Thanks,
 
Hello,
Yes, I am connecting from 10.21.96.50. When I tcpdump I can see the handshake begin (client->server syn, server->client syn, client->server ack) and then it just hangs.
Yes, but that means the forwarding and the connection work (there won't be a handshake if it isn't working). As it's not a telnet service you won't be able to do or type anything. The service that listens on port 445 requires a specific protocol.

Don't use telnet(1) to test connections, use nc -zv <ip> <port> instead.
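An added example, not from this thread, of the server-side check the replies above describe: a POSIX sh function that reads `tcpdump -ni igb0 port 445` style lines and reports whether the TCP three-way handshake to a given port was observed on the interface, which is the evidence that the `rdr` and `pass` rules are doing their job. The capture lines are constructed to mirror what the original poster described (SYN in, SYN/ACK out, ACK in); the function name `handshake_state` and its result words are my own.

```shell
# Added example (not from the thread): classify a tcpdump capture by whether a
# TCP three-way handshake to the given port was seen on the interface.
# Constructed capture lines in "tcpdump -ni igb0 port 445" format, mirroring the
# exchange the original poster described.
CAPTURE_OK='12:00:00.000001 IP 10.21.96.50.51234 > 10.21.96.200.445: Flags [S], seq 1, win 65535, length 0
12:00:00.000120 IP 10.21.96.200.445 > 10.21.96.50.51234: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000200 IP 10.21.96.50.51234 > 10.21.96.200.445: Flags [.], ack 101, win 65535, length 0'

# Constructed capture where the SYN arrives but nothing answers.
CAPTURE_SYN_ONLY='12:00:01.000001 IP 10.21.96.50.51235 > 10.21.96.200.445: Flags [S], seq 1, win 65535, length 0'

# Read capture lines on stdin and print one word for port $1:
#   handshake  - SYN in, SYN/ACK out and ACK in were all seen: rdr and pass work
#   no-syn     - no SYN reached the interface: look upstream (routing, other firewall)
#   no-synack  - SYN arrived but was never answered: check pass rule, rdr, listener
#   incomplete - SYN and SYN/ACK seen but no ACK
# Fields of a tcpdump line: $3 is the source, $5 the destination (with trailing
# colon), $7 the TCP flags, e.g. "[S],".
handshake_state() {
    awk -v port="$1" '
        $6 != "Flags" { next }
        $7 == "[S]," && $5 ~ ("\\." port ":$")            { syn++ }
        $7 == "[S.]," && $3 ~ ("\\." port "$")            { synack++ }
        $7 == "[.]," && $5 ~ ("\\." port ":$") && synack  { ack++ }
        END {
            if (syn && synack && ack) print "handshake"
            else if (!syn)            print "no-syn"
            else if (!synack)         print "no-synack"
            else                      print "incomplete"
        }'
}

# Stand-alone demonstration on the constructed captures.
printf '%s\n' "$CAPTURE_OK" | handshake_state 445
printf '%s\n' "$CAPTURE_SYN_ONLY" | handshake_state 445
```

On the host, `tcpdump -lni igb0 -c 20 port 445 | handshake_state 445` classifies a short live capture while a client attempts the connection; `-l` line-buffers the output and `-c 20` makes tcpdump stop on its own. The client-side counterpart is the `nc -zv <ip> <port>` check the reply above recommends, which completes the handshake and exits without needing to speak the SMB protocol.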
 