The FreeBSD Diary

FreeBSD Support
 Having problems with NATD and internal Traffic back to localhost on private LAN
Author: bsddizzy 
Date:   05-12-05 18:43

Natd seems to be working properly as far as the outside world is concerned. I have ports 80 and 22 forwarded to my web server, which is on a private LAN. My router/firewall is the FreeBSD box with two interfaces: one we'll call WAN, the other LAN. Machines on the LAN trying to go to http://publicaddress or ssh publicaddress for some reason get directed to the router. This causes problems on the web server. I want local traffic for port 80 going to my web server as well as public traffic when using the public address.

Confused about my problem? It's why I call myself bsddizzy


My configuration:


6.0-RELEASE FreeBSD 6.0-RELEASE

# ipfw list
00150 divert 8668 ip from any to any via rl0
00200 skipto 400 ip from any to any recv rl0
00300 allow ip from any to any
00400 allow tcp from any to any established
00500 allow tcp from any to any tcpflags ack
00600 allow udp from any 53 to any dst-port 1024-65535
00700 allow icmp from any to any icmptypes 0,3,4,11,12
00750 allow udp from any to 10.10.0.80 dst-port 80
00775 allow tcp from any to 10.10.0.80 dst-port 80
00800 allow tcp from any to any dst-port 22
00900 allow tcp from any to any dst-port 113
01000 allow tcp from any to me dst-port 10000
01100 allow udp from any to any dst-port 520
01150 allow ip from any to 10.10.0.5
01200 allow ip from 129.37.0.113 to 10.10.0.5
65535 deny ip from any to any


# cat /etc/natd.conf
log yes
deny_incoming no
port 8668
#
use_sockets yes
#
# Avoid port changes if possible. Makes rlogin work
# in most cases.
#
same_ports yes
#
verbose no
interface rl0
unregistered_only yes
redirect_port udp 10.10.0.80:80 80
redirect_port tcp 10.10.0.80:80 80
redirect_port tcp 10.10.0.80:22 22


# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Mon Nov 21 03:23:04 2005
# Created: Mon Nov 21 03:23:04 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
# defaultrouter="10.10.0.1"
# gateway_enable="YES"
hostname="littlebit.nc.rr.com"
ifconfig_dc0="inet 10.10.0.1 netmask 255.255.255.0"
ifconfig_rl0="DHCP"
inetd_enable="YES"
# kern_securelevel="3"
# kern_securelevel_enable="YES"
# router="/sbin/routed"
# router_enable="YES"
# router_flags="-s"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
gateway_enable="YES"


# ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::208:2ff:fe4d:ce95%rl0 prefixlen 64 scopeid 0x1
inet 65.190.xxx.xxx netmask 0xfffff800 broadcast 255.255.255.255
ether 00:08:02:4d:ce:95
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::210:a4ff:fe94:97cb%dc0 prefixlen 64 scopeid 0x3
inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255
ether 00:10:a4:94:97:cb
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active



 Re: Having problems with NATD and internal Traffic back to localhost on private
Author: halber_mensch 
Date:   06-12-05 17:11

Remember that natd is bound to your external interface (rl0), and never sees your LAN traffic hitting the internal interface (dc0).

This rule:
00150 divert 8668 ip from any to any via rl0

sticks only rl0 traffic into the natd divert socket.

Now you might think you would be able to divert incoming port 80 and 22 dc0 traffic destined for the bound external address to the natd divert socket, but that may break your routing. I've never tried this and I am not in a position that I can try it on my home network right now, but these rules:

divert 8668 tcp from any to publicaddress dst-port 22 in via dc0
divert 8668 udp from any to publicaddress dst-port 22 in via dc0
divert 8668 tcp from any to publicaddress dst-port 80 in via dc0

will force the router to push incoming port 80 and 22 traffic from the internal interface to first go through the natd daemon, which should then perform translation. But only this half of the connection works, because the webserver will respond to the router on a port that will not divert back to natd. Basically the setup you are attempting to achieve is too complicated to be easily done without fragmenting the network.

I would suggest that you create an alias for dc0 that exists on a separate logical network, say 10.10.1.1/24. This network is your "DMZ" that you can stick all of your servers in that the public system should use for forwarding services.

ifconfig dc0 alias inet 10.10.1.1/24 10.10.1.0

Re-address the webserver to bind to the address 10.10.1.80/24 and use 10.10.1.1 as its gateway, and change your current natd configuration to redirect ports 80 and 22 to this new address.

Next, create another configuration file for natd with the following options:

log yes
deny_incoming no
port 8669
use_sockets yes
same_ports yes
verbose no
alias_address 10.10.1.1   # the router's DMZ-side alias address from the ifconfig step above
unregistered_only yes
redirect_port udp 10.10.1.80:80 80
redirect_port tcp 10.10.1.80:80 80
redirect_port tcp 10.10.1.80:22 22

This will be your internal network's natd configuration. Run a separate instance of natd sourcing this configuration (-f option). Add these rules to ipfw:

divert 8669 tcp from any to publicaddress in via dc0 dst-port 80
divert 8669 tcp from any to publicaddress in via dc0 dst-port 22
divert 8669 udp from any to publicaddress in via dc0 dst-port 22

This may require tweaking, but it should force your lan traffic to port 80 and 22 on the router to be translated seamlessly to the web server and replies translated back to the correct addresses.

Now I'm a seasoned net vet, but I may have made mistakes in my theory here. It's highly possible I've made some oversights.

-=halber_mensch=-

Post Edited (06-12-05 10:59)
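The two points in the post above (a server on the same subnet as the client answers past the router, and moving it to a separate DMZ subnet forces the reply back through the box doing the translation) can be shown with a small packet-level model. This is an added example written for this page, not code from the forum posts or from natd. It models only the port redirect that the inner natd instance is asked to perform and the reverse rewrite on the server's reply; the public address 65.190.0.1 and the client port 40000 are made up, and it assumes the server's reply is in fact diverted to the same translator when it reaches the router. The 10.10.0.x and 10.10.1.x addresses are the ones used in the thread.

```python
"""Packet-level model of the LAN-to-public-address ("hairpin NAT") problem.

Added example, not code from the forum thread or from natd.  The router does
what the inner natd instance is asked to do: rewrite packets that arrive on
the LAN side addressed to the public address so they reach the web server
(redirect_port), and undo that rewrite on the server's replies.
"""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC = "65.190.0.1"   # assumed stand-in for the real (masked) WAN address
SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.10.1.0/24")]


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def same_subnet(a, b):
    """True when a and b sit on one of the thread's /24s, i.e. talk directly."""
    return any(ipaddress.ip_address(a) in n and ipaddress.ip_address(b) in n
               for n in SUBNETS)


class HairpinNat:
    """One redirect_port rule: PUBLIC:alias_port -> target:target_port."""

    def __init__(self, target, target_port=80, alias_port=80):
        self.target, self.tport, self.aport = target, target_port, alias_port
        self.clients = set()   # (client addr, client port) we have rewritten

    def lan_to_public(self, p):
        """Packet seen 'in via dc0' with dst = public address (the divert rule)."""
        if p.dst == PUBLIC and p.dport == self.aport:
            self.clients.add((p.src, p.sport))
            return replace(p, dst=self.target, dport=self.tport)
        return p

    def server_reply(self, p):
        """Reply from the server that reached the router: reverse the rewrite."""
        if (p.src, p.sport) == (self.target, self.tport) and (p.dst, p.dport) in self.clients:
            return replace(p, src=PUBLIC, sport=self.aport)
        return p


def connect(client, server, redirect):
    """Simulate SYN / SYN-ACK and return the source address the client sees.

    redirect=False is the thread's starting state: no divert rule on the LAN
    interface, so the public address is just a local address of the router.
    """
    if not redirect:
        return "router"   # the router's own port 80 answers, not the web server
    nat = HairpinNat(server)
    syn = Pkt(client, 40000, PUBLIC, 80)
    at_server = nat.lan_to_public(syn)
    synack = Pkt(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # Same subnet as the client: the reply goes straight over the switch and the
    # router never sees it.  Different subnet (the DMZ): it goes via the gateway.
    if same_subnet(synack.src, synack.dst):
        seen = synack
    else:
        seen = nat.server_reply(synack)
    return seen.src


def client_accepts(client, server, redirect):
    """A TCP client only accepts a SYN-ACK from the address it sent the SYN to."""
    return connect(client, server, redirect) == PUBLIC


if __name__ == "__main__":
    for server, redirect in (("10.10.0.80", False), ("10.10.0.80", True), ("10.10.1.80", True)):
        print(server, "redirect" if redirect else "no redirect",
              "->", connect("10.10.0.5", server, redirect),
              "OK" if client_accepts("10.10.0.5", server, redirect) else "FAILS")
```

Run as a script it prints the three cases: without a divert rule the router itself answers; with a divert rule and the server on the client's subnet the SYN-ACK arrives from 10.10.0.80 and the client drops it; with the server on the 10.10.1.0/24 DMZ leg the reply has to cross the router, gets rewritten back to the public address, and the handshake completes.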

 Good job
Author: Dan 
Date:   06-12-05 18:10

Keep up the good work. Thanks.

--
Webmaster

 Re: Good job
Author: halber_mensch 
Date:   06-12-05 19:03

Dan wrote:

> Keep up the good work. Thanks.
>

Thanks for the kudos, I do my best ;)

 Re: Having problems with NATD and internal Traffic back to localhost on private
Author: bsddizzy 
Date:   07-12-05 22:54

Thanks. That worked



 Re: Having problems with NATD and internal Traffic back to localhost on private
Author: bsddizzy 
Date:   07-12-05 22:54

thanks it worked

beau



 Re: Having problems with NATD and internal Traffic back to localhost on private
Author: halber_mensch 
Date:   08-12-05 14:27

Wow, fantastic! I really didn't expect my first guess to work correctly!

-=halber_mensch=-
