ipnat redirects

Post by Han » Tue, 13 Feb 2001 10:15:25



Hi,

No don't seek any patterns please... ;)

I got my firewall and ipnat working. Now for the final redirection
mysteries.

For completeness I would like to add my rulesets once more. So if any
guru might have some comments...
--------------------------------------------------------------------
#ipf.config
#start command: ipf -Fa -vf /etc/ipf.rules ; ipf -y

# *** packets we don't want to allow near us at all!
# Short packets which are packets fragmented too short to be real.
block in log quick all with short
block in log quick all with frag
block in log quick all with ipopts

# Default policy.
block in on ne3

# Antispoofing.
block in quick on ne3 from 192.168.0.0/16  to any
block in quick on ne3 from 172.16.0.0/12   to any
block in quick on ne3 from 10.0.0.0/8      to any
block in quick on ne3 from 127.0.0.0/8     to any
block in quick on ne3 from 0.0.0.0/8       to any
block in quick on ne3 from 169.254.0.0/16  to any
block in quick on ne3 from 192.0.2.0/24    to any
block in quick on ne3 from 204.152.64.0/23 to any
block in quick on ne3 from 224.0.0.0/3     to any

# This is the list with specific services that are allowed on my machine

# Joost can get in. We have to make a ipnat rule for him as well.
pass in quick on ne3 proto tcp from 212.204.168.72/32 to 212.204.168.74/32 port = 22   flags S keep state
pass in quick on ne3 proto tcp from 212.204.168.72/32 to 212.204.168.74/32 port = 3456 flags S keep state

# ******* THIS line should let the connection from xs4all in
pass in quick on ne3 proto tcp from 194.109.6.44/32 to 212.204.168.74/32 port = 22   flags S keep state

# This one is for the mailserver.
pass in quick on ne3 proto tcp from any to 212.204.168.74/32 port = 25 flags S keep state

# Irc-server Diemen can identd.
pass in quick on ne3 proto tcp from 195.121.6.196/32 to 212.204.168.74/32 port = 113 flags S keep state

# Allow outgoing DNS requests (no named on firewall)
pass in quick proto udp from any to any port = 53 keep state

# Now all the rest off you STAY OUT.
block in     quick on ne3 from 212.204.168.0/22 to any
block in log quick on ne3 from any              to 212.204.168.74/32
block in     quick on ne3 from any              to 212.204.168.255/32

# Of course we are allowed to do things on the firewall
pass out quick on ne3 proto tcp/udp from 212.204.168.74/32 to any keep state
pass out quick on ne3 proto icmp    from 212.204.168.74/32 to any keep state

# And everybody from 192.168.1.0/24 (my subnet) can also go outside.
pass out quick on ne3 proto tcp/udp from 192.168.1.0/24 to any keep state
pass out quick on ne3 proto icmp    from 192.168.1.0/24 to any keep state

--------------------------------------------------------------------------
########/etc/ipnat.rules
# start command: /sbin/ipnat -CF -f /etc/ipnat.rules ; ipf -y

# **** THIS is the line about which the question goes ****
# it is supposed to redirect ssh inputs from xs4all to my desktop machine.

rdr ne3 194.109.6.44/32 port 22 -> 192.168.1.2 port 22

map ne3 192.168.1.0/24 -> ne3/32 portmap tcp/udp 10000:20000
map ne3 192.168.1.0/24 -> ne3/32
-----------------------------------------------------------------------------
Now my question...

Why doesn't that silly redirect line work. Changing the order by putting
the rdr lines under the map lines didn't help either. Nor closing or
opening the firewall. When it is opened the connection arrives on the
firewall-server; If it is closed it is blocked.

Greetings, Han.
--
For all ya       |\      _,,,---,,_      What this country needs is a
untamed Daemons  /,`.-'`'    -.  ;-;;,_  good five cent ANYTHING!
OpenBSD 2.8     |,4-  ) )-,_..;\ (  `'-'
on a i386      '---''(_/--'  `-'\_)      

 
 
 

ipnat redirects

Post by Han » Tue, 13 Feb 2001 15:25:51


And Han wrote:

Quote:
> rdr ne3 194.109.6.44/32 port 22 -> 192.168.1.2 port 22

Got it figured out once more. Yes I do tend to think out loud on Usenet
groups. Though the answer was not quite satisfactory :(

The correct solution is:
rdr outerif outerip/32 port 22 -> innerip port 22
making it:
rdr 212.204.168.74/32 port 22 -> 192.168.1.2 port 22

Now I am missing a feature. I must have overlooked it. Does anybody know how I
can redirect traffic based on the from address?

Example: I would like to redirect ssh connections from 1.2.3.4 to 192.168.1.2
and ssh connections from 5.6.7.8 to 192.168.1.4.

Greetings, Han.
--
For all ya       |\      _,,,---,,_      If you didn't get caught, did
untamed Daemons  /,`.-'`'    -.  ;-;;,_  you really do it?
OpenBSD 2.8     |,4-  ) )-,_..;\ (  `'-'
on a i386      '---''(_/--'  `-'\_)      

 
 
 

ipnat redirects

Post by Han » Tue, 13 Feb 2001 15:43:11


And Han wrote:

Quote:
> rdr ne3 194.109.6.44/32 port 22 -> 192.168.1.2 port 22

Got it figured out once more. Yes I do tend to think out loud on Usenet
groups. Though the answer was not quite satisfactory :(

The correct solution is:
rdr outerif outerip/32 port 22 -> innerip port 22
making it:
rdr ne3 212.204.168.74/32 port 22 -> 192.168.1.2 port 22

Now I am missing a feature. I must have overlooked it. Does anybody know how I
can redirect traffic based on the from address?

Example: I would like to redirect ssh connections from 1.2.3.4 to 192.168.1.2
and ssh connections from 5.6.7.8 to 192.168.1.4.

Greetings, Han.
--
For all ya       |\      _,,,---,,_      If you didn't get caught, did
untamed Daemons  /,`.-'`'    -.  ;-;;,_  you really do it?
OpenBSD 2.8     |,4-  ) )-,_..;\ (  `'-'
on a i386      '---''(_/--'  `-'\_)      
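A small model, added here and not part of the thread or of IPFilter itself, of how ipnat rdr and ipf rules see the xs4all SSH packet from the ruleset posted above. It assumes IPFilter's documented inbound order (NAT before filtering), ignores state and protocol matching, and uses a hand-transcribed subset of the posted rules; the rule tuples and the sample packet are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Packet:
    ifname: str
    src: str
    dst: str
    dport: int

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
# ipnat rdr as (ifname, addr/mask, port, new_addr, new_port). The addr/mask
# field is compared with the packet's DESTINATION, so a rule carrying the
# remote client's (source) address there never fires.
def apply_rdr(pkt, rdr_rules):
    for ifname, net, port, new_dst, new_port in rdr_rules:
        if pkt.ifname == ifname and in_net(pkt.dst, net) and pkt.dport == port:
            return replace(pkt, dst=new_dst, dport=new_port)
    return pkt
# ipf rule as (action, quick, ifname, src net, dst net, dst port or None).
# ipf semantics: the LAST matching rule decides, unless a matching rule is
# marked quick, which stops evaluation right there.
def filter_in(pkt, ipf_rules):
    verdict = "pass"                                  # ipf passes if nothing matches
    for action, quick, ifname, snet, dnet, port in ipf_rules:
        if pkt.ifname != ifname or not in_net(pkt.src, snet) or not in_net(pkt.dst, dnet):
            continue
        if port is not None and pkt.dport != port:
            continue
        verdict = action
        if quick:
            break
    return verdict

def trace(pkt, rdr_rules, ipf_rules):
    # Inbound order in IPFilter: NAT (rdr) is applied first, then the filter rules.
    translated = apply_rdr(pkt, rdr_rules)
    return translated.dst, filter_in(translated, ipf_rules)
ANY = "0.0.0.0/0"
IPF = [  # hand-transcribed subset of the posted ipf.rules
    ("block", False, "ne3", ANY, ANY, None),                              # default policy
    ("block", True,  "ne3", "192.168.0.0/16", ANY, None),                 # antispoof
    ("pass",  True,  "ne3", "194.109.6.44/32", "212.204.168.74/32", 22),  # xs4all ssh
    ("block", True,  "ne3", ANY, "212.204.168.74/32", None),              # everyone else
]
POSTED_RDR = [("ne3", "194.109.6.44/32", 22, "192.168.1.2", 22)]   # client address: wrong field
FIXED_RDR = [("ne3", "212.204.168.74/32", 22, "192.168.1.2", 22)]  # firewall's outer address
IPF_WITH_INSIDE_PASS = IPF + [("pass", True, "ne3", "194.109.6.44/32", "192.168.1.2/32", 22)]
SSH_FROM_XS4ALL = Packet("ne3", "194.109.6.44", "212.204.168.74", 22)  # constructed sample
```

The second trace shows why a working rdr still needs a pass rule for the inside address: the filter runs on the already translated packet, so the existing pass rule for 212.204.168.74 no longer matches it.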

 
 
 

ipnat redirects

Post by John Vincen » Wed, 14 Feb 2001 11:10:36




> block in quick on ne3 from 192.168.0.0/16  to any block in quick on ne3
> Why doesn't that silly redirect line work. Changing the order by putting
> the rdr lines under the map lines didn't help either. Nor closing or
> opening the firewall. When it is openened the connection arrives on the
> firewall-server; If it is closed it is blocked.

I figured this out the other day. Reread the line again that you have
blocking spoofing.

block in quick on ne3 from 192.168.0.0/16  to any

The quick directive says don't look any further in the rules. I figured
this out after about two days of trying and rereading my rules with a
magnifying glass. Take out the quick and give it a shot. This will create
a bit more overhead as it has to process the rest of the rules but
should fix the problem.

Can some ipf guru please explain this to me? None of the examples I came
across mentioned this and I sort of stumbled across it. Admittedly I
should have KNOWN this but that doesn't help me any ;)

Quote:

> Greetings, Han.

--
John E. Vincent
---------------
http://www.lusis.org - "Better than a swift kick in the ass"
 
 
 

ipnat redirects

Post by Darren Ree » Wed, 14 Feb 2001 15:08:16



> And Han wrote:
>> rdr ne3 194.109.6.44/32 port 22 -> 192.168.1.2 port 22
> Got it figured out once more. Yes I do tend to think out loud on Usenet
> groups. Though the answer was not quite satisfactory :(
> The correct solution is:
> rdr outerif outerip/32 port 22 -> innerip port 22
> making it:
> rdr ne3 212.204.168.74/32 port 22 -> 192.168.1.2 port 22
> Now I am missing a feature. I must have overlooked it. Does anybody know how I
> can redirect traffic based on the from address?

rdr ne3 from foo 212.204.168.74/32 port 22 -> 192.168.1.2 port 22
 
 
 

ipnat redirects

Post by Han » Wed, 14 Feb 2001 19:45:39


And Darren Reed wrote:

Quote:
>> Now I am missing a feature. I must have overlooked it. Does anybody know how
>> I can redirect traffic based on the from address?
> rdr ne3 from foo 212.204.168.74/32 port 22 -> 192.168.1.2 port 22

Keeper, your nocturnal perseverance has earned you a hidden * tip.
http://www.veryComputer.com/~avalon/ipfil-new.html on the 7th dot.

And I got current OBSD.

ipf: IP Filter: v3.4.16 (256)

rdr ne3 194.109.6.44/32 212.204.168.74/32 port 22 -> 192.168.1.2 port 22
6: missing fields - 1st port
6: syntax error in "rdr"

rdr ne3 from 194.109.6.44/32 212.204.168.74/32 port 22 -> 192.168.1.2 port 22
6: unexpected keyword (212.204.168.74/32) - to
6: syntax error in "rdr"

rdr ne3 from 194.109.6.44/32 to 212.204.168.74/32 port 22 -> 192.168.1.2 port 22
6: unknown range operator (->)
6: syntax error in "rdr"

Greetings, Han.
--
For all ya       |\      _,,,---,,_      You know you have a small
untamed Daemons  /,`.-'`'    -.  ;-;;,_  apartment when Rice Krispies
OpenBSD 2.8     |,4-  ) )-,_..;\ (  `'-' echo.   -- S. Rickly Christian
on a i386      '---''(_/--'  `-'\_)      

 
 
 

ipnat redirects

Post by John E. Vincen » Wed, 14 Feb 2001 23:35:40





> > block in quick on ne3 from 192.168.0.0/16  to any block in quick on ne3

> > Why doesn't that silly redirect line work. Changing the order by putting
> > the rdr lines under the map lines didn't help either. Nor closing or
> > opening the firewall. When it is opened the connection arrives on the
> > firewall-server; If it is closed it is blocked.

> I figured this out the other day. Reread the line again that you have
> blocking spoofing.

> block in quick on ne3 from 192.168.0.0/16  to any

> The quick directive says don't look any further in the rules. I figured
> this out after about two days of trying and rereading my rules with a
> magnifying glass. Take out the quick and give it a shot. This will create
> a bit more overhead as it has to process the rest of the rules but
> should fix the problem.

> Can some ipf guru please explain this to me? None of the examples I came
> across mentioned this and I sort of stumbled across it. Admittedly I
> should have KNOWN this but that doesn't help me any ;)

> > Greetings, Han.

Ignore me as I'm a dumbass. I really wanted my answer to be right ;) I
just went straight to the ipf.rules and didn't even bother to read the
ipnat ones.
--
John
"Some people call me crazy but I prefer to think of myself as a
* lunatic"
------------------------
Forge Greybrook of Compassion
Scribe Greybrook (Clan Greybrook)
Chesapeake
 
 
 

1. Transparent Proxy (IPnat redirect) not for same host?

Hello

This MIGHT also concern NetBSD, I don't know if NetBSD uses the same IPnat as
OpenBSD, I just suppose it... so I wrote it in both newsgroups.

I tried to build up a transparent proxy using IPnat (the rdr directive) and
transproxy, as described in the description of the transproxy package.

The problem: when I'm working on the _same_ machine where I set up the
transparent proxy and try to telnet to my local IP on the port I redirected,
then everything works fine, it goes through my transparent proxy.

But, connections outside my network won't pass through the transparent proxy,
at least not if I'm trying it from the same box (my workstation and
transparent proxy in one). I am yet unable to try it from another machine,
using the gateway as a transparent proxy, I suppose it might work then.

So I suppose that IP NAT redirecting only works for incoming packets (which
would then work for packets destined to the transparent proxy itself and for
packets coming from my network, being forwarded) but not for outgoing packets
(which means that packets coming from the transparent proxy host are not going
through the transparent proxy itself)...

This isn't such a big mess, since I'm soon going to make a separate Internet
Gateway computer in my private "network" (it consists of only one computer for
now), as soon as I've got a new power supply, but in the meantime I would
anyway like to use my transparent proxy, only with one host...

Is there a way to enable the IPnat redirect system to process packets being
generated from the host itself? Maybe a small kernel patch would help?

--
  /--/ Julien Oster /---/ www.fuzzys.org <---> www.sysadm.cc /---/
 /--/ OpenBSD  2.5 /---/ Greetings  from  Munich,   Germany /---/
