From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 21 20:04:41 2008
Date: Fri, 21 Mar 2008 15:39:19 -0400
From: Kage
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: natd port forward times out, tcpdump yields nothing
Hey guys,

This is a fun one that's stumped people in Freenode ##freebsd. Basically, I have this layout:

    irc.domain.com -> DNS A -> IRC Jail

When someone connects to irc.domain.com on IRC ports (6667, 8067, etc.), it round-robins them using natd; otherwise it sends all other port requests to the IRC jail as per normal (such as port 80, which is my primary concern).

As for having it set up to have ipfw divert to natd, that's done and works, as shown by natd verbose mode:

    In {default}[TCP] [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667 aliased to
    [TCP] 72.65.73.23:2980 -> 207.210.114.45:6667

(For reference)
    207.210.114.45 = jail IP
    72.20.28.202   = example target IP in the round-robin
    72.65.73.23    = my IP

Right now, my ipfw.rules file is as follows:

    [root@nub /etc]# cat ipfw.rules
    IPF="ipfw -q add"
    ipfw -f -q flush

    #loopback
    $IPF 10 allow all from any to any via lo0
    $IPF 20 deny all from any to 127.0.0.0/8
    $IPF 30 deny all from 127.0.0.0/8 to any
    $IPF 40 deny tcp from any to any frag

    # stateful
    $IPF 50 check-state
    $IPF 60 allow tcp from any to any established
    $IPF 70 allow all from any to any out keep-state

    $IPF 54999 allow icmp from any to any

    # Include the deny file
    . /etc/ipfw.deny

    [snip -- some allowed ports]

    # IRC (natd divert for IRC port-forwarding)
    $IPF 50220 divert natd all from any to 207.210.114.45 6667 via rl0
    $IPF 50230 divert natd all from any to 207.210.114.45 8067 via rl0
    $IPF 50240 divert natd all from any to 207.210.114.45 8068 via rl0
    $IPF 50250 divert natd all from any to 207.210.114.45 6697 via rl0
    $IPF 50260 divert natd all from any to 207.210.114.45 7000 via rl0

    # keep these two IRC ports normally open for BNC
    $IPF 50270 allow all from any to any 31337 in
    $IPF 50380 allow all from any to any 31337 out

    [snip -- more allowed ports]

    # deny and log everything
    $IPF 55000 deny log all from any to any
-----

Here's a dump of ipfw show, with some stuff cut out for space purposes (they're just denied DDoS IPs):

    [root@nub /etc]# ipfw show
    00010    61124  16056802 allow ip from any to any via lo0
    00020        0         0 deny ip from any to 127.0.0.0/8
    00030        0         0 deny ip from 127.0.0.0/8 to any
    00040        0         0 deny tcp from any to any frag
    00050        0         0 check-state
    00060   670616 455926379 allow tcp from any to any established
    00070    16213  14071853 allow ip from any to any out keep-state
    [snip]
    50220      468     22464 divert 8668 ip from any to 207.210.114.45 dst-port 6667 via rl0
    50230        0         0 divert 8668 ip from any to 207.210.114.45 dst-port 8067 via rl0
    50240        0         0 divert 8668 ip from any to 207.210.114.45 dst-port 8068 via rl0
    50250        0         0 divert 8668 ip from any to 207.210.114.45 dst-port 6697 via rl0
    50260        0         0 divert 8668 ip from any to 207.210.114.45 dst-port 7000 via rl0
    50270        1        60 allow ip from any to any dst-port 31337 in
    54999       66      3991 allow icmp from any to any
    55000     4364    343609 deny log logamount 100 ip from any to any
    65535       29      4176 allow ip from any to any

My natd.conf is as follows:

    [root@nub /etc]# cat natd.conf
    # Nub.Core NATd
    verbose
    alias_address 207.210.114.45
    log
    log_denied
    log_ipfw_denied
    pid_file /var/run/natd.pid

    ### IRC Redirect Ports
    # 6667
    redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
    [root@nub /etc]#

And, as stated above, I am showing connection diverts to natd. When I run the following three tcpdumps:

    tcpdump -s 0 -w me_to_nat.pcap -vvv -i rl0 src host 72.65.73.23 and dst host 207.210.114.45 and dst port 6667
    tcpdump -s 0 -w nat_to_jail.pcap -vvv -i rl0 src host 72.20.28.202 and dst host 207.210.114.45 and dst port 6667
    tcpdump -s 0 -w jail_to_nat.pcap -vvv -i rl0 src host 207.210.114.45 and dst host 72.20.28.202 and src port 6667

Only the "me_to_nat.pcap" gets any data. The rest are 0 bytes. Example:

    -rw-r--r--  1 root  wheel      0 Mar 21 14:57 jail_to_nat.pcap
    -rw-r--r--  1 root  wheel  16384 Mar 21 15:24 me_to_nat.pcap
    -rw-r--r--  1 root  wheel      0 Mar 21 14:57 nat_to_jail.pcap

So, can anyone diagnose and fix this? Thanks.

(P.S.: I'm aware of the DNS methods of doing round-robin, but please keep that from this discussion. I need to port-forward round-robin, not whole DNS.)

-- 
~ Kage
http://vitund.com
http://hackthissite.org
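As an added example, not code from Kage's post nor from natd itself: a small Python parser for natd(8) redirect_port directives, written against the grammar in the natd manual page (`redirect_port proto targetIP:targetPORT[,targetIP:targetPORT...] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]`). It reports, for each line, the target list (a comma-separated list is natd's load-sharing form, which spreads connections to one alias port across several targets), the alias address and port, and whether a trailing remote field limits the rule to one source host. The sample config is constructed for this example: it contains the redirect_port line quoted in the post plus a made-up round-robin line whose backends are documentation addresses in 192.0.2.0/24.

```python
"""Parse natd(8) redirect_port directives into their fields.

Added example, not part of the mailing-list post. Grammar per natd(8):

    redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]]
                  [aliasIP:]aliasPORT[-aliasPORT]
                  [remoteIP[:remotePORT[-remotePORT]]]
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_PORTS = re.compile(r"^\d{1,5}(?:-\d{1,5})?$")


@dataclass
class RedirectPort:
    proto: str
    targets: List[Tuple[str, str]]  # [(targetIP, targetPORT or range), ...]
    alias_ip: Optional[str]         # None: natd uses its alias_address
    alias_ports: str
    remote_ip: Optional[str]        # None: redirect applies to any source host
    remote_ports: Optional[str]


def _ip(text: str) -> str:
    """Validate an IPv4 literal and return it unchanged (ValueError on junk)."""
    ipaddress.IPv4Address(text)
    return text


def _ports(text: str) -> str:
    if not _PORTS.match(text):
        raise ValueError(f"bad port or port range: {text!r}")
    return text


def _target(token: str) -> Tuple[str, str]:
    """targetIP:targetPORT -- the host part is mandatory for a target."""
    host, sep, ports = token.rpartition(":")
    if not sep or not host:
        raise ValueError(f"target needs IP:PORT, got {token!r}")
    return _ip(host), _ports(ports)


def parse_redirect_port(line: str) -> RedirectPort:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "redirect_port":
        raise ValueError(f"not a complete redirect_port directive: {line!r}")
    proto = tokens[1].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"proto must be tcp or udp, got {proto!r}")

    # One or more targets; more than one is natd's round-robin (load-sharing) form.
    targets = [_target(t) for t in tokens[2].split(",")]

    # [aliasIP:]aliasPORT -- the IP is optional and defaults to alias_address.
    host, sep, ports = tokens[3].rpartition(":")
    alias_ip = _ip(host) if sep else None
    alias_ports = _ports(ports)

    # Optional remoteIP[:remotePORT] -- a bare IP (no port) is valid here.
    remote_ip = remote_ports = None
    if len(tokens) >= 5:
        host, sep, ports = tokens[4].rpartition(":")
        remote_ip = _ip(host) if sep else _ip(tokens[4])
        remote_ports = _ports(ports) if sep else None
    if len(tokens) > 5:
        raise ValueError(f"trailing tokens in redirect_port: {tokens[5:]}")

    return RedirectPort(proto, targets, alias_ip, alias_ports, remote_ip, remote_ports)


def parse_natd_conf(text: str) -> List[RedirectPort]:
    """Return every redirect_port directive in a natd.conf body, '#' comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("redirect_port"):
            rules.append(parse_redirect_port(line))
    return rules


def is_round_robin(rule: RedirectPort) -> bool:
    return len(rule.targets) > 1


# Constructed sample: the first redirect_port line is the one quoted in the post,
# the second is a made-up round-robin line with documentation-range backends.
SAMPLE_NATD_CONF = """\
alias_address 207.210.114.45
### IRC Redirect Ports
# 6667
redirect_port tcp 72.20.28.202:6667 207.210.114.45:6667 207.210.114.45:6667
redirect_port tcp 192.0.2.10:6667,192.0.2.11:6667,192.0.2.12:6667 6667
"""

if __name__ == "__main__":
    for r in parse_natd_conf(SAMPLE_NATD_CONF):
        kind = "round-robin" if is_round_robin(r) else "single target"
        scope = f"from {r.remote_ip} only" if r.remote_ip else "from any host"
        print(f"{r.proto} alias port {r.alias_ports}: {kind} over "
              f"{[t[0] for t in r.targets]}, {scope}")
```

Run on the post's own line, the parser reports the third field as a remote-host restriction (207.210.114.45:6667), because that position in natd(8)'s grammar is the optional remoteIP[:remotePORT]; a redirect meant to accept clients from anywhere omits that field, and a round-robin redirect lists its backends comma-separated in the target field.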