[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    RE: Port Redirection &^$&^$^%#^%&#@Q
From:       "P T Withington" <ptw () callitrope ! com>
Date:       1999-02-26 21:09:54
[Download RAW message or body]

> -----Original Message-----
> From: John Moore [mailto:john.moore@fvrl.bc.ca]
> Sent: Friday, February 26, 1999 3:41 PM
> To: P T Withington
> Cc: ipfilter@coombs.anu.edu.au
> Subject: RE: Port Redirection &^$&^$^%#^%&#@Q
> 
> 
> My problem is that I have a box on the internal net that needs to 
> act as a proxy to 
> clients on the outside.  I thought that if I could do this 
> redirection thingy ie ALL traffic 
> headed for 8080 on machine A (outside) gets rerouted to 8080 on 
> machine B (inside) 
> i'd be laughing. Machine B knows how to get out to the world and 
> do it's thing.  
> 
> I am testing it from the inside but I go thru a different NAT box 
> to get to the external 
> (valid ip) interface of the IP Filter box.  The reason that port 
> 80 is redirected is so that I 
> can see easily if the redirection is working (Web Server is up on 
> the internal box). The 
> reason UDPis redirected is tjhat I forgot ot remove it from the 
> config ( i have since).
> 
> Anyway, it doesn't work.  Like I said, when I point my browser at 
> the external interface 
> of the IP Filter box it times out..........just as an aside, the 
> NAT part work great.  Took 
> a couple of minutes to get it working right,  much less time than 
> it took to get ipfw/natd 
> working.

Someone who actually understands the code can prove me wrong but, I think when you \
come from your internal net to your filter box, unless your packets actually come \
over the wire that is connected to the external interface, I think rdr does not see \
them.

Your internal routers have presumably discovered that your filter box has several \
addresses, and the best route to it's external address from inside is over the \
internal interface.  When the packet arrives at the internal interface for the filter \
box...

Well duh!  I think I just figured it out.  You need to add a rule for your _internal_ \
interface too! (assuming vx0 is your internal interface):

rdr vx0 a.a.a.a/32 port 80 -> c.c.c.c port 80 tcp/udp
rdr vx0 a.a.a.a/32 port 8080 -> c.c.c.c port 8080 tcp/udp

...because the packets that arrive on your internal net for filter-boxes external \
interface don't go out the interface and back in, so are never seen by rdr -- they \
are just delivered up the ip stack, because they have reached their destination, but \
since you have no 80 or 8080 server on the filter box, they go nowhere.  Hm, \
shouldn't there be an icmp-reject sent back?

Anyways, I am going to try adding similar rules to my ipnat right now and see if that \
makes things work.


[prev in list] [next in list] [prev in thread] [next in thread]