
Re: desperate! can't get port forwarding to work on debian testing 2.6.15



On 4/13/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> [Short answer before I have to go out for a while]
>
> Mike Garey a écrit :
> [...]
> > dev is a freebsd machine and has the following config:
> >
> > [11:04AM][mike@dev]% ifconfig
> > em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> >         options=b<RXCSUM,TXCSUM,VLAN_MTU>
> >         inet6 fe80::215:f2ff:fe04:9bd0%em0 prefixlen 64 scopeid 0x1
> >         inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
> >         ether 00:15:f2:04:9b:d0
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet6 fe80::20d:88ff:fe4e:1f09%vr0 prefixlen 64 scopeid 0x2
> >         inet 216.125.24.46 netmask 0xfffffff8 broadcast 216.58.85.39
> >         ether 00:0d:88:4e:1f:09
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> >
> > and the routing table is as follows:
> >
> > [11:21AM][mike@dev]% netstat -r -n -f inet
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            216.125.24.33       UGS         0      272    vr0
> [...]
>
> OK, I think I got it.
>
> > now, both dev and asterisk machines have their internal NIC connected
> > to the same switch.
>
> I guess you mean "the same pair of switches"?

well, they're physically attached to the same switch..

> [...]
> >>Maybe your BSD box has no default route to the NAT gateway, or it has a
> >>firewall filtering out packets originated from outside the internal network.
> >
> > as can be seen from the BSD routing table for dev, the firewall is set
> > to allow everything, and it does have a default route to the NAT
> > gateway
> > (192.168.1.121      00:11:2f:38:52:8d  UHLW        1    17540   em0)
>
> That's an explicit route, not a "default" route (route to 0.0.0.0/0).
> IMHO, the problem is that the default route sets the default gateway
> 216.125.25.33 instead of the NAT box internal address. So here's what I
> think happens:
> 1) The NAT box receives a request packet from the internet on its
> external interface.
> 2) The NAT box translates the destination address and forwards it to the
> internal server.
> 3) The server receives the packet on its internal interface em0. So far
> so good.
> 4) The server replies. It looks up in its routing table how to reach the
> packet source address. This address is not covered by any specific
> route, so the default route is used. So the reply is sent to
> 216.125.24.33 instead of the NAT box as it should be, and its source
> address is not un-NATed properly. The packet may make its way back to
> the client, but it has the wrong source address, and the client does not
> recognize it as a reply to its request.

yes, you're right, as soon as I removed the default gw of
216.125.24.33 and added 192.168.1.121 in its place, it started working
(although I did do this before sending my last message, and it didn't
work - perhaps I should've waited longer, maybe the arp tables needed
to be updated and I didn't give them a chance?).  In any case, this
solves the problem.

> If I'm right, you need to make sure that the reply packet from the
> server goes back to the NAT box so its source address is un-NATed
> properly. One way to do this is to masquerade the source address in the
> NAT box using SNAT or MASQUERADE. But you lose the real source address
> information on the server:
>
> iptables -t nat -A POSTROUTING -o $INTIF -d $PORTFWIP \
>    -p tcp --dport 8090 -j SNAT --to $INTIP

so the above command isn't really useful, since the real source
address is stripped, so the NAT box has no idea where to send the
packet back to, correct?

> Other ways may include advanced routing on the server to send the reply
> packets back to the NAT box. But I don't know *BSD, so I can't help you
> on this.

for now, I'll just set the default gw to the NAT box, this works fine.
But out of curiosity, how would you go about implementing this type
of routing on the BSD box (at a high level of course, since you're not
familiar with BSD)?

Thanks again for all your help!

Mike
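The four-step failure Pascal describes (DNAT in, reply routed by the server's default route, source never un-NATed) and the SNAT workaround he quotes are easy to check with a small routing/NAT simulation. The script below is an added example written for this archive page, not code from either poster. It reuses the addresses the thread gives (server 192.168.1.120 on em0, NAT box 192.168.1.121, upstream gateway 216.125.24.33, port 8090) and uses constructed placeholders for the NAT box's external address and the internet client, which the thread never states. It performs a longest-prefix-match route lookup on the server and a stateful DNAT/SNAT reversal on the NAT box, and reports whether the client would accept the reply and what source address the server sees.

```python
"""Simulate the asymmetric-routing failure described in the thread.

Constructed example: NAT_EXT and CLIENT are placeholder addresses;
the internal addresses, the upstream gateway and port 8090 come from
the mails. No packets are sent anywhere.
"""
import ipaddress

SERVER_INT = "192.168.1.120"      # dev, em0 (from the thread)
NAT_INT = "192.168.1.121"         # NAT box internal address (from the thread)
NAT_EXT = "203.0.113.10"          # NAT box external address (constructed)
UPSTREAM_GW = "216.125.24.33"     # dev's current default gateway (from the thread)
CLIENT = "198.51.100.7"           # internet client (constructed)
FWD_PORT = 8090                   # forwarded TCP port (from the thread)

# Server routing table: (prefix, next hop or None if directly connected, iface)
BAD_ROUTES = [
    ("192.168.1.0/24", None, "em0"),
    ("216.125.24.40/29", None, "vr0"),     # vr0's netmask 0xfffffff8 from ifconfig
    ("0.0.0.0/0", UPSTREAM_GW, "vr0"),     # default via the upstream, as in dev's table
]
GOOD_ROUTES = [
    ("192.168.1.0/24", None, "em0"),
    ("216.125.24.40/29", None, "vr0"),
    ("0.0.0.0/0", NAT_INT, "em0"),         # default via the NAT box instead
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop, iface); for a directly
    connected route the next hop is the destination itself."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = best
    return (gw or dst, iface)


def simulate(server_routes, snat=False):
    """Push one request through the NAT box to the server and route the reply.

    snat=True applies the SNAT workaround quoted in the thread: the NAT box
    rewrites the forwarded request's source to NAT_INT, so the reply is
    addressed to the NAT box regardless of the server's default route, at
    the cost of hiding the real client address from the server.
    """
    # 1) request arrives on the NAT box's external interface
    pkt = {"src": CLIENT, "sport": 40001, "dst": NAT_EXT, "dport": FWD_PORT}
    # 2) DNAT (port forward); remember the mapping so it can be reversed later
    conntrack = {(CLIENT, 40001): NAT_EXT}
    fwd = dict(pkt, dst=SERVER_INT)
    if snat:
        fwd["src"] = NAT_INT
    # 3) server receives it on em0 and builds the reply by swapping the tuple
    reply = {"src": fwd["dst"], "sport": fwd["dport"],
             "dst": fwd["src"], "dport": fwd["sport"]}
    # 4) server picks the next hop for the reply from its routing table
    next_hop, iface = lookup(server_routes, reply["dst"])
    if next_hop == NAT_INT:
        # reply passes through the NAT box: undo the SNAT (if any) and the DNAT
        if snat:
            reply["dst"] = CLIENT
        reply["src"] = conntrack[(reply["dst"], reply["dport"])]
    # otherwise the reply leaves via the upstream with its private source untouched
    client_accepts = (reply["src"], reply["sport"], reply["dst"], reply["dport"]) == (
        pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return {"next_hop": next_hop, "iface": iface, "reply_src": reply["src"],
            "client_accepts": client_accepts, "server_sees_src": fwd["src"]}


if __name__ == "__main__":
    for label, routes, snat in (("default via upstream", BAD_ROUTES, False),
                                ("default via NAT box", GOOD_ROUTES, False),
                                ("upstream default + SNAT", BAD_ROUTES, True)):
        print(f"{label:26s} -> {simulate(routes, snat)}")
```

With dev's original table the reply goes to 216.125.24.33 out of vr0 with source 192.168.1.120, so the client never matches it to its request; moving the default route to 192.168.1.121 fixes that, and the SNAT variant also fixes it but leaves the server seeing 192.168.1.121 as the peer, which is the loss of source information Pascal mentions.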


