Re: NAT or rdr or PPPoE with httpd requests

I'd suggest that you upgrade your version of ppp or get the latest 
version from http://www.Awfulhak.org/ppp.html.

It sounds like you're suffering from MSS problems - these should be 
fixed in the latest version of ppp (see the TCPMSSfixup option).

Also, I'd suggest using ``nat enable yes'' or the -nat command line 
switch rather than using the ipf stuff.  With this you can just add

  nat port tcp 192.168.2.2:ssh ssh
  nat port tcp 192.168.2.2:80 80

to your config.  Non-passive ftp should work ok by default, and I'm 
not sure what the portmap rule you mentioned does :-/

> Here's my situation.  I have an OBSD 2.7 firewall running PPPoE
> (whatever version was available just before 2.8 came out) out to the net
> and a Linux Mandrake webserver behind it with 2 NICs although the 2nd
> runs to an empty switch for now.
> 
> PPPoE on the f/w seems to be working fine.  NAT mapping seems to be
> working fine.  From the net, NAT rdr of SSH to the firewall works fine.
> From the net, NAT rdr of port 80 requests get to the webserver but don't
> make it back to the client.
> 
> What I can't figure out is what is stopping my webserver's packets.
> What am I missing?  Also possibly related, some larger web forms I
> submit while surfing die with a "document contains no data" and don't
> get submitted.  I just noticed medium sized text email never makes it
> out from my webserver into the Internet either.  Have I fat-fingered
> some max outbound data limit?  My MTU = 1492.
> 
> 
> ipf.rules: (simplified for testing)
> pass in quick from any to any port = 22
> pass in log from any to any
> pass out from any to any
> 
> 
> ipnat.rules:
> rdr tun0 0.0.0.0/0 port 80 -> 192.168.2.2 port 80
> rdr tun0 0.0.0.0/0 port ssh -> 192.168.2.2 port ssh
> map tun0 192.168.0.0/16 -> tun0/32 portmap tcp/udp auto
> map tun0 192.168.0.0/16 -> tun0/32
> map tun0 192.168.0.0/16 -> tun0/32 proxy port ftp ftp/tcp
> 
> 
> my test from another box on the net:
> # telnet BigG.penguinpowered.com 80
> Trying 199.174.238.27...
> Connected to BigG.penguinpowered.com.
> Escape character is '^]'.
> GET / HTTP/1.0
> Accept: */*
> 
> 
> Connection closed by foreign host.
> #
> (i.e. nothing is ever returned)
> 
> 
> ipmon -a
> 19/01/2001 00:11:06.866321 @1 NAT:RDR 192.168.2.2,80 <- -> 199.174.238.27,80 [63.150.161.201,51011]
> 19/01/2001 00:11:27.855773             tun0 @0:2 p 63.150.161.201,51011 -> 192.168.2.2,80 PR tcp len 20 42 -AP IN
> 19/01/2001 00:11:27.867174              ne4 @0:2 p 192.168.2.2,80 -> 63.150.161.201,51011 PR tcp len 20 40 -A IN
> 19/01/2001 00:11:27.929514 2x              ne4 @0:2 p 192.168.2.2,80 -> 63.150.161.201,51011 PR tcp len 20 1500 -AP IN
> 19/01/2001 00:11:27.933073             tun0 @0:2 p 199.174.238.27 -> 192.168.2.2 PR icmp len 20 56 icmp 3/4 for 199.174.238.27,80 - 199.174.238.27,80 PR tcp len 20 56325 IN
> 19/01/2001 00:11:27.930418 @4 NAT:MAP 192.168.2.1,0 <- -> 199.174.238.27,0 [199.174.238.27,0]
> 19/01/2001 00:11:30.430309 @4 NAT:EXPIRE 192.168.2.1,0 <- -> 199.174.238.27,0 [199.174.238.27,0] Pkts 1 Bytes 56
> 19/01/2001 00:11:30.929535 @4 NAT:MAP 192.168.2.1,0 <- -> 199.174.238.27,0 [199.174.238.27,0]
> 19/01/2001 00:11:32.498351             tun0 @0:2 p 63.150.161.201,51011 -> 192.168.2.2,80 PR tcp len 20 42 -AP IN
> 19/01/2001 00:11:32.499627              ne4 @0:2 p 192.168.2.2,80 -> 63.150.161.201,51011 PR tcp len 20 40 -R IN
> 19/01/2001 00:11:32.504706 2x             tun0 @0:2 p 198.62.160.219,22 -> 192.168.2.2,2647 PR tcp len 20 92 -AP IN
> 19/01/2001 00:11:32.652139             tun0 @0:2 p 207.69.188.186,53 -> 199.174.238.27,48732 PR udp len 20 248  IN
> 19/01/2001 00:11:32.730677             tun0 @0:2 p 208.220.171.7,80 -> 199.174.238.27,33961 PR tcp len 20 40 -A IN
> 19/01/2001 00:11:33.430265 @4 NAT:EXPIRE 192.168.2.1,0 <- -> 199.174.238.27,0 [199.174.238.27,0] Pkts 1 Bytes 56
> 19/01/2001 00:11:34.992751             tun0 @0:2 p 208.220.171.7,80 -> 199.174.238.27,15906 PR tcp len 20 107 -AFP IN
> 19/01/2001 00:11:35.430269 @1 NAT:EXPIRE 192.168.2.2,80 <- -> 199.174.238.27,80 [63.150.161.201,51011] Pkts 19 Bytes 3769
> 19/01/2001 00:11:37.119108             tun0 @0:2 p 208.220.171.7,80 -> 199.174.238.27,37926 PR tcp len 20 238 -AP IN
> 
> 
> Line from the webserver log:
> 63.150.161.201 - - [19/Jan/2001:00:13:04 -0700] "GET / HTTP/1.0" 200 1192 "-" "-"
> 
> Thanks much!
> G

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
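An added example, not part of this thread and not ppp's own code, showing what an MSS fixup such as ppp's TCPMSSfixup option does to a SYN: behind a 1492-byte PPPoE MTU, the 1460 MSS a LAN host advertises is rewritten to 1452 (MTU minus 20 bytes IP and 20 bytes TCP), so the remote peer never sends the 1500-byte segments that draw the "icmp 3/4" (fragmentation needed) seen in the ipmon output above. The SYN builder, port numbers and addresses are constructed for the demonstration; the TCP checksum is recomputed after the rewrite, which is the step a clamp must not skip.

```python
import struct

def checksum(data):
    """RFC 1071 one's-complement sum; an odd-length buffer is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src, dst, tcp):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    return checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)

def find_mss(tcp):
    """Offset of the 16-bit MSS value (option kind 2) in a TCP header, or None."""
    i, end = 20, (tcp[12] >> 4) * 4
    while i + 1 < end and tcp[i] != 0:          # kind 0 ends the option list
        if tcp[i] == 2 and tcp[i + 1] == 4:     # MSS option: kind 2, length 4, value
            return i + 2
        i += 1 if tcp[i] == 1 else max(tcp[i + 1], 2)   # NOP is 1 byte; others carry a length
    return None

def clamp_mss(packet, mtu):
    """Rewrite the MSS in a SYN so a full segment fits the link MTU (MSS = MTU - 20 IP - 20 TCP),
    which is what ppp's TCPMSSfixup does.  Returns (packet, old_mss, new_mss)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if packet[9] != 6 or not tcp[13] & 0x02:   # not TCP, or SYN flag clear: leave it alone
        return packet, None, None
    off = find_mss(tcp)
    if off is None:
        return packet, None, None
    old = struct.unpack_from("!H", tcp, off)[0]
    new = min(old, mtu - 40)
    struct.pack_into("!H", tcp, off, new)
    tcp[16:18] = b"\x00\x00"                   # zero the checksum field, then recompute it
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp), old, new

def build_syn(src, dst, mss):
    """Constructed sample: a minimal IPv4/TCP SYN (port 51011 -> 80) carrying only an MSS option."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", 51011, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
                    + struct.pack("!BBH", 2, 4, mss))
    struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, bytes(tcp)))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return ip + bytes(tcp)
```

Running `clamp_mss(build_syn(src, dst, 1460), 1492)` returns the rewritten packet with old MSS 1460 and new MSS 1452; a SYN that already advertises 1452 or less comes back with the same MSS.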