Re: How to rdr back into a private network?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: How to rdr back into a private network?
- From: Darik Horn <darik_(_at_)_gulf_(_dot_)_waterways_(_dot_)_geeky_(_dot_)_net>
- Date: Tue, 31 Oct 2000 15:12:09 -0500 (EST)
Thanks for the private messages regarding my problem. It would appear
that people are as hesitant to post replies to the mailing list as they
are to post questions. <grin>
I'll reply to myself so that there might be something in the mail archive
regarding the [non]resolution of this problem.
I opened up the IPF rules to allow all traffic, disabled NAT, and
restricted the scope of my experiments to only the one private subnet.
Various applications of bimap yielded no better results than rdr. Map
didn't do much at all. Aliasing 299.299.299.102 to both vr0 and vr1
prevented anybody from talking to 299.299.299.102.
This single NAT rule produced the best results:
"rdr vr1 299.299.299.102/32 port ssh -> 192.168.72.2 port ssh"
Where `ipnat -l` returned:
/"
List of active MAP/Redirect filters:
rdr vr1 209.202.76.102/32 port 22 -> 192.168.72.2 port 22 tcp
List of active sessions:
RDR 192.168.72.2 22 <- -> 299.299.299.102 22 [192.168.72.132 1061]
"/
The connection still does not get past the OpenBSD box. (Generic 2.7
kernel, BTW.)
The best alternative solution seems to be a DNS trick, where machines on
the private network get a different response to 'cvs.mydomain.tld'.
Unfortunately this can't happen because we have people using laptops
(win32 w/ cygwin for ssh and cvs) on both sides of the OpenBSD box, and
wish to avoid screwing with the DNS.
Additional tips and ideas would be much appreciated, or an indication
about whether this is a peculiar limitation of IPF/NAT.
On Mon, 30 Oct 2000, Darik Horn wrote:
>
> Is it possible to redirect connections back into a private network if that
> private network is being NAT'd?
>
> I have an OpenBSD box that is doing NAT for two private networks. There
> is a CVS server on one private network that I have made available to the
> outside world.
>
> This is my rule in '/etc/ipnat.rules':
> "rdr vr0 299.299.299.102/32 port ssh -> 192.168.72.2 port ssh"
>
> The CVS server is accessible from the Internet. The vr0 interface is
> external with address 299.299.299.98, and 299.299.299.102 is an alias.
>
> However, users on the 192.168.72.0 private network cannot connect to the
> CVS server by resolving 299.299.299.102 through the DNS because their
> connections are going to the OpenBSD machine instead of the CVS machine.
>
> I tried adding this line to '/etc/ipnat.rules':
> "rdr vr1 299.299.299.102/32 port ssh -> 192.168.72.2 port ssh"
>
> Instead of going to the OpenBSD machine, sessions are now timing out after
> several minutes. Sessions are never redirected to the CVS server if they
> originate on the 192.168.72.0 private network.
>
> 'ipnat -l' shows this:
> "RDR 192.168.72.2 22 <- -> 299.299.299.102 22 [192.168.72.132 1912]"
>
> The vr1 interface has address 192.168.72.1 on the private network. I am
> sitting at 192.168.72.132 trying to access the CVS server through
> 299.299.299.102.
>
> I have been playing with the rules but I have been unable to figure it
> out. -- Can anybody offer hints as to how I might make this work?
>
> Here are the plain '/etc/ipnat.rules' and '/etc/ipf.rules' files that I am
> using at the moment:
>
> ###########################################################################
> # See /usr/share/ipf/nat.1 for examples.
> # edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
>
> # Redirection for the CVS server.
> rdr vr0 299.299.299.102/32 port ssh -> 192.168.72.2 port ssh
> rdr vr1 299.299.299.102/32 port ssh -> 192.168.72.2 port ssh
>
> # Active FTP portmapping.
> map vr0 192.168.72.0/24 -> vr0/32 proxy port ftp ftp/tcp
> map vr0 192.168.144.0/24 -> vr0/32 proxy port ftp ftp/tcp
>
> # Regular TCP and UDP traffic.
> map vr0 192.168.72.0/24 -> vr0/32 portmap tcp/udp 10000:20000
> map vr0 192.168.144.0/24 -> vr0/32 portmap tcp/udp 10000:20000
>
> # ICMP traffic, for stuff like ping.
> map vr0 192.168.72.0/24 -> vr0/32
> map vr0 192.168.144.0/24 -> vr0/32
>
> ############################################################
> # IP filtering rules. See the ipf(5) man page for more
> # information on the format of this file, and /usr/share/ipf
> # for example configuration files.
>
> # Pass all packets by default.
> pass in from any to any
> pass out from any to any
>
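Editor's note, added to the archive and not part of either message above: the symptom described in the thread (an RDR session appears in `ipnat -l`, yet the client's connection times out) is the classic "hairpin" redirect problem. The client and the CVS server sit on the same 192.168.72.0/24 segment, so once the gateway rewrites the destination to 192.168.72.2 the server's SYN-ACK is delivered directly to 192.168.72.132 with a source of 192.168.72.2, never passing back through the OpenBSD box. The client sent its SYN to 299.299.299.102, so that reply matches no socket and the SYN keeps retransmitting until it times out. The usual cure is to also rewrite the source address to the gateway's own inside address (192.168.72.1) on the inside interface, so that the server routes its reply back through the box, which then untranslates both ends. The Python model below (example code, not ipnat's implementation; the ipnat rule syntax for the source rewrite is not shown because it varies by IPF version) walks a SYN and its SYN-ACK through both configurations using the addresses from the thread, which are the thread's own fictitious values.

```python
"""Model of a hairpin rdr on a single inside subnet: why the reply bypasses
the gateway without a source rewrite, and why a source rewrite fixes it.
Added example; the Gateway class is a hypothetical stateful NAT, not ipnat."""
from dataclasses import dataclass, replace as dc_replace

# Addresses as given in the thread (299.x is the thread's fictitious public range).
EXT_ALIAS = "299.299.299.102"   # public alias that cvs.mydomain.tld resolves to
GW_INSIDE = "192.168.72.1"      # vr1 address of the OpenBSD box
CVS = "192.168.72.2"            # CVS server on the inside subnet
CLIENT = "192.168.72.132"       # inside client from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


def same_subnet(a: str, b: str) -> bool:
    """/24 model: compare the first three octets."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


class Gateway:
    """Stateful rdr on the inside interface, optionally with a source rewrite
    (NAT reflection) so that replies are forced back through the gateway."""

    def __init__(self, reflect_source: bool):
        self.reflect_source = reflect_source
        # (server, client port as seen by server) -> original packet from client
        self.sessions = {}

    def inbound(self, p: Packet) -> Packet:
        """Packet from the client side hitting the rdr rule for port 22."""
        if p.dst == EXT_ALIAS and p.dport == 22:
            self.sessions[(CVS, p.sport)] = p
            new_src = GW_INSIDE if self.reflect_source else p.src
            return dc_replace(p, dst=CVS, src=new_src)
        return p

    def reply(self, p: Packet) -> Packet:
        """Server reply arriving at the gateway: undo both rewrites."""
        orig = self.sessions.get((p.src, p.dport))
        if orig is None:
            return p
        return dc_replace(p, src=EXT_ALIAS, dst=orig.src)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """The client's TCP stack only matches a reply to the 4-tuple it sent to."""
    return (reply.src == sent.dst and reply.sport == sent.dport
            and reply.dst == sent.src and reply.dport == sent.sport)


def simulate(reflect_source: bool):
    """Return (handshake_ok, reply_path, packet_seen_by_client)."""
    gw = Gateway(reflect_source)
    syn = Packet(CLIENT, 1061, EXT_ALIAS, 22, "SYN")
    at_server = gw.inbound(syn)          # client -> default route -> rdr applied
    synack = Packet(at_server.dst, 22, at_server.src, at_server.sport, "SYN-ACK")
    # The server delivers on-link destinations directly; only traffic addressed
    # to the gateway itself (or off-link) reaches the OpenBSD box again.
    if same_subnet(synack.dst, CVS) and synack.dst != GW_INSIDE:
        at_client, path = synack, "direct"        # bypasses the gateway
    else:
        at_client, path = gw.reply(synack), "via gateway"
    return client_accepts(syn, at_client), path, at_client


if __name__ == "__main__":
    for reflect in (False, True):
        ok, path, pkt = simulate(reflect)
        print(f"reflect_source={reflect}: reply {path}, "
              f"client sees {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}, "
              f"handshake {'completes' if ok else 'fails (SYN retransmits, timeout)'}")
```

The trade-off of the source rewrite is visible in the model: the CVS server sees every inside connection as coming from 192.168.72.1, so its own logs and any per-client access controls on the server lose the real client address. The DNS split the original poster mentions avoids that, at the cost of maintaining two views of the zone.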