Re: [OpenIndiana-discuss] IPNAT redirection.
Actually in the real system I am trying to forward a port from an external address (on the internet, the address I hid) to an internal RDP server (port 3389 tcp) ... but for testing I forwarded to an internal IMAP server.

iprb0 is the external interface, bge0 is the internal. I added bge0 to see if it was a problem with my external connection.

I enabled the telnet server on the local machine and used ipnat to redirect 143 to 23 and that worked ... I was just surprised that I couldn't connect to any port on another host.

Anyway, to cut your explanation down, you are basically saying that I cannot do port forwarding with ipnat?

Jon

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] IPNAT redirection.
more specific addresses to forward:

root@oldfluffy:/etc/ipf# ipnat -l
List of active MAP/Redirect filters:
rdr iprb0 n.n.62.35/32 port 143 -> 192.168.0.12 port 143 tcp
rdr bge0 192.168.0.65/32 port 143 -> 192.168.0.12 port 143 tcp

List of active sessions:
RDR 192.168.0.12   143   <- -> n.n.62.35   143   [n.n.180.45 34032]

and even if I change the port so there is no possibility of conflict:

root@oldfluffy:/etc/ipf# ipnat -l
List of active MAP/Redirect filters:
rdr iprb0 n.n.62.35/32 port 144 -> 192.168.0.12 port 143 tcp
rdr bge0 192.168.0.65/32 port 144 -> 192.168.0.12 port 143 tcp

List of active sessions:
RDR 192.168.0.12   143   <- -> n.n.62.35   144   [n.n.180.45 36138]

neither worked ... I can only assume that I can't port forward in this way, and will just go back to using delegate.

Jon

On 19 April 2013 10:22, Jonathan Adams <t12nsloo...@gmail.com> wrote:
> Actually in the real system I am trying to forward a port from an external address (on the internet, the address I hid) to an internal RDP server (port 3389 tcp) ... but for testing I forwarded to an internal IMAP server.
>
> iprb0 is the external interface, bge0 is the internal. I added bge0 to see if it was a problem with my external connection.
>
> I enabled the telnet server on the local machine and used ipnat to redirect 143 to 23 and that worked ... I was just surprised that I couldn't connect to any port on another host.
>
> Anyway, to cut your explanation down, you are basically saying that I cannot do port forwarding with ipnat?
>
> Jon
Re: [OpenIndiana-discuss] IPNAT redirection.
Jon,

I redirect ports fine using nat. I'm trying to understand what's different between your and my setup. For example in my ipnat.conf file I have:

rdr bge0 0.0.0.0/0 port 2022 -> 10.101.1.9 port 22 tcp/udp

Where bge0 is my external nic (bge1 is my internal nic). BTW, I use 0.0.0.0/0 so it automatically picks up my external nic's ip address (I have pseudo-dynamic IP from my ISP).

Gary

On 04/19/2013 05:22 AM, Jonathan Adams wrote:
> Actually in the real system I am trying to forward a port from an external address (on the internet, the address I hid) to an internal RDP server (port 3389 tcp) ... but for testing I forwarded to an internal IMAP server.
>
> iprb0 is the external interface, bge0 is the internal. I added bge0 to see if it was a problem with my external connection.
>
> I enabled the telnet server on the local machine and used ipnat to redirect 143 to 23 and that worked ... I was just surprised that I couldn't connect to any port on another host.
>
> Anyway, to cut your explanation down, you are basically saying that I cannot do port forwarding with ipnat?
>
> Jon
Re: [OpenIndiana-discuss] IPNAT redirection.
On 19 April 2013 11:45, Gary Gendel <g...@genashor.com> wrote:
> Jon,
>
> I redirect ports fine using nat. I'm trying to understand what's different between your and my setup. For example in my ipnat.conf file I have:
>
> rdr bge0 0.0.0.0/0 port 2022 -> 10.101.1.9 port 22 tcp/udp
>
> Where bge0 is my external nic (bge1 is my internal nic). BTW, I use 0.0.0.0/0 so it automatically picks up my external nic's ip address (I have pseudo-dynamic IP from my ISP).

I originally used 0.0.0.0/0 but was wondering if it was capturing packets coming through so limited to the external IP address ...

I use ipnat happily on another machine for transparent proxying:

# redirect all port 80 transactions to squid
rdr internal2 any port 80 -> 192.168.0.82 port 3128
# NAT all port 443 (https) to the external address directly.
map external2 from any to 83.138.182.145 port = 443 -> 94.136.227.100/32

and that works a charm.

I modified ipf.conf to allow and log everything ... then lines from ipmon are:

19/04/2013 12:53:30.895801 iprb0 @0:2 p n.n.180.45,46135 -> 192.168.0.12,143 PR tcp len 20 40 -R IN NAT
19/04/2013 12:53:30.895818 bge0 @0:1 p n.n.180.45,46135 -> 192.168.0.12,143 PR tcp len 20 40 -R OUT
19/04/2013 12:53:32.799328 iprb0 @0:2 p n.n.180.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 12:53:32.799344 bge0 @0:1 p n.n.180.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT
19/04/2013 12:53:36.176407 iprb0 @0:2 p n.n.180.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 12:53:36.176423 bge0 @0:1 p n.n.180.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT
19/04/2013 12:53:42.239530 bge0 @0:1 p 192.168.0.20,138 -> 192.168.0.255,138 PR udp len 20 267 IN mbcast
19/04/2013 12:53:42.935736 iprb0 @0:2 p n.n.180.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 12:53:42.935752 bge0 @0:1 p n.n.180.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT

but if I snoop from 192.168.0.12 there are no packets coming in. strange ...

I'm sure I'm just missing something little.

Jon
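A small diagnostic for the symptom in this message, added here as an example and not code from the thread or from IPFilter: it parses ipmon lines of the shape Jon posted and reports rdr'd TCP flows whose SYNs kept leaving on the internal interface (still carrying the public source address, because rdr rewrites only the destination) without any packet ever coming back from the server. The sample lines are constructed, with 203.0.113.45 standing in for the redacted client and the interface names iprb0/bge0 taken from the thread; the later reply in this thread confirms the cause, a missing route back from the internal host through the firewall.

```python
import re
from collections import defaultdict

# ipmon line layout as posted in the thread:
#   date time iface @group:rule action src,sport -> dst,dport PR proto len hl tl [-FLAGS] IN|OUT [NAT]
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>\S) "
    r"(?P<src>[^,]+),(?P<sport>\d+) -> (?P<dst>[^,]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)(?P<nat> NAT)?"
)

# Constructed sample: the thread's lines with 203.0.113.45 in place of the redacted
# client, plus one healthy flow (port 50000) where the internal server does answer.
SAMPLE_LOG = """\
19/04/2013 12:53:30.895801 iprb0 @0:2 p 203.0.113.45,46135 -> 192.168.0.12,143 PR tcp len 20 40 -R IN NAT
19/04/2013 12:53:30.895818 bge0 @0:1 p 203.0.113.45,46135 -> 192.168.0.12,143 PR tcp len 20 40 -R OUT
19/04/2013 12:53:32.799328 iprb0 @0:2 p 203.0.113.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 12:53:32.799344 bge0 @0:1 p 203.0.113.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT
19/04/2013 12:53:36.176407 iprb0 @0:2 p 203.0.113.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 12:53:36.176423 bge0 @0:1 p 203.0.113.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT
19/04/2013 12:53:42.239530 bge0 @0:1 p 192.168.0.20,138 -> 192.168.0.255,138 PR udp len 20 267 IN mbcast
19/04/2013 12:53:42.935736 iprb0 @0:2 p 203.0.113.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 12:53:42.935752 bge0 @0:1 p 203.0.113.45,46607 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT
19/04/2013 13:10:01.000001 iprb0 @0:2 p 203.0.113.45,50000 -> 192.168.0.12,143 PR tcp len 20 52 -S IN NAT
19/04/2013 13:10:01.000020 bge0 @0:1 p 203.0.113.45,50000 -> 192.168.0.12,143 PR tcp len 20 52 -S OUT
19/04/2013 13:10:01.000900 bge0 @0:1 p 192.168.0.12,143 -> 203.0.113.45,50000 PR tcp len 20 52 -AS IN
"""

def parse_ipmon(line):
    """Split one ipmon line into fields; None for lines of another shape."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    p["nat"] = p["nat"] is not None
    p["flags"] = p["flags"] or ""
    return p

def find_unanswered_rdr_flows(lines, int_if="bge0"):
    """TCP flows whose SYN left on int_if (still carrying the public source address,
    because rdr rewrites only the destination) and never got any packet back."""
    flows = defaultdict(lambda: {"syn_fwd": 0, "reply": False})
    for p in filter(None, map(parse_ipmon, lines)):
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        back = (p["dst"], p["dport"], p["src"], p["sport"])
        if back in flows:                           # the internal server answered
            flows[back]["reply"] = True
        elif "S" in p["flags"] and p["dir"] == "OUT" and p["iface"] == int_if:
            flows[key]["syn_fwd"] += 1              # SYN (re)sent towards the server
    return [{"client": k[0], "server": "%s:%d" % (k[2], k[3]), "syns_forwarded": f["syn_fwd"]}
            for k, f in flows.items() if f["syn_fwd"] and not f["reply"]]

if __name__ == "__main__":
    for hit in find_unanswered_rdr_flows(SAMPLE_LOG.splitlines()):
        print("%(client)s -> %(server)s: %(syns_forwarded)d SYN(s) forwarded, nothing back; "
              "check that the server routes %(client)s via this firewall" % hit)
```

Run against the live ipmon output (for example `ipmon -o N` piped in), a flow that shows up here while `ipnat -l` lists an active session is the DNAT-without-return-route pattern rather than a broken rdr rule.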
Re: [OpenIndiana-discuss] IPNAT redirection.
We've all been there. :(

On 04/19/2013 08:08 AM, Jonathan Adams wrote:
> ignore me, I'm just being stupid! on the accelerated host I needed to add the route to the external server :(
>
> On 19 April 2013 12:58, Jonathan Adams <t12nsloo...@gmail.com> wrote:
Re: [OpenIndiana-discuss] IPNAT redirection.
I kinda assumed that the packets would have been translated to be from the machine on the firewall ... it was only after snooping from the firewall that I noticed the originator ... I'm going to have to delegate because I don't trust the windows server to know anything about the outside world.

Ahh well ... another thing to write up on the internal wiki.

Thanks everyone.

On 19 April 2013 13:10, Gary Gendel <g...@genashor.com> wrote:
> We've all been there. :(
>
> On 04/19/2013 08:08 AM, Jonathan Adams wrote:
>> ignore me, I'm just being stupid! on the accelerated host I needed to add the route to the external server :(
>>
>> On 19 April 2013 12:58, Jonathan Adams <t12nsloo...@gmail.com> wrote:
[OpenIndiana-discuss] IPNAT redirection.
In the past I have used delegate to do port forwarding on our internal servers, forwarding from a server directly connected to the internet, to one that has no direct connection.

I was about to set up delegate to do the same job, when it struck me that I should be able to use ipfilter, via ipnat to redirect the ports.

I have had success in the past with ipnat on another server, using map to send connections for https, and rdr to redirect to a proxy server running on the same machine.

I came to set up forwarding and although it says it's working, no packets are being forwarded internally.

my ipnat.conf

rdr iprb0 any port 143 -> 192.168.0.12 port 143 tcp
rdr bge0 any port 143 -> 192.168.0.12 port 143 tcp

If I try connecting using telnet the client stays trying, and the ipnat -l shows that a connection is established, but if I snoop from 192.168.0.12 there are no packets coming in.

I'm sure I'm just missing 1 tiny detail.

Can anyone see what I'm missing, or point me in the correct direction?

Jon

root@fluffy:/etc/ipf# ipnat -vC -f /etc/ipf/ipnat.conf
4 entries flushed from NAT list
rdr iprb0,bge0 0.0.0.0/0 port 143 -> 192.168.0.12 port 143 tcp

root@oldfluffy:/etc/ipf# ipadm show-if
IFNAME     STATE    CURRENT      PERSISTENT
lo0        ok       -m-v--46     ---
bge0       ok       bm46         -46
iprb0      ok       bm46         -46

root@oldfluffy:/etc/ipf# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
bge0/v4           static   ok           192.168.0.65/24
iprb0/v4          static   ok           <external address>/28
lo0/v6            static   ok           ::1/128

root@oldfluffy:/etc/ipf# ipadm show-ifprop bge0
IFNAME  PROPERTY         PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
bge0    arp              ipv4   rw    on       --          on       on,off
bge0    forwarding       ipv4   rw    on       on          off      on,off
bge0    metric           ipv4   rw    0        --          0        --
bge0    mtu              ipv4   rw    1500     --          1500     68-1500
bge0    exchange_routes  ipv4   rw    off      off         on       on,off
bge0    usesrc           ipv4   rw    none     --          none     --
bge0    forwarding       ipv6   rw    off      --          off      on,off
bge0    metric           ipv6   rw    0        --          0        --
bge0    mtu              ipv6   rw    1500     --          1500     1280-1500
bge0    nud              ipv6   rw    on       --          on       on,off
bge0    exchange_routes  ipv6   rw    on       --          on       on,off
bge0    usesrc           ipv6   rw    none     --          none     --

root@oldfluffy:/etc/ipf# ipadm show-ifprop iprb0
IFNAME  PROPERTY         PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
iprb0   arp              ipv4   rw    on       --          on       on,off
iprb0   forwarding       ipv4   rw    on       on          off      on,off
iprb0   metric           ipv4   rw    0        --          0        --
iprb0   mtu              ipv4   rw    1500     --          1500     68-1500
iprb0   exchange_routes  ipv4   rw    off      off         on       on,off
iprb0   usesrc           ipv4   rw    none     --          none     --
iprb0   forwarding       ipv6   rw    off      --          off      on,off
iprb0   metric           ipv6   rw    0        --          0        --
iprb0   mtu              ipv6   rw    1500     --          1500     1280-1500
iprb0   nud              ipv6   rw    on       --          on       on,off
iprb0   exchange_routes  ipv6   rw    on       --          on       on,off
iprb0   usesrc           ipv6   rw    none     --          none     --

root@oldfluffy:/etc/ipf# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
            IPv6 forwarding   disabled             disabled

           Routing services   route:default ripng:default

Routing daemons:

                      STATE   FMRI
                   disabled   svc:/network/routing/ripng:default
                   disabled   svc:/network/routing/legacy-routing:ipv4
                   disabled   svc:/network/routing/legacy-routing:ipv6
                     online   svc:/network/routing/ndp:default
                   disabled   svc:/network/routing/rdisc:default
                   disabled   svc:/network/routing/route:default
Re: [OpenIndiana-discuss] IPNAT redirection.
On Apr 18, 2013, at 2:15 PM, Jonathan Adams wrote:

From what I
Re: [OpenIndiana-discuss] IPNAT redirection.
BTW - My solution was to make etherstubs, and create a virtual router, with my working zones in another network segment. Then everything works fine. See:

http://www.c0t0d0s0.org/archives/5355-Upcoming-Solaris-Features-Crossbow-Part-1-Virtualisation.html

It's actually simple to do. If I can do it, anybody can. The big thing I don't like about it is that if I want direct access to my global zone (without going through the virtual router), it eats up an extra public IP Address.