# Can't connect to my jailed prosody server except from outside it



## torlik (Aug 2, 2014)

Hello,

Here is my configuration:


```
+--------+---+---+ 10.0.0.0/24 +------------------+
|main server -   |             |jail with prosody |
|with xmpp client+-----+-------+server            |
|                |     |       |IP : 10.0.0.1/24  |
+----------------+     |       +------------------+
                       |                           
                       |                           
                       |                           
                       v                           
              NAT and Redirection with PF
```

I have a domain for my public IP. I use it as my prosody VirtualHost. Everything works: from anywhere I can connect with my prosody account. But I have an xmpp client on my host server, and there I can't connect with my account:

Log of the xmpp client (x.x.x.x is my public IP):

```
ERROR:xmlstream:Could not connect to x.x.x.x:5222. Socket Error #61: Connection refused
```

If I try telnet from anywhere else:
`telnet x.x.x.x 5222`

```
Trying X
Connected to X
Escape character is '^]'.
```

On my host server:
`telnet x.x.x.x 5222`

```
Trying X...
telnet: connect to address X: Connection refused
telnet: Unable to connect to remote host
```

Here are my pf rules:
/etc/pf.conf

```
#INTERFACES
ext_if="sis0"
int_if = "lo1"
jailnet = $int_if:network

# Name and IP of jails
PROSODY="10.0.0.1"

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port (xmpp) 5222 or 5269 to jailed prosody
rdr pass on $ext_if inet proto tcp to port 5222 -> $PROSODY port 5222
rdr pass on $ext_if inet proto tcp to port 5269 -> $PROSODY port 5269

# Open prosody's ports to external network
pass in on $ext_if proto { tcp } from any to $ext_if port 5222
pass in on $ext_if proto { tcp } from any to $ext_if port 5269
```

`# ifconfig`

```
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
	ether 00:1c:c0xxx
	inet x.x.x.x netmask 0xffffff00 broadcast x.x.x.255 
	inet6 fe80::xxxx%sis0 prefixlen 64 scopeid 0x1 
	inet6 xxxxxx prefixlen 128 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 10.0.0.1 netmask 0xffffff00 
	inet 10.0.0.2 netmask 0xffffff00 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
```

`netstat -r`

```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            vss-gw-6k.fr.eu    UGS         0 26753856   sis0
10.0.0.1           link#3             UH          0   173804    lo1
10.0.0.2           link#3             UH          0      336    lo1
x.x.x.x       link#1             U           0    12365   sis0
ns37xxx.ip-x.x- link#1             UHS         0   135700    lo0
localhost          link#2             UH          0    35208    lo0
```

How can I open port 5222 for my host server too?

Thank you all !


----------



## junovitch@ (Aug 3, 2014)

Traffic from the host to the jail will use the loopback interface, which has no rules assigned.  For that matter, a bunch of host-to-host communication is on the loopback, so filtering it usually means something breaks.  This is the usual recommendation.

Add to /etc/pf.conf

```
set skip on lo
```

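To make the point above concrete, here is a small model, added as an example and not part of the thread, of the order in which pf decides a packet's fate: a rule only applies on the interface named in its `on` clause, translation (`rdr`) is first-match, filtering is last-match unless a rule says `quick`, and `set skip` exempts an interface from both. The ruleset is the one from the post plus the `block log all` default suggested later in the thread. The addresses 203.0.113.10 and 198.51.100.7 stand in for the x.x.x.x public IP and an outside client, and the table of listening services is an assumption of the model (prosody in the jail, sshd on the host, nothing on the host itself on 5222). Run through it, an outside client is redirected into the jail, while the host connecting to its own public address is seen on lo0 (the netstat output above routes that address over lo0, not sis0), so the sis0-bound `rdr` never rewrites it, `set skip on lo` then leaves it untouched, and the connection lands on the host's own stack, where nothing listens on 5222: the "Connection refused" in the log.

```python
from dataclasses import dataclass, replace
from typing import Optional

PUB_IP = "203.0.113.10"   # stand-in for the x.x.x.x public address in the post
PROSODY = "10.0.0.1"      # jail address, as in the pf.conf above

# Assumed listeners for the model: prosody inside the jail, sshd on the host.
LISTENERS = {
    PROSODY: {5222, 5269},
    PUB_IP: {22},
    "127.0.0.1": {22},
}


@dataclass(frozen=True)
class Packet:
    iface: str       # interface pf sees the packet on
    direction: str   # "in" or "out"
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass", "block" or "rdr"
    text: str                          # the pf.conf line this models
    direction: Optional[str] = None    # None means "any"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    rdr_to: Optional[tuple] = None     # (addr, port) for rdr rules
    pass_through: bool = False         # "rdr pass": skip the filter rules
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.iface, p.iface),
            (self.proto, p.proto), (self.dst, p.dst), (self.dport, p.dport)))


class Pf:
    """Minimal model of pf's decision order for one packet."""

    def __init__(self, skip, rdr_rules, filter_rules):
        self.skip, self.rdr_rules, self.filter_rules = set(skip), rdr_rules, filter_rules

    def evaluate(self, p: Packet) -> dict:
        if p.iface in self.skip:      # set skip: neither translation nor filtering
            return {"action": "pass", "dst": (p.dst, p.dport), "rule": "set skip on lo"}
        # Translation: the first matching rdr wins and rewrites the destination.
        for r in self.rdr_rules:
            if r.matches(p):
                p = replace(p, dst=r.rdr_to[0], dport=r.rdr_to[1])
                if r.pass_through:
                    return {"action": "pass", "dst": (p.dst, p.dport), "rule": r.text}
                break
        # Filtering sees the translated packet; the LAST match wins unless quick.
        action, text = "pass", "(implicit default pass)"
        for r in self.filter_rules:
            if r.matches(p):
                action, text = r.action, r.text
                if r.quick:
                    break
        return {"action": action, "dst": (p.dst, p.dport), "rule": text}


def connect_outcome(pf: Pf, p: Packet) -> str:
    """What the connecting client experiences, given pf's verdict."""
    v = pf.evaluate(p)
    if v["action"] == "block":
        return "dropped (block's default is drop, so the client times out)"
    addr, port = v["dst"]
    if port in LISTENERS.get(addr, set()):
        return "connected"
    return "refused (nothing listens there, the stack answers with a RST)"


def thread_ruleset() -> Pf:
    """The ruleset from the thread plus the 'block log all' default suggested later."""
    rdr = [
        Rule("rdr", "rdr pass on sis0 inet proto tcp to port 5222 -> 10.0.0.1 port 5222",
             direction="in", iface="sis0", proto="tcp", dport=5222,
             rdr_to=(PROSODY, 5222), pass_through=True),
        Rule("rdr", "rdr pass on sis0 inet proto tcp to port 5269 -> 10.0.0.1 port 5269",
             direction="in", iface="sis0", proto="tcp", dport=5269,
             rdr_to=(PROSODY, 5269), pass_through=True),
    ]
    filt = [
        Rule("block", "block log all"),
        Rule("pass", "pass in on sis0 proto tcp from any to $ext_if port 5222",
             direction="in", iface="sis0", proto="tcp", dst=PUB_IP, dport=5222),
        Rule("pass", "pass in on sis0 proto tcp from any to $ext_if port 5269",
             direction="in", iface="sis0", proto="tcp", dst=PUB_IP, dport=5269),
        Rule("pass", "pass out", direction="out"),
    ]
    # "set skip on lo" covers the lo interface group: lo0 and the cloned lo1.
    return Pf(skip={"lo0", "lo1"}, rdr_rules=rdr, filter_rules=filt)


# Constructed packets.  The host talking to its own public address is delivered
# over lo0 (the netstat output in the thread routes that address via lo0), so it
# is never "in on sis0" and the sis0-bound rdr cannot touch it.
EXTERNAL_CLIENT = Packet("sis0", "in", "tcp", "198.51.100.7", PUB_IP, 5222)
HOST_TO_PUB_IP = Packet("lo0", "in", "tcp", PUB_IP, PUB_IP, 5222)
HOST_TO_LOCAL_SSH = Packet("lo0", "in", "tcp", "127.0.0.1", "127.0.0.1", 22)
UNSOLICITED = Packet("sis0", "in", "tcp", "198.51.100.7", PUB_IP, 8080)

if __name__ == "__main__":
    pf = thread_ruleset()
    for name, pkt in [("external client", EXTERNAL_CLIENT), ("host -> public IP", HOST_TO_PUB_IP),
                      ("host -> local sshd", HOST_TO_LOCAL_SSH), ("unsolicited port", UNSOLICITED)]:
        v = pf.evaluate(pkt)
        print(f"{name:20} rule={v['rule']!r:60} -> {connect_outcome(pf, pkt)}")
```

The model also shows the difference that matters for the rest of the thread: a packet that hits `block log all` is silently dropped and the client times out, whereas a packet that pf passes to an address with no listener gets an immediate refusal.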

----------



## torlik (Aug 3, 2014)

Thanks for the reply.
I've added this line just before the nat line.

Flushed and reloaded PF, restarted the jail. Nothing changes :/


----------



## junovitch@ (Aug 3, 2014)

I figured the skip would be enough.  Allow outbound traffic maybe?
/etc/pf.conf

```
pass out
```


----------



## torlik (Aug 3, 2014)

I added this at the end of pf.conf, and again:

```
2014-08-03 04:30:29,078 ERROR:xmlstream:Could not connect to x.x.x.x:5222. Socket Error #61: Connection refused
```
and with telnet it's the same. From outside it's still OK.
`pfctl -vnf /etc/pf.conf`

```
ext_if = "sis0"
int_if = "lo1"
jailnet = "lo1:network"
PROSODY = "10.0.0.1"
set skip on { lo }
nat on sis0 inet from 10.0.0.0/24 to any -> (sis0) round-robin
nat on sis0 inet from 10.0.0.0/24 to any -> (sis0) round-robin
rdr pass on sis0 inet proto tcp from any to any port = xmpp-client -> 10.0.0.1 port 5222
rdr pass on sis0 inet proto tcp from any to any port = xmpp-server -> 10.0.0.1 port 5269
pass in on sis0 inet6 proto tcp from any to fe80::xxx port = xmpp-client flags S/SA keep state
pass in on sis0 inet6 proto tcp from any to fe80::2xx port = xmpp-server flags S/SA keep state
pass in on sis0 inet6 proto tcp from any to 2001:xxx:2:120a::1 port = xmpp-client flags S/SA keep state
pass in on sis0 inet6 proto tcp from any to 2001:xxx0:2:120a::1 port = xmpp-server flags S/SA keep state
pass in on sis0 inet proto tcp from any to x.x.x.x port = xmpp-client flags S/SA keep state
pass in on sis0 inet proto tcp from any to x.x.x.x port = xmpp-server flags S/SA keep state
pass out all flags S/SA keep state
```


----------



## junovitch@ (Aug 4, 2014)

How about another service?  What does this return when you sub in the address of the jail?
`nc -n 127.0.0.1 22`

```
SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
```

We at least have a clue with the "connection refused" aspect.  Anytime you see that you at least know the distant end is using a reject/return type policy that triggers an ICMP message back saying you can't access.  The SSH banner grab is a way to check with another service/port.  

Let's try this.  Add a default policy type rule to pf.conf.  This will go first in your ruleset, as last match will win and the behavior will be that of the matching rule.  This is just a catch-all for anything you don't have rules for.

```
# rdr rules here
block log all
# pass rules here
```

Now run `tcpdump -n -e -ttt -i pflog0` as shown in the examples section of the pflog(4) man page to see if that log rule is being hit.  If not, try to run a `tcpdump -n -i lo1` while you do the connection to either port 22 or 5222 and post the result here.

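A small probe along the lines of the `nc` banner grab suggested above, added here as an example rather than taken from the thread. It separates the three outcomes that matter when debugging a firewall: the handshake completed (and, if the service speaks first, what it said), the connection was refused (for TCP that is a RST from a stack with no listener, or from a `block return` rule), and no answer at all within the timeout (the behaviour of pf's default `block drop`). The server it runs against is a constructed stand-in for sshd on an ephemeral loopback port; the banner text is copied from the post.

```python
import errno
import socket
import threading


def probe(host: str, port: int, timeout: float = 3.0, banner_wait: float = 2.0) -> tuple:
    """Connect to host:port and classify what the far end did.

    Returns (state, banner):
      ("open", banner)    handshake completed; banner is the first line the
                          service volunteered (sshd does, prosody does not)
      ("closed", None)    the stack answered with a RST: nothing listens there,
                          or a "block return" rule is in the way
      ("filtered", None)  no answer within timeout: silently dropped, which is
                          what pf's default "block drop" produces
      ("error:...", None) anything else, e.g. EHOSTUNREACH
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return ("filtered", None)
    except ConnectionRefusedError:
        s.close()
        return ("closed", None)
    except OSError as e:
        s.close()
        return (f"error:{errno.errorcode.get(e.errno, e.errno)}", None)
    s.settimeout(banner_wait)
    try:
        data = s.recv(256)
    except socket.timeout:
        data = b""
    finally:
        s.close()
    lines = data.decode("ascii", "replace").splitlines()
    return ("open", lines[0] if lines else None)


def fake_banner_server(banner: bytes):
    """Constructed stand-in for sshd: listen on an ephemeral loopback port,
    accept one connection, send the banner, close.  Returns (port, listener)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo() -> tuple:
    """Probe a port while a service listens, then the same port once it is gone."""
    banner = b"SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420\r\n"  # text from the thread
    port, srv = fake_banner_server(banner)
    while_open = probe("127.0.0.1", port)
    srv.close()                      # nothing listens now: the stack answers with RST
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())
```

From the host, `probe("10.0.0.1", 22)` and `probe("10.0.0.1", 5222)` are the check proposed above against the jail's own address: an `open` with an SSH banner next to a `closed` on 5222 says the jail is reachable over lo1 and narrows the question to what is (or is not) listening there, while a `filtered` on both points at the ruleset, which is where `block log all` and the pflog0 capture come in.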

----------

