# Jail and NAT



## SacamantecaS (Sep 13, 2011)

Hello

I have 3 servers with public IPs, also with 3 network interface (switch) to communicate to internal. I am FreeBSD newbie and I have several days trying to run the scenario and read on to see if I find the problem, but I have much knowledge of routing.

On these servers, I have a few jails with private IPs (10.xxx/8) linked to the internal interface, but I want to nat some of the services from the public network. Since the jails I can access the public IPs of the different servers and private ips (I guess that will do routing for the internal network), but I canÂ´t install ports, not ping the router, not outside or anything. Does anyone can help or tell me where to go? thanks

Best regards

Diagram:


```
180.x.x.55          180.x.x.63
   ____|____           ____|____
  | SERVER1 |---em1---| SERVER2 |
   ---------           ---------
```


```
# sysctl
srv02# sysctl -a | grep jail
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0

srv02# sysctl -a | grep forward
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0
```

# rc.conf


```
defaultrouter="180.X.X.1"
static_routes="internal"
route_internal="-net 10.0.0.0/8 10.0.0.1"

ifconfig_em0="inet 180.X.X.63 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 180.X.X.64 netmask 255.255.255.0"

ifconfig_em1="inet 10.0.0.1 netmask 255.0.0.0"
ifconfig_em1_alias0="inet 10.0.0.5 netmask 255.0.0.0"

ipv6_enable="NO"
hostname="srv02.internal.local"

sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ezjail_enable="YES"
```

# pf.conf

```
# Interfaces
external="em0"
internal="em1"

intnet="{ 10.0.0.0/8 }"
table <dnsserver> const { 180.x.x.55, 188.x.x.63 }
table <dnsserver_int> const { 10.10.1.1, 10.10.2.1, 10.0.0.5 }
table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

icmp_types="echoreq"

set block-policy drop
set skip on lo0 

nat on $internal from $internal:network to any -> ($external)
#nat on $external from $internal:network to any -> ($external)

# DNS
rdr on $external inet proto {tcp, udp} from any to <dnsserver_int> port 53 -> <dnsserver>

block in log all

block drop quick on $external from <privnets> to any
block drop quick on $external from any to <privnets>

pass in on $external proto tcp from any to <dnsserver> port domain flags S/SA modulate state 
pass in on $external proto udp from any to <dnsserver> port domain keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $internal from $internal:network to any keep state
pass out quick on $internal from any to $internal:network keep state

pass out on $external proto tcp all flags S/SA modulate state
pass out on $external all keep state
```


----------



## ecazamir (Sep 14, 2011)

I assume that the rules:

```
set block-policy drop
and
block in log all
```
prevent your jail from connecting to the outside world. The "block in log all" reffers to reply packets. The default 'pass out all' will let a connection go out, bot your 'block in all' will block the reply packet, unless you create rules for the outbound connections with 'keep state'.

Perhaps this stripped ruleset will inspire you, even  if the setup is not identical

```
jail_dns="81.x.x.102"
block in log on $ext_if inet from any to $jail_dns
pass in on $ext_if inet proto icmp from any to $jail_dns keep state label "ICMP DNS"
pass in on $ext_if inet proto udp from any to $jail_dns port { 53 } label "DNS Queries DNS"
pass in on $ext_if inet proto tcp from any to $jail_dns port { 53 } label "DNS Transfers DNS"
pass out on $ext_if inet proto tcp from $jail_dns to any port { 53 } label "DNS Transfers DNS"
pass out on $ext_if inet proto udp from $jail_dns to any port { 53 } keep state 
pass out on $ext_if inet proto tcp from $jail_dns to any port { 80,443,5999 } keep state label "Outbound TCP allowed"
```
 


Use pflog to debug the firewall matches[and drops]:

```
# echo 'pflog_enable="YES"' >> /etc/rc.conf; /etc/rc.d/pflog start
```

And look to logs:

```
# tcpdump -n -e -ttt -i pflog0
```


----------



## SacamantecaS (Sep 20, 2011)

Hello

Thanks !! . Solved ! Error in pf rules and forwarding

Best regards


----------

