# Problem with ssh port forwarding with jail



## nez (Aug 22, 2010)

Hi guys,

I'm having few problems with my jail and pf setup. I would need to connect to my jail's ssh port from the internet with other port like 22222. I also have sshd running on my server but I use other ports for that. The network works fine with the jail, but I just cannot connect there from the web.

The alias interface for jail is in the internal interface rl0, because my internal network doesn't work when I put it to the nfe0 interface.

internet -> server (with jail 192.168.0.60) -> 192.168.0.1 -> home computers (192.168.0.100-105)

Here are my rc.conf and pf.conf regarding this setup:

```
gateway_enable="YES"
hostname="xxx"
ifconfig_nfe0="DHCP"
# inet / 27.07.2010
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="rl0"

sshd_enable="YES"
sshd_port="22"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_flags=""
noip_enable="YES"

jail_enable="YES"
jail_list="test"
jail_set_hostname_allow="NO"

sendmail_enable="NO"
ifconfig_rl0_alias0="inet 192.168.0.60 netmask 255.255.255.255"

jail_test_rootdir="/usr/jails/test"
jail_test_hostname="test.xxxxx.org"
jail_test_ip="192.168.0.60"
jail_test_exec_start="/bin/sh /etc/rc"
jail_test_devfs_enable="YES"
```


```
ext_if = "nfe0"
int_if = "rl0"

tcp_services = "{113, 21}"
icmp_types = "echoreq"

jail = "192.168.0.60"

main = "192.168.0.100"
xbox = "192.168.0.101"

allowssh = "{xxx xxx xxx}"

# xbox ports
x_udp = "{ 88, 3074 }"
x_tcp = "3074"

# tables
table <trusted> const { $main $xbox 192.168.0.0/24 }
table <badguys> persist file "/var/log/pf_badguys.log"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in all

# translation

# nat/rdr
no rdr on lo0 from any to any

# xbox
nat on $ext_if from $xbox to any -> ($ext_if:0) static-port
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr-anchor "xbox"
no rdr

# jails
nat on $ext_if from $jail to any -> $ext_if
rdr on $ext_if proto tcp from any to any port 22222 -> $jail port 22

# ftp proxy
anchor "ftp-proxy/*"

# filter rules
block all
pass out quick keep state

antispoof quick for { lo $int_if }

pass in quick on $int_if from <trusted> to any keep state
block in log quick on $ext_if from <badguys> to any

pass in log quick on $ext_if inet proto tcp \
from any to ($ext_if) port $tcp_services \
flags S/SA keep state (max-src-conn-rate 3/60, overload <badguys> flush)

pass in log quick on $ext_if inet proto tcp \
from $allowssh to ($ext_if) port 22 \
flags S/SA keep state (max-src-conn-rate 3/60, overload <badguys> flush)

pass in inet proto icmp all icmp-type $icmp_types
```


```
$ ssh -p 22022 [email]xxxxx@xxxxxxx.org[/email]
ssh: connect to host xxxxxxx.org port 22022: Connection refused
```

I've gone through many threads on quite similar matters, but haven't solved this. Hopefully you can help, thank you.


----------



## Savagedlight (Aug 23, 2010)

It might just be me missing it.. but I don't see a nat entry for port 22022 anywhere?


----------



## nez (Aug 23, 2010)

Savagedlight said:
			
		

> It might just be me missing it.. but I don't see a nat entry for port 22022 anywhere?


Sorry for that, it should have been ssh to port 22222:


```
$ ssh -p 22222 [email]xxxxx@xxxxxxxxx.org[/email]
ssh: connect to host xxxxxxxxx.org port 22222: Connection refused
```


----------



## SirDice (Aug 23, 2010)

There's no rule allowing "any to $jail". 

The address gets translated before hitting any rules. So "any to $jail" is not the same as "any to ($ext_if)".


----------



## nez (Aug 25, 2010)

Thanks for the help so far, but still does not work. Here's more simple pf.conf

rc.conf

```
gateway_enable="YES"
hostname="xxx"
ifconfig_nfe0="DHCP"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="rl0"

sshd_enable="YES"
sshd_port="22"

pf_enable="YES"
pf_rules="/etc/pf.conf"

jail_enable="YES"
jail_list="test"
jail_set_hostname_allow="NO"

sendmail_enable="NO"
ifconfig_rl0_alias0="inet 192.168.0.60 netmask 255.255.255.255"

jail_test_rootdir="/usr/jails/test"
jail_test_hostname="test.xxxxx.org"
jail_test_ip="192.168.0.60"
jail_test_exec_start="/bin/sh /etc/rc"
jail_test_devfs_enable="YES"
```

pf.conf

```
ext_if = "nfe0"
int_if = "rl0"

jail = "192.168.0.60"

rdr on $ext_if proto tcp from any to ($ext_if) port 22222 -> $jail port 22
nat on $ext_if inet from !($ext_if) to any -> ($ext_if:0)

pass in all
pass out all
```

1. Does it matter that I have my jail in rl0 (int_if) and not in nfe0 (ext_if) where it's usually set?

2. Do I need to do something more on my jail's host than to rdr port 22222 with pf to my jail's ssh port?

3. Does it matter that my internal network is also in 192.168.0.0/24 (192.168.0.100-106) space? Should I use totally different address space for my jail?


Thanks.


----------



## quintessence (Aug 25, 2010)

Hello,

nfe0 is your external interface which receive internet connection through DHCP ?

1.) if your external IP address is public where is set dyndns or any DNS because is the example you gave you wrote you try to connect to domain.com ( hostname ) not IP address ? 
2.) external and internal interface assume are NOT on the same switch ?

So , example config you may try 

nfe0 - external interface - the cable from your ISP is in it 
rl0 - internal interface - it is connected to switch 

pf.conf :

```
ext_if="nfe0"
int_if="rl0"

jail_ip="192.168.0.60"

nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
rdr pass on $ext_if proto tcp from any to $ext_if port 22222 -> $jail_ip port 22

block in all

pass out all

pass in quick on $int_if
```

In /etc/rc.conf in jail you have to put 

```
sshd_enable="YES"
```

When you try to connect from the internet 

```
ssh username@your_public_ip -p 22222
```


---

1.) depends on your network topology, but private IP is OK on the private interface
2.) yes, you have to enable sshd in jail
3.) it is not so correct , but ... 

Just tested almost same config , it works , but I didn't restart DHCPD server :e

ext_if - public IP
int_if - 10.9.9.1/24
some router ( which I use for switch ) with IP 10.9.9.22 and alias 10.9.9.25 , DHCPD server offering small range 10.9.9.130-132 
so I can access 10.9.9.25:80 from outside on external IP_address:some_redirected_port


----------



## Savagedlight (Aug 26, 2010)

Keep in mind that some routers don't allow people on its internal network to connect using the port forwarding definitions for its public interface.


----------



## nez (Aug 26, 2010)

Thank you for your replys.

It seems to work now with quintessences help. I'm at work, so can't test it thoroughly now. I'll get back to you and paste the final setup later.


----------



## nez (Aug 29, 2010)

One problem that I had was, that even though the port 22222 was redirected, I couldn't connect to it from my server (192.168.0.1) with ssh -p 22022 xxxxxathostname.org. So I might have had working solution a bit earlier, but didn't test it properly.

I still need to do some tweaks (log these etc), so I don't directly pass traffic to these ports, but overall the configuration now works, and the jail is connectable to port 22222 and to port 22 from selected addresses.

pf.conf regarding jail.

```
# jail
rdr pass on $ext_if proto tcp from any to $ext_if port 22022 -> $jail port 22
rdr pass on $ext_if proto tcp from $boys to $ext_if port 22 -> $jail port 22
# home lan
nat on $ext_if from !($ext_if) -> ($ext_if:0)
```

Thanks for your help guys!


----------

