Replace PF rule + inetd Proxy with 2 PF rules

Replace PF rule + inetd Proxy with 2 PF rules

Fabio Martins

Hi,

I am trying to redirect + NAT incoming packets without the need of a TCP
Proxy.

Currently I have the following setup to redirect hosts abusing SMTP to an
email trap:

inetd listening in 127.0.0.1:8000 and redirecting to an external host

# inetd.conf
127.0.0.1:8000  stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20 200.200.200.200 2222

and <table> + pf rule redirecting the hosts:

# pf.conf

table <spammers> persist file "/etc/pf/tables/spammers.txt"

pass in log on egress proto tcp from <spammers> to any port 25 \
 rdr-to 127.0.0.1 port 8000

I am trying to remove the inetd from the setup.
With Linux iptables I would do a DNAT + MASQUERADE, but with PF I already
tried:

# pf.conf

#1
pass in log on xnf0 proto tcp from <spammers> to any port 2222 nat-to xnf0

#2
pass in log on egress proto tcp from <spammers> to any port 25 \
 rdr-to 200.200.200.200 port 2222


Rule #2 is correctly applied and changes the destination address to
200.200.200.200, but rule #1 (NAT) isn't applied.

I believe it is possible to NAT an external connection without using a TCP
Proxy.

Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html

pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if

Without success.

Thanks!

--
Fabio Martins


Re: Replace PF rule + inetd Proxy with 2 PF rules

Nick Gustas-9
Hi Fabio,

I believe this will do what you want, seemed to work in quick testing
here, adjust to suit your environment.


match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 rdr-to 200.200.200.200 port 2222
match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on $ext_if nat-to ($ext_if)



On 2/13/2020 11:56 AM, Fabio Martins wrote:


Re: Replace PF rule + inetd Proxy with 2 PF rules

Fabio Martins

Hi Nick,

Thanks. I applied both rules below; unfortunately I am still only hitting
rule #1 (rdr-to). nat-to is never reached (I added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 2222

#2
match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on \
$ext_if nat-to ($ext_if)

--
Fabio Martins



Re: Replace PF rule + inetd Proxy with 2 PF rules

Nick Gustas-9


On 2/14/2020 6:30 AM, Fabio Martins wrote:

> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 2222
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>

Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple.
Here is the full working setup I used to bounce port 8099 on the
external interface to www.openbsd.org port 80.

#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if nat-to $ext_if

#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if


Make sure you are testing from an external host of course.




Re: Replace PF rule + inetd Proxy with 2 PF rules

Mentesan
In reply to this post by Fabio Martins
Hi Fabio (xará),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = 3333 flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port 3333
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE nat-to 10.101.0.17
--
Of course there's room for improvement, be it simplifying the rules or making
them more specific.
Maybe I needed three rules because I use "block log" as a default rule so:
"block in" and "block out" by default.
Here is the tcpdump output:
--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3963849164 0,nop,wscale 9> (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.3333: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3862692560 0,nop,wscale 9>
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.3333: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3862692560 0,nop,wscale 9>
--
Regards,
Fabio Almeida

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins <
[hidden email]> wrote:

Re: Replace PF rule + inetd Proxy with 2 PF rules

Fabio Martins
In reply to this post by Nick Gustas-9

I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.

Unfortunately still no success.

# pf.conf:

ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80

match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
$ext_if nat-to $ext_if

match out log quick on $ext_if inet all tagged RDR \
nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"

pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if \
 port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if




Re: Replace PF rule + inetd Proxy with 2 PF rules

Nick Gustas-9


On 2/14/2020 11:21 AM, Fabio Martins wrote:


May be a dumb question, but do you have net.inet.ip.forwarding=1 set?


tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP

pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> [tos 0x20]
14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 win 273 [tos 0x20]
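
The dump above shows the client's ISN 3178148684 leaving the firewall unchanged towards 129.128.5.194, which is exactly what separates PF translation (rdr-to + nat-to) from the inetd/nc proxy it replaces: a proxy opens a new connection with its own ISN. The following shell script is an added example, not from the thread, that turns this observation into a check over a tcpdump(8) text capture; the two captures, LISTEN_PORT and TRAP are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a tcpdump text capture taken on the
# external interface and, for every inbound SYN to the listen port, looks for an
# outbound SYN towards the trap host carrying the identical ISN. PF translation
# preserves the ISN; a TCP proxy such as inetd+nc does not, so "MISSING" means a
# proxy (or no forwarding at all) is in the path. Captures below are constructed.
LISTEN_PORT=8099
TRAP=129.128.5.194

# Constructed capture in the shape of the successful test posted above.
REFLECTED='14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384'

# Constructed capture of a proxied connection: the outbound SYN carries a new ISN.
PROXIED='14:40:01.000001 c.c.c.c.50000 > r.r.r.r.8099: S 1111111111:1111111111(0) win 64240
14:40:01.000200 r.r.r.r.40000 > 129.128.5.194.80: S 2222222222:2222222222(0) win 64240'

# check_reflection CAPTURE PORT TRAP
# Prints one line per inbound SYN to PORT: "<client> isn=<seq> OK" when an
# outbound SYN with the identical ISN towards TRAP was seen, "MISSING" otherwise.
check_reflection() {
    printf '%s\n' "$1" | awk -v port="$2" -v trap="$3" '
        # tcpdump fields: $2 src, $4 "dst:", $5 flags, $6 seq range, $7 "win" or "ack"
        $5 == "S" && $7 != "ack" {
            isn = $6; sub(/:.*/, "", isn)
            dst = $4; sub(/:$/, "", dst)
            dport = dst; sub(/.*\./, "", dport)
            host = substr(dst, 1, length(dst) - length(dport) - 1)
            if (dport == port) inbound[isn] = $2
            else if (host == trap) outbound[isn] = 1
        }
        END {
            for (isn in inbound)
                printf "%s isn=%s %s\n", inbound[isn], isn, (isn in outbound) ? "OK" : "MISSING"
        }' | sort
}

# reflection_ok CAPTURE PORT TRAP: succeeds only when at least one inbound SYN
# was seen and every one of them was reflected with its ISN intact.
reflection_ok() {
    out=$(check_reflection "$@")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -q MISSING
}

check_reflection "$REFLECTED" "$LISTEN_PORT" "$TRAP"
check_reflection "$PROXIED" "$LISTEN_PORT" "$TRAP"
```

On a live firewall, feed it the output of `tcpdump -ni $ext_if port 8099 or host 129.128.5.194` captured during a test connection from an external host.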


Re: Replace PF rule + inetd Proxy with 2 PF rules

Fabio Martins
>
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>

I can't believe I had forgotten it either, but I think you nailed it.
Will test Monday and let you know.

Thanks in advance.

-fm

Re: Replace PF rule + inetd Proxy with 2 PF rules

Fabio Martins

Nick,

Indeed working.
Thanks.

>>
>> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>>