PF, redirecting SSH to internal VM
I run a FreeBSD server with VirtualBox on it. There's a VM in there I'd
like to contact via SSH directly using Port 20000.
Client and FreeBSD server are connected through OpenVPN via tun. The
following graphic illustrates what the setup is supposed to look like.
Explanation:
The OpenVPN client IP is 10.8.0.6. It connects without problems to the
host at 10.8.0.1. When SSH is used through port 20000, I'd like the
connection to be redirected to the internal VM 192.168.56.10, port 22.
--
However, this does not work. When I try to connect like that (ssh 10.8.0.1
-p 20000) I get the response: "Network is unreachable".
The current pf.conf looks like this:
udp_services = "{ openvpn }"
tcp_services = "{ http, https, smtp }"
ip_public="<PRIVATE>"
ip_vpn="10.8.0.1"
net_vpn="10.8.0.0/24"
net_vbox1="192.168.56.0/24"
if_lcl="lo0"
if_public="re0"
if_vpn="tun0"
if_vbox1="vboxnet0"
table <blockedips> persist file "/etc/blocked_ips.conf"

## Default handling
set block-policy return
set skip on lo0
scrub in all

## Redirect SSH on port 20000 to the VM (rdr rewrites the destination only)
rdr pass on $if_vpn proto { udp, tcp } from any to any port 20000 -> 192.168.56.10 port 22

block all
block drop in log quick on $if_public from <blockedips> to any

## Outgoing traffic
pass out on $if_public inet from $ip_public to any

## VM traffic
pass out on $if_vbox1 inet from $if_vbox1 to $net_vbox1
pass in on $if_vbox1 inet proto tcp from any to $net_vbox1
pass in on $if_vbox1 inet proto udp from any to $net_vbox1
pass in on $if_vbox1 inet proto icmp from any to $net_vbox1 icmp-type echoreq

## VPN traffic
pass in on $if_vpn inet proto tcp from any to any
pass in on $if_vpn inet proto udp from any to any
pass in on $if_vpn inet proto icmp from any to any

## Incoming public traffic
pass in on $if_public inet proto tcp from any to $ip_public port $tcp_services
pass in on $if_public inet proto udp from any to $ip_public port $udp_services
pass in on $if_public inet proto icmp from any to $ip_public icmp-type echoreq
I've also tried redirecting HTTP via port 8080. That too didn't work. What
am I doing wrong here? Thank you very much for any advice you might have.
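For comparison, here is an added pf.conf fragment (not from the original post) that forwards the same port 20000 to the VM while handling the two things a redirect to another host depends on: the source address is left untouched by rdr, so the VM must be able to answer 10.8.0.6, and the FreeBSD host must actually forward between tun0 and vboxnet0 (net.inet.ip.forwarding=1). The host's own vboxnet0 address and the VM's default gateway are assumptions and are not stated in the post.

```pf
# Added example, not the poster's configuration. Assumes the host has
# net.inet.ip.forwarding=1 and that vboxnet0 carries an address in
# 192.168.56.0/24 (the VM's default gateway is not known from the post).
if_vpn   = "tun0"
if_vbox1 = "vboxnet0"
ip_vpn   = "10.8.0.1"
net_vpn  = "10.8.0.0/24"
vm_ssh   = "192.168.56.10"

# Only TCP is needed for SSH. rdr rewrites the destination only, so the
# packet leaves vboxnet0 still carrying the VPN client's source 10.8.0.6;
# "rdr pass" also creates the state for the inbound direction on tun0.
rdr pass on $if_vpn inet proto tcp from $net_vpn to $ip_vpn port 20000 -> $vm_ssh port 22

# If the VM's default route does not point back at the host, its replies to
# 10.8.0.6 leave by another path and the handshake never completes. Source-NAT
# the forwarded session to the host's vboxnet0 address so the VM answers the
# host directly. Filter rules on vboxnet0 see the translated source afterwards.
nat on $if_vbox1 inet proto tcp from $net_vpn to $vm_ssh port 22 -> ($if_vbox1)

# Explicit pass for the forwarded packets on the VM-side interface. With the
# default floating states this is already covered by the rdr state; it is
# kept so the rule set still works if state-policy is set to if-bound.
pass out on $if_vbox1 inet proto tcp from any to $vm_ssh port 22
```

A "Network is unreachable" reply is generated by a kernel that has no route to the destination, so before touching the rules it is worth confirming with route(8) that the host holds a route to 192.168.56.0/24 while the VM is running, and watching pflog0 to see whether the redirected SYN is passed or blocked.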