ipnat.conf - map and rdr won't work!
alexus at gmail.com
Mon Jul 19 14:46:14 UTC 2010
On Sat, Jul 17, 2010 at 7:51 AM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 16/07/10 02.56, alexus wrote:
>>>>> su-3.2# cat /etc/ipnat.rules
>>>>> map fxp0 lama -> 0/32
>>>>> rdr fxp0 220.127.116.11 port ssh -> lama port ssh tcp
>>> What's that first rule supposed to do?
>> provides a NAT within jail
> Just guessing, try to put the rdr rule first. Another thing, the
> firewall/nat may be loaded before starting the jail and thus unaware of
> interfaces etc assigned to the jail.
tried switching rules - didn't help
tried restarting ipnat after everything is started
>>>>> su-3.2# ifconfig
>>>>> vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>> inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>>>>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
>>>>> inet 18.104.22.168 netmask 0xffffffe0 broadcast 22.214.171.124
>>> Where is this? This "su-3.2" is a bit confusing, would be useful to set
>>> hostname to "jail" within the jail...
>> su-3.2 is the host environment where the jail is hosted
> And from within the jail, what do you see? From what I understand
> 172.16.172.16 is the jail IP?
from host's rc.conf
su-3.2# grep ^jail /etc/rc.conf
this is within jail
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
media: Ethernet autoselect (none)
status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
media: Ethernet autoselect (100baseTX <full-duplex>)
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>> I think it is typical for jails to clone the loopback interface for this
>> not sure what you mean by this...
>> if you are referring to this statement as if you thought this is the jail itself:
>> this is not the jail, this is the host environment (where the jail is hosted)
>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>> pfctl -ss and similar.
>> su-3.2# pfctl -ss
>> pfctl: /dev/pf: No such file or directory
> Ah, you use ipfilter?
Yes, I use ipfilter & ipnat
su-3.2# grep ^ip /etc/rc.conf
>> I don't know how to use tcpdump, can you provide the exact syntax so I can run
> The man-page is excellent.
tried that, unfortunately I'm still not really sure what I am doing...
>>> If nobody replies, maybe try to rephrase your question, investigate
>>> and provide additional information rather than just repost.
>> I was under the impression that I had pretty much covered all bases, or at
>> least I thought so ... apparently not...
> Honestly, I don't have a clear picture of what works and what doesn't or
> where. You haven't posted your jail config from rc.conf and you could help
> by making it clear when running any command that this is in the jail, jail#
> this is on the hosting system hostname# and this is the client client#
> BR, Erik
lama is the jail environment (see the rc.conf output from earlier)
su-3.2 is the host environment
Any other questions? Please just ask, I'll provide you with whatever
information is needed.
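One way to narrow down a map/rdr problem like the one in this thread is to check the rules against what ifconfig actually reports before reaching for tcpdump. The following is an added example, not code from the thread or from ipfilter: it parses ipnat map/rdr lines and the host's ifconfig output, then reports rules that name an interface the host does not have, rdr rules whose external address is not configured on that interface, and rdr rules that use a hostname (resolved by ipnat only at load time, so it cannot be checked offline). The rule file and ifconfig text below are constructed samples with documentation addresses, not the poster's configuration.

```python
import ipaddress
import re

# Constructed sample input (not the poster's data): same map/rdr shape as the thread.
IPNAT_RULES = """\
map fxp0 10.0.0.0/24 -> 0/32
rdr fxp0 192.0.2.10/32 port 22 -> 10.0.0.5 port 22 tcp
rdr em0 192.0.2.99/32 port 80 -> 10.0.0.6 port 80 tcp
"""
# Constructed ifconfig output for the host: fxp0 is the public side, vr0 the jail alias.
IFCONFIG = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffffe0 broadcast 192.0.2.31
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.5 netmask 0xffffffff broadcast 10.0.0.5
"""

# Matches the common "map IF SRC -> DST" and "rdr IF EXT [port P] -> INT [port P] [proto]" forms.
RULE_RE = re.compile(r"^(map|rdr)\s+(\S+)\s+(\S+)(?:\s+port\s+(\S+))?\s+->\s+(\S+)"
                     r"(?:\s+port\s+(\S+))?(?:\s+(tcp|udp|tcp/udp))?\s*$")

def parse_rules(text):
    """Return a list of dicts, one per non-comment ipnat rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed ipnat rule: " + line)
        kind, ifname, src, sport, dst, dport, proto = m.groups()
        rules.append({"kind": kind, "if": ifname, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "proto": proto})
    return rules

def parse_ifconfig(text):
    """Map each interface name to the set of inet addresses ifconfig shows on it."""
    addrs, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():         # "fxp0: flags=..." starts a new interface
            cur = line.split(":", 1)[0]
            addrs.setdefault(cur, set())
        elif cur is not None and line.strip().startswith("inet "):
            addrs[cur].add(line.split()[1])
    return addrs

def check_rules(rules, addrs):
    """Return human-readable problems; an empty list means nothing obviously wrong."""
    problems = []
    for i, r in enumerate(rules, 1):
        if r["if"] not in addrs:
            problems.append(f"rule {i}: interface {r['if']} not present on this host")
        elif r["kind"] == "rdr":
            ext = r["src"].split("/")[0]             # external address, with any /prefix removed
            try:
                ipaddress.ip_address(ext)
            except ValueError:
                problems.append(f"rule {i}: '{ext}' is a hostname; ipnat resolves it at load time")
                continue
            if ext not in addrs[r["if"]]:
                problems.append(f"rule {i}: {ext} is not configured on {r['if']}")
    return problems
```

Running `check_rules(parse_rules(IPNAT_RULES), parse_ifconfig(IFCONFIG))` on the sample reports only the third rule, because em0 does not exist on the sample host.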