Setup of jail bound to lo0

GiZmen gizmen at zion.vsip.pl
Thu Mar 17 07:30:44 PST 2005


> Hi,
> 
> I need to have some jails configured, sharing single IP address (IPv6
> is a no-no for the time being:). Therefore I came up with an idea of
> binding them all to lo0 and assigning subsequent IP aliases as the
> addresses. The requirement for the jails is to let them receive
> (the easy part) and *send* packets to the outside.
> 
> The jails cannot directly access the Internet as they cannot bind to
> the external IP address of course. Some translation needs to be made,
> I think. After wrestling with ipfw/ipf/pf for a couple of hours I
> don't have a working solution.
> 
> My last attempt to get outside from the jail with ipfw was:
> 
> # ipfw add 200 divert natd log tcp from 127.0.0.2 to 127.0.0.2 222 in via lo0
> 
> and for natd:
> 
> redirect_port tcp 192.168.153.2:22 127.0.0.2:222
> 
> I get this log from natd:
> 
> In  {default} 0000ffff[TCP]  [TCP] 127.0.0.2:53057 -> 127.0.0.2:301 aliased to
>           [TCP] 127.0.0.2:53057 -> 192.168.153.2:22
> 
> Which obviously doesn't work. I've tried to add an alias IP, but then it
> stops the natd `rule' matching.
> 
---end quoted text---


I have set up my box the way you want with pf and it works perfectly.

I have cloned the lo interface to lo1 and I have made aliases for every running jail.

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 1500
        inet 127.1.1.1 netmask 0xff000000
        inet 127.0.0.53 netmask 0xffffffff
        inet 127.0.1.53 netmask 0xffffffff
        inet 127.0.0.67 netmask 0xffffffff
        inet 127.0.0.25 netmask 0xffffffff
        inet 127.0.0.80 netmask 0xffffffff
        inet 127.0.0.65 netmask 0xffffffff

My pf rules are like this:

nat on $ext_if inet from 127.1.1.1 to any -> $ext_addr static-port

pass out quick on $ext_if inet proto tcp from 127.1.1.1 to any flags S/SA modulate state

and it works.

This is only for NATing the jail's outbound traffic; to get access to the jail from outside you have to put some
rdr rules in your packet filter.

If you have more questions, PM me.
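The rules in the reply cover one jail's outbound NAT and mention rdr rules only in passing. The fragment below is an added example (not from the original post or the freebsd-net thread) of a complete pf.conf for the same design: several jails bound to aliases on a cloned lo1, sharing one external address, with outbound nat, inbound rdr for the services you choose to expose, and the matching pass rules. The interface name, the external address, the 127.1.1.0/24 alias range and the two jail addresses are assumptions for illustration; the nat and pass-out lines follow the shape of the ones in the reply.

```pf
# Added example, not the poster's config. Names and addresses below are assumed.
ext_if   = "em0"
ext_addr = "192.0.2.10"          # the host's single public address (placeholder)
jail_net = "127.1.1.0/24"        # range the jail aliases on lo1 are taken from
jail_www = "127.1.1.80"          # web jail, alias on lo1
jail_ssh = "127.1.1.22"          # ssh jail, alias on lo1

# Traffic between host and jails stays on the loopback clone; do not filter it.
set skip on lo1

# Outbound: rewrite the loopback source of jail packets to the external address,
# otherwise replies from the Internet can never come back. static-port keeps the
# jail's source port, as in the reply above.
nat on $ext_if inet from $jail_net to any -> $ext_addr static-port

# Inbound: expose only the services you mean to expose. rdr happens before
# filtering, so the pass rules below match the translated destination.
rdr on $ext_if inet proto tcp from any to $ext_addr port 80   -> $jail_www port 80
rdr on $ext_if inet proto tcp from any to $ext_addr port 2222 -> $jail_ssh port 22

# Default deny on the external interface: jail aliases without an rdr rule
# remain unreachable from outside, and loopback addresses are never accepted
# as source from the wire.
block in on $ext_if
block in quick on $ext_if inet from 127.0.0.0/8 to any

# Let the redirected connections through to the jails.
pass in on $ext_if inet proto tcp from any to $jail_www port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $jail_ssh port 22 flags S/SA keep state

# Let the jails out (same rule as the reply, widened to the whole alias range).
pass out quick on $ext_if inet proto tcp from $jail_net to any flags S/SA modulate state
```

For the lo1 clone and its aliases to survive a reboot, the matching rc.conf entries are `cloned_interfaces="lo1"`, `ifconfig_lo1="inet 127.1.1.1 netmask 255.0.0.0"` and one `ifconfig_lo1_aliasN="inet 127.1.1.80 netmask 255.255.255.255"` line per jail (addresses assumed as above). After loading the rules, `pfctl -s nat` and `pfctl -s state` show whether jail connections are actually being translated and tracked.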
