ipnat.conf - map and rdr won't work!
alexus
alexus at gmail.com
Mon Jul 19 14:46:14 UTC 2010
On Sat, Jul 17, 2010 at 7:51 AM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 16/07/10 02.56, alexus wrote:
>
>>>>> su-3.2# cat /etc/ipnat.rules
>>>>> map fxp0 lama -> 0/32
>>>>> rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp
>>>
>>> What's that first rule supposed to do?
>>
>> provides a NAT within jail
>
> Just guessing, try to put the rdr rule first. Another thing, the
> firewall/nat may be loaded before starting the jail and thus unaware of
> interfaces etc assigned to the jail.
tried switching rules - didn't help
tried restarting ipnat after everything is started
>>>>> su-3.2# ifconfig
>>>>> vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>> inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>>>>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>> inet 64.52.58.58 netmask 0xffffffe0 broadcast 64.52.58.63
>>>
>>> Where is this? This "su-3.2" is a bit confusing, would be useful to set
>>> your hostname to "jail" within the jail...
>>
>> su-3.2 is a host environment where jail is hosted
>
> And from within the jail, what do you see? From what I understand
> 172.16.172.16 is the jail IP?
from host's rc.conf
su-3.2# grep ^jail /etc/rc.conf
jail_enable="YES"
jail_lama_devfs_enable="YES"
jail_lama_hostname="lama"
jail_lama_ip="172.16.172.16"
jail_lama_rootdir="/usr/jail/lama"
jail_list="lama"
su-3.2#
this is within jail
-bash-3.2$ ifconfig
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
ether 00:19:5b:68:9b:01
inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
media: Ethernet autoselect (none)
status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
ether 00:0f:fe:aa:f4:61
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
-bash-3.2$
>>> I think it is typical for jails to clone the loopback interface for this
>>> setup.
>>
>> not sure what you mean by this...
>> if you're referring to this statement as if you thought this is the jail itself,
>> then this is not the jail, this is the host environment (where the jail is hosted)
>
>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>> pfctl -ss and similar.
>>
>> su-3.2# pfctl -ss
>> pfctl: /dev/pf: No such file or directory
>> su-3.2#
>
> Ah, you use ipfilter?
yes, i use ipfilter & ipnat
su-3.2# grep ^ip /etc/rc.conf
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"
su-3.2#
>> i don't know how to use tcpdump, can you provide the exact syntax so i can run it?
>
> The man-page is excellent.
tried that, unfortunately not really sure what i am doing.. still
>>> anyone?
>>>
>>> If nobody replies, maybe try to rephrase your question, investigate
>>> further and provide additional information rather than just repost.
>>
>> i was under the impression that i pretty much covered all bases, or at
>> least i thought so ... apparently not...
>
> Honestly, I don't have a clear picture of what works and what doesn't or
> where. You haven't posted your jail config from rc.conf and you could help
> by making it clear when running any command that this is in the jail, jail#
> this is on the hosting system hostname# and this is the client client#
> etc...
>
> BR, Erik
lama is a jail environment (see rc.conf output from earlier)
su-3.2 is a host environment
any other questions? please just ask, i'll provide you with whatever
information is needed
thanks again
--
http://alexus.org/
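An added example, not part of this thread and not code from FreeBSD or the ipnat project: a small Python dry-run interpreter for the two ipnat.rules lines posted above. It parses only the `map` / `rdr` subset shown in the thread, then applies the rules to constructed packets the way ipnat does (a `map` rule rewrites the source of outbound traffic, an `rdr` rule rewrites the destination of inbound traffic, first match wins). Assumptions are labelled in the code: the name `lama` resolves to the jail IP from rc.conf (172.16.172.16), `ssh` is port 22, `0/32` stands for the address of the named interface, and the client address 198.51.100.7 is made up. Running it shows what each rule should do to a packet, which is the expected behaviour to compare against a tcpdump capture on fxp0; it also shows why swapping the two rules, as suggested earlier in the thread, cannot change the result for these packets, since the two rules never compete for the same direction of traffic.

```python
"""Dry-run interpreter for the ipnat.rules subset used in the thread.

Added example; not the poster's code and not ipnat itself.  Models the
effect of `map` (outbound source rewrite) and `rdr` (inbound destination
rewrite) so a rule file can be checked before it is loaded.
"""
import ipaddress
import re
from dataclasses import dataclass, replace

# Constructed lookups standing in for /etc/hosts and /etc/services
# (assumption: "lama" resolves to the jail IP given in rc.conf).
HOSTS = {"lama": "172.16.172.16"}
SERVICES = {"ssh": 22}
# Interface addresses taken from the ifconfig output in the thread.
IFACE_ADDR = {"fxp0": "64.52.58.58", "vr0": "172.16.172.16"}


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet enters or leaves on
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


def _net(token: str, iface: str) -> ipaddress.IPv4Network:
    """Resolve a hostname or a.b.c.d[/bits] token to a network.

    ipnat's `0/32` on the right-hand side means "the address of this
    interface"; it is expanded here so the matcher only sees real networks.
    """
    if token == "0/32":
        token = IFACE_ADDR[iface] + "/32"
    host, _, bits = token.partition("/")
    host = HOSTS.get(host, host)
    return ipaddress.ip_network(f"{host}/{bits or 32}", strict=False)


def _port(token: str) -> int:
    return SERVICES.get(token) or int(token)


MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\S+)\s+->\s+(\S+)\s+port\s+(\S+)\s+(tcp|udp)$"
)


def parse_rules(text: str) -> list:
    """Parse map/rdr lines into tuples; anything else is rejected loudly."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := MAP_RE.match(line):
            ifc, src, dst = m.groups()
            rules.append(("map", ifc, _net(src, ifc), _net(dst, ifc)))
        elif m := RDR_RE.match(line):
            ifc, dst, dport, new, nport, proto = m.groups()
            rules.append(("rdr", ifc, _net(dst, ifc), _port(dport),
                          _net(new, ifc).network_address, _port(nport), proto))
        else:
            raise ValueError(f"unsupported rule: {raw!r}")
    return rules


def apply_nat(rules: list, pkt: Packet) -> Packet:
    """Return the packet after the first matching rule, or unchanged."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        kind, ifc = rule[0], rule[1]
        if ifc != pkt.iface:
            continue
        # map: outbound only, rewrite source to the target address.
        if kind == "map" and pkt.direction == "out" and src in rule[2]:
            return replace(pkt, src=str(rule[3].network_address))
        # rdr: inbound only, must match protocol, destination and port.
        if (kind == "rdr" and pkt.direction == "in" and pkt.proto == rule[6]
                and dst in rule[2] and pkt.dport == rule[3]):
            return replace(pkt, dst=str(rule[4]), dport=rule[5])
    return pkt


# The two rules from the thread, verbatim.
RULES_TEXT = """\
map fxp0 lama -> 0/32
rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp
"""


def demo() -> tuple:
    """Inbound SSH to the public IP, and an outbound packet from the jail."""
    rules = parse_rules(RULES_TEXT)
    inbound = Packet("fxp0", "in", "tcp", "198.51.100.7", "64.52.58.58", 40000, 22)
    outbound = Packet("fxp0", "out", "tcp", "172.16.172.16", "198.51.100.7", 40001, 80)
    return apply_nat(rules, inbound), apply_nat(rules, outbound)


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The inbound packet comes out with its destination rewritten to 172.16.172.16:22 and the outbound one with its source rewritten to 64.52.58.58; a UDP packet to port 22, or a TCP packet to any other port, is left alone because the `rdr` rule is restricted to tcp and port ssh. If a real capture on fxp0 shows inbound SYNs to port 22 but nothing leaving towards 172.16.172.16, the rules are not being applied at all, which points at how and when ipnat is loaded rather than at the rule text.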
More information about the freebsd-questions mailing list