ipnat.conf - map and rdr won't work!
alexus at gmail.com
Tue Jul 20 20:23:34 UTC 2010
On Tue, Jul 20, 2010 at 2:54 PM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 20/07/10 20.07, alexus wrote:
>> On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard<norgaard at locolomo.org>
>> plan b is to run natd, but i'd rather run ipnat especially that ipnat
>> used to work before no problem!
> Maybe move away from what used to work and towards what is working :)
> Whichever you prefer, just stick to one solution only.
right, yet I still would like to know where problem is :))
>> su-3.2# ping -c1 lama
>> PING lama (172.16.172.16): 56 data bytes
>> 64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms
>> --- lama ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
>> ip address tells me that this is in fact jail's IP
> Yes and no, if you shut down your jail you should still be able to ping that
> ip as I read your snippet from your rc.conf.
you right, i'm pinging ip that resides on another interface and
doesn't really belong to jail at the first place
you asked me if I can ping jail from host, I dont know how else I can
test it then
pinging ip is kind of pointless then, so i ssh in that seems to be
working, what else can I try?
>>> So I suppose that from your host environment you can ssh into the jail?
>>> ssh start up, netstat -l? From the jail, can you ping the host
>> su-3.2# jls
>> JID IP Address Hostname Path
>> 1 172.16.172.16 lama /usr/jail/lama
>> su-3.2# jexec 1 /etc/rc.d/sshd status
>> sshd is running as pid 1085.
>> su-3.2# ps -p 1085
>> PID TT STAT TIME COMMAND
>> 1085 ?? IsJ 0:00.00 /usr/sbin/sshd
> OK, but you didn't check where your ssh binds.
su-3.2# netstat -tan | grep LISTEN | grep 22
tcp4 0 0 172.16.172.16.22 *.* LISTEN
would that sufficient? I just don't know how else I can see ..
>> i know, i can run it that IP address as an alias on public interface,
>> but we on purpose added another NIC to be private NIC.
> Well, read the man jail(8):
> A comma-separated list of IPv4 addresses assigned to the prison.
> If this is set, the jail is restricted to using only these
> address. Any attempts to use other addresses fail, and attempts
> to use wildcard addresses silently use the jailed address
> instead. ...
> If I understand this correctly, remove the line
> from your rc.conf and your jail can then bind to port 22 on the external
> interface thus bypassing the need for nat. This is ok, since all you did was
> redirecting traffic. And the map rule shouldn't be necessary either, nor
> should the fxp interface.
> BR, Erik
i actually like this idea, i think i'm going give that a shot...
i'll let you know how that worked out...
More information about the freebsd-questions