ipnat.conf - map and rdr won't work!

alexus alexus at gmail.com
Tue Jul 20 20:23:34 UTC 2010

On Tue, Jul 20, 2010 at 2:54 PM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 20/07/10 20.07, alexus wrote:
>> On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard<norgaard at locolomo.org>
>>  wrote:
>> plan b is to run natd, but i'd rather run ipnat especially that ipnat
>> used to work before no problem!
> Maybe move away from what used to work and towards what is working :)
> Whichever you prefer, just stick to one solution only.

right, yet I still would like to know where problem is :))

>> su-3.2# ping -c1 lama
>> PING lama ( 56 data bytes
>> 64 bytes from icmp_seq=0 ttl=64 time=0.075 ms
>> --- lama ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
>> su-3.2#
>> ip address tells me that this is in fact jail's IP
> Yes and no, if you shut down your jail you should still be able to ping that
> ip as I read your snippet from your rc.conf.

you right, i'm pinging ip that resides on another interface and
doesn't really belong to jail at the first place
you asked me if I can ping jail from host, I dont know how else I can
test it then
pinging ip is kind of pointless then, so i ssh in that seems to be
working, what else can I try?

>>> So I suppose that from your host environment you can ssh into the jail?
>>> Did
>>> ssh start up, netstat -l? From the jail, can you ping the host
>>> environment?
>> su-3.2# jls
>>    JID  IP Address      Hostname                      Path
>>      1   lama                          /usr/jail/lama
>> su-3.2# jexec 1 /etc/rc.d/sshd status
>> sshd is running as pid 1085.
>> su-3.2# ps -p 1085
>>  1085  ??  IsJ    0:00.00 /usr/sbin/sshd
>> su-3.2#
> OK, but you didn't check where your ssh binds.

su-3.2# netstat -tan | grep LISTEN | grep 22
tcp4       0      0       *.*                    LISTEN

would that sufficient? I just don't know how else I can see ..

>> i know, i can run it that IP address as an alias on public interface,
>> but we on purpose added another NIC to be private NIC.
> Well, read the man jail(8):
> ip4.addr
>      A comma-separated list of IPv4 addresses assigned to the prison.
>      If this is set, the jail is restricted to using only these
>      address.  Any attempts to use other addresses fail, and attempts
>      to use wildcard addresses silently use the jailed address
>      instead. ...
> If I understand this correctly, remove the line
>  jail_lama_ip=""
> from your rc.conf and your jail can then bind to port 22 on the external
> interface thus bypassing the need for nat. This is ok, since all you did was
> redirecting traffic. And the map rule shouldn't be necessary either, nor
> should the fxp interface.
> BR, Erik

i actually like this idea, i think i'm going give that a shot...
i'll let you know how that worked out...


More information about the freebsd-questions mailing list