Date:      Thu, 5 Aug 2010 16:12:43 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Michael <mlmichael70@gmail.com>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: trouble getting Jail with IPFW+NAT to work
Message-ID:  <20100805144424.P34284@sola.nimnet.asn.au>
In-Reply-To: <4C59D871.1010506@gmail.com>
References:  <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com> <20100801021347.O34284@sola.nimnet.asn.au> <4C59D871.1010506@gmail.com>

On Wed, 4 Aug 2010, Michael wrote:
 > On 31/07/2010 17:44, Ian Smith wrote:
 > > On Sat, 31 Jul 2010, Rick van der Zwet wrote:
 > > 
 > > But mainly, you have no nat rule for the response packets coming in on
 > > the outside interface, which is where they need to get mapped back to
 > > the internal address/es.  Generally better to not use 'via' but be more
 > > specific (ie clear) about direction on nat rules:
 > > 
 > > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
 > > ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
 > > 
 > > $outside_addr can be 'any', if you're not routing other addresses.
 > 
 > I have run into some troubles using the above rules. At first it all looks good
 > (to me) and works fine. Here are my rules:
 > 
 > $cmd_nat nat 1 config reset if $if_ext log same_ports
 > $cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
 > $cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext
 > 
 > The problem is that rule 20 cannot distinguish between replies to the jail and
 > replies to localhost. In other words it catches answers both to the host system
 > and to the jailed system.
 > 
 > I can tell that after checking counters on rule 20. They go up even when I
 > run "host freebsd.org" on localhost (host environment for jails).
 > 
 > Note that this problem doesn't apply to rule 10 because of the "jail" match
 > pattern. Unfortunately this rule option doesn't work for incoming packets,
 > i.e. this rule is not working:
 > 
 > $cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid
 > 
 > What am I missing? How can ipfw distinguish between incoming packets for
 > jailed system (in which case they should be NATed) and incoming packets for
 > host system (in which case they shouldn't be NATed)?

First checking your assumptions: you want the jail, ie packets from 
$jail_ip, to be able to communicate to the outside only on UDP, and only 
to address $dns? (or dns="$address 53")?

If you pass incoming packets to NAT that match with its table of source 
address/port, destination address/port and protocol, established when an 
outgoing packet was mapped from an inside to the outside address, then 
they will be mapped back to the original address/port.  Otherwise, they 
will be unaffected and so delivered to the address specified (here, to 
the current address of $if_ext).

It should be clear that rule 20 can't distinguish on $jail_jid _before_ 
the NAT translation; at this stage all packets are addressed to $extIP 
and nothing else is known, so it's not "doesn't work" but "couldn't".

You need another rule _after_ doing inbound NAT to allow/deny/whatever 
packets that are NOW from $dns destined for $jail_ip (plus $jail_jid if 
you like, but that's implied by $jail_ip anyway).

Basically, using NAT you have to pass all inbound ip4 packets received 
on your external interface to NAT (unless you're receiving packets for 
more than one external IP); only after NAT can you distinguish packets 
then destined for different addresses.  Only on packets going out from 
your external address can you restrict NATing to only certain flows.

HTH, Ian

PS if it gets more complicated, maybe freebsd-ipfw is the better list?
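An added illustration of the rule ordering Ian describes (not code from either poster): all inbound ip4 on the external interface goes to NAT first, and only a rule placed after the NAT rule filters on the de-aliased destination $jail_ip. The interface, addresses and jid are constructed sample values, and FWCMD defaults to echo so the script prints the ruleset instead of loading it; the post-NAT rules only see the packet if net.inet.ip.fw.one_pass is 0.

```shell
#!/bin/sh
# Example ipfw ruleset for a single jail behind in-kernel NAT.
# FWCMD=echo prints the rules for review; set FWCMD=ipfw on a real host.
: "${FWCMD:=echo}"

# Constructed sample values; the thread uses these variable names, not these values.
if_ext="re0"          # external interface
jail_ip="10.0.0.2"    # jail's private address
jail_jid="3"          # jail id: usable as a match only on outbound packets
dns="192.0.2.53"      # resolver the jail may reach (TEST-NET-2, constructed)

build_rules() {
    # NAT instance bound to the external interface, as in the original config.
    $FWCMD nat 1 config reset if "$if_ext" log same_ports

    # Outbound: only the jail's DNS flow is handed to NAT. 'jail' works here
    # because the packet still carries the jail's private source address.
    $FWCMD add 10 nat 1 udp from "$jail_ip" to "$dns" 53 out xmit "$if_ext" jail "$jail_jid"
    # After translation the source is the host's external address, so the
    # follow-up allow matches on 'me', not on $jail_ip.
    $FWCMD add 11 allow udp from me to "$dns" 53 out xmit "$if_ext"

    # Inbound: before translation every packet is addressed to the host and
    # nothing identifies the jail, so *all* inbound ip4 on the external
    # interface goes to NAT. Replies that match an alias entry are rewritten
    # to $jail_ip; everything else (the host's own traffic) passes unchanged.
    $FWCMD add 20 nat 1 ip4 from any to me in recv "$if_ext"

    # Only now is the destination meaningful. These rules are reached after
    # rule 20 only when sysctl net.inet.ip.fw.one_pass=0.
    $FWCMD add 21 allow udp from "$dns" 53 to "$jail_ip" in recv "$if_ext"
    $FWCMD add 22 deny log ip from any to "$jail_ip" in recv "$if_ext"
}

build_rules
```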
