From owner-freebsd-net@FreeBSD.ORG Wed Mar 16 10:13:59 2005
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A65EB16A4CE for ; Wed, 16 Mar 2005 10:13:59 +0000 (GMT)
Received: from ints.mail.pike.ru (ints.mail.pike.ru [195.9.45.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74B1943D55 for ; Wed, 16 Mar 2005 10:13:58 +0000 (GMT) (envelope-from babolo@cicuta.babolo.ru)
Received: (qmail 4424 invoked from network); 16 Mar 2005 10:13:57 -0000
Received: from cicuta.babolo.ru (194.135.49.133) by ints.mail.pike.ru with SMTP; 16 Mar 2005 10:13:57 -0000
Received: (nullmailer pid 2860 invoked by uid 136); Wed, 16 Mar 2005 10:14:14 -0000
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <787bbe1c050315152733f79e7c@mail.gmail.com>
To: "S?awek ?ak"
Date: Wed, 16 Mar 2005 13:14:14 +0300 (MSK)
From: "."@babolo.ru
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <1110968054.782712.2859.nullmailer@cicuta.babolo.ru>
cc: freebsd-net@freebsd.org
Subject: Re: Setup of jail bound to lo0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 16 Mar 2005 10:13:59 -0000

[ Charset ISO-8859-1 unsupported, converting... ]
> Hi,
>
> I need to have some jails configured, sharing a single IP address (IPv6
> is a no-no for the time being:). Therefore I came up with an idea of
> binding them all to lo0 and assigning subsequent IP aliases as the
> addresses. The requirement for the jails is to let them receive
> (the easy part) and *send* packets to the outside.
>
> The jails cannot directly access the Internet as they cannot bind to
> the external IP address of course. Some translation needs to be made,
> I think. After wrestling with ipfw/ipf/pf for a couple of hours I
> don't have a working solution.
>
> My last attempt to get outside from the jail with ipfw was:
>
> # ipfw add 200 divert natd log tcp from 127.0.0.2 to 127.0.0.2 222 in via lo0
>
> and for natd:
>
> redirect_port tcp 192.168.153.2:22 127.0.0.2:222
>
> I get this log from natd:
>
> In {default} 0000ffff[TCP] [TCP] 127.0.0.2:53057 -> 127.0.0.2:301 aliased to
> [TCP] 127.0.0.2:53057 -> 192.168.153.2:22
>
> Which obviously doesn't work. I've tried to add alias IP, but then it
> stops the natd `rule' matching.
Try other addresses not in 0/8 and 127/8.
>
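The advice above in runnable form, as an added example that is not part of the mail thread and not code from either poster: a small Python script that rejects jail aliases inside 0/8 or 127/8 (the ranges the reply rules out), checks that the remaining ones are RFC 1918 space, and emits the ipfw divert rules and natd.conf lines that place the NAT on the external interface, where the jail's outbound packets actually leave the host, instead of on lo0. The interface name fxp0, the /24 netmask for the jail aliases and the use_sockets/same_ports/unregistered_only settings are assumptions of the example; the 192.168.153.2:22 redirect is the one from the quoted message.

```python
"""Sanity-check jail alias addresses and build an ipfw + natd configuration.

Added example for the "jail bound to lo0" thread; not the thread's own code.
Assumptions: external interface 'fxp0', jail aliases in 192.168.153.0/24.
"""
import ipaddress

# Ranges natd cannot usefully alias for a jail: 0/8 is "this network" and
# 127/8 never leaves the host.  The quoted divert rule on lo0 therefore only
# rewrote 127.0.0.2 -> 127.0.0.2 traffic and nothing ever reached the wire.
UNUSABLE = (ipaddress.ip_network("0.0.0.0/8"),
            ipaddress.ip_network("127.0.0.0/8"))

# RFC 1918 space: what a jail behind NAT should be numbered from.
PRIVATE = (ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("172.16.0.0/12"),
           ipaddress.ip_network("192.168.0.0/16"))


def check_jail_address(addr: str) -> list:
    """Return a list of problems with a candidate jail alias (empty if usable)."""
    ip = ipaddress.ip_address(addr)
    problems = []
    for net in UNUSABLE:
        if ip in net:
            problems.append(f"{addr} is in {net}; natd cannot route it off the host")
    if not any(ip in net for net in PRIVATE):
        problems.append(f"{addr} is not RFC 1918 space; number jails from a private range")
    return problems


def build_nat_config(ext_if: str, jail_net: str, redirects=()):
    """Return (ipfw_rules, natd_conf) as two lists of lines.

    redirects: iterable of (proto, external_port, jail_addr, jail_port).
    Raises ValueError if a redirect target is outside jail_net or fails
    check_jail_address(), so a bad alias is caught before any rule is loaded.
    """
    net = ipaddress.ip_network(jail_net)
    # Jail -> outside traffic leaves through ext_if, so the divert sits there,
    # once for the outbound direction and once for the replies coming back.
    ipfw_rules = [
        f"ipfw add 200 divert natd ip from {net} to any out via {ext_if}",
        f"ipfw add 210 divert natd ip from any to any in via {ext_if}",
    ]
    natd_conf = [
        f"interface {ext_if}",
        "use_sockets yes",
        "same_ports yes",
        "unregistered_only yes",   # only translate RFC 1918 sources (assumption)
    ]
    for proto, ext_port, jail_addr, jail_port in redirects:
        problems = check_jail_address(jail_addr)
        if ipaddress.ip_address(jail_addr) not in net:
            problems.append(f"{jail_addr} is not inside {net}")
        if problems:
            raise ValueError("; ".join(problems))
        # natd syntax: redirect_port proto targetIP:targetPORT aliasPORT
        natd_conf.append(f"redirect_port {proto} {jail_addr}:{jail_port} {ext_port}")
    return ipfw_rules, natd_conf


if __name__ == "__main__":
    # Constructed sample: the quoted ssh redirect, with the jail on 192.168.153.2
    # instead of 127.0.0.2.
    rules, conf = build_nat_config("fxp0", "192.168.153.0/24",
                                   [("tcp", 222, "192.168.153.2", 22)])
    print("\n".join(rules))
    print("--- natd.conf ---")
    print("\n".join(conf))
    print("127.0.0.2 problems:", check_jail_address("127.0.0.2"))
```

The check is deliberately run before the rules are emitted: passing 127.0.0.2 as a redirect target raises ValueError with the same reason the reply gives, whereas 192.168.153.2 produces a divert on the external interface plus the redirect_port line.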