Date: Mon, 19 Jul 2010 10:46:11 -0400
From: alexus <alexus@gmail.com>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipnat.conf - map and rdr won't work!
Message-ID: <AANLkTin8H47Z7suztGnWpa8fm-XIagQ6vzlxP85OIT-B@mail.gmail.com>
In-Reply-To: <4C419944.8030702@locolomo.org>
References: <AANLkTilVTo36Fzdh2DKAQhRjyDj8MNUuV9dhwvQ7Gf-V@mail.gmail.com> <AANLkTinh0CykJ1Av3f2THPDFOLS0YtYLDvRMHXm_wD3w@mail.gmail.com> <4C3F91CF.5090206@locolomo.org> <AANLkTin6hYyHiG8taifkNHPBtKI0rKOkAaGRYodV1LLC@mail.gmail.com> <4C419944.8030702@locolomo.org>
On Sat, Jul 17, 2010 at 7:51 AM, Erik Norgaard <norgaard@locolomo.org> wrote:
> On 16/07/10 02.56, alexus wrote:
>
>>>>> su-3.2# cat /etc/ipnat.rules
>>>>> map fxp0 lama -> 0/32
>>>>> rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp
>>>
>>> What's that first rule supposed to do?
>>
>> provides a NAT within jail
>
> Just guessing, try to put the rdr rule first. Another thing, the
> firewall/nat may be loaded before starting the jail and thus unaware of
> interfaces etc assigned to the jail.

tried switching rules - didn't help
tried restarting ipnat after everything is started it

>>>>> su-3.2# ifconfig
>>>>> vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric
>>>>> 0 mtu 1500
>>>>>         inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>>>>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
>>>>> mtu
>>>>> 1500
>>>>>         inet 64.52.58.58 netmask 0xffffffe0 broadcast 64.52.58.63
>>>
>>> Where is this? this "su-3.2" is a bit confusing, would be useful to set
>>> your
>>> hostname to "jail" within the jail...
>>
>> su-3.2 is a host environment where jail is hosted
>
> And from within the jail, what do you see? From what I understand
> 172.16.172.16 is the jail IP?

from host's rc.conf:

su-3.2# grep ^jail /etc/rc.conf
jail_enable="YES"
jail_lama_devfs_enable="YES"
jail_lama_hostname="lama"
jail_lama_ip="172.16.172.16"
jail_lama_rootdir="/usr/jail/lama"
jail_list="lama"
su-3.2#

this is within jail:

-bash-3.2$ ifconfig
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
        ether 00:19:5b:68:9b:01
        inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
        media: Ethernet autoselect (none)
        status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:0f:fe:aa:f4:61
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
-bash-3.2$

>>> I think it is typical for jails to clone the loopback interface for this
>>> setup.
>>
>> not sure what you mean by this...
>> if you're referring to this statement as if you thought this is the jail itself
>> then
>> this is not the jail, this is the host environment (where the jail is hosted)
>
>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>> pfctl -ss and similar.
>>
>> su-3.2# pfctl -ss
>> pfctl: /dev/pf: No such file or directory
>> su-3.2#
>
> Ah, you use ipfilter?

yes, i use ipfilter & ipnat

su-3.2# grep ^ip /etc/rc.conf
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"
su-3.2#

>> i don't know how to use tcpdump, can you provide exact syntax so i can run
>> it?
>
> The man-page is excellent.

tried that, unfortunately not really sure what i am doing.. still

>>> anyone?
>>>
>>> If nobody replies, maybe try to rephrase your question, investigate
>>> further
>>> and provide additional information rather than just repost.
>>
>> i was under the impression that i pretty much covered all bases, or at
>> least i thought so ...
>> apparently not...
>
> Honestly, I don't have a clear picture of what works and what doesn't or
> where. You haven't posted your jail config from rc.conf and you could help
> by making it clear when running any command that this is in the jail, jail#
> this is on the hosting system hostname# and this is the client client#
> etc...
>
> BR, Erik
>
>

lama is a jail environment (see rc.conf output from earlier)
su-3.2 is a host environment

any other questions? please just ask, i'll provide you with whatever information is needed

thanks again

-- 
http://alexus.org/
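One thing worth checking from the two outputs quoted above is which interface actually holds the jail address and whether that link is up, before chasing the map/rdr rules themselves. The helper below is an added example, not code from the thread or from the ipnat/jail tooling; it takes the ifconfig and rc.conf text as constructed inline samples (abridged copies of what was posted) and reports, per jail, the interface carrying its IP and that interface's reported status.

```python
import re

# Constructed sample input: the jail-side ifconfig output and the host's
# rc.conf jail lines as quoted in the thread (abridged, not a live capture).
IFCONFIG_OUT = """\
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
        media: Ethernet autoselect (none)
        status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
"""
RC_CONF = """\
jail_enable="YES"
jail_lama_ip="172.16.172.16"
jail_list="lama"
"""

def parse_ifconfig(text):
    """Map each interface to its inet (addr, netmask) pairs and link status."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            cur = head.group(1)
            ifaces[cur] = {"inet": [], "status": None}
            continue
        inet = re.match(r"\s+inet (\S+) netmask (\S+)", line)
        if cur and inet:
            ifaces[cur]["inet"].append((inet.group(1), inet.group(2)))
        status = re.match(r"\s+status: (.+)", line)
        if cur and status:
            ifaces[cur]["status"] = status.group(1).strip()
    return ifaces

def jail_ips(rc_conf):
    """Collect jail_<name>_ip="..." assignments as {name: ip}."""
    return dict(re.findall(r'^jail_(\w+)_ip="([^"]+)"', rc_conf, re.M))

def locate_jail_ips(ifconfig_text, rc_conf):
    """Per jail: (interface, status) holding its IP, or None if no interface has it."""
    ifaces = parse_ifconfig(ifconfig_text)
    report = {}
    for jail, ip in jail_ips(rc_conf).items():
        hits = [(n, i["status"]) for n, i in ifaces.items()
                if any(a == ip for a, _ in i["inet"])]
        report[jail] = hits[0] if hits else None
    return report
```

Run against the sample it reports the lama jail's address on vr0 with status "no carrier", while fxp0 (the active link) carries no inet address inside the jail; a None result would mean the jail IP is not configured on any interface at all.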