Date:      Sat, 31 Jul 2010 20:14:26 +0200
From:      Rick van der Zwet <info@rickvanderzwet.nl>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: trouble getting Jail with IPFW+NAT to work
Message-ID:  <AANLkTint6+g=qcaVp6K8H=L+wOzuuFkY+a1GcV9rf-jh@mail.gmail.com>
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>
References:  <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com> <20100801021347.O34284@sola.nimnet.asn.au>

On 31 July 2010 18:44, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
>  > I would like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)],
>  > and the Jails should be enabled for access to the outside world using
>  > NAT, as I have only one external IP address. The jails are connected to
>  > IPs configured on the lo1 interface.
>  >
>  > ICMP packets seem to flow out and in, looking at my tcpdump, but they
>  > never get received by my Jail anymore. A natd setup does not work
>  > either. If I use the pf firewall, however, it works like a charm.
>  >
>  > Is this setup not supported by IPFW+NAT or am I doing something wrong?
>
> The latter.
[snip: old test details]
>  >
>  > = /etc/rc.conf relevant snippets =
>  > firewall_enable="YES"
>  > firewall_nat_enable="YES"
>  > firewall_script="/etc/rc.firewall.local"
>  >
>  > cloned_interfaces="lo1"
>  > ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
>  > ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
>  >
>  > gateway_enable="YES"
>  >
>  > jail_enable="YES"
>  > jail_wleiden_rootdir="/usr/jail/wleiden"
>  > jail_wleiden_hostname="wleiden.vanderzwet.net"
>  > jail_wleiden_ip="10.0.0.2"
>  > jail_wleiden_devfs_enable="YES"
>  > jail_wleiden_devfs_ruleset="devfsrules_jail"
[snip: jail setup]
>
> I'll take all of your jail setup on faith, but ..
>
>  > = /etc/rc.firewall.local =
>  > #!/bin/sh -
>  > fwcmd="/sbin/ipfw"
>  >
>  > ############
>  > # Flush out the list before we begin.
>  > ${fwcmd} -f flush
>  >
>  > ${fwcmd} add 100 pass all from any to any via lo0
>  >
>  > # Also tested using the lines below
>  > # natd -interface re0 -verbose | tee -i /tmp/natd.log &
>  > # ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
>  > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
>  > ${fwcmd} nat 200 config if re0
>  >
>  > ${fwcmd} add 65001 allow all from any to any
>
> .. here you're only doing NAT on the way out, ie packets from 10.x are
> only 'via re0' on the way out - they have no receive interface on the
> way in, being from the local host, see ipfw(8).
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es.  Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

Both suggestions work like a charm.

> Perhaps also specify ip4 rather than all, if that's what's implied.
> Certainly passing ip6 packets to natd is bad news (panics, currently)

Hint taken and applied. Works OK now.

Thanks!
/Rick

--
http://rickvanderzwet.nl
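
As an added example, not code from the thread or from either poster: the /etc/rc.firewall.local quoted above, rewritten with the two direction-explicit nat rules Ian suggested and with ip4 instead of all. The interface name re0 and the 10.0.0.0/24 jail subnet on lo1 come from the quoted rc.conf; OUTSIDE_ADDR defaulting to "any", the rule numbers 200/210, the FWCMD dry-run override and the check/apply entry point are assumptions of this example only.

```shell
#!/bin/sh
# Added example, not the original poster's script: /etc/rc.firewall.local
# with the corrected NAT rules for jails living on lo1 aliases.
# Assumed (not from the thread): FWCMD=echo as a dry-run hook, rule numbers
# 200/210, OUTSIDE_ADDR="any" because nothing else is routed via this host.

FWCMD="${FWCMD:-/sbin/ipfw}"          # set FWCMD=echo to dry-run anywhere
EXT_IF="${EXT_IF:-re0}"               # outside interface (from rc.conf)
JAIL_NET="${JAIL_NET:-10.0.0.0/24}"   # jail subnet on lo1 (from rc.conf)
OUTSIDE_ADDR="${OUTSIDE_ADDR:-any}"   # or the host's single public IP

load_rules() {
    # Flush out the list before we begin.
    ${FWCMD} -f flush

    # Loopback traffic on lo0 is trusted. Jail traffic is on lo1 and is
    # deliberately NOT matched here, so it still reaches the nat rules.
    ${FWCMD} add 100 pass all from any to any via lo0

    # One nat instance hides the jail subnet behind the outside interface.
    # Configure it before any rule refers to it.
    ${FWCMD} nat 200 config if "${EXT_IF}"

    # Outbound: translate jail sources only as they leave through EXT_IF.
    # 'out xmit' is explicit about direction; 'via' would also match inbound
    # packets, and locally generated packets never have a receive interface.
    ${FWCMD} add 200 nat 200 ip4 from "${JAIL_NET}" to any out xmit "${EXT_IF}"

    # Inbound: replies arriving on EXT_IF must pass the same nat instance so
    # the destination is mapped back to the jail address. This is the rule
    # the original script was missing. ip4 keeps IPv6 out of the NAT path.
    ${FWCMD} add 210 nat 200 ip4 from any to "${OUTSIDE_ADDR}" in recv "${EXT_IF}"

    ${FWCMD} add 65001 allow all from any to any
}

# Emit the ruleset instead of loading it (the subshell keeps the FWCMD
# override local to this call).
render_rules() {
    ( FWCMD=echo; load_rules )
}

# Sanity check on the rendered ruleset: both NAT directions are present and
# no rule hands non-IPv4 traffic to the nat instance. Returns 0 on success.
check_rules() {
    rules=$(render_rules)
    printf '%s\n' "$rules" | grep -q "nat 200 ip4 from ${JAIL_NET} to any out xmit ${EXT_IF}" || return 1
    printf '%s\n' "$rules" | grep -q "nat 200 ip4 from any to ${OUTSIDE_ADDR} in recv ${EXT_IF}" || return 1
    if printf '%s\n' "$rules" | grep -Eq "nat 200 (all|ip6) from"; then
        return 1
    fi
    return 0
}

# Entry point: "apply" loads the rules with ipfw, "check" runs the sanity
# check, anything else (including no argument) just prints the ruleset so
# it can be reviewed first.
case "${1:-print}" in
    apply) load_rules ;;
    check) check_rules ;;
    *)     render_rules ;;
esac
```

Run it as `sh rc.firewall.local check` and then `sh rc.firewall.local apply`; once trusted, make `apply` the default so it works unchanged as firewall_script. Two caveats from ipfw(8) that the thread does not spell out: with the default net.inet.ip.fw.one_pass=1, a packet matched by a nat rule is accepted immediately and is not reinjected at the next rule, so any per-jail restrictions must sit before rules 200/210 (or set one_pass=0 and filter after translation); and if the host offers no inbound services on its own address, `nat 200 config if re0 deny_in` drops inbound packets that match no existing translation, which is a cheap default-deny for the jail subnet.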



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTint6%2Bg=qcaVp6K8H=L%2BwOzuuFkY%2Ba1GcV9rf-jh>