Date: Sat, 31 Jul 2010 20:14:26 +0200
From: Rick van der Zwet <info@rickvanderzwet.nl>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-jail@freebsd.org
Subject: Re: trouble getting Jail with IPFW+NAT to work
Message-ID: <AANLkTint6+g=qcaVp6K8H=L+wOzuuFkY+a1GcV9rf-jh@mail.gmail.com>
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>
References: <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com> <20100801021347.O34284@sola.nimnet.asn.au>
On 31 July 2010 18:44, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
> > I like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)]
> > and the Jails should be enabled for access to the outside world using
> > NAT as I have only one external IP address. The jails are connected to
> > IPs configured on the lo1 interface.
> >
> > ICMP packets seem to flow out and in looking at my tcpdump, but the
> > new got received by my Jail anymore. A natd setup does not work
> > either. If I use the pf firewall however it works like a charm.
> >
> > Is this setup not supported by IPFW+NAT or am I doing something wrong?
>
> The latter.
>
> [snip: old test details]
>
> > = /etc/rc.conf relevant snippets =
> > firewall_enable="YES"
> > firewall_nat_enable="YES"
> > firewall_script="/etc/rc.firewall.local"
> >
> > cloned_interfaces="lo1"
> > ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
> > ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
> >
> > gateway_enable="YES"
> >
> > jail_enable="YES"
> > jail_wleiden_rootdir="/usr/jail/wleiden"
> > jail_wleiden_hostname="wleiden.vanderzwet.net"
> > jail_wleiden_ip="10.0.0.2"
> > jail_wleiden_devfs_enable="YES"
> > jail_wleiden_devfs_ruleset="devfsrules_jail"
>
> [snip: jail setup]
>
> I'll take all of your jail setup on faith, but ..
>
> > = /etc/rc.firewall.local =
> > #!/bin/sh -
> > fwcmd="/sbin/ipfw"
> >
> > ############
> > # Flush out the list before we begin.
> > ${fwcmd} -f flush
> >
> > ${fwcmd} add 100 pass all from any to any via lo0
> >
> > # Also tested using the lines below
> > # natd -interface re0 -verbose | tee -i /tmp/natd.log &
> > # ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
> > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
> > ${fwcmd} nat 200 config if re0
> >
> > ${fwcmd} add 65001 allow all from any to any
>
> .. here you're only doing NAT on the way out, ie packets from 10.x are
> only 'via re0' on the way out - they have no receive interface on the
> way in, being from the local host, see ipfw(8).
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es. Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

Both suggestions work like a charm.

> Perhaps also specify ip4 rather than all, if that's what's implied.
> Certainly passing ip6 packets to natd is bad news (panics, currently)

Hint taken and applied. Works OK now. Thanks!

/Rick
-- 
http://rickvanderzwet.nl
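The corrected firewall script, as an added example that is not part of the thread and not the poster's own file: it combines the direction-explicit nat rules from Ian's reply (out xmit / in recv instead of via) with his suggestion to match ip4 rather than all. The outside interface re0, the jail network 10.0.0.0/24 and the variable name fwcmd are taken from the original rc.conf and rc.firewall.local; the oif, jailnet and outside_addr variables, the rule numbers 210 and the dry-run/apply switches are assumptions made for this example.

```shell
#!/bin/sh
# Added example: IPFW+NAT rule set for a host whose jails live on lo1.
# Not the list poster's script; the layout follows the thread's suggestions.
fwcmd="${fwcmd:-/sbin/ipfw}"          # as in the original rc.firewall.local
oif="${oif:-re0}"                     # outside interface (assumed name, from the thread)
jailnet="${jailnet:-10.0.0.0/24}"     # jail addresses on lo1 (from the original rc.conf)
outside_addr="${outside_addr:-any}"   # 'any' unless other addresses are routed

# ipfw_rules prints the rule set, one ipfw argument list per line.
# Generating the rules separately from applying them lets the set be
# inspected (or tested) on a machine without ipfw.
ipfw_rules() {
    cat <<EOF
add 100 pass all from any to any via lo0
nat 200 config if ${oif}
add 200 nat 200 ip4 from ${jailnet} to any out xmit ${oif}
add 210 nat 200 ip4 from any to ${outside_addr} in recv ${oif}
add 65001 allow all from any to any
EOF
}

# apply_rules flushes the running set and loads the rules above.
# Only call this on the FreeBSD host itself.
apply_rules() {
    "${fwcmd}" -f flush
    ipfw_rules | while read -r line; do
        # shellcheck disable=SC2086  (word splitting of the rule is intended)
        "${fwcmd}" ${line}
    done
}

case "${1:-}" in
    --dry-run) ipfw_rules ;;    # print the rules without touching the kernel
    --apply)   apply_rules ;;   # flush and load them
esac
```

Rule 200 translates the jail's source address on the way out of re0; rule 210 catches the replies arriving on re0 addressed to the outside address and maps them back to 10.0.0.x, which is the rule the original script lacked. Matching ip4 keeps IPv6 packets away from the nat instance. Note that with net.inet.ip.fw.one_pass at its default of 1 a packet leaves the rule set as soon as a nat rule has translated it, so any filtering of the NATed traffic has to sit before rules 200 and 210, not after them.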