Date: Tue, 20 Jul 2010 16:23:32 -0400
From: alexus <alexus@gmail.com>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipnat.conf - map and rdr won't work!
Message-ID: <AANLkTimFKATt4_4umseRhcrDl7BLkOuNvOfuXIGHrdJB@mail.gmail.com>
In-Reply-To: <4C45F0F1.7010609@locolomo.org>
References: <AANLkTilVTo36Fzdh2DKAQhRjyDj8MNUuV9dhwvQ7Gf-V@mail.gmail.com>
 <AANLkTinh0CykJ1Av3f2THPDFOLS0YtYLDvRMHXm_wD3w@mail.gmail.com>
 <4C3F91CF.5090206@locolomo.org>
 <AANLkTin6hYyHiG8taifkNHPBtKI0rKOkAaGRYodV1LLC@mail.gmail.com>
 <4C419944.8030702@locolomo.org>
 <AANLkTin8H47Z7suztGnWpa8fm-XIagQ6vzlxP85OIT-B@mail.gmail.com>
 <4C447F7F.6020308@locolomo.org>
 <AANLkTinM1E2Obrs8VqSsm3S_jcXqbw_Q1YLkc51tgJsS@mail.gmail.com>
 <4C45D57F.2020506@locolomo.org>
 <AANLkTinXjSXlL59mVU5bh-cIqxwHg5C3pgOsA7tcqFMk@mail.gmail.com>
 <4C45F0F1.7010609@locolomo.org>
On Tue, Jul 20, 2010 at 2:54 PM, Erik Norgaard <norgaard@locolomo.org> wrote:
> On 20/07/10 20.07, alexus wrote:
>>
>> On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard <norgaard@locolomo.org> wrote:
>> plan b is to run natd, but i'd rather run ipnat, especially since ipnat
>> used to work before with no problem!
>
> Maybe move away from what used to work and towards what is working :)
> Whichever you prefer, just stick to one solution only.

Right, yet I still would like to know where the problem is :))

>> su-3.2# ping -c1 lama
>> PING lama (172.16.172.16): 56 data bytes
>> 64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms
>>
>> --- lama ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
>> su-3.2#
>>
>> ip address tells me that this is in fact the jail's IP
>
> Yes and no, if you shut down your jail you should still be able to ping that
> ip as I read your snippet from your rc.conf.

You're right, I'm pinging an IP that resides on another interface and doesn't
really belong to the jail in the first place. You asked me if I can ping the
jail from the host; I don't know how else I can test it. Pinging the IP is
kind of pointless then, so I ssh in, and that seems to be working. What else
can I try?

>>> So I suppose that from your host environment you can ssh into the jail?
>>> Did ssh start up, netstat -l? From the jail, can you ping the host
>>> environment?
>>
>> su-3.2# jls
>>    JID  IP Address      Hostname                      Path
>>      1  172.16.172.16   lama                          /usr/jail/lama
>> su-3.2# jexec 1 /etc/rc.d/sshd status
>> sshd is running as pid 1085.
>> su-3.2# ps -p 1085
>>   PID  TT  STAT      TIME COMMAND
>>  1085  ??  IsJ    0:00.00 /usr/sbin/sshd
>> su-3.2#
>>
>
> OK, but you didn't check where your ssh binds.

su-3.2# netstat -tan | grep LISTEN | grep 22
tcp4       0      0 172.16.172.16.22       *.*                    LISTEN
su-3.2#

Would that be sufficient? I just don't know how else I can see..
>> I know, I can run it with that IP address as an alias on the public
>> interface, but we on purpose added another NIC to be the private NIC.
>
> Well, read the man jail(8):
>
>      ip4.addr
>              A comma-separated list of IPv4 addresses assigned to the prison.
>              If this is set, the jail is restricted to using only these
>              address.  Any attempts to use other addresses fail, and attempts
>              to use wildcard addresses silently use the jailed address
>              instead. ...
>
> If I understand this correctly, remove the line
>
>     jail_lama_ip="172.16.172.16"
>
> from your rc.conf and your jail can then bind to port 22 on the external
> interface thus bypassing the need for nat. This is ok, since all you did was
> redirecting traffic. And the map rule shouldn't be necessary either, nor
> should the fxp interface.
>
> BR, Erik
>

I actually like this idea, I think I'm going to give that a shot... I'll let
you know how that worked out...

--
http://alexus.org/
