From: Chris
To: FreeBSD Questions (freebsd-questions@freebsd.org)
Date: Wed, 27 Sep 2006 10:00:35 -0700
Subject: Re: rewrite of multiple incoming IPs into a single IP

On Sep 26, 2006, at 6:49 PM, Chris wrote:

> I have spent the day trying to get multiple IP addresses rewritten
> to a single address using IPFW and NATD. Is there a simple

So as not to leave a hanging post in case someone else searches on this issue, I'm going to answer myself. I am now successfully using natd to internally rewrite multiple IPs to a single jail and then back to their real address. It does seem to be identical to configuring a private IP network, but instead of an interface, I'm using the alias_address bound to the primary interface.
Within the jail, NameVirtualHost is able to service the various sites by name through the http client/server banter. This will not work if someone uses unregistered sites unless host tables are created for the http clients, because the jailed httpd responds from the default site. This makes the jail very useful to me without disrupting the environment of the company's web space and the human ramifications that can cause. If there is a superior way to do this, please correct me.

I also now realize this should have been posted to FreeBSD-IPFW; apologies.

(Note: these private IPs are really simulating my public IPs.)

Addresses on bge0:

  host IP                  192.168.1.222
  host alias and jail IP   192.168.1.223
  second host alias        192.168.1.224 (simulates a different public address
                                          to be served by the jail after rewriting to 223)

IPFW pertinent commands:

  divert 8668 ip from any to any via bge0
      (packets all follow this path)
  allow tcp from any to 192.168.1.223 dst-port 80 setup
      (packets are rewritten on the way in and follow this path to the jail)
  allow ip from 192.168.1.223 to 192.168.1.0/24
      (packets coming from the outside on 223 return on this path)
  allow ip from 192.168.1.224 to 192.168.1.0/24
      (packets coming from the outside on 224 return on this path)

NATD commands:

  alias_address 192.168.1.223
  redirect_address 192.168.1.223 192.168.1.224
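The setup above, as an added example that is not part of the original post: a small POSIX shell script that generates the natd.conf and the ipfw rule set for "several addresses rewritten to one jail", parameterised so more than one extra address can be mapped, plus a sanity check that the divert rule is numbered below every allow rule. If an allow rule sat in front of the divert, an inbound packet to 192.168.1.224 would be passed before natd ever saw it and the rewrite to .223 would never happen. The interface, addresses and rule numbers are hypothetical defaults, and the `established` rule and the trailing `deny` are assumptions added here (the post only lists its "pertinent" rules, so its full rule set is not known).

```shell
#!/bin/sh
# Added example (not from the original post). Generates natd.conf lines and an
# ipfw rule set for the "multiple public IPs -> one jail" static NAT described
# in the thread. All defaults below are assumptions; override via environment.

IFACE="${IFACE:-bge0}"                    # external interface natd diverts on
JAIL_IP="${JAIL_IP:-192.168.1.223}"       # natd alias_address: the jail's real IP
EXTRA_IPS="${EXTRA_IPS:-192.168.1.224}"   # space-separated addresses mapped onto the jail
LAN="${LAN:-192.168.1.0/24}"              # where return traffic is allowed to go
NATD_PORT="${NATD_PORT:-8668}"            # divert port natd listens on

# natd.conf: alias_address is the jail; one redirect_address per extra IP.
# redirect_address is a static, bidirectional mapping for ALL protocols/ports,
# so the ipfw rules, not natd, are what limit the jail to port 80.
gen_natd_conf() {
    printf 'alias_address %s\n' "$JAIL_IP"
    for ip in $EXTRA_IPS; do
        printf 'redirect_address %s %s\n' "$JAIL_IP" "$ip"
    done
}

# ipfw rule set. Ordering is the whole point: rule 100 diverts every packet
# crossing $IFACE to natd before any allow/deny rule is evaluated, so inbound
# packets to an extra IP arrive at rule 200 already rewritten to $JAIL_IP, and
# outbound replies from $JAIL_IP are already rewritten back to the extra IP.
gen_ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert $NATD_PORT ip from any to any via $IFACE
ipfw add 200 allow tcp from any to $JAIL_IP dst-port 80 setup
ipfw add 210 allow tcp from any to $JAIL_IP dst-port 80 established
ipfw add 300 allow ip from $JAIL_IP to $LAN
EOF
    n=310
    for ip in $EXTRA_IPS; do
        # post-rewrite replies leave with the extra IP as source
        echo "ipfw add $n allow ip from $ip to $LAN"
        n=$((n + 10))
    done
    # assumed default deny so anything not explicitly allowed is dropped and logged
    echo "ipfw add 65000 deny log ip from any to any"
}

# Sanity check: succeeds (exit 0) only if the divert rule carries a lower number
# than the first allow rule, i.e. rewriting happens before filtering.
check_divert_first() {
    rules="$1"
    div=$(printf '%s\n' "$rules" | awk '$2=="add" && $4=="divert" {print $3; exit}')
    first_allow=$(printf '%s\n' "$rules" | awk '$2=="add" && $4=="allow" {print $3; exit}')
    [ -n "$div" ] && [ -n "$first_allow" ] && [ "$div" -lt "$first_allow" ]
}

# Usage: ./gen-nat-rules.sh print   (prints both configs, applies nothing)
if [ "${1:-}" = "print" ]; then
    echo "# natd.conf"; gen_natd_conf
    echo "# ipfw rules"; rules=$(gen_ipfw_rules); printf '%s\n' "$rules"
    check_divert_first "$rules" || echo "WARNING: divert rule is not first"
fi
```

Run it with `print` to review the output before feeding the natd lines to `/etc/natd.conf` and the ipfw lines to a firewall script; nothing is applied to the running kernel by the script itself.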