From owner-freebsd-questions@FreeBSD.ORG Fri Jul 16 00:56:54 2010
Date: Thu, 15 Jul 2010 20:56:51 -0400
From: alexus
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
In-Reply-To: <4C3F91CF.5090206@locolomo.org>
Subject: Re: ipnat.conf - map and rdr won't work!
On Thu, Jul 15, 2010 at 6:55 PM, Erik Norgaard wrote:
> On 15/07/10 21.17, alexus wrote:
>>
>> On Wed, Jul 14, 2010 at 10:32 PM, alexus wrote:
>>>
>>> I can't put my mind around it, before reboot I was able to ssh in from
>>> outside to my jail and right now I can't!
>
> What did you change?

As far as I know nothing was changed, that's why I can't wrap my mind around
why it stopped working all of a sudden; I have rebooted my box in the past,
yet everything was working as expected.

>>> su-3.2# cat /etc/ipnat.rules
>>> map fxp0 lama -> 0/32
>>> rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp
>
> What's that first rule supposed to do?

It provides NAT within the jail.

>>> su-3.2# grep lama /etc/hosts
>>> 172.16.172.16           lama
>
>>> su-3.2# ifconfig
>>> vr0: flags=8943 metric 0 mtu 1500
>>>         options=2808
>>>         ether 00:19:5b:68:9b:01
>>>         inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>>>         media: Ethernet autoselect (none)
>>>         status: no carrier
>>> fxp0: flags=8843 metric 0 mtu 1500
>>>         options=2009
>>>         ether 00:0f:fe:aa:f4:61
>>>         inet 64.52.58.58 netmask 0xffffffe0 broadcast 64.52.58.63
>>>         media: Ethernet autoselect (100baseTX)
>>>         status: active
>
> Where is this? This "su-3.2" is a bit confusing, would be useful to set your
> hostname to "jail" within the jail...

su-3.2 is the host environment where the jail is hosted.

> I think it is typical for jails to clone the loopback interface for this
> setup.

Not sure what you mean by this... if you are referring to this statement as if
you thought this is the jail itself, then this is not the jail; this is the
host environment (where the jail is hosted).

>>> su-3.2# jls
>>>    JID  IP Address      Hostname                      Path
>>>      1  172.16.172.16   lama                          /usr/jail/lama
>>>
>>> and this is me from outside trying to ssh to my box and getting time
>>> out...
>>>
>>> mp:~ alexus$ ssh -v jothost.com
>>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>>> debug1: Reading configuration data /etc/ssh_config
>>> debug1: Connecting to jothost.com [64.52.58.58] port 22.
>>> debug1: connect to address 64.52.58.58 port 22: Operation timed out
>>> ssh: connect to host jothost.com port 22: Operation timed out
>
> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
> pfctl -ss and similar.

su-3.2# pfctl -ss
pfctl: /dev/pf: No such file or directory
su-3.2#

I don't know how to use tcpdump, can you provide the exact syntax so I can
run it?

Whenever I try to ssh from outside, ipnat -l shows the following (last line
under active sessions):

su-3.2# ipnat -l
List of active MAP/Redirect filters:
map fxp0 172.16.172.16/32 -> 0.0.0.0/32
rdr fxp0 64.52.58.58/32 port 22 -> 172.16.172.16 port 22 tcp
List of active sessions:
RDR 172.16.172.16 22 <- -> 64.52.58.58 22 [24.190.74.126 50715]
su-3.2#

> Can you ssh from the host system to the jail?

Yes, it takes a bit long, but that's due to the map rule inside ipnat.conf not
working either, as rdr doesn't work.

>> anyone?
>
> If nobody replies, maybe try to rephrase your question, investigate further
> and provide additional information rather than just repost.

I was under the impression that I had pretty much covered all the bases, or at
least I thought so... apparently not... but if you do feel that you need any
additional information, I'll be more than happy to provide it for you.

Thanks in advance.

> BR, Erik

-- 
http://alexus.org/
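An added check, not code from this thread or from IPFilter, that parses the `ipnat -l` output quoted above: it pairs each active RDR session with the rdr rule that could have created it. A matched session means the inbound SYN was translated by the rule, so a client that still times out points the investigation at the reply path (where tcpdump on the interface helps) rather than at the rdr rule. The sample text is constructed from the output quoted in the message; the function and field names are my own.

```python
import re

# Constructed sample: the ipnat -l output quoted in the thread.
IPNAT_OUTPUT = """\
List of active MAP/Redirect filters:
map fxp0 172.16.172.16/32 -> 0.0.0.0/32
rdr fxp0 64.52.58.58/32 port 22 -> 172.16.172.16 port 22 tcp
List of active sessions:
RDR 172.16.172.16 22 <- -> 64.52.58.58 22 [24.190.74.126 50715]
"""

# rdr <if> <ext>[/len] port <p> -> <int> port <p> [proto]
RDR_RULE = re.compile(r"^rdr (\S+) (\S+?)(?:/\d+)? port (\d+) -> (\S+) port (\d+)")
# RDR <int> <p> <- -> <ext> <p> [<client> <client port>]
RDR_SESSION = re.compile(r"^RDR (\S+) (\d+) <- -> (\S+) (\d+) \[(\S+) (\d+)\]")


def parse_ipnat(output):
    """Split ipnat -l output into rdr rules and active RDR sessions."""
    rules, sessions = [], []
    for line in output.splitlines():
        m = RDR_RULE.match(line)
        if m:
            rules.append({"ifname": m[1], "ext": m[2], "ext_port": int(m[3]),
                          "int": m[4], "int_port": int(m[5])})
            continue
        m = RDR_SESSION.match(line)
        if m:
            sessions.append({"int": m[1], "int_port": int(m[2]), "ext": m[3],
                             "ext_port": int(m[4]), "client": m[5],
                             "client_port": int(m[6])})
    return rules, sessions


def matched_sessions(output):
    """Return (client, interface, internal address) for every active RDR
    session that one of the listed rdr rules explains. A session showing up
    here proves the inbound packet was translated to the jail address."""
    rules, sessions = parse_ipnat(output)
    hits = []
    for s in sessions:
        for r in rules:
            if (s["ext"], s["ext_port"], s["int"], s["int_port"]) == (
                    r["ext"], r["ext_port"], r["int"], r["int_port"]):
                hits.append((s["client"], r["ifname"], r["int"]))
    return hits


if __name__ == "__main__":
    for client, ifname, jail_ip in matched_sessions(IPNAT_OUTPUT):
        print(f"{client} was redirected on {ifname} to {jail_ip}")
```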