From owner-freebsd-questions@FreeBSD.ORG Fri Oct 18 13:53:17 2013
Date: Fri, 18 Oct 2013 09:53:11 -0400
Subject: Help with natd on a specific IP when multiple IPs on same interface
From: Alejandro Imass
To: FreeBSD Questions
List-Id: User questions
Hi,

A while back I posted a problem related to natd on a single interface with multiple IPs. We use natd to enable Internet access to a bunch of jails and also to redirect specific ports to some of the jails, whilst other jails may be bound to public IPs as well.

The problem is that once natd is in operation, all the outbound traffic appears to come from the first public IP assigned to the interface. Is there any way to more granularly configure natd (static NAT perhaps?) so that traffic that is bound to the other public IPs (i.e. from a jail that is bound to another public IP of the same interface) appears to come from the correct IP?

Our overall set-up is pretty simple:

a) A single NIC (em0) with multiple public IPs
b) All jails have one private IP in 192.168.101.x, which are all aliases of lo0
c) Some jails may have both the private IP and also a public IP. Any public IP bound to a specific jail is unique to that jail.
d) One public IP is reserved for the base system
e) For those jails that don't have public IPs we redirect the ssh port with natd as well, using a port number scheme xxx22 where xxx is the last digits of the private IP
f) HTTP inbound traffic is reverse-proxied using Apache mod_proxy to those jails that don't have a public IP. The central proxy is also a jail that is bound to the base system's public IP, which traps port 80 of the base system's IP.
g) We make sure that nothing listens on *. Every service is carefully tailored to bind to a specific IP. For example, all sshd of every jail listen specifically on their respective private IP.

rc.conf
-----------
natd_enable="YES"
natd_interface="em0"
natd_flags="-f /etc/natd.conf"

natd.conf
--------------
redirect_port tcp 192.168.101.123:22 12322
etc...
The specific objectives to fix are:

1) In the port redirect above, to use the specific base system IP, something like:
   redirect_port tcp 192.168.101.123:22 xxx.xxx.xxx.xxx:12322
2) When a connection is made from inside a jail bound to a public IP, that it appears to come from that public IP and not from the first IP assigned to em0
3) That ssh -b xxx.xxx.xxx.xxx actually works correctly per point 2 above
4) Should we switch to kernel-based NAT instead of natd?

Thanks in advance for any help!

--
Alejandro Imass
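The script below is an added example for points 1 to 3 of the post; it is not part of Alejandro's message or of any reply on the list. It is an /etc/ipfw.rules-style sh script that writes a natd.conf using the [aliasIP:]aliasPort form of redirect_port, a static redirect_address mapping for one jail, and unregistered_only, and that installs ipfw divert rules which only hand natd the traffic that needs translating, so a jail bound to its own public IP (and ssh -b on that IP) is never rewritten. The addresses 203.0.113.10 (base system), 203.0.113.50 (a jail's public IP) and 192.168.101.50 (that jail's private IP) are assumed placeholders; em0, 192.168.101.0/24 and the xxx22 port scheme come from the post. Run it with DRYRUN=1 to see the rules it would load, or with the argument "apply" as root to write /etc/natd.conf and load them.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD project):
# /etc/ipfw.rules-style script for natd on one interface with several public IPs.
#
# Assumed addresses (placeholders, not from the post):
#   203.0.113.10     base system public IP on em0 (owner of the xxx22 ssh redirects)
#   203.0.113.50     public IP on em0 belonging to the jail at 192.168.101.50
#   192.168.101.0/24 jail private network (aliases on lo0, as in the post)
#
# The post's current setup is the usual "everything through natd" pattern:
#   redirect_port tcp 192.168.101.123:22 12322      (no alias IP: natd uses its alias
#                                                    address, i.e. the first IP on em0)
#   divert natd ip from any to any via em0          (the catch-all rule rc.firewall sets
#                                                    up for natd: public-IP jails get
#                                                    rewritten to the first IP as well)

EXT_IF=em0
BASE_IP=203.0.113.10
JAIL_NET=192.168.101.0/24
NATD_CONF=/etc/natd.conf

# Wrapper around ipfw. With DRYRUN set the rules are printed instead of loaded.
fw() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "ipfw $*"
    else
        ipfw -q "$@"
    fi
}

# Contents of natd.conf (natd -f). Written as a function so it can be inspected
# before it is installed.
natd_conf() {
cat <<EOF
interface ${EXT_IF}
# Only rewrite outgoing packets whose source is an RFC 1918 address. A jail
# bound to a public IP, or a process using 'ssh -b publicIP', is left alone.
unregistered_only yes
same_ports yes
use_sockets yes
# Static NAT for one jail: packets from 192.168.101.50 leave as 203.0.113.50
# and everything sent to 203.0.113.50 is delivered to 192.168.101.50.
redirect_address 192.168.101.50 203.0.113.50
# Port redirect with an explicit alias IP: only ${BASE_IP}:12322 reaches the
# jail's sshd, whatever the first address on ${EXT_IF} happens to be.
redirect_port tcp 192.168.101.123:22 ${BASE_IP}:12322
EOF
}

rules() {
    fw -f flush
    # Jail-to-jail and host-to-jail traffic stays on lo0 and is never translated.
    fw add 100 allow ip from any to any via lo0
    # Inbound on em0 goes through natd so redirect_port / redirect_address and
    # return traffic for translated sessions are handled. Packets for a public
    # IP with no alias entry pass through natd unchanged.
    fw add 200 divert natd ip from any to any in via ${EXT_IF}
    # Outbound on em0: only packets sourced from the private jail network are
    # handed to natd. A jail bound to a public IP already has the right source
    # address, so it never matches this rule (unregistered_only is the safety net).
    fw add 300 divert natd ip from ${JAIL_NET} to any out via ${EXT_IF}
    # Remaining policy (stateful rules, per-jail allow lists) goes here.
    fw add 65000 allow ip from any to any
}

if [ "${1:-}" = "apply" ]; then
    natd_conf > "${NATD_CONF}"
    rules
fi
```

Two caveats on the static mapping: redirect_address sends everything addressed to 203.0.113.50 to 192.168.101.50, so it fits a jail whose daemons listen on the private IP; for a jail whose daemons already bind the public IP, do not map it and rely on rule 300 not matching it. If a jail needs both (outbound from its private IP shown as its public IP, inbound to public-IP listeners untouched), a second natd instance started with -a 203.0.113.50 on its own divert port, fed by a divert rule for that one private address, is the natd way to do it. For point 4: ipfw nat takes the same keywords (ipfw nat 1 config if em0 unregistered_only redirect_addr 192.168.101.50 203.0.113.50 redirect_port tcp 192.168.101.123:22 203.0.113.10:12322) with "nat 1" in place of "divert natd" in rules 200 and 300, so the matching logic above carries over unchanged.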