Date: Tue, 22 Oct 2013 08:38:12 -0400
From: Alejandro Imass <aimass@yabarana.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Help with natd on a specific IP when multiple IPs on same interface
Message-ID: <CAHieY7SP230z9WhXhUUcni0AvFdpio930bozv4VjRQGGpHAtJQ@mail.gmail.com>
In-Reply-To: <CAHieY7ToJMEh6e4AErO3msBMrTj7TiJYgGg4wgyBO8m2sLxTrQ@mail.gmail.com>
References: <CAHieY7ToJMEh6e4AErO3msBMrTj7TiJYgGg4wgyBO8m2sLxTrQ@mail.gmail.com>
On Fri, Oct 18, 2013 at 9:53 AM, Alejandro Imass <aimass@yabarana.com> wrote:
> Hi,
>
> A while back I posted a problem related to natd on a single interface
> with multiple IPs. We use natd to enable Internet access to a
> bunch of jails and also to redirect specific ports to some of the
> jails, whilst other jails may be bound to public IPs as well.
>
> The problem is that once natd is in operation, all the outbound
> traffic appears to come from the first public IP assigned to the
> interface.
>
> Is there any way to more granularly configure natd (static nat
> perhaps?) so that traffic that is bound to the other public IPs (i.e.
> from a jail that is bound to another public IP of the same interface)
> appears to come from the correct IP?
>
> Our overall set-up is pretty simple:
>
> a) A single nic (em0) with multiple public IPs
>
> b) All jails have one private IP in 192.168.101.x which are all aliases of lo0
>
> c) Some jails may have both the private IP and also a public
> IP. Any public IP bound to a specific jail is unique to that jail.
>
> d) One public IP is reserved for the base system
>
> e) For those jails that don't have public IPs we redirect the ssh port
> with natd as well, using a port number scheme xxx22 where xxx is the
> last digits of the private IP
>
> f) HTTP inbound traffic is reverse-proxied using Apache mod_proxy to
> those jails that don't have a public IP. The central proxy is also a
> jail that is bound to the base system's public IP which traps port 80
> of the base system's IP.
>
> g) We make sure that nothing listens on *. Every service is carefully
> tailored to bind to a specific IP. For example, all sshd of every jail
> listen specifically on their respective private IP.
>
> rc.conf
> -----------
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-f /etc/natd.conf"
>
> natd.conf
> --------------
> redirect_port tcp 192.168.101.123:22 12322
> etc...
>
> The specific objectives to fix are:
>
> 1) In the port redirect above to use the specific base system IP,
> something like:
>
> redirect_port tcp 192.168.101.123:22 xxx.xxx.xxx.xxx:12322
>
> 2) When a connection is made from inside a jail bound to a public IP,
> that it appears to come from that public IP and not from the first IP
> assigned to em0
>
> 3) That ssh -b xxx.xxx.xxx.xxx actually works correctly per point 2 above
>
> 4) Should we switch to kernel-based nat instead of natd?
>
> Thanks in advance for any help!
>
> --
> Alejandro Imass

Greetings FBSD crowd!

Is anyone else experiencing this? Did I describe the issue correctly? Can I provide more information on the problem?

Thanks,

--
Alejandro Imass
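The ruleset below is an added example, not part of the message above and not the poster's actual configuration. It implements the four objectives listed in the quoted post for the setup it describes (one em0 carrying several public IPs, jails on 192.168.101.0/24 aliases of lo0, the 192.168.101.123:22 -> 12322 redirect). The public addresses 203.0.113.10 (base system) and 203.0.113.11 (a jail with its own public IP) and the file name /etc/ipfw.jails are placeholders chosen for the example; everything else is natd(8) and ipfw(8) syntax. The key idea is that the stock rc.firewall rule `divert natd ip4 from any to any via em0` is what pushes every packet through natd; diverting only private-sourced packets outbound and only packets addressed to the base IP inbound leaves a jail bound to 203.0.113.11 (or `ssh -b 203.0.113.11`) untouched, because it already sends with that source. natd's redirect_port takes an optional aliasIP: prefix on the alias port, which is objective 1; the kernel branch shows the same policy with `ipfw nat` for objective 4.

```shell
#!/bin/sh
# Added example (not the poster's config): ipfw ruleset plus natd.conf for a
# single em0 with several public IPs and jails on 192.168.101.0/24 (lo0 aliases).
#
# Assumed placeholders, not from the post: BASE_IP 203.0.113.10 (base system's
# public IP, used as the NAT alias address) and the install path /etc/ipfw.jails.
# Wire it in with rc.conf:
#     firewall_enable="YES"
#     firewall_script="/etc/ipfw.jails"
#     natd_enable="YES"
#     natd_flags="-f /etc/natd.conf"
# Leave natd_interface unset: alias_address in natd.conf pins the NAT address,
# whereas "-n em0" makes natd alias everything to em0's first address.

IFACE=${IFACE:-em0}
BASE_IP=${BASE_IP:-203.0.113.10}
JAIL_NET=${JAIL_NET:-192.168.101.0/24}
NAT_MODE=${NAT_MODE:-natd}       # "natd" (userland divert) or "kernel" (ipfw nat)
DRY_RUN=${DRY_RUN:-0}            # 1 = print the rules instead of loading them
[ -x /sbin/ipfw ] || DRY_RUN=1   # no ipfw on this host: preview only

# Run ipfw, or echo the command line when previewing.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# natd.conf for the base system's IP. redirect_port accepts an explicit
# aliasIP:aliasPORT on the public side (objective 1 in the post).
write_natd_conf() {
    cat <<EOF
alias_address $BASE_IP
unregistered_only yes
same_ports yes
redirect_port tcp 192.168.101.123:22 $BASE_IP:12322
EOF
}

load_rules() {
    fw -f flush
    # Jail-to-jail and jail-to-host traffic stays on lo0 and is never translated.
    fw add 100 allow ip from any to any via lo0
    case "$NAT_MODE" in
    natd)
        # Outbound: divert only private-sourced packets to natd (divert port 8668).
        # A jail bound to 203.0.113.11 sends with that source and never matches.
        fw add 200 divert natd ip from "$JAIL_NET" to any out via "$IFACE"
        # Inbound: divert only what is addressed to BASE_IP, i.e. NAT session
        # replies and redirect_port targets such as tcp/12322.
        fw add 210 divert natd ip from any to "$BASE_IP" in via "$IFACE"
        ;;
    kernel)
        # Same policy with in-kernel NAT (kldload ipfw_nat), replacing natd
        # entirely (objective 4 in the post).
        fw nat 1 config ip "$BASE_IP" unreg_only same_ports \
            redirect_port tcp 192.168.101.123:22 12322
        fw add 200 nat 1 ip from "$JAIL_NET" to any out via "$IFACE"
        fw add 210 nat 1 ip from any to "$BASE_IP" in via "$IFACE"
        ;;
    *)
        echo "unknown NAT_MODE: $NAT_MODE" >&2
        return 1
        ;;
    esac
    # Put the real filtering policy here; this example is open past the NAT rules.
    fw add 65000 allow ip from any to any
}

load_rules
```

To check that the split is doing what it should, run `ipfw -a list` while a public-IP jail and a private-only jail each make an outbound connection: only the private jail's traffic should increment rule 200, and `write_natd_conf > /etc/natd.conf` followed by `service natd restart` applies the redirect with the explicit public address. `unregistered_only yes` is belt and braces on top of the narrowed divert rule: even if a broader divert rule creeps back in, natd still refuses to rewrite a packet whose source is already a public address.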