From: Alejandro Imass
To: FreeBSD Questions
Subject: Re: Help with natd on a specific IP when multiple IPs on same interface
Date: Tue, 22 Oct 2013 08:38:12 -0400
On Fri, Oct 18, 2013 at 9:53 AM, Alejandro Imass wrote:
> Hi,
>
> A while back I posted a problem related to natd on a single interface
> with multiple IPs. We use natd to enable Internet access to a
> bunch of jails and also to redirect specific ports to some of the
> jails, whilst other jails may be bound to public IPs as well.
>
> The problem is that once natd is in operation, all the outbound
> traffic appears to come from the first public IP assigned to the
> interface.
>
> Is there any way to more granularly configure natd (static nat
> perhaps?) so that traffic that is bound to the other public IPs (i.e.
> from a jail that is bound to another public IP of the same interface)
> appears to come from the correct IP?
>
> Our overall set-up is pretty simple:
>
> a) A single nic (em0) with multiple public IPs
>
> b) All jails have one private IP in 192.168.101.x which are all aliases of lo0
>
> c) Some jails may have both the private IP and also a public
> IP. Any public IP bound to a specific jail is unique to that jail.
>
> d) One public IP is reserved for the base system
>
> e) For those jails that don't have public IPs we redirect the ssh port
> with natd as well, using a port number scheme xxx22 where xxx is the
> last digits of the private IP
>
> f) HTTP inbound traffic is reverse-proxied using Apache mod_proxy to
> those jails that don't have public IP. The central proxy is also a
> jail that is bound to the base system's public IP which traps port 80
> of the base system's IP.
>
> g) We make sure that nothing listens on *. Every service is carefully
> tailored to bind to a specific IP. For example, all sshd of every jail
> listen specifically on their respective private IP.
>
> rc.conf
> -----------
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-f /etc/natd.conf"
>
> natd.conf
> --------------
> redirect_port tcp 192.168.101.123:22 12322
> etc...
>
> The specific objectives to fix are:
>
> 1) In the port redirect above to use the specific base system IP,
> something like:
>
> redirect_port tcp 192.168.101.123:22 xxx.xxx.xxx.xxx:12322
>
> 2) When a connection is made from inside a jail bound to a public IP,
> that it appears to come from that public IP and not from the first IP
> assigned to em0
>
> 3) That ssh -b xxx.xxx.xxx.xxx actually works correctly per point 2 above
>
> 4) Should we switch to kernel-based nat instead of natd?
>
> Thanks in advance for any help!
>
> --
> Alejandro Imass

Greetings FBSD crowd!

Is anyone else experiencing this? Did I describe the issue correctly? Can I provide more information on the problem?

Thanks,

--
Alejandro Imass
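An added shell check, not from the thread or from FreeBSD itself, that audits a natd.conf for `redirect_port` entries lacking the explicit `aliasaddr:` prefix asked for in objective 1 (natd(8) accepts `[aliasaddr:]aliasport`), since a bare port is bound on every address of natd_interface. The sample natd.conf, its path and the 203.0.113.10 address are constructed for the example.

```shell
#!/bin/sh
# Constructed sample natd.conf (not the poster's real file; addresses are placeholders).
SAMPLE_CONF="${TMPDIR:-/tmp}/natd-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# bare alias port: natd answers on every IP aliased to em0
redirect_port tcp 192.168.101.123:22 12322
# alias port pinned to one address, the [aliasaddr:]aliasport form from natd(8)
redirect_port tcp 192.168.101.124:22 203.0.113.10:12422
same_ports yes
EOF

# Print each redirect_port line whose alias side has no explicit address.
# Returns 0 when every redirect is pinned, 1 when at least one is not.
natd_unbound_redirects() {
    conf="$1"
    found=0
    while IFS= read -r line; do
        # skip blank lines and comments
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        [ "$1" = "redirect_port" ] || continue
        # fields: redirect_port proto target[:port] [aliasaddr:]aliasport [remote]
        case "$4" in
            *:*) ;;                                   # aliasaddr present
            *)   printf 'unbound: %s\n' "$line"; found=1 ;;
        esac
    done < "$conf"
    return $found
}

natd_unbound_redirects "$SAMPLE_CONF" \
    || echo "one or more redirects need an explicit alias address"
```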