Date: Sat, 31 Jul 2010 22:06:48 +0800
From: Alexander Petrovsky <askjuise@gmail.com>
To: Rick van der Zwet <info@rickvanderzwet.nl>
Cc: freebsd-jail@freebsd.org
Subject: Re: trouble getting Jail with IPFW+NAT to work
Message-ID: <AANLkTimgsDa%2B1_JA86CeLefHnZQ2OaAB7RnFU8gVsFM=@mail.gmail.com>
In-Reply-To: <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com>
References: <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com>
Show ifconfig plz! Show netstat -arn!

2010/7/31 Rick van der Zwet <info@rickvanderzwet.nl>
> I would like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)]
> and the Jails should be enabled for access to the outside world using
> NAT, as I have only one external IP address. The jails are connected to
> IPs configured on the lo1 interface.
>
> ICMP packets seem to flow out and in, looking at my tcpdump, but they
> never get received by my Jail anymore. A natd setup does not work
> either. If I use the pf firewall, however, it works like a charm.
>
> Is this setup not supported by IPFW+NAT or am I doing something wrong?
>
> /Rick
>
> I test my connection using:
> # ping -c 1 8.8.8.8 >/dev/null ; echo $?
> 0
> # jls | grep 13
> 13 10.0.0.2 wleiden.vanderzwet.net /usr/jail/wleiden
> # jexec 13 ping -c 1 10.0.0.1 > /dev/null ; echo $?
> 0
> # jexec 13 ping 8.8.8.8
> ^C
> --- 8.8.8.8 ping statistics ---
> 15 packets transmitted, 0 packets received, 100.0% packet loss
>
> Tcpdump when looking at the last ping:
> # tcpdump -i re0 ip proto 1
> 11:04:33.176393 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id 43582, seq 313, length 64
> 11:04:33.183051 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id 43582, seq 313, length 64
> 11:04:34.186391 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id 43582, seq 314, length 64
> 11:04:34.192663 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id 43582, seq 314, length 64
>
> = /etc/rc.conf relevant snippets =
> firewall_enable="YES"
> firewall_nat_enable="YES"
> firewall_script="/etc/rc.firewall.local"
>
> cloned_interfaces="lo1"
> ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
>
> gateway_enable="YES"
>
> jail_enable="YES"
> jail_wleiden_rootdir="/usr/jail/wleiden"
> jail_wleiden_hostname="wleiden.vanderzwet.net"
> jail_wleiden_ip="10.0.0.2"
> jail_wleiden_devfs_enable="YES"
> jail_wleiden_devfs_ruleset="devfsrules_jail"
>
> = relevant sysctl entries =
> net.inet.ip.forwarding: 1
> security.jail.allow_raw_sockets: 1
> net.inet.ip.fw.enable: 1
>
> = /etc/sysctl.conf =
> security.jail.allow_raw_sockets=1
>
> = Loaded modules =
> %kldstat
> Id Refs Address            Size     Name
>  1   17 0xffffffff80100000 d188c0   kernel
>  2    1 0xffffffff80e19000 20ab0    geom_mirror.ko
>  4    1 0xffffffff8102d000 7f2      accf_http.ko
>  5    1 0xffffffff8102e000 1ea      accf_data.ko
>  6    1 0xffffffff8102f000 1f3e     nullfs.ko
>  8    3 0xffffffff81022000 a1d1     ipfw.ko
>  9    1 0xffffffff81031000 14d5     ipfw_nat.ko
> 10    1 0xffffffff81033000 b39a     libalias.ko
> 11    1 0xffffffff8103f000 163f     ipdivert.ko
>
> = /etc/rc.firewall.local =
> #!/bin/sh -
> fwcmd="/sbin/ipfw"
>
> ############
> # Flush out the list before we begin.
> ${fwcmd} -f flush
>
> ${fwcmd} add 100 pass all from any to any via lo0
>
> # Also tested using the lines below
> # natd -interface re0 -verbose | tee -i /tmp/natd.log &
> # ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
> ${fwcmd} nat 200 config if re0
>
> ${fwcmd} add 65001 allow all from any to any
>
>
> == pf setup ==
>
> = Loaded modules =
> %kldstat
> Id Refs Address            Size     Name
>  1   11 0xffffffff80100000 d188c0   kernel
>  2    1 0xffffffff80e19000 20ab0    geom_mirror.ko
>  4    1 0xffffffff8102d000 7f2      accf_http.ko
>  5    1 0xffffffff8102e000 1ea      accf_data.ko
>  6    1 0xffffffff8102f000 1f3e     nullfs.ko
> 11    1 0xffffffff81031000 2bbc1    pf.ko
>
> = /etc/pf.conf =
> nat on re0 from lo1:network to any -> (re0)
>
> ## FILTER RULES
> pass in log all keep state
> pass out log all keep state
>
> = /etc/rc.conf =
> pf_enable="YES"
>
> ... [snip: interface/route setup same as above]
> ... [snip: jail setup same as above]
>
> = Output test =
> jexec 13 ping -c 3 8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> 64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=6.490 ms
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=6.836 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=6.252 ms
>
> --- 8.8.8.8 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 6.252/6.526/6.836/0.240 ms
>
>
> --
> http://rickvanderzwet.nl
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

--
Петровский Александр / Alexander Petrovsky,

ICQ: 350342118
Jabber: juise@jabber.ru
Phone: +7 914 8 820 815
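Added example, not part of the thread above: a variant of the quoted /etc/rc.firewall.local in which the single nat rule is replaced by an outbound rule for the jail network and an inbound rule for everything arriving on re0. ipfw only de-aliases a reply if that reply itself passes through a nat rule on the way in, and a rule written as `from 10.0.0.0/24` can only match the outbound direction, which fits the tcpdump (replies reach re0, the jail never sees them). Interface name, jail network and nat instance number are taken from the quoted configuration; the script only talks to ipfw when run with the argument `apply`, otherwise it prints the ruleset.

```shell
#!/bin/sh -
# Added example (not from the thread): symmetric in-kernel NAT for jails on lo1.
# Assumed from the quoted config: re0 is the external interface,
# 10.0.0.0/24 the jail network, 200 the nat instance number.
fwcmd="/sbin/ipfw"
ext_if="re0"
jail_net="10.0.0.0/24"

# Emit the ruleset one ipfw command per line.
nat_ruleset() {
    cat <<EOF
-f flush
add 100 pass all from any to any via lo0
nat 200 config if ${ext_if}
add 200 nat 200 ip from ${jail_net} to any out via ${ext_if}
add 201 nat 200 ip from any to any in via ${ext_if}
add 65001 allow all from any to any
EOF
}

# Count nat rules for one direction ("in" or "out") on the external
# interface. An inbound count of 0 means replies are never de-aliased
# back to the 10.0.0.x address, which is the failure mode in the thread.
nat_rule_count() {
    nat_ruleset | grep -c "^add [0-9]* nat 200 .* $1 via ${ext_if}\$"
}

# Feed every line to ipfw; ${line} is deliberately unquoted so the
# shell splits it into separate ipfw arguments.
apply_ruleset() {
    nat_ruleset | while IFS= read -r line; do
        ${fwcmd} ${line}
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    nat_ruleset
fi
```

Running it with no argument on a workstation prints the rules for review; `apply` is what /etc/rc.conf's firewall_script would run on the host itself.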