Date: Sat, 31 Jul 2010 14:02:46 +0200 From: Rick van der Zwet <info@rickvanderzwet.nl> To: freebsd-jail@freebsd.org Subject: trouble getting Jail with IPFW+NAT to work Message-ID: <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
I like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)]
and the Jails should be enabled for access to the outside world using
NAT as I have only external IP address, The jails are connected to
ip's configured on the lo1 interfaces.
ICMP packets seems to flow out and in looking at my tcpdump, but the
new got received by my Jail anymore. A natd setup does not work
either. if I use the pf firewall how-ever it works like a charm.
Is this setup not supported by IPFW+NAT or am I doing something wrong?
/Rick
I test my connection using:
# ping -c 1 8.8.8.8 >/dev/null ; echo $?
0
# jls | grep 13
13 10.0.0.2 wleiden.vanderzwet.net /usr/jail/wleiden
# jexec 13 ping -c 1 10.0.0.1 > /dev/null ; echo $?
0
# jexec 13 ping 8.8.8.8
^C
--- 8.8.8.8 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss
Tcpdump when looking at the last ping:
# tcpdump -i re0 ip proto 1
11:04:33.176393 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id
43582, seq 313, length 64
11:04:33.183051 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id
43582, seq 313, length 64
11:04:34.186391 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id
43582, seq 314, length 64
11:04:34.192663 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id
43582, seq 314, length 64
= /etc/rc.conf relevant snippets =
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/rc.firewall.local"
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
gateway_enable="YES"
jail_enable="YES"
jail_wleiden_rootdir="/usr/jail/wleiden"
jail_wleiden_hostname="wleiden.vanderzwet.net"
jail_wleiden_ip="10.0.0.2"
jail_wleiden_devfs_enable="YES"
jail_wleiden_devfs_ruleset="devfsrules_jail"
= relevant sysctl entries =
net.inet.ip.forwarding: 1
security.jail.allow_raw_sockets: 1
net.inet.ip.fw.enable: 1
= /etc/sysctl.conf =
security.jail.allow_raw_sockets=1
= Loaded modules =
%kldstat
Id Refs Address Size Name
1 17 0xffffffff80100000 d188c0 kernel
2 1 0xffffffff80e19000 20ab0 geom_mirror.ko
4 1 0xffffffff8102d000 7f2 accf_http.ko
5 1 0xffffffff8102e000 1ea accf_data.ko
6 1 0xffffffff8102f000 1f3e nullfs.ko
8 3 0xffffffff81022000 a1d1 ipfw.ko
9 1 0xffffffff81031000 14d5 ipfw_nat.ko
10 1 0xffffffff81033000 b39a libalias.ko
11 1 0xffffffff8103f000 163f ipdivert.ko
= /etc/rc.firewall.local =
#!/bin/sh -
fwcmd="/sbin/ipfw"
############
# Flush out the list before we begin.
${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
# Also tested using the lines below
# natd -interface re0 -verbose | tee -i /tmp/natd.log &
# ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
${fwcmd} nat 200 config if re0
${fwcmd} add 65001 allow all from any to any
== pf setup ==
= Loaded modules =
%kldstat
Id Refs Address Size Name
1 11 0xffffffff80100000 d188c0 kernel
2 1 0xffffffff80e19000 20ab0 geom_mirror.ko
4 1 0xffffffff8102d000 7f2 accf_http.ko
5 1 0xffffffff8102e000 1ea accf_data.ko
6 1 0xffffffff8102f000 1f3e nullfs.ko
11 1 0xffffffff81031000 2bbc1 pf.ko
= /etc/pf.conf =
nat on re0 from lo1:network to any -> (re0)
## FILTER RULES
pass in log all keep state
pass out log all keep state
= /etc/rc.conf =
pf_enable="YES"
... [snip: interface/route setup same as above]
... [snip: jail setup same as above]
= Output test =
jexec 13 ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=6.490 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=6.836 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=6.252 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.252/6.526/6.836/0.240 ms
--
http://rickvanderzwet.nl
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj>