redirecting host port to jail port

There are a lot of threads here, and elsewhere, dealing with this issue in its various forms. I've tried to adapt the suggestions in these three threads, with no success:
http://forums.freebsd.org/showthread.php?t=10565
http://forums.freebsd.org/showthread.php?t=38351
http://forums.freebsd.org/showthread.php?t=17172

I have sshd running on port 2022 in the jail, and on port 22 in the host environment. Both are only bound to their respective IP addresses (host: 192.168.1.4, jail: 192.168.0.1). I want to forward port 2022 from the host to 2022 in the jail.

/etc/rc.conf (with the irrelevant things removed):
Code:
ifconfig_re0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

pf.conf (the second rule is there just to see if it works from the host to itself):
Code:
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 3022 -> 192.168.1.4 port 22

pass in all
pass out all

ifconfig re0 (jail sets up the alias 192.168.0.1):
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether XX:XX:XX:XX:XX:XX
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.0.1 netmask 0xffffffff broadcast 192.168.0.1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        maclabel biba/equal(equal-equal),mls/low(low-low)
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
sshd is definitely running on 192.168.0.1:2022 because I can ssh to it from the host. sudo pfctl -sa -P also shows the two forwarding rules. ssh 192.168.1.4 -p 2022 and ssh 192.168.1.4 -p 3022 both fail, however (the latter isn't important; it's just there for additional debugging). I get an immediate "Connection refused", which to me means nothing is there to receive the connection.

I don't really have experience with routing and firewall configuration, so I'm not sure if there's a problem with my network configuration, with my jail, or with something else (like MAC, which I have enabled). In any case, it obviously doesn't work from the host to itself, either, so I'm guessing I missed an important configuration step somewhere.

I also tried natd, but that wasn't helpful and I couldn't figure out how to show the status of what it was forwarding.

Thanks!

Kevin Barry
 
ta0kira said:
Code:
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 3022 -> 192.168.1.4 port 22
This isn't going to work. If you want to change the port why don't you simply edit /etc/ssh/sshd_config?
 
SirDice said:
This isn't going to work. If you want to change the port why don't you simply edit /etc/ssh/sshd_config?
You missed my comment about that being there for testing purposes only. I'm really trying to get 192.168.1.4:2022 -> 192.168.0.1:2022 working, but I had that other one there in case it had something to do with the jail's IP address.

Could you give me a hint about why that line won't work, though? That might help me solve the other problem, since the problem seems to be my own ignorance about networking.

Thanks!

Kevin Barry
 
It's the wrong way around. And there's really no need to NAT. If you do want to use NAT, I'd clone a lo1 and bind the services to that.

In that case it's going to be something like:
Code:
# This is for outgoing traffic
nat on re0 from any to any -> (re0)

# This is for incoming traffic
rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
 
SirDice said:
Code:
# This is for incoming traffic
rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
Thanks! This actually worked. I had something similar before, but your comments made me realize that I need to test it from outside the host! I was doing that to start with, but after several solutions failed, I just started trying to ssh from the host in between service restarts. That being said, why wouldn't the NAT have let me ssh 192.168.1.4 -p 2022 from a session run on 192.168.1.4?

Thanks again!

Kevin Barry
 
SirDice said:
Code:
# This is for outgoing traffic
nat on re0 from any to any -> (re0)
I also needed to add a variation of this for outbound connections, in case someone else comes across this thread and wants the complete solution:
Code:
#redirect outbound connections from the jail to the real IP
nat on re0 from 192.168.0.1 to any -> 192.168.1.4

#redirect inbound connections to the real IP to the jail's IP
rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 22

pass in keep state
pass out keep state
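Pulling the thread together, here is a complete /etc/pf.conf for the setup described above. It is an added example, not the configuration of any poster, and it makes the assumptions stated in its comments: the host sshd listens on 192.168.1.4:22, the jail sshd on 192.168.0.1:2022 (as in the first post), and lo0 is not excluded from pf with "set skip". The lo0 redirect addresses the question of why "ssh 192.168.1.4 -p 2022" run on the host itself was refused: a connection from the host to one of its own addresses never crosses re0, the kernel delivers it over lo0, so an rdr "on re0" is never consulted for it. The translation rules also drop the "pass" keyword used in the first post, since "nat pass"/"rdr pass" lets the translated packet skip the filter rules entirely.

```pf
# /etc/pf.conf - added example, not taken from the thread.
# Assumptions: host sshd on 192.168.1.4:22, jail sshd on 192.168.0.1:2022,
# lo0 NOT listed in "set skip" (the lo0 rdr below needs pf to see lo0).
ext_if   = "re0"
host_ip  = "192.168.1.4"   # DHCP lease in the thread: reload if it changes
jail_ip  = "192.168.0.1"   # alias the jail adds to re0
jail_ssh = "2022"

# Translation (nat/rdr) rules must precede filter rules in pf.conf.

# Outbound: rewrite the jail's private source address to the host address,
# so LAN replies come back to re0 instead of to an address nobody routes.
nat on $ext_if inet from $jail_ip to any -> $host_ip

# Inbound from the LAN: host:2022 -> jail sshd.
# No "pass" here: the redirected packet still has to match a filter rule.
rdr on $ext_if inet proto tcp from any to $host_ip port $jail_ssh -> $jail_ip port $jail_ssh

# Connections the host opens to its own address are delivered over lo0,
# never over re0, so a separate rdr on lo0 is needed for "ssh -p 2022
# 192.168.1.4" run on the host itself (assumption: verify with pfctl -s state).
rdr on lo0 inet proto tcp from any to $host_ip port $jail_ssh -> $jail_ip port $jail_ssh

# Filtering: default deny inbound, log what is blocked to pflog0.
block in log all
pass out keep state

# Host sshd on the real address.
pass in on $ext_if inet proto tcp from any to $host_ip port 22 keep state
# Jail sshd: by the time the filter runs, rdr has already rewritten the
# destination to the jail address, so filter on that, not on $host_ip.
pass in inet proto tcp from any to $jail_ip port $jail_ssh keep state
# Loopback traffic, including the lo0-redirected connections above.
pass in on lo0 all
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf"; "pfctl -s nat" then lists the translation rules and "pfctl -s state" shows the rewritten address pairs while a connection is open, which is the quickest way to confirm a redirect is actually matching. Test from a second machine on the LAN, not only from the host, and watch "tcpdump -n -e -ttt -i pflog0" for anything the block rule drops. If the jail sshd is moved to port 22 as in the last post, only the "port $jail_ssh" after the "->" in the two rdr rules and in the jail pass rule changes.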
 