I have spent days trying to get what I thought should be a simple set of ipfw nat rules set up. With less than zero success. I have read the documentation and scoured the web, and I assume I am just missing something.
Scenario: I have one NIC card with four public IPs. I am running a bunch of jails that each handle specific tasks (i.e. dns, mysql, apache, etc.). I do not want my jails to have public IPs for a bunch of reasons. So I am trying to set up the jails on clones of lo0, and then use ipfw nat rules to handle port redirection. Seems pretty straightforward, but I am screwing something up here. The net effect of everything below is that ipfw show shows EVERYTHING going through the nat rule. For instance, I run SSH on A.B.C.D on port 22 (not A.B.C.G, which is what I am trying to NAT) and all traffic is going through NAT 1. What am I missing here?!?! In short, all traffic seems to be going through 00051 even if it was originally destined for one of the other three public IP addresses.
High Level System Info:
FreeBSD 11.1-RELEASE
/etc/rc.conf
Code:
hostname="XYZ"
dumpdev="AUTO"
# NETWORK INITIALIZATION
ifconfig_em1="inet A.B.C.D netmask 255.255.255.0"
defaultrouter="A.B.C.1"
gateway_enable="YES"
# IPV6 INITIALIZATION
ifconfig_em1_ipv6="inet6 1.2.3.4.5.6.7.8:0 prefixlen 64"
ipv6_defaultrouter="1.2.3.4::a"
ipv6_gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/firewall.rules"
firewall_logging="YES"
ipv6_firewall_logging="YES"
sendmail_enable="NO"
syslogd_enable="YES"
syslogd_flags="-b A.B.C.D -4"
ifconfig_em1_alias0="inet A.B.C.E netmask 255.255.255.255 broadcast A.B.C.E"
ifconfig_em1_alias1="inet A.B.C.F netmask 255.255.255.255 broadcast A.B.C.F"
ifconfig_em1_alias2="inet A.B.C.G netmask 255.255.255.255 broadcast A.B.C.G"
ifconfig_em1_alias3="inet6 1.2.3.4.5.6.7.9 prefixlen 64"
# ^^^^A BUNCH MORE IPV6 ALIASES ARE HERE - OMITTED FOR BREVITY
ifconfig_em1_alias20="inet6 1.2.3.4.5.6.7.8.15 prefixlen 64"
# LOCAL IPV4 ADDRESSING FOR JAILS
cloned_interfaces="lo1 lo2 lo3 lo4"
ipv4_addrs_lo1="10.0.0.1/8"
ipv4_addrs_lo2="10.0.0.1/16"
ipv4_addrs_lo3="10.0.0.1/24"
ipv4_addrs_lo4="10.0.1.1/24"
# THIS WILL SERVE AS THE NETWORK OF DEV SERVERS
ifconfig_lo3_alias0="inet 10.0.0.1 netmask 255.255.255.255 broadcast 10.0.0.1"
ifconfig_lo3_alias1="inet 10.0.0.2 netmask 255.255.255.255 broadcast 10.0.0.2"
ifconfig_lo3_alias2="inet 10.0.0.3 netmask 255.255.255.255 broadcast 10.0.0.3"
ifconfig_lo3_alias3="inet 10.0.0.4 netmask 255.255.255.255 broadcast 10.0.0.4"
ifconfig_lo3_alias4="inet 10.0.0.5 netmask 255.255.255.255 broadcast 10.0.0.5"
ifconfig_lo3_alias5="inet 10.0.0.6 netmask 255.255.255.255 broadcast 10.0.0.6"
ifconfig_lo3_alias6="inet 10.0.0.7 netmask 255.255.255.255 broadcast 10.0.0.7"
#THIS WILL SERVE AS THE NETWORK OF PROD SERVERS
ifconfig_lo4_alias0="inet 10.0.1.1 netmask 255.255.255.255 broadcast 10.0.1.1"
ifconfig_lo4_alias1="inet 10.0.1.2 netmask 255.255.255.255 broadcast 10.0.1.2"
ifconfig_lo4_alias2="inet 10.0.1.3 netmask 255.255.255.255 broadcast 10.0.1.3"
ifconfig_lo4_alias3="inet 10.0.1.4 netmask 255.255.255.255 broadcast 10.0.1.4"
ifconfig_lo4_alias4="inet 10.0.1.5 netmask 255.255.255.255 broadcast 10.0.1.5"
ifconfig_lo4_alias5="inet 10.0.1.6 netmask 255.255.255.255 broadcast 10.0.1.6"
ifconfig_lo4_alias6="inet 10.0.1.7 netmask 255.255.255.255 broadcast 10.0.1.7"
jail_enable="YES"
/etc/sysctl.conf
Code:
security.bsd.see_other_uids=0
net.inet.ip.fw.one_pass=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.inet.ip6.fw.verbose=1
net.inet.ip6.fw.verbose_limit=5
/etc/firewall.rules
Code:
# NOTE THAT A.B.C.G below corresponds to fourth public ip address on external facing NIC
ipfw nat 1 config ip A.B.C.G same_ports unreg_only redirect_port tcp 10.0.0.5:80 80
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00030 allow all from any to any via lo0
$cmd 00050 check-state
$cmd 00051 nat 1 all from any to any;
# A WHOLE BUNCH OF RULES HAPPEN HERE
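As an added example (not part of the original post), the script below shows the nat rule scoped so that only packets arriving on em1 for A.B.C.G, and jail traffic leaving em1, enter nat 1, together with a small lint that flags the unscoped "nat N all from any to any" form used in rule 00051. em1, A.B.C.G, 10.0.0.5:80 and the 10.0.0.0/24 lo3 network are taken from the post; the rule numbers 00052/00053 are an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: ipfw nat rules scoped to one
# public address for the "one NIC, four public IPs, jails on lo clones" layout,
# plus a lint that flags the unscoped "nat N all from any to any" form.
# em1, A.B.C.G (placeholder), 10.0.0.5:80 and the 10.0.0.0/24 lo3 network are
# taken from the post; rule numbers 00052/00053 are assumed.
ext_if="em1"
nat_ip="A.B.C.G"
jail_net="10.0.0.0/24"

# Rule text only (no "ipfw" prefix) so it can be inspected offline.
# Inbound: only packets that arrive on em1 addressed to A.B.C.G enter nat 1.
# Outbound: only jail traffic leaving em1 is translated. SSH to A.B.C.D on
# em1 matches neither rule and is never sent through the NAT instance.
scoped_nat_rules() {
    printf '%s\n' \
        "nat 1 config ip $nat_ip same_ports unreg_only redirect_port tcp 10.0.0.5:80 80" \
        "add 00052 nat 1 ip from any to $nat_ip in recv $ext_if" \
        "add 00053 nat 1 ip from $jail_net to any out xmit $ext_if"
}

# Lint: print every rule line that sends all traffic through a nat instance
# without an address, direction or interface qualifier. Reads stdin, so it
# can be pointed at /etc/firewall.rules or at the output of "ipfw show".
unscoped_nat_rules() {
    grep -E 'nat [0-9]+ (all|ip) from any to any' |
        grep -Ev '[[:space:]](in|out|via|recv|xmit)([[:space:]]|;|$)' || true
}

# Number of unscoped nat rules on stdin (0 means the lint passed).
count_unscoped() {
    unscoped_nat_rules | wc -l | tr -d ' '
}

# Apply on a FreeBSD host: prefix each rule with "ipfw -q". Dry-run (echo)
# by default; run with IPFW="ipfw -q" to install the rules for real.
apply_rules() {
    ipfw_cmd=${IPFW:-"echo ipfw -q"}
    scoped_nat_rules | while IFS= read -r rule; do $ipfw_cmd $rule; done
}
```

Running `count_unscoped < /etc/firewall.rules` against the posted script reports 1 (rule 00051), while the scoped rule set reports 0.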