Interjail access via public IPs

FreeBSD 8.4-p1

Situation:

I have got one server with several jails and 4 routable external IPs. Each jail runs one service. I can access each service via the Internet as desired (e.g. an httpd server). I can access each jail internally via a 10.0.0.0/24 network. Each jail has one internal IP. I can download files etc. from the Internet (e.g. patches or ports).

But what I cannot achieve is to download from one jail to another jail via curl and the public IP. It says connection refused.
curl http://myserver/somfile

I can download using the mentioned URL above from my laptop at home with no problems. I think I misconfigured something in my pf.conf.

Any ideas?

Here is my pf.conf:

Code:
#Interface declarations
ext_if="re0"
all_if="{re0, lo0}"

# Name and IP of our webserver
APACHE1_INTERNAL="10.10.10.1"
APACHE1_EXTERNAL="1.2.3.4"

APACHE2_INTERNAL="10.10.10.2"
APACHE2_EXTERNAL="1.2.3.5"


internal_net= "10.10.10.0/24"

# open ports
tcp_pass = "{ 53 223 }"
udp_pass = "{ 53 223 }"
icmp_type = "echoreq"

### Normalisation
scrub in all

# Allow traffic from apache1 jail to the Internet (source-NAT it behind apache1's own public IP)
nat on $ext_if from $APACHE1_INTERNAL to any -> $APACHE1_EXTERNAL
# Allow traffic from apache2 jail to the Internet (source-NAT it behind apache2's own public IP)
nat on $ext_if from $APACHE2_INTERNAL to any -> $APACHE2_EXTERNAL

### Tables
table <rfc1918> persist
table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/pf_files/whitelist.lst"
table <blacklist> persist file "/etc/pf_files/blacklist.lst"
#table <ssh_allowed> persist
table <sshguard> persist
table <internal_net> { 10.10.10.0/24 }
#table <bruteforce> persist

### Forward http traffic to apache1
rdr on $ext_if proto tcp from any to $APACHE1_EXTERNAL port http -> $APACHE1_INTERNAL port http
rdr on $ext_if proto tcp from any to $APACHE1_EXTERNAL port https -> $APACHE1_INTERNAL port https

### Forward http traffic to apache2
rdr on $ext_if proto tcp from any to $APACHE2_EXTERNAL port http -> $APACHE2_INTERNAL port http
rdr on $ext_if proto tcp from any to $APACHE2_EXTERNAL port https -> $APACHE2_INTERNAL port https
 
The problem is NAT and can't easily be solved. The packets get NAT'ed and travel out $ext_if, to make a connection back in on the same interface and be redirected. Because the outside address is on $ext_if, the packets never leave the interface, so they never get translated.
 
That is what I would have guessed too - but I got a tip for a very easy solution: just add the public DNS name of the domain I want to access to the /etc/hosts of the jail I want to access from. It is so simple; sometimes one can't solve the easiest problems because one thinks too complicated.
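The /etc/hosts trick works because it sends the jail-to-jail request over the 10.10.10.0/24 path instead of the public IP, so the rdr rules on re0 are never involved. The drawback is that this traffic also never passes the filter rules written for the public path (blacklist/whitelist tables, rate limits), so the internal network needs its own pass rules. The alternative that keeps the public IP usable from inside the host is NAT reflection: redirect the same destinations on the interface the hairpinned packets actually arrive on. The fragment below is an added example, not the poster's pf.conf and not from the FreeBSD project; it reuses the macro names from the thread and assumes the jail IPs are aliases on lo0 (if the jails sit on a bridge or epair interface, use that interface instead of lo0). The thread's pf.conf is cut off before its filter section, so the pass rule at the end is also an assumption.

```conf
# Added example: pf NAT reflection for jail-to-jail access via public IPs.
# Macro names follow the posted config; IPs are the thread's placeholder values.
ext_if="re0"
jail_if="lo0"                    # assumption: jail addresses are lo0 aliases
APACHE1_INTERNAL="10.10.10.1"
APACHE1_EXTERNAL="1.2.3.4"
APACHE2_INTERNAL="10.10.10.2"
APACHE2_EXTERNAL="1.2.3.5"
internal_net="10.10.10.0/24"

# Reflection only works if pf sees loopback traffic, so do NOT use
# "set skip on lo0" together with these rules.

scrub in all

### Translation (must come before filter rules in pf)

# Outbound: each jail leaves the host behind its own public address
nat on $ext_if from $APACHE1_INTERNAL to any -> $APACHE1_EXTERNAL
nat on $ext_if from $APACHE2_INTERNAL to any -> $APACHE2_EXTERNAL

# Inbound from the Internet: unchanged from the thread
rdr on $ext_if proto tcp from any to $APACHE1_EXTERNAL port { http https } -> $APACHE1_INTERNAL
rdr on $ext_if proto tcp from any to $APACHE2_EXTERNAL port { http https } -> $APACHE2_INTERNAL

# Reflection: a jail connecting to a public IP of this host never goes out re0.
# The kernel loops it through lo0, so the redirect has to be repeated there.
# pf keeps state on the lo0 rule, so the reply from 10.10.10.1 to 10.10.10.2
# is translated back to source 1.2.3.4 without an extra nat rule.
rdr on $jail_if proto tcp from $internal_net to $APACHE1_EXTERNAL port { http https } -> $APACHE1_INTERNAL
rdr on $jail_if proto tcp from $internal_net to $APACHE2_EXTERNAL port { http https } -> $APACHE2_INTERNAL

### Filtering (assumed; the thread's filter section is not shown)

# Allow the reflected flows between jails explicitly. Whatever tables or
# restrictions apply to the public path should be applied here too, since
# the /etc/hosts workaround and this reflection both terminate on 10.10.10.x.
pass in quick on $jail_if proto tcp from $internal_net to $internal_net port { http https } flags S/SA keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -sn` should list the lo0 rdr rules, and a `curl http://1.2.3.4/` run inside the apache2 jail should show up in `pfctl -ss` as a state on lo0 with the translated destination 10.10.10.1; if the state never appears, pf is skipping lo0 or the jail traffic is on a different interface.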
 