jail nat route

ProFTP

Active Member

Reaction score: 8
Messages: 137

Hi,

Problem:
(without a jail, the network works well!!!)

Code:
                  INTERNET
                     |
   194.xx.xx.xx <- Gateway (NAT) -> 10.0.0.1
                     |    (NAT for 10.7.0.100)
                     |
          rl0 10.7.0.100  <- server0 ->
                     |
          jail 192.168.1.231
          (jail alias on rl0, 192.168.1.231/32)

   194.xx.xx.xx =NAT= 10.7.0.100


I did as described here:
http://www.scottro.net/qnd/qnd-ezjail.html

Code:
ifconfig_rl0_alias0="inet 192.168.1.231/32" 

natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

ezjail_enable="YES"

jail_apachejail_hostname="apachejail"
jail_apachejail_ip="192.168.1.231"
jail_apachejail_rootdir="/home/jails/apachejail"
jail_apachejail_exec="/bin/sh /etc/rc"
jail_apachejail_mount_enable="YES"
jail_apachejail_interface="rl0"
jail_apachejail_devfs_enable="YES"
jail_apachejail_devfs_ruleset="devfsrules_jail"
jail_apachejail_procfs_enable="YES"
jail_apachejail_fdescfs_enable="YES"

/etc/natd.conf
Code:
-redirect_address 192.168.1.231 10.7.0.100

Or, with ipfw (a test ruleset):
Code:
#!/bin/sh
# Drop the current ruleset, then load the test rules.
ipfw -q flush

ipfw add 100 check-state
# Hand packets from the jail address to natd (divert port 8668) as they pass rl0 inbound
ipfw add divert 8668 ip from 192.168.1.231 to any in via rl0
#ipfw add divert natd all from any to any in via rl0
ipfw add allow ip from any to any

Jail:

/home/jails/apachejail/etc/rc.conf
Code:
rpc_bind_enable="NO"
inetd_enable="YES"
network_interfaces="rl0"
sshd_enable="YES"
sendmail_enable="NO"
defautrouter="10.7.0.100"
early_late_divider="NETWORKING"

/home/jails/apachejail/etc/host
Code:
127.0.0.1	apachejail.example.com		apachejail

reboot...

Code:
home# jail /home/jails/apachejail apachejail 192.168.1.231

That works!

ping google.com does not work!!

I changed
Code:
security.jail.socket_unixiproute_only=1
or
Code:
security.jail.socket_unixiproute_only=0

However:
Code:
jail# route add default 10.7.0.100
route: writing to routing socket: Operation not permitted

ifconfig:
Code:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=48<VLAN_MTU,POLLING>
	ether 00:0e:
	inet 10. netmask 0xffff0000 broadcast 10.7.255.255
	inet 192.168.1.231 netmask 0xffffffff broadcast 192.168.1.231
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

Jail:
Code:
apachejail# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:0e:
        inet 192.168.1.231 netmask 0xffffffff broadcast 192.168.1.231
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

If I haven't forgotten anything, that is everything...
As you can see, ping does not work. How can I affect the network? How do I solve this problem?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,181
Messages: 29,471

ProFTP said:
ping google.com does not work!!
Ok. What's the error message?

You probably forgot to set the DNS servers in /etc/resolv.conf inside the jail.
 
ProFTP (OP)

Code:
jailtest # ping 74.125.67.100
PING 74.125.67.100 (74.125.67.100): 56 data bytes
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,773
Messages: 11,279

Do you actually have any routing / default gateway? Run netstat -rn on the host and in the jail.
 
ProFTP (OP)

Host machine:
Code:
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.8.0.1           UGS         0    40408    rl0
10.8.0.0/16        link#1             U           0      104    rl0
10.8.0.100         link#4             UHS         0      936    lo0
127.0.0.1          link#4             UH          0     5994    lo0
192.168.1.231      link#4             UHS         0      122    lo0 =>
192.168.1.231/32   link#1             U           0        0    rl0

Jail:
Code:
apachejail# netstat -rn
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist
 
ProFTP (OP)

Code:
apachejail# netstat -rn
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist

Excuse me, what is this error? Is it supposed to be like this, or is it a serious error?
Is this possible in a jail at all?
 

vivek

Aspiring Daemon

Reaction score: 194
Messages: 805

First, you cannot create or modify networking settings inside a jail. This is a security feature. You set up everything from the host's /etc/rc.conf file. I use pf rules as follows and it works without a problem (em1 is connected to the Internets):
Code:
lan_if="em0"
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
jail_vps_server_ip="123.xx.yyy.zz"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
 
ProFTP (OP)

Is 123.xx.yyy.zz public or local?

Mine is local (I wanted to use a local address).

I use ipfw or natd...

How do I write the NAT with ipfw or with natd?

Is -redirect_address 192.168.1.231 10.7.0.100 really incorrect?
 
ProFTP (OP)

In my case jail_vps_server_ip must be a local address.
 

SirDice

Check the default gateway on the host. It should probably not be pointing to 10.8.0.1.

Make sure the host is able to reach the internet before testing/configuring the jail.
 
ProFTP (OP)

I didn't understand; how do I do that?

Comment it out?
/home/jails/apachejail/etc/rc.conf
# defautrouter="10.7.0.100"
 

SirDice

Forget about the jail for a minute and make sure the host itself is able to access the Internet.
 
ProFTP (OP)

If not from the jail, ping works...

Without the jail everything works! From the jail, ping does not work.

Or what did you mean? Can you explain? What should I do?
(without the jail everything works)
 
ProFTP (OP)

Code:
jail# route add default 10.7.0.100
route: writing to routing socket: Operation not permitted

And what should I do about this?
Is it supposed to be like this?
 

SirDice

You can't change an IP address or change the routing inside a jail. If the host is able to access the internet you should now concentrate on ipfw/nat.

It's quite likely your NAT isn't set up correctly. I don't use ipfw/natd (I use PF) so I can't really help with that.
 
ProFTP (OP)

I need to write ipfw -f flush

and then add this to rc.conf or to pf.conf?


Code:
lan_if="em0"
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
jail_vps_server_ip="123.xx.yyy.zz"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
 
ProFTP (OP)

But how do I do it if jail_vps_server_ip="123.xx.yyy.zz" is a local address?
 
ProFTP (OP)

Code:
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"

It is the same as in the example... ok...
 
ProFTP (OP)

server:
Code:
ipfw -f flush
Code:
kldload pf.ko
Code:
lan_if="rl0"
lan_if_subnet="10.8.0.0/8"
lan_if_ip="10.8.0.100"
jail_vps_server_ip="192.168.1.231"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
Code:
# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
Code:
# /usr/local/etc/rc.d/ezjail.sh restart
rcorder: could not open log: No such file or directory
Stopping jails: apachejail.
Configuring jails:.
Starting jails:/etc/rc.d/jail: INFO: Mounting fstab for jail apachejail (/etc/fstab.apachejail)
/etc/rc.d/jail: INFO: Mounting devfs on /home/jails/apachejail/dev
/etc/rc.d/jail: INFO: Mounting fdescfs on /home/jails/apachejail/dev/fd
/etc/rc.d/jail: INFO: Mounting procfs onto /home/jails/apachejail/proc

Code:
jail /home/jails/apachejail apachejail 192.168.1.231 /bin/csh
Code:
# ping 74.125.127.100
PING 74.125.127.100 (74.125.127.100): 56 data bytes
^C^C
--- 74.125.127.100 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
apachejail#
 
ProFTP (OP)

Code:
apachejail # ping 10.8.0.100
PING 10.8.0.58 (10.8.0.58): 56 data bytes
64 bytes from 10.8.0.58: icmp_seq=0 ttl=128 time=0.085 ms
64 bytes from 10.8.0.58: icmp_seq=1 ttl=128 time=0.078 ms
64 bytes from 10.8.0.58: icmp_seq=2 ttl=128 time=0.077 ms
^C
--- 10.8.0.58 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.077/0.080/0.085/0.004 ms
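An added example (mine, not code from this thread or from pf) that models which of the jail's packets the pf nat rule used above actually rewrites, given its "to $lan_if_subnet" clause. The addresses are the ones posted in this thread; the "to any" variant is an assumption for a jail that must reach hosts outside the LAN.

```python
import ipaddress

# Added example, not code from the thread or from pf. It models how the
# "from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip" part of a pf
# nat rule selects which packets get their source address rewritten.
# Host-side values below are the ones the OP posted; the "to any" variant
# is an assumption about a jail that needs to reach the Internet.
LAN_IF_IP = "10.8.0.100"          # host address on rl0
JAIL_IP = "192.168.1.231"         # jail alias on rl0
THREAD_RULE_TO = "10.8.0.0/8"     # destination filter the OP used
ANY_RULE_TO = "any"               # translate regardless of destination


def nat_applies(rule_to, src, dst, jail_ip=JAIL_IP, lan_if_ip=LAN_IF_IP):
    """Return the translated source address if the nat rule matches a packet
    src -> dst, or None if pf would forward the packet untranslated.

    rule_to is the CIDR in the rule's "to" clause, or "any". strict=False
    applies the mask the way pf's address/mask comparison does, so
    10.8.0.0/8 covers the whole 10.0.0.0/8 range.
    """
    if ipaddress.ip_address(src) != ipaddress.ip_address(jail_ip):
        return None  # rule is scoped to the jail's source address
    if rule_to != "any":
        net = ipaddress.ip_network(rule_to, strict=False)
        if ipaddress.ip_address(dst) not in net:
            return None  # destination outside "to" network: no translation
    return lan_if_ip


def pf_nat_line(lan_if, lan_if_ip, jail_ip, rule_to="any"):
    """Build the host-side pf nat line in the shape used in the thread."""
    return (f"nat on {lan_if} inet proto {{ tcp, udp, icmp }} "
            f"from {jail_ip} to {rule_to} -> {lan_if_ip}")


def explain(rule_to, destinations=("10.8.0.100", "74.125.127.100")):
    """Map each destination to the source address that leaves rl0."""
    return {dst: nat_applies(rule_to, JAIL_IP, dst) or JAIL_IP
            for dst in destinations}


if __name__ == "__main__":
    for rule_to in (THREAD_RULE_TO, ANY_RULE_TO):
        print(pf_nat_line("rl0", LAN_IF_IP, JAIL_IP, rule_to))
        for dst, src in explain(rule_to).items():
            print(f"  to {dst}: leaves rl0 from {src}")
```

With the thread's rule the two pings shown in this post and the previous one behave differently: the LAN destination is translated, the outside one leaves rl0 with the jail's 192.168.1.231 source address.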
 
ProFTP (OP)

============

There is no "device bpf" option (# Berkeley packet filter) in my kernel. Can that affect NAT? Can NAT fail to work because of it?
 