jail nat route

Hi

Problem:
(without a jail the network works well!!!)

Code:
                 INTERNET

                ++
               10.0.0.1 
194.xx.xx.xx <- Gateway -> 
from 10.7.0.100 
(NAT)

                ++
     rl0 10.7.0.100 jail
         <- server0 -> 
                ++

   <- jail 192.168.1.231 
      jail alias on rl0
     192.168.1.231/32

194.xx.xx.xx =NAT= 10.7.0.100


I did as described here:
http://www.scottro.net/qnd/qnd-ezjail.html

Code:
ifconfig_rl0_alias0="inet 192.168.1.231/32" 

natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

ezjail_enable="YES"

 jail_apachejail_hostname="apachejail"
 jail_apachejail_ip="192.168.1.231"
 jail_apachejail_rootdir="/home/jails/apachejail"
 jail_apachejail_exec="/bin/sh /etc/rc"
 jail_apachejail_mount_enable="YES"
 jail_apachejail_interface="rl0"
 jail_apachejail_devfs_enable="YES"
 jail_apachejail_devfs_ruleset="devfsrules_jail"
 jail_apachejail_procfs_enable="YES"
 jail_apachejail_fdescfs_enable="YES"

/etc/natd.conf
Code:
-redirect_address 192.168.1.231 10.7.0.100

or, for testing, with ipfw:
Code:
#!/bin/sh
# wipe the current ruleset without the confirmation prompt
ipfw -q -f flush

ipfw add 100 check-state
# divert only packets that arrive *in* via rl0 with the jail's source address
ipfw add divert 8668 ip from 192.168.1.231 to any in via rl0
#ipfw add divert natd all from any to any in via rl0
ipfw add allow ip from any to any

jail:

/home/jails/apachejail/etc/rc.conf
Code:
rpc_bind_enable="NO"
inetd_enable="YES"
network_interfaces="rl0"
sshd_enable="YES"
sendmail_enable="NO"
defautrouter="10.7.0.100"
early_late_divider="NETWORKING"

/home/jails/apachejail/etc/hosts
Code:
127.0.0.1	apachejail.example.com		apachejail

reboot...

Code:
home# jail /home/jails/apachejail apachejail 192.168.1.231

So far OK!

ping google.com does not work!!

I changed
Code:
security.jail.socket_unixiproute_only=1
or
Code:
security.jail.socket_unixiproute_only=0

however:
Code:
jail# route add default 10.7.0.100
route: writing to routing socket: Operation not permitted


ifconfig:
Code:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=48<VLAN_MTU,POLLING>
	ether 00:0e:
	inet 10. netmask 0xffff0000 broadcast 10.7.255.255
	inet 192.168.1.231 netmask 0xffffffff broadcast 192.168.1.231
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

jail:
apachejail# ifconfig
Code:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:0e:
        inet 192.168.1.231 netmask 0xffffffff broadcast 192.168.1.231
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

If I haven't forgotten anything, that's all of it...
As you can see, it does not ping. How can I affect the network? How do I solve the problem?
 
ProFTP said:
ping google.com does not work!!
Ok. What's the error message?

You probably forgot to set the DNS servers in /etc/resolv.conf inside the jail.
 
Code:
jailtest # ping 74.125.67.100
PING 74.125.67.100 (74.125.67.100): 56 data bytes
 
Do you actually have any routing / default gateway? netstat -rn on host and in the jail?
 
host machine:
Code:
#netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.8.0.1           UGS         0    40408    rl0
10.8.0.0/16        link#1             U           0      104    rl0
10.8.0.100          link#4             UHS         0      936    lo0
127.0.0.1          link#4             UH          0     5994    lo0
192.168.1.231      link#4             UHS         0      122    lo0 =>
192.168.1.231/32   link#1             U           0        0    rl0

jail:
Code:
apachejail# netstat -rn
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist
 
Excuse me, what is this error? Must it be like this, or is it a serious error?
Is this possible in a jail at all?
 
First, you cannot create or modify networking settings inside a jail. This is a security feature. You set up everything from the host's /etc/rc.conf file. I use pf rules as follows and it works without a problem (em1 is connected to the Internets):
Code:
lan_if="em0"
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
jail_vps_server_ip="123.xx.yyy.zz"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
 
Is 123.xx.yyy.zz public or local?

Mine is local (I wanted to use a local address).

I use ipfw or natd...

How do I write the NAT with ipfw or with natd?

Is -redirect_address 192.168.1.231 10.7.0.100 really not correct?
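The question of how to write the NAT side with ipfw and natd is left open above, so here is an added example; it is not from the original post and not ezjail's own code. It is a host-side script that generates the natd configuration and the ipfw ruleset needed to translate a jail's private address out through the host's interface. The function names, rule numbers and file paths are this script's own assumptions; the interface (rl0) and the jail address (192.168.1.231) follow the thread. Two things differ from the ipfw ruleset posted earlier: the divert rule has to match packets in both directions (`via rl0`, not `in via rl0`; the jail's own packets leave the host `out via rl0` and never match an `in` rule), and `-redirect_address` is not needed for outbound NAT. With `interface rl0`, natd already rewrites the jail's source address to the interface's primary address; `-redirect_address 192.168.1.231 10.7.0.100` is static NAT and would also steer every packet arriving for the host's own address 10.7.0.100 into the jail. natd works through divert(4) sockets, which need `options IPDIVERT` in the kernel (or the ipdivert module on releases that ship one); bpf is not involved.

```shell
#!/bin/sh
# Added example (not from the original post or from ezjail): build the natd
# configuration and the ipfw ruleset that NAT a jail's private address out
# through the host's interface. Function names, rule numbers and paths are
# this script's own; interface rl0 and jail 192.168.1.231 follow the thread.

# natd.conf: alias to the primary address of the interface. No
# redirect_address: static NAT would also steer every packet arriving for
# the host's own address into the jail.
natd_conf() {
    ifc="$1"
    cat <<EOF
interface $ifc
use_sockets yes
same_ports yes
dynamic yes
EOF
}

# ipfw ruleset, loaded with "ipfw -q /etc/ipfw.rules". The divert rule must
# see both directions, hence "via" rather than "in via": the jail's packets
# leave the host "out via" the interface and would never match an "in" rule.
ipfw_rules() {
    ifc="$1"
    jail_ip="$2"
    cat <<EOF
# diagnostic counter: untranslated packets from the jail, before natd rewrites them
add 90 count ip4 from $jail_ip to any out via $ifc
add 100 divert natd ip4 from any to any via $ifc
# diagnostic counter: replies after natd has rewritten their destination back to the jail
add 110 count ip4 from any to $jail_ip in via $ifc
add 200 allow ip from any to any
EOF
}

# Apply on a FreeBSD host. Returns 1 where ipfw is not available, so the
# generators above can still be exercised on another machine.
apply_jail_nat() {
    ifc="$1"
    jail_ip="$2"
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not present on this host" >&2; return 1; }
    natd_conf "$ifc" > /etc/natd.conf
    ipfw_rules "$ifc" "$jail_ip" > /etc/ipfw.rules
    # ping inside a jail opens a raw ICMP socket, which jails refuse by default
    # ("ping: socket: Operation not permitted")
    sysctl security.jail.allow_raw_sockets=1 >/dev/null
    ipfw -q -f flush
    ipfw -q /etc/ipfw.rules
    # To make this persistent, rc.conf (assumed values) would carry:
    #   natd_enable="YES"  natd_interface="$ifc"  natd_flags="-f /etc/natd.conf"
    #   firewall_enable="YES"  firewall_type="/etc/ipfw.rules"
}
```

After `apply_jail_nat rl0 192.168.1.231`, `ipfw show` answers the "how do you see it" question: the counter on rule 90 climbing while a ping runs inside the jail means the jail's packets reach the host's stack; the counter on rule 110 climbing means replies are coming back and being translated. If 90 moves and 110 does not, the problem is upstream of the host (the gateway not routing back to the host address), not in the jail.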
 
Check the default gateway on the host. It should probably not be pointing to 10.8.0.1.

Make sure the host is able to reach the internet before testing/configuring the jail.
 
Did I misunderstand what to do?

Comment it out?
/home/jails/apachejail/etc/rc.conf
# defautrouter="10.7.0.100"
 
Forget about the jail for a minute and make sure the host itself is able to access the Internet.
 
If not from the jail, ping works...

Without the jail everything works! From the jail it does not ping.

Or what did you mean? Could you explain what to do?
(without the jail everything works)
 
Code:
jail# route add default 10.7.0.100
route: writing to routing socket: Operation not permitted
And what do I do about this?
Is it supposed to be like this?
 
You can't change an IP address or change the routing inside a jail. If the host is able to access the internet you should now concentrate on ipfw/nat.

It's quite likely your NAT isn't setup correctly. I don't use ipfw/natd (I use PF) so I can't really help with that.
 
I need to run ipfw -f flush

and add it to rc.conf or to pf.conf?

 
Code:
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
That is how it is in the example... ok...
 
server:
Code:
ipfw -f flush

Code:
kldload pf.ko

Code:
lan_if="rl0"
lan_if_subnet="10.8.0.0/8"
lan_if_ip="10.8.0.100"
jail_vps_server_ip="192.168.1.231"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip

Code:
# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

Code:
# /usr/local/etc/rc.d/ezjail.sh restart
rcorder: could not open log: No such file or directory
Stopping jails: apachejail.
Configuring jails:.
Starting jails:/etc/rc.d/jail: INFO: Mounting fstab for jail apachejail (/etc/fstab.apachejail)
/etc/rc.d/jail: INFO: Mounting devfs on /home/jails/apachejail/dev
/etc/rc.d/jail: INFO: Mounting fdescfs on /home/jails/apachejail/dev/fd
/etc/rc.d/jail: INFO: Mounting procfs onto /home/jails/apachejail/proc


Code:
jail /home/jails/apachejail apachejail 192.168.1.231 /bin/csh

Code:
# ping 74.125.127.100
PING 74.125.127.100 (74.125.127.100): 56 data bytes
^C^C
--- 74.125.127.100 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
apachejail#
 
Code:
apachejail # ping 10.8.0.100
PING 10.8.0.58 (10.8.0.58): 56 data bytes
64 bytes from 10.8.0.58: icmp_seq=0 ttl=128 time=0.085 ms
64 bytes from 10.8.0.58: icmp_seq=1 ttl=128 time=0.078 ms
64 bytes from 10.8.0.58: icmp_seq=2 ttl=128 time=0.077 ms
^C
--- 10.8.0.58 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.077/0.080/0.085/0.004 ms
 
============

There is no "device bpf" (Berkeley packet filter) option in my kernel. Can that affect NAT? Can NAT fail to work because of it?
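Since the thread ends on the pf attempt, here is an added example for that path; it is not from the original post and not the responder's own setup. Three things visible above matter for it. The pf rule as copied, `nat on $lan_if ... from $jail_vps_server_ip to $lan_if_subnet`, only translates packets whose destination is inside 10.0.0.0/8, so a ping to 74.125.127.100 leaves rl0 with the 192.168.1.231 source untouched and no reply can come back, while the LAN test succeeds. `pfctl -e` only enables pf and does not load a ruleset ("pf already enabled" shows it was on before); `pfctl -f /etc/pf.conf` loads the rules and `pfctl -s nat` confirms they are in. On the bpf question: natd uses divert(4) sockets and pf hooks into the IP stack through pfil, so neither needs bpf; tcpdump does, so without `device bpf` you cannot watch rl0 to debug, but NAT itself is unaffected. The script below generates a pf.conf that translates the jail to any destination, and checks the ipfw state before loading it, because an ipfw flushed on a default-deny kernel leaves only rule 65535 `deny ip from any to any`. Names, paths and the check logic are this script's own assumptions; rl0 and 192.168.1.231 follow the thread.

```shell
#!/bin/sh
# Added example (not from the original post or from the responder's setup):
# a pf.conf generator for NATing a jail's private address to any destination
# through the host's interface, with the checks worth running before blaming
# NAT. Names and paths are this script's own; rl0 and 192.168.1.231 follow
# the thread.

pf_conf() {
    ext_if="$1"
    jail_ip="$2"
    cat <<EOF
ext_if = "$ext_if"
jail_ip = "$jail_ip"
# Translate the jail's packets to *any* destination. A rule limited to
# "to 10.0.0.0/8" leaves packets for the Internet with the private source
# untouched, so replies never come back. (\$ext_if) re-reads the interface
# address at match time, so a changed host address does not break the rule.
nat on \$ext_if inet from \$jail_ip to any -> (\$ext_if)
# No filter rules: pf's default is to pass. Filter rules for the jail's
# traffic would have to match the translated source, because translation
# happens before filtering.
EOF
}

# Load the ruleset on a FreeBSD host. Returns 1 when the pf tools are absent
# or when ipfw would drop everything anyway.
apply_pf_jail_nat() {
    ext_if="$1"
    jail_ip="$2"
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not present on this host" >&2; return 1; }
    pf_conf "$ext_if" "$jail_ip" > /etc/pf.conf
    # ipfw and pf both see every packet; a flushed ipfw on a default-deny
    # kernel keeps only "65535 deny ip from any to any" and drops everything.
    if command -v ipfw >/dev/null 2>&1 && ipfw list 2>/dev/null | grep -q '^65535 deny'; then
        echo "ipfw default rule denies: add an allow rule or build the kernel with IPFIREWALL_DEFAULT_TO_ACCEPT" >&2
        return 1
    fi
    pfctl -nf /etc/pf.conf || return 1       # syntax check only, loads nothing
    pfctl -f /etc/pf.conf || return 1        # this is what actually loads the rules
    pfctl -e 2>/dev/null || true             # fails harmlessly if pf is already enabled
    # ping inside a jail opens a raw ICMP socket, which jails refuse by default
    sysctl security.jail.allow_raw_sockets=1 >/dev/null
}
```

After `apply_pf_jail_nat rl0 192.168.1.231`, `pfctl -s nat` should list the single nat rule and `pfctl -s state` should show a state entry for each ping while it runs inside the jail; a state entry with the translated source and no reply counter means the upstream gateway is not routing back to the host, which is a routing problem on the host or gateway and not something the jail can fix.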
 