jails and outgoing traffic ip

miks


My host has 2 public IPs (primary + 1 alias).
The aliased IP is used by a jail.
The problem is that all traffic is seen as coming from the primary address.
For example, if I telnet to some remote SMTP server from the jail, then in the remote server's log my IP is seen as the host's primary address, not the jail's (aliased) one.
Is there some way to correct it?
 

vivek


That is weird, it should not use the primary IP. Do you have a firewall on the host that changes something, like NAT?
 

miks


ifconfig:
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:15:17:14:48:a6
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:0e:2e:8d:58:7e
        inet xxx.xxx.xxx.200 netmask 0xfffffff0 broadcast xxx.xxx.xxx.207
        inet xxx.xxx.xxx.201 netmask 0xffffffff broadcast xxx.xxx.xxx.201
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
ipfw:
Code:
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
And I also have natd running. natd.conf content:
Code:
same_ports yes
use_sockets yes
deny_incoming yes
log_ipfw_denied yes
log yes
dynamic yes
interface re0
 

vivek


You are using NAT, so it is going to hide your real jail IP.
 

miks


Hmm, so it isn't possible for the box to act as a router and at the same time have a jail with its real IP in outgoing traffic?
 

vivek


You can configure the firewall to exclude your 2nd public IP from NAT, provided that the 2nd IP can route traffic to the Internet.
 

miks


Solved by adding: "ipfw add 00010 skipto 100 ip4 from xxx.xxx.xxx.xxx to any", where "xxx.xxx.xxx.xxx" is the second public IP, used by the jail.
 
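The following is an added example, not code from the thread or from the ipfw/natd projects: a small model of ipfw's first-match rule walk, fed the ruleset posted above, to show why the jail's outbound traffic reached natd and why a `skipto` numbered below the `divert` rule fixes it. The addresses are assumptions standing in for the masked ones in the post: 203.0.113.200 for the host's primary address (xxx.xxx.xxx.200), 203.0.113.201 for the jail alias (xxx.xxx.xxx.201), and 198.51.100.25 for a constructed remote SMTP server. natd itself is not modelled; a packet that hits the `divert` rule is only recorded as having been handed to natd (which would rewrite its source to re0's primary address and reinject it at the next rule). The same model also traces the reply leg addressed to the jail alias, which the poster's single outbound `skipto` does not cover and which still reaches rule 00050; that is the rule whose counters to watch with `ipfw show` when checking whether the return traffic is also being passed to natd.

```python
"""Model of ipfw(8) first-match processing for the ruleset in the thread.

Added example with constructed addresses (see lead-in); natd is not modelled.
"""
from ipaddress import ip_address, ip_network

HOST_IP = "203.0.113.200"      # assumed stand-in for xxx.xxx.xxx.200 (primary)
JAIL_IP = "203.0.113.201"      # assumed stand-in for xxx.xxx.xxx.201 (jail alias)
REMOTE_SMTP = "198.51.100.25"  # constructed remote SMTP server

# The ruleset as posted.
ORIGINAL_RULES = """
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
"""

# The poster's fix: jump past the divert rule for anything sourced from the jail.
FIXED_RULES = f"00010 skipto 100 ip4 from {JAIL_IP} to any\n" + ORIGINAL_RULES


def parse_rule(line):
    """Parse one 'ipfw list' style line of the subset used in the thread:
    NUM (allow|deny|skipto N|divert PORT) PROTO from SRC to DST [via IFACE]"""
    t = line.split()
    num, action, i = int(t[0]), t[1], 2
    target = None
    if action in ("skipto", "divert"):
        target, i = int(t[i]), i + 1
    i += 1                       # protocol keyword (ip / ip4) is not matched on here
    if t[i] != "from" or t[i + 2] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    src, dst, i = t[i + 1], t[i + 3], i + 4
    via = t[i + 1] if i < len(t) and t[i] == "via" else None
    return {"num": num, "action": action, "target": target,
            "src": src, "dst": dst, "via": via}


def parse_ruleset(text):
    """Rules are evaluated in ascending number order, so sort them that way."""
    return sorted((parse_rule(l) for l in text.strip().splitlines() if l.strip()),
                  key=lambda r: r["num"])


def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule, pkt):
    return (_addr_ok(rule["src"], pkt["src"])
            and _addr_ok(rule["dst"], pkt["dst"])
            and (rule["via"] is None or rule["via"] == pkt["iface"]))


def evaluate(rules, pkt):
    """Walk the rules; first match wins.
    Returns (final_action, diverted_to_natd, numbers_of_matched_rules)."""
    diverted, trace, i = False, [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trace.append(r["num"])
        if r["action"] == "skipto":
            # Resume at the first rule numbered >= the skipto target.
            i = next((j for j, s in enumerate(rules) if s["num"] >= r["target"]),
                     len(rules))
        elif r["action"] == "divert":
            # natd receives the packet; after translation it re-enters at the next rule.
            diverted = True
            i += 1
        else:
            return r["action"], diverted, trace
    return "deny", diverted, trace   # implicit default rule 65535


def trace_packet(rules_text, src, dst, iface="re0"):
    """Trace one packet (src -> dst on iface) through a ruleset given as text."""
    return evaluate(parse_ruleset(rules_text), {"src": src, "dst": dst, "iface": iface})


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("with skipto", FIXED_RULES)):
        print(f"{name:12} jail -> smtp :", trace_packet(text, JAIL_IP, REMOTE_SMTP))
        print(f"{name:12} host -> smtp :", trace_packet(text, HOST_IP, REMOTE_SMTP))
        print(f"{name:12} smtp -> jail :", trace_packet(text, REMOTE_SMTP, JAIL_IP))
```

With the original rules the jail's packet matches 00050 first and is handed to natd before reaching 65000; with rule 00010 in place it jumps straight to the 00100 block and is allowed without ever touching the divert rule, while the host's own traffic still goes through natd as before. The reply from the SMTP server to the jail alias still matches 00050 in both rulesets, since the added rule only selects on the source address.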