Multiple domains inside of jails on a VPS

I'm new to FreeBSD. I have a VPS running FreeBSD 10.1 and I'm trying to set up a few small websites running WordPress with nginx, each in its own jail.

I followed this guide to set up internal IPs for each of the jails, but I can't seem to access them from a browser. I can ping them from inside the host when connected via SSH, and when I look at the open ports via sockstat -4l I can see that port 80 is open on the jails, but they are not reachable from outside of the VPS.

Thanks
 
At first glance I'm thinking this may be a firewall issue. If so I'll go ahead and move this to the appropriate place for the widest audience. Can you check and post the output of pfctl -vs nat? That will show your nat and rdr rules with some detail.

Here's an example. Mainly I'm looking to sanity check that the rules do appear to be correct and are actually triggering some matches in the packets field and state creations.

Code:
nat on em3 inet from ! (em3) to any -> (em3:0)
  [ Evaluations: 204130    Packets: 1710368   Bytes: 1406851229  States: 281   ]
  [ Inserted: uid 0 pid 43218 State Creations: 24022 ]
rdr on em3 inet proto tcp from any to <firewall> port = 2222 tag SSH -> (em3:0) port 22
  [ Evaluations: 52268     Packets: 24        Bytes: 4522        States: 0     ]
  [ Inserted: uid 0 pid 43218 State Creations: 3     ]

It may be helpful to post your entire /etc/pf.conf as well. The how-to guide shown uses an example that is very bare, to the point where there are no rules to allow normal outbound or inbound traffic, and it also does not include the skip-filtering-on-loopback directive that is very typical.

It would likely be desirable to not filter on the loopback, so that your jails can talk to each other and communication between processes on the host is not affected. The pf.conf(5) man page describes this. You can just use the keyword lo in the rule for both loopbacks.
set skip on <ifspec>
List interfaces for which packets should not be filtered. Packets passing in or out on such interfaces are passed as if pf was disabled, i.e. pf does not process them in any way. This can be useful on loopback and other virtual interfaces, when packet filtering is not desired and can have unexpected effects. For example:

set skip on lo0
 
Thanks for replying.

Here is the output from running pfctl -vs nat

Code:
No ALTQ support in kernel
ALTQ related functions disabled
nat pass on vtnet0 inet from 192.168.1.0/24 to any -> 114.216.17.210
  [ Evaluations: 170184    Packets: 41011     Bytes: 40253544    States: 0     ]
  [ Inserted: uid 0 pid 383 State Creations: 209   ]
rdr pass on vtnet0 inet proto tcp from any to 114.216.17.210 port = http -> 192.168.1.1
  [ Evaluations: 194657    Packets: 105       Bytes: 4740        States: 0     ]
  [ Inserted: uid 0 pid 383 State Creations: 51    ]

And here is my /etc/pf.conf file

Code:
IP_PUB="114.216.17.210"
IP_JAIL="192.168.1.1"
NET_JAIL="192.168.1.0/24"
PORT_JAIL="{80}"
scrub in all
nat pass on vtnet0 from $NET_JAIL to any -> $IP_PUB
rdr pass on vtnet0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

# for fail2ban
ext_if="vtnet0" # your interface !
table <fail2ban> persist
block quick proto tcp from <fail2ban> to $ext_if

# Ipv4 Open outgoing port TCP 123 (NTP)
pass out on $ext_if proto tcp to any port ntp

# Ipv6 Open outgoing port TCP 123 (NTP)
pass out on $ext_if inet6 proto tcp to any port ntp

# Ipv4 Open outgoing port UDP 123 (NTP)
pass out on $ext_if proto udp to any port ntp

# Ipv6 Open outgoing port UDP 123 (NTP)
pass out on $ext_if inet6 proto udp to any port ntp

It's a little messy because I wasn't sure about the format, so that is what I collected from several different tutorials.
 
Well the rules look fine. They are making state entries on both which is good. From outside your VPS, what does nc -nvvz <VPS_IP_ADDR> 80 say? Does it just hang there, say connection refused, or say succeeded?

After that, is there anything at all in the web server logs that show it received an incoming connection?

For the rules bit, see pf.conf(5) for all the details. Little things like leaving out inet and inet6 (which implies both) and being able to combine things by using tags like proto { tcp, udp } help shorten things down a bit.
 
It's working now. I put the wrong jail IP address by mistake in pf.conf.

Thanks for all your help.
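The root cause here was an rdr rule redirecting port 80 to an address no jail actually had, which pf happily counts as evaluations and state creations while the packets go nowhere. The following is an added example, not code from the thread: a POSIX sh script that expands pf.conf macros, pulls out each rdr target, and checks it against the jail address list (which on a real host would come from jls -h ip4.addr; here both the pf.conf and the jail list are constructed inline, with the jail list deliberately not containing IP_JAIL).

```shell
#!/bin/sh
# Added example, not from the thread: check that every rdr target in a
# pf.conf is an address some jail actually has. On a live host you would
# feed it `jls -h ip4.addr` output; here both inputs are constructed inline.

# Constructed pf.conf, modelled on the one posted above, with IP_JAIL
# pointing at an address that no jail below is assigned (the thread's bug).
PF_CONF='IP_PUB="114.216.17.210"
IP_JAIL="192.168.1.1"
NET_JAIL="192.168.1.0/24"
PORT_JAIL="{80}"
nat pass on vtnet0 from $NET_JAIL to any -> $IP_PUB
rdr pass on vtnet0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL'

# Constructed jail address list, one per line, as jls -h ip4.addr prints it.
JAIL_IPS='192.168.1.2
192.168.1.3'

# rdr_targets CONF: print the macro-expanded "->" target of every rdr rule.
rdr_targets() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z_][A-Za-z0-9_]*=/ {            # macro line: NAME="value"
      eq = index($0, "=")
      val = substr($0, eq + 1); gsub("\"", "", val)
      macro[substr($0, 1, eq - 1)] = val; next
    }
    /^rdr / {                                # rule: ... -> target [port N]
      t = ""
      for (i = 1; i <= NF; i++) if ($i == "->") { t = $(i + 1); break }
      if (substr(t, 1, 1) == "$") t = macro[substr(t, 2)]
      if (t != "") print t
    }'
}

# check_rdr_targets CONF JAIL_IPS: report each target; return 1 if any
# target is not a jail address (traffic would be redirected into a void).
check_rdr_targets() {
  rc=0
  for t in $(rdr_targets "$1"); do
    if printf '%s\n' "$2" | grep -qxF "$t"; then
      echo "ok: rdr -> $t is a jail address"
    else
      echo "WARNING: rdr -> $t is not assigned to any jail"; rc=1
    fi
  done
  return $rc
}

check_rdr_targets "$PF_CONF" "$JAIL_IPS" || echo "fix IP_JAIL in pf.conf"
```

Run it after pfctl -nf /etc/pf.conf passes the syntax check; a rule that parses cleanly can still point at the wrong jail, which is exactly what the counters in pfctl -vs nat will not tell you.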
 