Date:      Fri, 18 Oct 2013 09:53:11 -0400
From:      Alejandro Imass <aimass@yabarana.com>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Help with natd on a specific IP when multiple IPs on same interface
Message-ID:  <CAHieY7ToJMEh6e4AErO3msBMrTj7TiJYgGg4wgyBO8m2sLxTrQ@mail.gmail.com>

Hi,

A while back I posted a problem related to natd on a single interface
with multiple IPs. We use natd to enable Internet access to a
bunch of jails and also to redirect specific ports to some of the
jails, whilst other jails may be bound to public IPs as well.

The problem is that once natd is in operation, all the outbound
traffic appears to come from the first public IP assigned to the
interface.

Is there any way to more granularly configure natd (static nat
perhaps?) so that traffic that is bound to the other public IPs (i.e.
from a jail that is bound to another public IP of the same interface)
appears to come from the correct IP?

Our overall set-up is pretty simple:

a) A single nic (em0) with multiple public IPs

b) All jails have one private IP in 192.168.101.x which are all aliases of lo0

c) Some jails may have both the private IP and also a public
IP. Any public IP bound to a specific jail is unique to that jail.

d) One public IP is reserved for the base system

e) For those jails that don't have public IPs we redirect the ssh port
with natd as well, using a port number scheme xxx22 where xxx is the
last digits of the private IP

f) HTTP inbound traffic is reverse-proxied using Apache mod_proxy to
those jails that don't have public IP. The central proxy is also a
jail that is bound to the base system's public IP which traps port 80
of the base system's IP.

g) We make sure that nothing listens on *. Every service is carefully
tailored to bind to a specific IP. For example, all sshd of every jail
listen specifically on their respective private IP.

rc.conf
-----------
natd_enable="YES"
natd_interface="em0"
natd_flags="-f /etc/natd.conf"

natd.conf
--------------
redirect_port tcp 192.168.101.123:22 12322
etc...

The specific objectives to fix are:

1) For the port redirect above, to use the specific base system IP,
something like:

redirect_port tcp 192.168.101.123:22 xxx.xxx.xxx.xxx:12322

2) When a connection is made from inside a jail bound to a public IP,
that it appears to come from that public IP and not from the first IP
assigned to em0

3) That ssh -b xxx.xxx.xxx.xxx actually works correctly per point 2 above

4) Should we switch to kernel-based nat instead of natd?

Thanks in advance for any help!

-- 
Alejandro Imass



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHieY7ToJMEh6e4AErO3msBMrTj7TiJYgGg4wgyBO8m2sLxTrQ>
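The following is an added example, not the poster's configuration and not taken from the thread. It shows one way to express the layout described above (private jails on 192.168.101.0/24 behind one base-system public IP, other jails bound directly to their own public IPs, ssh forwarded on xxx22 ports) with ipfw's in-kernel NAT instead of natd. The base IP 203.0.113.10 and the two jail addresses are assumed placeholder values; the script only prints the ipfw(8) commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an ipfw ruleset that
# uses in-kernel NAT for the jail layout in the post. Assumed values:
#   BASE_IP  - the base system's public IP (placeholder from TEST-NET-3)
#   jail IPs - passed as arguments, e.g. 192.168.101.123 192.168.101.124
# Prints the commands; set APPLY=1 to run them through ipfw(8).

BASE_IP="${BASE_IP:-203.0.113.10}"   # assumption: base system's public IP
EXT_IF="${EXT_IF:-em0}"              # the single NIC carrying all public IPs
PRIV_NET="192.168.101.0/24"          # jail private range (lo0 aliases)

# ssh forward port for a jail: last octet followed by "22" (the xxx22 scheme)
ssh_port_for() {
    printf '%s22\n' "${1##*.}"
}

# Emit the ruleset. Args: private IPs of the jails that need an ssh forward.
gen_rules() {
    redirects=""
    for ip in "$@"; do
        # redirect_port with an explicit alias IP, so the forward is tied to
        # the base IP rather than to whatever address em0 lists first
        redirects="$redirects redirect_port tcp ${ip}:22 ${BASE_IP}:$(ssh_port_for "$ip")"
    done

    # One NAT instance whose alias address is pinned with "ip", not derived
    # from the interface; otherwise the first address on em0 would be used.
    echo "ipfw nat 1 config ip ${BASE_IP} same_ports${redirects}"

    # Inbound: only packets addressed to the base IP go through the NAT
    # instance. Packets for the other public IPs (jails bound to them) are
    # never translated and reach those jails directly.
    echo "ipfw add 100 nat 1 ip4 from any to ${BASE_IP} in recv ${EXT_IF}"

    # Outbound: only the private jail range is translated. A jail bound to a
    # public IP, or "ssh -b <public IP>" from the host, does not match this
    # rule and leaves em0 with its own source address intact.
    echo "ipfw add 110 nat 1 ip4 from ${PRIV_NET} to any out xmit ${EXT_IF}"

    # Placeholder final rule; a real ruleset would filter before this point.
    echo "ipfw add 65000 allow ip from any to any"
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules "$@" | while IFS= read -r cmd; do eval "$cmd"; done
else
    gen_rules "$@"
fi
```

Two caveats when trying this on a real host: rules 100 and 110 only translate traffic that actually matches them, so any other public IP on em0 passes through untouched, which is the property points 2 and 3 of the post ask for; and with the default net.inet.ip.fw.one_pass=1, a packet is accepted as soon as the nat rule has processed it, so any filtering rules must come before rule 100 or one_pass must be set to 0.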