Date:      Tue, 20 Jul 2010 20:54:41 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        google@alexus.org
Cc:        alexus <alexus@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: ipnat.conf - map and rdr won't work!
Message-ID:  <4C45F0F1.7010609@locolomo.org>
In-Reply-To: <AANLkTinXjSXlL59mVU5bh-cIqxwHg5C3pgOsA7tcqFMk@mail.gmail.com>
References:  <AANLkTilVTo36Fzdh2DKAQhRjyDj8MNUuV9dhwvQ7Gf-V@mail.gmail.com>	<AANLkTinh0CykJ1Av3f2THPDFOLS0YtYLDvRMHXm_wD3w@mail.gmail.com>	<4C3F91CF.5090206@locolomo.org>	<AANLkTin6hYyHiG8taifkNHPBtKI0rKOkAaGRYodV1LLC@mail.gmail.com>	<4C419944.8030702@locolomo.org>	<AANLkTin8H47Z7suztGnWpa8fm-XIagQ6vzlxP85OIT-B@mail.gmail.com>	<4C447F7F.6020308@locolomo.org>	<AANLkTinM1E2Obrs8VqSsm3S_jcXqbw_Q1YLkc51tgJsS@mail.gmail.com>	<4C45D57F.2020506@locolomo.org> <AANLkTinXjSXlL59mVU5bh-cIqxwHg5C3pgOsA7tcqFMk@mail.gmail.com>

On 20/07/10 20.07, alexus wrote:
> On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard <norgaard@locolomo.org> wrote:
> plan b is to run natd, but i'd rather run ipnat especially that ipnat
> used to work before no problem!

Maybe move away from what used to work and towards what is working :) 
Whichever you prefer, just stick to one solution only.

> su-3.2# ping -c1 lama
> PING lama (172.16.172.16): 56 data bytes
> 64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms
>
> --- lama ping statistics ---
> 1 packets transmitted, 1 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
> su-3.2#
>
> ip address tells me that this is in fact jail's IP

Yes and no, if you shut down your jail you should still be able to ping 
that ip as I read your snippet from your rc.conf.

>> So I suppose that from your host environment you can ssh into the jail? Did
>> ssh start up, netstat -l? From the jail, can you ping the host environment?
>
> su-3.2# jls
>     JID  IP Address      Hostname                      Path
>       1  172.16.172.16   lama                          /usr/jail/lama
> su-3.2# jexec 1 /etc/rc.d/sshd status
> sshd is running as pid 1085.
> su-3.2# ps -p 1085
>    PID  TT  STAT      TIME COMMAND
>   1085  ??  IsJ    0:00.00 /usr/sbin/sshd
> su-3.2#
>

OK, but you didn't check where your ssh binds.

> i know, i can run it that IP address as an alias on public interface,
> but we on purpose added another NIC to be private NIC.

Well, read the man jail(8):

ip4.addr
       A comma-separated list of IPv4 addresses assigned to the prison.
       If this is set, the jail is restricted to using only these
       addresses.  Any attempts to use other addresses fail, and attempts
       to use wildcard addresses silently use the jailed address
       instead. ...

If I understand this correctly, remove the line

   jail_lama_ip="172.16.172.16"

from your rc.conf and your jail can then bind to port 22 on the external 
interface thus bypassing the need for nat. This is ok, since all you did 
was redirecting traffic. And the map rule shouldn't be necessary either, 
nor should the fxp interface.

BR, Erik
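As an added example (not from Erik's message or anyone else in the thread), here is a small POSIX sh script that performs the check Erik asks for: where sshd actually binds inside the jail, and whether an ipnat rdr rule is therefore still needed to reach it from outside. The sockstat(1) output is constructed to mimic FreeBSD's `sockstat -4l` column layout, and the jail IP 172.16.172.16 is taken from the thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original thread. The sockstat sample below is
# constructed to mimic `sockstat -4l` on FreeBSD; column layout is:
#   USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"
# Real use: run `jexec <jid> sockstat -4l` and pipe it through the functions.

JAIL_IP=172.16.172.16   # the jail address from the thread

sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1085  4  tcp4   172.16.172.16:22      *:*
root     syslogd    650   6  udp4   *:514                 *:*
EOF
}

# Emit "PID LOCAL_ADDRESS" for every sshd socket; line 1 is the header.
sshd_listeners() {
    awk 'NR > 1 && $2 == "sshd" { print $3, $6 }'
}

# Classify one local address (addr:port) relative to the jail IP ($2):
# bound to the jail IP itself, to the wildcard, or to some other address.
# Note that with ip4.addr set, a wildcard bind inside the jail silently
# becomes the jail IP, so "wildcard" only shows up once that line is gone.
classify_listener() {
    addr=${1%:*}
    case "$addr" in
        "$2") echo jail-ip ;;
        '*')  echo wildcard ;;
        *)    echo other ;;
    esac
}

# Read "PID LOCAL_ADDRESS" lines on stdin and decide whether an ipnat rdr
# rule is still required to reach sshd from outside:
#   yes         every sshd listener is on the private jail IP only
#   no          at least one listener is on the wildcard / external address
#   no-listener sshd is not listening at all (rdr would not help)
rdr_needed() {
    jail_ip=$1
    needed=yes
    count=0
    while read -r pid laddr; do
        count=$((count + 1))
        [ "$(classify_listener "$laddr" "$jail_ip")" = jail-ip ] || needed=no
    done
    if [ "$count" -eq 0 ]; then
        echo no-listener
    else
        echo "$needed"
    fi
}

# Usage with the constructed sample (prints "yes": sshd sits on the jail IP).
sample_sockstat | sshd_listeners | rdr_needed "$JAIL_IP"
```

If the result is `yes`, external clients can only reach sshd through an rdr rule; if, after removing `jail_lama_ip` from rc.conf as Erik suggests, the listener shows up on the wildcard or the external address, the result flips to `no` and the rdr (and map) rules can go.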



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C45F0F1.7010609>