Date:      Tue, 20 Jul 2010 16:23:32 -0400
From:      alexus <alexus@gmail.com>
To:        Erik Norgaard <norgaard@locolomo.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipnat.conf - map and rdr won't work!
Message-ID:  <AANLkTimFKATt4_4umseRhcrDl7BLkOuNvOfuXIGHrdJB@mail.gmail.com>
In-Reply-To: <4C45F0F1.7010609@locolomo.org>
References:  <AANLkTilVTo36Fzdh2DKAQhRjyDj8MNUuV9dhwvQ7Gf-V@mail.gmail.com> <AANLkTinh0CykJ1Av3f2THPDFOLS0YtYLDvRMHXm_wD3w@mail.gmail.com> <4C3F91CF.5090206@locolomo.org> <AANLkTin6hYyHiG8taifkNHPBtKI0rKOkAaGRYodV1LLC@mail.gmail.com> <4C419944.8030702@locolomo.org> <AANLkTin8H47Z7suztGnWpa8fm-XIagQ6vzlxP85OIT-B@mail.gmail.com> <4C447F7F.6020308@locolomo.org> <AANLkTinM1E2Obrs8VqSsm3S_jcXqbw_Q1YLkc51tgJsS@mail.gmail.com> <4C45D57F.2020506@locolomo.org> <AANLkTinXjSXlL59mVU5bh-cIqxwHg5C3pgOsA7tcqFMk@mail.gmail.com> <4C45F0F1.7010609@locolomo.org>

On Tue, Jul 20, 2010 at 2:54 PM, Erik Norgaard <norgaard@locolomo.org> wrote:
> On 20/07/10 20.07, alexus wrote:
>>
>> On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard <norgaard@locolomo.org> wrote:
>> Plan B is to run natd, but I'd rather run ipnat, especially since ipnat
>> used to work before with no problem!
>
> Maybe move away from what used to work and towards what is working :)
> Whichever you prefer, just stick to one solution only.

Right, yet I still would like to know where the problem is :))

>> su-3.2# ping -c1 lama
>> PING lama (172.16.172.16): 56 data bytes
>> 64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms
>>
>> --- lama ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
>> su-3.2#
>>
>> The IP address tells me that this is in fact the jail's IP.
>
> Yes and no, if you shut down your jail you should still be able to ping that
> ip as I read your snippet from your rc.conf.

You're right, I'm pinging an IP that resides on another interface and
doesn't really belong to the jail in the first place.
You asked me if I can ping the jail from the host; I don't know how else I can
test it then.
Pinging the IP is kind of pointless then, so I ssh in, and that seems to be
working. What else can I try?

>>> So I suppose that from your host environment you can ssh into the jail?
>>> Did
>>> ssh start up, netstat -l? From the jail, can you ping the host
>>> environment?
>>
>> su-3.2# jls
>>    JID  IP Address      Hostname                      Path
>>      1  172.16.172.16   lama                          /usr/jail/lama
>> su-3.2# jexec 1 /etc/rc.d/sshd status
>> sshd is running as pid 1085.
>> su-3.2# ps -p 1085
>>   PID  TT  STAT      TIME COMMAND
>>  1085  ??  IsJ    0:00.00 /usr/sbin/sshd
>> su-3.2#
>>
>
> OK, but you didn't check where your ssh binds.

su-3.2# netstat -tan | grep LISTEN | grep 22
tcp4       0      0 172.16.172.16.22       *.*                    LISTEN
su-3.2#

Would that be sufficient? I just don't know how else I can see ..

>> I know, I can run it with that IP address as an alias on the public interface,
>> but we added another NIC on purpose to be the private NIC.
>
> Well, read the man jail(8):
>
> ip4.addr
>      A comma-separated list of IPv4 addresses assigned to the prison.
>      If this is set, the jail is restricted to using only these
>      addresses.  Any attempts to use other addresses fail, and attempts
>      to use wildcard addresses silently use the jailed address
>      instead. ...
>
> If I understand this correctly, remove the line
>
>   jail_lama_ip="172.16.172.16"
>
> from your rc.conf and your jail can then bind to port 22 on the external
> interface thus bypassing the need for nat. This is ok, since all you did was
> redirecting traffic. And the map rule shouldn't be necessary either, nor
> should the fxp interface.
>
> BR, Erik
>

I actually like this idea, I think I'm going to give that a shot...
I'll let you know how that works out...

-- 
http://alexus.org/
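The thread's diagnostic step (check where sshd actually binds with netstat, then compare that with what the ipnat rdr rule points at) can be scripted. The following is an added example by the editor, not code from either participant: it cross-checks every `rdr` target in an ipnat.conf against the LISTEN sockets in BSD-style `netstat -an` output and reports rdr rules whose target ip:port has no listener, which is the usual reason an rdr "won't work". The ipnat.conf and netstat text are constructed samples; the interface name `fxp0` comes from the thread, while ports 2222, 8080 and 443 and the second jail address 172.16.172.17 are assumptions for illustration. Note that Erik's shortcut (removing `jail_lama_ip`) lifts the restriction described in the quoted jail(8) text, so the jail is then no longer confined to one address; that is a trade-off to weigh against keeping the rdr rule.

```shell
#!/bin/sh
# Cross-check ipnat rdr targets against listening sockets.
# Added example: runs offline on the constructed samples below.

# Constructed ipnat.conf (assumption: ports and the .17 address are illustrative).
SAMPLE_IPNAT='map fxp0 172.16.172.0/24 -> 0/32
rdr fxp0 0.0.0.0/0 port 2222 -> 172.16.172.16 port 22 tcp
rdr fxp0 0.0.0.0/0 port 8080 -> 172.16.172.17 port 80 tcp
rdr fxp0 0.0.0.0/0 port 443 -> 172.16.172.16 port 443 tcp'

# Constructed BSD-style `netstat -an` output: sshd bound to the jail IP only,
# plus one host-wide wildcard listener on port 80.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 172.16.172.16.22       *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN'

# rdr_targets IPNAT_TEXT -> one "ip port" line per rdr rule (map rules ignored).
rdr_targets() {
    printf '%s\n' "$1" | awk '
        $1 == "rdr" {
            for (i = 1; i <= NF; i++) if ($i == "->") {
                ip = $(i + 1); port = $(i + 3)
                sub(/\/.*/, "", port)        # tolerate "port 22/tcp" spelling
                print ip, port
            }
        }'
}

# listeners NETSTAT_TEXT -> one "ip port" line per LISTEN socket; ip is "*" for wildcard.
listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            n = split($4, a, ".")            # BSD netstat joins ip and port with "."
            port = a[n]; ip = ""
            for (i = 1; i < n; i++) ip = ip (i > 1 ? "." : "") a[i]
            print ip, port
        }'
}

# check_rdr IPNAT_TEXT NETSTAT_TEXT
# Prints "OK ip port" when a listener exists on that ip (or a wildcard on that port),
# "MISSING ip port" otherwise. Returns 1 if any target is missing, else 0.
check_rdr() {
    listeners "$2" | awk -v rules="$(rdr_targets "$1")" '
        { have[$1 "." $2] = 1; if ($1 == "*") anyport[$2] = 1 }
        END {
            status = 0
            n = split(rules, r, "\n")
            for (i = 1; i <= n; i++) {
                split(r[i], f, " ")
                if (have[f[1] "." f[2]] || anyport[f[2]]) print "OK", f[1], f[2]
                else { print "MISSING", f[1], f[2]; status = 1 }
            }
            exit status
        }'
}

# Stand-alone run on the samples: the 443 rule has no listener behind it.
check_rdr "$SAMPLE_IPNAT" "$SAMPLE_NETSTAT" || echo "some rdr targets have no listener"
```

On a real host, feed it `cat /etc/ipnat.conf` and `netstat -an` taken from the host environment (as in the thread, the jail's sockets show up there with the jail's address). A MISSING line means the rdr rule is fine but nothing answers at the target; an OK line for a target that still does not work points at the map rule, the interface in the rule, or the firewall instead.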
