# Inaccessible network connection in jail.



## bryn1u (Jan 16, 2013)

Hi.

I have a small dedicated server at OVH. I've installed FreeBSD 9.1 and configured a jail. I don't get why I still have no connection from the jail.

*ifconfig*:

```
root@ks3290849:/home/bryn1u # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:22:4d:87:b3:3a
        inet 5.135.184.12 netmask 0xffffff00 broadcast 5.135.184.255
        inet6 fe80::222:4dff:fe87:b33a%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
*cat /etc/rc.conf*

```
root@ks3290849:/home/bryn1u # cat /etc/rc.conf
sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="213.186.33.99"
fsck_y_enable="YES"
named_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

ifconfig_em0="inet 5.135.184.12 netmask 255.255.255.0 broadcast 5.135.184.255"
defaultrouter="5.135.184.254"

# IPv6 configuration
ipv6_static_routes="ovhgw"
ipv6_route_ovhgw="2001:41D0:8:C1ff:ff:ff:ff:ff -prefixlen 128 -interface em0"
ipv6_defaultrouter="2001:41D0:8:C1ff:ff:ff:ff:ff"
hostname="ks3290849.kimsufi.com"


# JAIL #

ezjail_enable="YES"
ifconfig_em0_alias0="inet 192.168.0.111/24"
```
*jls*

```
root@ks3290849:/home/bryn1u # jls
   JID  IP Address      Hostname                      Path
     1  192.168.0.111   http                          /usr/jail/http
```
*cat /etc/resolv.conf*

```
root@ks3290849:/home/bryn1u # cat /etc/resolv.conf
search ovh.net
nameserver 213.186.33.99
```

Of course I copied resolv.conf to /etc/resolv.conf in the jail.


```
root@ks3290849:/home/bryn1u # cat /etc/resolv.conf
search ovh.net
nameserver 213.186.33.99
root@ks3290849:/home/bryn1u #
root@ks3290849:/home/bryn1u # js
js: Command not found.
root@ks3290849:/home/bryn1u # jls
   JID  IP Address      Hostname                      Path
     1  192.168.0.111   http                          /usr/jail/http
root@ks3290849:/home/bryn1u # jexec 1 csh
root@http:/ # ping wp.pl
^C
root@http:/ # ping google.pl
^C
root@http:/ # ping 213.186.33.99
PING 213.186.33.99 (213.186.33.99): 56 data bytes
^C
--- 213.186.33.99 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
```

What's wrong with it?


----------



## SirDice (Jan 16, 2013)

First, you can't ping from inside a jail. At all. 

Second, you have defined an RFC 1918 (private range) address to your jail, how would a host on the internet be able to respond?


----------



## bryn1u (Jan 16, 2013)

I can ping from the jail; I allowed it in sysctl.conf. Always could. Is there any way to share the internet with the jail in this case?


----------



## SirDice (Jan 16, 2013)

Bind the jail to a clone of lo0 and set up NAT on em0.


----------



## fonz (Jan 16, 2013)

bryn1u said:

> ```
> root@ks3290849:/home/bryn1u # cat /etc/rc.conf
> [snip]
> ifconfig_em0_alias0="inet 192.168.0.111/24"
> ...
> ```


First, lose the /24 netmask.

Second, I seem to also need the following line in the jail's /etc/rc.conf:

```
defaultrouter="xxx.xxx.xxx.xxx"
```
 where _xxx.xxx.xxx.xxx_ is the IP address of the host, but I don't specify a default gateway on the host. So in your case I'd try 5.135.184.254 or 5.135.184.12 and see if one of them makes it work.

Third, I also need to run a small firewall on the host in order to connect the jail to the outside world. Apparently that's not always necessary, but in my case it is and it might be in yours.

Fonz

Edited to add: if you want, I can show you exactly how I set my jail(s) up. However, I manage them manually instead of with sysutils/ezjail, so you'd have to figure out for yourself how to adjust my manual procedure for use with ezjail.


----------



## fonz (Jan 16, 2013)

SirDice said:

> First, you can't ping from inside a jail. At all.

On the host: `# sysctl security.jail.allow_raw_sockets=1` and ping(8) your heart out (as far as I can tell running jails need to be restarted for the change to take effect)

Fonz


----------



## bryn1u (Jan 16, 2013)

> Edited to add: if you want, I can show you exactly how I set my jail(s) up. However, I manage them manually instead of with sysutils/ezjail, so you'd have to figure out for yourself how to adjust my manual procedure for use with ezjail.



I would be grateful


----------



## fonz (Jan 16, 2013)

bryn1u said:

> I would be greatfull[sic]


Very well, here goes.

Note that, as I said, I manage my jails manually. So adjust for use with sysutils/ezjail if you have/want to. The following example comes from my netbook, which runs 9-STABLE and uses one jail for port/kernel/world building.

*Parameters (adjust accordingly)*

- The host's network interface is lagg0.
- The host's IP address is 192.168.*178*.21 (it's behind a NAT that runs on my modem).
- The jail is located at /jail.
- The jail's IP address is 192.168.*0*.1.
- The jail's hostname is gargamel.skysmurf.nl (yes, it's a Smurfs reference).

*Create the jail* (adjust for sysutils/ezjail usage if necessary)

```
# cd /usr/src
# setenv JAILDIR /jail
# mkdir -p $JAILDIR
# make buildworld
# make installworld DESTDIR=$JAILDIR
# make distribution DESTDIR=$JAILDIR
```

*Configure the host* (adjust for sysutils/ezjail usage if necessary)

Add the following to /etc/rc.conf:

```
jail_enable="YES"
jail_list="gargamel"
jail_set_hostname_allow="NO"
jail_gargamel_rootdir="/jail"
jail_gargamel_hostname="gargamel.skysmurf.nl"
jail_gargamel_ip="lagg0|192.168.0.1,lo0|127.0.0.2"
jail_gargamel_interface="lagg0"
jail_gargamel_devfs_enable="YES"
jail_gargamel_devfs_ruleset="devfsrules_jail"
```

*Test the jail itself (without networking)* (adjust for sysutils/ezjail usage if necessary)

```
# /etc/rc.d/jail start gargamel
# jls
   JID  IP Address      Hostname                      Path
     1  192.168.0.1     gargamel.skysmurf.nl          /jail
# jexec 1 tcsh
jail# fool around a bit
jail# exit
# /etc/rc.d/jail stop gargamel
```

*Configure the jail* (from the host)

`# cp /etc/resolv.conf $JAILDIR/etc/`

Add to the jail's /etc/rc.conf:

```
defaultrouter="192.168.178.21"
```

*Setup the firewall*

Add to the host's /etc/rc.conf:

```
pf_enable="YES"
```

Add to the host's /etc/pf.conf: (create if necessary)

```
IP_PUB="192.168.178.21"
NET_JAIL="192.168.0.0/24"
scrub in all
nat pass on lagg0 from $NET_JAIL to any -> $IP_PUB
```

`# /etc/rc.d/pf start`

If you use a GENERIC kernel you may get some ALTQ-related messages but that's nothing to worry about.

*Finish up*

You should now have a working jail with network connectivity. To test, (temporarily) enable raw sockets if you haven't done so already so that you can ping(8): `# sysctl security.jail.allow_raw_sockets=1`

Start the jail again, enter and try to ping:

```
# /etc/rc.d/jail start gargamel
# jls
   JID  IP Address      Hostname                      Path
     2  192.168.0.1     gargamel.skysmurf.nl          /jail
# jexec 2 tcsh
jail# ping some.known.ip.address
jail# ping some.external.known.host (e.g. www.google.com)
jail# etc...
```

As said several times, adjust for sysutils/ezjail usage yourself. But the above works for me, hope it helps.

Fonz

P.S. This only allows the jail to connect to the outside world. To allow the outside world to connect to the jail (on specific ports) you'll need one or two additional steps in order to setup port forwarding. Ask if you need help with that.


----------



## bryn1u (Jan 16, 2013)

Thank you for motivating me. Works great. I used a slightly different way, but almost the same as you did.

/etc/rc.conf


```
pf_enable="YES"
cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-9/29"
```
/etc/pf.conf

```
IP_PUB="5.135.184.12"
IP_JAIL="192.168.0.2"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{80,443,31337}"
scrub in all
nat pass on em0 from $NET_JAIL to any -> $IP_PUB
rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
```
And we have to start it:

```
root@ks3290849:/home/bryn1u # pfctl -nf /etc/pf.conf
root@ks3290849:/home/bryn1u # service pf start
```
And I tested how it works:

```
root@ks3290849:/home/bryn1u # jls
   JID  IP Address      Hostname                      Path
     1  192.168.0.2     www                           /usr/jail/www
root@ks3290849:/home/bryn1u # jexec 1 csh
root@www:/ # ping freebsd.org
PING freebsd.org (8.8.178.135): 56 data bytes
64 bytes from 8.8.178.135: icmp_seq=0 ttl=55 time=145.651 ms
64 bytes from 8.8.178.135: icmp_seq=1 ttl=55 time=144.417 ms
64 bytes from 8.8.178.135: icmp_seq=2 ttl=55 time=149.310 ms
64 bytes from 8.8.178.135: icmp_seq=3 ttl=55 time=144.369 ms
64 bytes from 8.8.178.135: icmp_seq=4 ttl=55 time=144.875 ms
--- freebsd.org ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 144.369/145.724/149.310/1.851 ms
```
Works great! Thanks for the help, mate. These posts could make a great tutorial for other people )
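To make the NAT mechanism from fonz's walkthrough and the rdr addition above explicit, here is an added Python model (not code from the thread or from FreeBSD) of what the nat and rdr lines in the posted pf.conf do to a packet, plus the checks a practitioner would run before loading the ruleset; the addresses and ports are the ones posted above, and the function names are my own.

```python
import ipaddress

# Addresses and ports taken from the pf.conf posted in this thread
IP_PUB = "5.135.184.12"
IP_JAIL = "192.168.0.2"
NET_JAIL = "192.168.0.0/24"
PORT_JAIL = {80, 443, 31337}


def check_config(ip_pub=IP_PUB, ip_jail=IP_JAIL, net_jail=NET_JAIL):
    """Return a list of problems; an empty list means the nat/rdr pair can work."""
    pub = ipaddress.ip_address(ip_pub)
    jail = ipaddress.ip_address(ip_jail)
    net = ipaddress.ip_network(net_jail)
    problems = []
    if not jail.is_private:
        problems.append("jail address is not RFC 1918, so NAT is not needed")
    if jail not in net:
        problems.append("jail address is outside NET_JAIL; the nat rule never matches it")
    if pub in net:
        problems.append("public address lies inside NET_JAIL")
    return problems


def outbound(src, dst):
    """Model 'nat pass on em0 from $NET_JAIL to any -> $IP_PUB' on an outgoing packet."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(NET_JAIL):
        return (IP_PUB, dst)   # jail traffic leaves with the host's public source
    return (src, dst)          # the host's own traffic is left untouched


def inbound(dst, port):
    """Model 'rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL'."""
    if dst == IP_PUB and port in PORT_JAIL:
        return (IP_JAIL, port)   # only the listed ports are handed to the jail
    return (dst, port)           # e.g. sshd on port 22 still answers on the host


def render_pf_conf():
    """Emit the ruleset the two models above describe, in pf.conf syntax."""
    ports = ",".join(str(p) for p in sorted(PORT_JAIL))
    return "\n".join([
        f'IP_PUB="{IP_PUB}"', f'IP_JAIL="{IP_JAIL}"', f'NET_JAIL="{NET_JAIL}"',
        f'PORT_JAIL="{{{ports}}}"',
        "scrub in all",
        "nat pass on em0 from $NET_JAIL to any -> $IP_PUB",
        "rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL",
    ])
```

The `inbound` model also shows why the rdr line matters for exposure: every port not in `PORT_JAIL` stays with the host, so the list is the whole attack surface the jail presents to the outside.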


----------



## fonz (Jan 16, 2013)

bryn1u said:

> I used a slightly different way, but almost the same as you did.
> [snip]
> Works great! Thanks for the help, mate.


And thank *you* for reporting what you did differently (like the port forwarding part). That might help others too and warrants a click of the "thanks" button.

Fonz


----------

