# redirecting host port to jail port

## ta0kira (Mar 19, 2013)

There are a lot of threads here, and elsewhere, dealing with this issue in its various forms. I've tried to adapt the suggestions in these three threads, with no success:
http://forums.freebsd.org/showthread.php?t=10565
http://forums.freebsd.org/showthread.php?t=38351
http://forums.freebsd.org/showthread.php?t=17172

I have sshd running on port 2022 in the jail, and on port 22 in the host environment. Both are only bound to their respective IP addresses (host: 192.168.1.4, jail: 192.168.0.1.) I want to forward port 2022 from the host to 2022 in the jail.

/etc/rc.conf (with the irrelevant things removed):

```
ifconfig_re0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
```

pf.conf (the second rule is there just to see if it works from the host to itself):

```
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 3022 -> 192.168.1.4 port 22

pass in all
pass out all
```

`ifconfig re0` (jail sets up the alias 192.168.0.1):

```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether XX:XX:XX:XX:XX:XX
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.0.1 netmask 0xffffffff broadcast 192.168.0.1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        maclabel biba/equal(equal-equal),mls/low(low-low)
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

sshd is definitely running on 192.168.0.1:2022 because I can ssh to it from the host. `sudo pfctl -sa -P` also shows the two forwarding rules. `ssh 192.168.1.4 -p 2022` and `ssh 192.168.1.4 -p 3022` both fail, however (the latter isn't important; it's just there for additional debugging.) I get an immediate "Connection refused", which to me means nothing is there to receive the connection.

I don't really have experience with routing and firewall configuration, so I'm not sure if there's a problem with my network configuration, with my jail, or with something else (like MAC, which I have enabled.) In any case, it obviously doesn't work from the host to itself, either, so I'm guessing I missed an important configuration step somewhere.

I also tried natd, but that wasn't helpful and I couldn't figure out how to show the status of what it was forwarding.

Thanks!

Kevin Barry


----------



## SirDice (Mar 19, 2013)

ta0kira said:

> ```
> nat pass on re0 inet proto tcp from any to 192.168.1.4 port 3022 -> 192.168.1.4 port 22
> ```

This isn't going to work. If you want to change the port why don't you simply edit /etc/ssh/sshd_config?


----------



## ta0kira (Mar 19, 2013)

SirDice said:

> This isn't going to work. If you want to change the port why don't you simply edit /etc/ssh/sshd_config?

You missed my comment about that being there for testing purposes only. I'm really trying to get 192.168.1.4:2022 -> 192.168.0.1:2022 working, but I had that other one there in case it had something to do with the jail's IP address.

Could you give me a hint about _why_ that line won't work, though? That might help me solve the other problem, since the problem seems to be my own ignorance about networking.

Thanks!

Kevin Barry


----------



## SirDice (Mar 19, 2013)

It's the wrong way around. And there's really no need to NAT. If you do want to use NAT, I'd clone a lo1 and bind the services to that. 

In that case it's going to be something like:

```
# This is for outgoing traffic
nat on re0 from any to any -> (re0)

# This is for incoming traffic
rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
```


----------



## ta0kira (Mar 19, 2013)

SirDice said:

> ```
> # This is for incoming traffic
> rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
> ```

Thanks! This actually worked. I had something similar before, but your comments made me realize that I need to test it from _outside_ the host! I was doing that to start with, but after several solutions failed, I just started trying to ssh from the host in between service restarts. That being said, why wouldn't the NAT have let me `ssh 192.168.1.4 -p 2022` from a session run on 192.168.1.4?

Thanks again!

Kevin Barry


----------



## kpa (Mar 19, 2013)

That's because pf(4) in FreeBSD lacks the ability to "bounce" the connection back to the interface it originates from.


----------



## ta0kira (Mar 19, 2013)

SirDice said:

> ```
> # This is for outgoing traffic
> nat on re0 from any to any -> (re0)
> ```

I also needed to add a variation of this for outbound connections, in case someone else comes across this thread and wants the complete solution:

```
#redirect outbound connections from the jail to the real IP
nat on re0 from 192.168.0.1 to any -> 192.168.1.4

#redirect inbound connections to the real IP to the jail's IP
rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 22

pass in keep state
pass out keep state
```
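The two points made in this thread (SirDice: an inbound port redirection is `rdr`, not `nat`, which rewrites the source of outbound traffic; kpa: an `rdr on re0` rule never sees a connection the host makes to its own address, so testing from the host itself proves nothing) can be turned into a small pre-flight check. The script below is an added example, not code from any of the posters or from the pf project. It parses only the subset of pf.conf syntax used in this thread, flags a `nat` rule that is really an inbound redirection, and models rule matching with the simplification that locally originated packets never arrive on the external interface; `HOST_ADDRS`, `FIRST_ATTEMPT` and `WORKING` are constructed from the rules posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Subset of pf translation-rule syntax seen in this thread:
#   nat|rdr [pass] on IFACE [inet] [proto P] from SRC to DST [port N] -> TARGET [port M]
RULE_RE = re.compile(
    r"^(?P<kind>nat|rdr)(?:\s+pass)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+inet6?)?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\d+))?"
    r"\s*->\s*(?P<target>\S+)(?:\s+port\s+(?P<tport>\d+))?$"
)


@dataclass
class Rule:
    line_no: int
    kind: str
    iface: str
    src: str
    dst: str
    dport: Optional[int]
    target: str
    tport: Optional[int]


def parse_rules(conf: str) -> List[Rule]:
    """Return the nat/rdr rules in a pf.conf fragment; comments and filter rules are skipped."""
    rules = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        rules.append(Rule(no, g["kind"], g["iface"], g["src"], g["dst"],
                          int(g["dport"]) if g["dport"] else None,
                          g["target"],
                          int(g["tport"]) if g["tport"] else None))
    return rules


def lint(rules: List[Rule], host_addrs: Set[str]) -> List[str]:
    """Flag 'nat' rules written as if they were inbound redirections.

    nat rewrites the source address of outbound packets. A rule that matches on a
    destination port, or on one of the host's own addresses as destination, is an
    inbound redirection and has to be written with 'rdr'."""
    problems = []
    for r in rules:
        if r.kind == "nat" and (r.dport is not None or r.dst in host_addrs):
            problems.append(f"line {r.line_no}: 'nat' used for an inbound redirection "
                            f"to {r.dst} port {r.dport}; this needs 'rdr'")
    return problems


def redirect_inbound(rules: List[Rule], iface: str, dst: str, dport: int,
                     locally_originated: bool) -> Optional[Tuple[str, int]]:
    """Model which rdr rule applies to a new TCP connection to dst:dport.

    Simplification (an assumption of this example): a connection the host makes to
    one of its own addresses never arrives on the external interface, so an
    'rdr on re0' rule is not consulted for it and None is returned."""
    if locally_originated:
        return None
    for r in rules:
        if r.kind != "rdr" or r.iface != iface:
            continue
        if r.dst not in ("any", dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return (r.target, r.tport if r.tport is not None else dport)
    return None


# Constructed input: the first attempt from the opening post and the final working rule set.
FIRST_ATTEMPT = """
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 2022
nat pass on re0 inet proto tcp from any to 192.168.1.4 port 3022 -> 192.168.1.4 port 22
pass in all
pass out all
"""
WORKING = """
#redirect outbound connections from the jail to the real IP
nat on re0 from 192.168.0.1 to any -> 192.168.1.4
#redirect inbound connections to the real IP to the jail's IP
rdr on re0 inet proto tcp from any to 192.168.1.4 port 2022 -> 192.168.0.1 port 22
pass in keep state
pass out keep state
"""
HOST_ADDRS = {"192.168.1.4", "192.168.0.1"}  # host address plus the jail alias, both on re0


def check(conf: str) -> List[str]:
    return lint(parse_rules(conf), HOST_ADDRS)


if __name__ == "__main__":
    for problem in check(FIRST_ATTEMPT):
        print(problem)
    rules = parse_rules(WORKING)
    # From another machine the redirection applies; from the host itself it does not.
    print(redirect_inbound(rules, "re0", "192.168.1.4", 2022, locally_originated=False))
    print(redirect_inbound(rules, "re0", "192.168.1.4", 2022, locally_originated=True))
```

Running it against the first attempt reports both `nat` lines; the working set passes the lint, and the model shows why an `ssh 192.168.1.4 -p 2022` from the host itself still ends in "Connection refused" (nothing on the host listens on 192.168.1.4:2022 and the redirection is not applied) while the same connection from outside lands on the jail.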


----------

