# jail nat route



## ProFTP (Jul 21, 2009)

hi

problem:
(without a jail the network works well!!!)


```
INTERNET

                ++
               10.0.0.1 
194.xx.xx.xx <- Gateway -> 
from 10.7.0.100 
(NAT)

                ++
     rl0 10.7.0.100 jail
         <- server0 -> 
                ++

   <- jail 192.168.1.231 
      jail alias rlo
     192.168.1.231/32
```

194.xx.xx.xx =NAT= 10.7.0.100


did as described here:
http://www.scottro.net/qnd/qnd-ezjail.html


```
ifconfig_rl0_alias0="inet 192.168.1.231/32" 

natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

ezjail_enable="YES"

jail_apachejail_hostname="apachejail"
jail_apachejail_ip="192.168.1.231"
jail_apachejail_rootdir="/home/jails/apachejail"
jail_apachejail_exec="/bin/sh /etc/rc"
jail_apachejail_mount_enable="YES"
jail_apachejail_interface="rl0"
jail_apachejail_devfs_enable="YES"
jail_apachejail_devfs_ruleset="devfsrules_jail"
jail_apachejail_procfs_enable="YES"
jail_apachejail_fdescfs_enable="YES"
```

/etc/natd.conf

```
-redirect_address 192.168.1.231 10.7.0.100
```

or, the ipfw test script:

```
#!/bin/sh
flush 

add 100 check-state
add divert 8668 ip from 192.168.1.231 to any in via rl0
#add divert natd all from any to any in via rl0
add allow  ip from any to any
```

*jail:*

/home/jails/apachejail/etc/rc.conf

```
rpc_bind_enable="NO"
inetd_enable="YES"
network_interfaces="rl0"
sshd_enable="YES"
sendmail_enable="NO"
defaultrouter="10.7.0.100"
early_late_divider="NETWORKING"
```

/home/jails/apachejail/etc/host

```
127.0.0.1	apachejail.example.com		apachejail
```

reboot...


```
home# jail /home/jails/apachejail apachejail 192.168.1.231
```

OK so far!

ping google.com does not work!!

changed to

```
security.jail.socket_unixiproute_only=1
```
or

```
security.jail.socket_unixiproute_only=0
```

however:

```
jail# route add default 10.7.0.100
route: writing to routing socket: Operation not permitted
```


ifconfig:

```
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=48<VLAN_MTU,POLLING>
	ether 00:0e:
	inet 10. netmask 0xffff0000 broadcast 10.7.255.255
	inet 192.168.1.231 netmask 0xffffffff broadcast 192.168.1.231
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
```

jail:

```
apachejail# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:0e:
        inet 192.168.1.231 netmask 0xffffffff broadcast 192.168.1.231
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

if I have not forgotten anything, that's all...
how do you see why ping does not work, how to affect the network? how to solve the problem?


----------



## SirDice (Jul 21, 2009)

ProFTP said:

> ping google.com does not work!!


Ok. What's the error message?

You probably forgot to set the DNS servers in /etc/resolv.conf inside the jail.


----------



## ProFTP (Jul 21, 2009)

```
jailtest # ping 74.125.67.100
PING 74.125.67.100 (74.125.67.100): 56 data bytes
```


----------



## DutchDaemon (Jul 21, 2009)

Do you actually have any routing / default gateway? `netstat -rn` on host and in the jail?


----------



## ProFTP (Jul 22, 2009)

host machine:

```
#netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.8.0.1           UGS         0    40408    rl0
10.8.0.0/16        link#1             U           0      104    rl0
10.8.0.100         link#4             UHS         0      936    lo0
127.0.0.1          link#4             UH          0     5994    lo0
192.168.1.231      link#4             UHS         0      122    lo0 =>
192.168.1.231/32   link#1             U           0        0    rl0
```

jail:

```
apachejail# netstat -rn
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist
```


----------



## ProFTP (Jul 22, 2009)

```
apachejail# netstat -rn
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist
```

excuse me, what is this error? must it be so? or is it a serious error?
does this happen at all in a jail?


----------



## vivek (Jul 23, 2009)

First, you cannot create or modify networking settings inside a jail. This is a security feature. You set up everything from the host /etc/rc.conf file. I use pf rules as follows and it works without a problem (em1 is connected to the Internets):

```
lan_if="em0"
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
jail_vps_server_ip="123.xx.yyy.zz"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
```


----------



## ProFTP (Jul 23, 2009)

Is 123.xx.yyy.zz public or local?

Mine is local (I wanted to use a local address)

I use ipfw or natd...

how do I write the NAT in ipfw or in natd?

is *-redirect_address 192.168.1.231 10.7.0.100* really not correct?


----------



## ProFTP (Jul 23, 2009)

in my variant *jail_vps_server_ip* must be a local address


----------



## SirDice (Jul 23, 2009)

Check the default gateway on the host. It should probably not be pointing to 10.8.0.1.

Make sure the host is able to reach the internet before testing/configuring the jail.


----------



## ProFTP (Jul 23, 2009)

I did not understand how to do that?

comment it out?
/home/jails/apachejail/etc/rc.conf
*# defaultrouter="10.7.0.100"*


----------



## SirDice (Jul 23, 2009)

Forget about the jail for a minute and make sure the host itself is able to access the Internet.


----------



## ProFTP (Jul 23, 2009)

if not from the jail, ping works...

without the jail everything works! from the jail ping does not work

or what did you mean, can you explain? what should I do?
(without the jail everything works)


----------



## ProFTP (Jul 23, 2009)

```
jail# route add default 10.7.0.100
route: writing to routing socket: Operation not permitted
```
and what to do about this?
must it be so?


----------



## SirDice (Jul 23, 2009)

You can't change an IP address or change the routing inside a jail. If the host is able to access the internet you should now concentrate on ipfw/nat.

It's quite likely your NAT isn't setup correctly. I don't use ipfw/natd (I use PF) so I can't really help with that.


----------



## ProFTP (Jul 23, 2009)

I need to write *ipfw -f flush*

and add this to *rc.conf* or to *pf.conf*?



```
lan_if="em0"
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
jail_vps_server_ip="123.xx.yyy.zz"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
```


----------



## ProFTP (Jul 25, 2009)

but what to do if *jail_vps_server_ip="123.xx.yyy.zz"* is a local address?


----------



## ProFTP (Jul 25, 2009)

```
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.xx.yyy.zzz"
```
it is just as in the example... ok...


----------



## ProFTP (Jul 25, 2009)

server:

```
ipfw -f flush
```


```
kldload pf.ko
```


```
lan_if="rl0"
lan_if_subnet="10.8.0.0/8"
lan_if_ip="10.8.0.100"
jail_vps_server_ip="192.168.1.231"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
```


```
# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
```


```
# /usr/local/etc/rc.d/ezjail.sh restart
rcorder: could not open log: No such file or directory
Stopping jails: apachejail.
Configuring jails:.
Starting jails:/etc/rc.d/jail: INFO: Mounting fstab for jail apachejail (/etc/fstab.apachejail)
/etc/rc.d/jail: INFO: Mounting devfs on /home/jails/apachejail/dev
/etc/rc.d/jail: INFO: Mounting fdescfs on /home/jails/apachejail/dev/fd
/etc/rc.d/jail: INFO: Mounting procfs onto /home/jails/apachejail/proc
```



```
jail /home/jails/apachejail apachejail 192.168.1.231 /bin/csh
```


```
# ping 74.125.127.100
PING 74.125.127.100 (74.125.127.100): 56 data bytes
^C^C
--- 74.125.127.100 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
apachejail#
```


----------



## ProFTP (Jul 25, 2009)

```
apachejail # ping 10.8.0.100
PING 10.8.0.58 (10.8.0.58): 56 data bytes
64 bytes from 10.8.0.58: icmp_seq=0 ttl=128 time=0.085 ms
64 bytes from 10.8.0.58: icmp_seq=1 ttl=128 time=0.078 ms
64 bytes from 10.8.0.58: icmp_seq=2 ttl=128 time=0.077 ms
^C
--- 10.8.0.58 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.077/0.080/0.085/0.004 ms
```


----------



## ProFTP (Jul 25, 2009)

there is no *device bpf* option (# Berkeley packet filter) in my kernel. Can it affect NAT? Can NAT fail to work because of it?


----------



## ProFTP (Jul 25, 2009)

and what to do next, please advise?


----------



## dotslash (Jan 25, 2010)

ProFTP, this may be 5 months too late, but what is the value of security.jail.allow_raw_sockets?


----------
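Added example, not code from the thread or from any of its participants, tying together SirDice's remark that the NAT is probably misconfigured and dotslash's question about allow_raw_sockets: a small POSIX sh script of offline checks for the natd/ipfw setup ProFTP posted. The ipfw ruleset text, sysctl value and routing table below are constructed samples; interface rl0 and the addresses are the thread's own values.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the natd/ipfw jail
# setup discussed above. Each check takes command output as a string, so it
# runs on the constructed samples below; on a real host pass it the output of
# `ipfw list`, `sysctl -n security.jail.allow_raw_sockets` and `netstat -rn`.

# Does the ruleset divert traffic to natd in BOTH directions on interface $2?
# "in via rl0" only matches packets arriving on rl0; the jail's own packets
# leave through rl0 ("out"), are never handed to natd, and go out with the
# untranslated 192.168.1.231 source, so replies are never routed back.
divert_covers_both() {            # $1 = `ipfw list` output, $2 = interface
    rules=$(printf '%s\n' "$1" | grep -E "^[0-9]+ +divert .* via $2( |\$)") || true
    [ -n "$rules" ] || return 1
    # a divert rule with no explicit direction matches both in and out
    printf '%s\n' "$rules" | grep -qvE ' (in|out) via ' && return 0
    printf '%s\n' "$rules" | grep -q ' in via '  || return 1
    printf '%s\n' "$rules" | grep -q ' out via ' || return 1
}

# ping inside a jail needs a raw ICMP socket, which a jail only gets when the
# host sets security.jail.allow_raw_sockets=1 (dotslash's question).
raw_sockets_allowed() { [ "$1" = 1 ]; }   # $1 = sysctl value

# The host needs a default route of its own before it can NAT anything.
host_default_gateway() {          # $1 = `netstat -rn` output; prints gateway
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Constructed sample shaped like the thread's test script: divert only "in".
BROKEN_RULES='00100 check-state
00200 divert 8668 ip from 192.168.1.231 to any in via rl0
00300 allow ip from any to any'
# Constructed corrected ruleset: one direction-less divert rule on rl0.
FIXED_RULES='00100 check-state
00200 divert 8668 ip from any to any via rl0
00300 allow ip from any to any'
# Constructed host routing table in `netstat -rn` shape, as posted above.
HOST_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.8.0.1           UGS         0    40408    rl0'
report() {                        # $1 = label, $2 = ruleset text
    if divert_covers_both "$2" rl0; then
        echo "$1: jail traffic reaches natd in both directions"
    else
        echo "$1: divert matches one direction only, jail traffic is not NATed"
    fi
}
report broken "$BROKEN_RULES"
report fixed  "$FIXED_RULES"
echo "host default gateway: $(host_default_gateway "$HOST_ROUTES")"
```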

