
[HOWTO] IPFW in-kernel nat port forwarding to jails

Jails with XigmaNAS
grzs
NewUser
Posts: 8
Joined: 23 Oct 2017 02:48
Status: Offline

[HOWTO] IPFW in-kernel nat port forwarding to jails

#1

Post by grzs »

When I encountered many odd issues after flushing the ipfw rules and fiddling with new ones, I tried to simply add redirect rules, and it worked.

Basic concept:
I create a new NAT table for each jail to manage their redirects separately.
After this, I had to tell the firewall when to use which NAT table.

Example:
I have a jail running a web server, which I want to reach at port 8088 instead of the standard 80.
I create NAT table nr 11 for it.
I also want to insert the ipfw rules when I start the jail and delete them when I stop it (to avoid duplication with each restart), so I need two scripts for each jail. I can set them in the TheBrig jail configuration form (in the 'Commands' section, made visible by clicking the 'More' button).
I give one as prestart (redirect_on.sh):

Code:

#!/bin/sh

# variables (example values, replace with your own)
nr=11             # NAT table nr, also ipfw rule nr, max 50 !!
pub_if=em0        # outgoing interface
jail_ip=10.0.0.2  # jail ip
pub_ports=8088    # public port(s) to redirect, comma separated (e.g. 8088)
jail_ports=80     # service port(s) in the jail (e.g. 80)

# port forwarding: configure the NAT instance first, because a rule can only
# reference an instance that already exists
ipfw nat $nr config if $pub_if \
	redirect_port tcp $jail_ip:80 8088

# template for several services on one instance:
# ipfw nat $nr config if $pub_if \
#	redirect_port tcp <dest-ip-1>:<dest-port-1> <src-port-1> \
#	redirect_port udp <dest-ip-2>:<dest-port-2> <src-port-2>

# initialize NAT table: rule $nr-1 (10) sends traffic to the public ports
# through the NAT, rule $nr (11) sends the jail's replies back through it
ipfw add $((nr - 1)) nat $nr ip from any to any $pub_ports via $pub_if
ipfw add $nr nat $nr ip from $jail_ip $jail_ports to any via $pub_if

... and another one as afterstop (redirect_off.sh):

Code:

#!/bin/sh

nr=11  # same NAT table nr as in redirect_on.sh

# delete the NAT rules, then the NAT instance itself
ipfw delete $((nr - 1))
ipfw delete $nr
ipfw nat $nr delete

You can check your firewall and NAT state with these commands as root:

Code:

ipfw show
ipfw nat show config
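The two scripts above have to agree on the rule numbers and port lists by hand. As an added example (not grzs's scripts and not part of TheBrig), the following generator builds both the prestart and afterstop command sets for one jail from a single list of redirects, so they cannot drift apart, and it goes a step further than the post by handling several tcp/udp redirects on one NAT instance. The interface em0, the jail address 10.0.0.2, the function names and the IPFW_APPLY switch are all assumptions of this example; by default it only prints the ipfw commands, which you can compare against `ipfw show` and `ipfw nat show config` before applying them as root.

```shell
#!/bin/sh
# Added example: generate the ipfw in-kernel NAT commands for one jail.
# ipfw is only executed when IPFW_APPLY=1 is set; otherwise the commands are printed.

# build_redirect_on NR PUB_IF JAIL_IP REDIRECTS
#   REDIRECTS is a space-separated list of proto:jail_port:public_port,
#   e.g. "tcp:80:8088 udp:53:5353". Prints the ipfw commands, one per line.
build_redirect_on() {
    nr=$1; pub_if=$2; jail_ip=$3; redirects=$4
    # rule nr-1 must stay >= 1, and the post limits NAT table numbers to 50
    if [ "$nr" -lt 2 ] || [ "$nr" -gt 50 ]; then
        echo "NAT table nr must be between 2 and 50" >&2
        return 1
    fi
    pub_ports=""; jail_ports=""; redir_opts=""
    for r in $redirects; do
        proto=${r%%:*}
        rest=${r#*:}
        jport=${rest%%:*}
        pport=${rest#*:}
        pub_ports="${pub_ports}${pub_ports:+,}$pport"
        jail_ports="${jail_ports}${jail_ports:+,}$jport"
        redir_opts="$redir_opts redirect_port $proto $jail_ip:$jport $pport"
    done
    # configure the NAT instance before any rule references it
    echo "ipfw nat $nr config if $pub_if$redir_opts"
    # inbound: traffic to the public ports goes through NAT instance nr
    echo "ipfw add $((nr - 1)) nat $nr ip from any to any $pub_ports via $pub_if"
    # outbound: the jail's replies from its service ports go back through it
    echo "ipfw add $nr nat $nr ip from $jail_ip $jail_ports to any via $pub_if"
}

# build_redirect_off NR: the afterstop counterpart, removes rules and the instance
build_redirect_off() {
    nr=$1
    echo "ipfw delete $((nr - 1))"
    echo "ipfw delete $nr"
    echo "ipfw nat $nr delete"
}

# run_rules FUNC ARGS...: print each command; execute it only when IPFW_APPLY=1
run_rules() {
    "$@" | while IFS= read -r cmd; do
        echo "$cmd"
        if [ "${IPFW_APPLY:-0}" = 1 ]; then
            eval "$cmd"   # commands are built from our own arguments above
        fi
    done
}

# Usage: sh redirect.sh on|off   (example values: NAT nr 11, em0, jail 10.0.0.2)
case "${1:-}" in
    on)  run_rules build_redirect_on 11 em0 10.0.0.2 "tcp:80:8088" ;;
    off) run_rules build_redirect_off 11 ;;
esac
```

In TheBrig you would point the prestart command at `sh redirect.sh on` and the afterstop command at `sh redirect.sh off` with IPFW_APPLY=1 in the environment; running without it first lets you review the exact rules, and the afterstop set deleting the instance as well as the rules is what keeps restarts from accumulating duplicates.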

mcfly
NewUser
Posts: 1
Joined: 31 Mar 2020 04:52
Status: Offline

Re: [HOWTO] IPFW in-kernel nat port forwarding to jails

#2

Post by mcfly »

I am interested in creating something similar, although I am confused as to what you write for your variables pub_if and jail_ip etc. I have set up a VNET as explained in your other how-to and can ping from the jail to the host and from the host to the jail. I am thinking I need to forward all outgoing traffic from the jail to the host. In my case my LAN from my router is 192.168.0.0/24, the vlan is 192.168.1.251/24 and the jail is 192.168.1.252/24. I also read that the jail cannot change the packet routing, so how can I get the outgoing traffic from the jail out to the WAN?

Would appreciate any help or guidance on this.

Thanks.
