
[HOWTO] IPFW in-kernel nat port forwarding to jails

Post by grzs » 04 Aug 2018 04:41

When I encountered many odd issues after flushing the ipfw rules and fiddling with new ones, I tried to simply add redirect rules, and it worked.

Basic concept:
I create a new NAT table for each jail to manage their redirects separately.
After this I had to tell the firewall when to use which NAT table.

Example:
I have a jail running a web server, which I want to reach at port 8088 instead of the standard 80.
I create NAT table nr 11 for it.
I also want to insert the ipfw rules when I start the jail and delete them when I stop it (to avoid duplication with each restart), so I need two scripts for each jail. I can set them in the TheBrig jail configuration form (in the 'Commands' section, made visible by clicking the 'More' button).
I give one as prestart (redirect_on.sh):

Code:

#!/bin/sh

# variables
nr=11                           # NAT table nr, also ipfw rule nr, max 50 !!
pub_if="<outgoing interface>"   # replace with the interface the clients reach you on
jail_ip="<jail ip>"             # replace with the jail's IP address
pub_port=8088                   # public port, e.g. 8088 (the ipfw rule below also accepts a comma-separated list)
jail_port=80                    # service port inside the jail, e.g. 80

# initialize NAT table
# rule $nr-1 (here 10): inbound packets to the public port go through NAT table $nr
ipfw add $((nr - 1)) nat $nr ip from any to any $pub_port via $pub_if
# rule $nr (here 11): replies leaving the jail service go back through NAT table $nr
ipfw add $nr nat $nr ip from $jail_ip $jail_port to any via $pub_if

# port forwarding
# one redirect_port per forwarded service, e.g.:
# ipfw nat $nr config if $pub_if \
#	redirect_port tcp <dest-ip-1>:<dest-port-1> <src-port-1> \
#	redirect_port udp <dest-ip-2>:<dest-port-2> <src-port-2>

ipfw nat $nr config if $pub_if \
	redirect_port tcp $jail_ip:$jail_port $pub_port

... and another one as afterstop (redirect_off.sh):

Code:

#!/bin/sh

# variables, same NAT table nr as in redirect_on.sh
nr=11

# delete NAT rules (rules $nr-1 and $nr, here 10 and 11)
ipfw delete $((nr - 1))
ipfw delete $nr

You can check your firewall and NAT state with these commands as root:

Code:

ipfw show
ipfw nat show config
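The following is an added example and not grzs's script: it generalises the two scripts above into a generator that prints the ipfw command lines for one jail's NAT table from a list of redirects (several services, tcp and udp, as in the commented redirect_port template), so the rule set can be reviewed before it is applied to the live firewall. The interface name em0 and the jail address 192.0.2.10 are constructed sample values; the 2..50 range check comes from the post's "max 50" note and the fact that rule nr-1 must stay positive; the final `ipfw nat <nr> delete` in the off part goes beyond the post and removes the NAT instance itself so no stale redirect configuration survives a jail stop.

```shell
#!/bin/sh
# Added example (not the script from the post): build the ipfw command lines
# for one jail's in-kernel NAT table from "proto:jail_port:public_port" redirects.
# Rule nr-1 catches inbound packets to the public ports, rule nr catches the
# replies leaving the jail, exactly as in redirect_on.sh above.

# Accept only an integer in 2..50: rule nr-1 must stay >= 1, nr must stay <= 50.
validate_nr() {
    case $1 in
        ''|*[!0-9]*) echo "nr must be a number" >&2; return 1 ;;
    esac
    if [ "$1" -lt 2 ] || [ "$1" -gt 50 ]; then
        echo "nr must be between 2 and 50" >&2; return 1
    fi
}

# usage: nat_on <nr> <pub_if> <jail_ip> <proto:jail_port:public_port>...
# Prints the three commands that enable forwarding for this jail.
nat_on() {
    nr=$1; pub_if=$2; jail_ip=$3; shift 3
    validate_nr "$nr" || return 1
    [ $# -gt 0 ] || { echo "at least one redirect is required" >&2; return 1; }
    pub_ports=""; jail_ports=""; redirects=""
    for r in "$@"; do
        proto=${r%%:*}; rest=${r#*:}
        jail_port=${rest%%:*}; pub_port=${rest#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "bad redirect (proto must be tcp or udp): $r" >&2; return 1 ;;
        esac
        for p in "$jail_port" "$pub_port"; do
            case $p in
                ''|*[!0-9]*) echo "bad redirect (ports must be numeric): $r" >&2; return 1 ;;
            esac
        done
        # comma-separated port lists for the two ipfw rules
        pub_ports=${pub_ports:+$pub_ports,}$pub_port
        jail_ports=${jail_ports:+$jail_ports,}$jail_port
        # one redirect_port clause per service for the NAT instance config
        redirects="$redirects redirect_port $proto $jail_ip:$jail_port $pub_port"
    done
    echo "ipfw add $((nr - 1)) nat $nr ip from any to any $pub_ports via $pub_if"
    echo "ipfw add $nr nat $nr ip from $jail_ip $jail_ports to any via $pub_if"
    echo "ipfw nat $nr config if $pub_if$redirects"
}

# usage: nat_off <nr>
# Prints the commands that remove the two rules and the NAT instance again.
nat_off() {
    validate_nr "$1" || return 1
    echo "ipfw delete $(($1 - 1))"
    echo "ipfw delete $1"
    echo "ipfw nat $1 delete"
}

# Constructed sample: NAT table 11, clients arrive on em0, jail at 192.0.2.10,
# web server on 80 published as 8088 and a udp service on 5353 kept at 5353.
nat_on 11 em0 192.0.2.10 tcp:80:8088 udp:5353:5353
nat_off 11
```

Running the script prints the rule set for review; piping the output of `nat_on` or `nat_off` into `sh` as root applies it, and `ipfw show` together with `ipfw nat show config` confirms what is actually loaded.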
