[OpenIndiana-discuss] masquerade

jay at m5.chicago.il.us jay at m5.chicago.il.us
Thu Mar 10 02:11:37 UTC 2016


This should be a simple and short thread.

How do I configure packet filter on my computer, with two network
interfaces, to masquerade from my private LAN to the outside world, so
machines on my private LAN can have conversations with machines that
have public IP addresses?  Astonishingly, search engines have not led
me swiftly to the solution (lots of stuff about sendmail masquerading
though, in case anyone cares about that), nor can I find helpful
documentation on the Oracle documents website.  I have done my best to
read the fabulous manual, but I am confused.

You can omit telling me about routeadm, I've already done that.  The
computer is already set up to route IP datagrams, I just need to get
the packet filtering right.

Here is the state of my router machine at present:


 / # ipadm show-addr
 ADDROBJ           TYPE     STATE        ADDR
 lo0/v4            static   ok           127.0.0.1/8
 net0/dhcp         dhcp     ok           99.140.186.69/30
 net1/v4           static   ok           192.168.1.42/24
 net1/v4a          static   ok           172.16.1.1/16
 lo0/v6            static   ok           ::1/128
 / # ndd -get /dev/ip ip_forwarding
 1
 / # cat /etc/ipf/ipnat.conf 
 map net1 172.16.0.0/16 -> 0.0.0.0/32
 map net1 192.168.1.0/24 -> 0.0.0.0/32
 / # ipnat -l
 List of active MAP/Redirect filters:
 rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
 map net1 172.16.0.0/16 -> 0.0.0.0/32
 map net1 192.168.1.0/24 -> 0.0.0.0/32

 List of active sessions:
 MAP 172.16.1.1      53    <- -> 192.168.1.42    53    [172.16.1.3 56138]
 MAP 172.16.1.1      53    <- -> 192.168.1.42    53    [172.16.1.3 61524]
 MAP 172.16.1.1      53    <- -> 192.168.1.42    53    [172.16.1.3 55160]
 MAP 172.16.1.1      64496 <- -> 192.168.1.42    64496 [172.16.1.3 22]


I can ssh in to machines (e.g., the abovementioned 172.16.1.3) on my
home network, but once logged in, I cannot access the outside world
therefrom (e.g., "ping 8.8.8.8" times out).  Needless to say,
172.16.1.1 is the default router for 172.16.1.3, so that is not the
problem.  And, if further proof be needed, 172.16.1.3 can easily ping
99.140.186.69.  So the masquerading is the problem, not the routing.
As I indicated, probably an extremely easy question to answer if you
know the answer.  I'm sure it's something simple, like maybe the zeros
are supposed to be on the left rather than the right, in ipnat.conf.
Thank you in advance for any and all replies.


                        Jay F. Shachter
                        6424 N Whipple St
                        Chicago IL  60645-4111
                                (1-773)7613784   landline
                                (1-410)9964737   GoogleVoice
                                jay at m5.chicago.il.us
                                http://m5.chicago.il.us

                        "Quidquid latine dictum sit, altum videtur"
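Added example (not part of the post, and not an IPFilter tool): a small Python checker for the configuration pattern shown above. An IPFilter `map` rule rewrites packets as they leave the named interface, so binding it to the LAN-facing interface only rewrites traffic going back into the LAN (which is what the router's session list shows) and nothing is masqueraded on the way out. The script parses `ipadm show-addr` and `ipnat.conf` text, identifies the interface that holds a public address, flags `map` rules bound to any other interface, and prints rewritten rules bound to the external side. The interface and address data are copied from the post; the `portmap tcp/udp auto` suffix and the function names are assumptions of this example.

```python
"""Sanity-check IPFilter NAT (ipnat) map rules against a router's addressing.

Hypothetical helper for illustration: it is not an IPFilter utility.  The
sample inputs below are copied from the mailing-list post; they mirror the
layout of `ipadm show-addr` and /etc/ipf/ipnat.conf.
"""
import ipaddress
import re

# Sample copied from the post: same column layout as `ipadm show-addr`.
IPADM_OUTPUT = """\
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/dhcp         dhcp     ok           99.140.186.69/30
net1/v4           static   ok           192.168.1.42/24
net1/v4a          static   ok           172.16.1.1/16
lo0/v6            static   ok           ::1/128
"""

# Sample copied from the post: map rules bound to the LAN-facing interface.
IPNAT_CONF = """\
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s*->\s*(\S+)(.*)$")


def parse_ipadm(text):
    """Return {interface: [IPv4Interface, ...]} from `ipadm show-addr` output."""
    ifaces = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        addrobj, _type, _state, addr = parts
        try:
            ip = ipaddress.ip_interface(addr)
        except ValueError:  # header row or anything that is not an address
            continue
        if ip.version == 4:
            ifaces.setdefault(addrobj.split("/")[0], []).append(ip)
    return ifaces


def parse_map_rules(text):
    """Return (iface, source_network, target, extra) for each `map` rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_RE.match(line)
        if m:
            iface, src, dst, extra = m.groups()
            rules.append((iface, ipaddress.ip_network(src, strict=False),
                          dst, extra.strip()))
    return rules


def external_interfaces(ifaces):
    """Interfaces holding at least one globally routable IPv4 address."""
    return sorted(name for name, addrs in ifaces.items()
                  if any(a.ip.is_global for a in addrs))


def check_rules(rules, ifaces):
    """Flag map rules whose interface is not the external (outbound) side.

    IPFilter applies `map` to packets leaving the named interface, so a rule
    on the interface that itself carries the source network can only rewrite
    traffic heading back into the LAN."""
    ext = set(external_interfaces(ifaces))
    findings = []
    for iface, src, _dst, _extra in rules:
        if iface in ext:
            continue
        reason = "interface has no public address"
        if any(a.network.overlaps(src) for a in ifaces.get(iface, [])):
            reason = "interface carries the source network (inbound side)"
        findings.append((iface, str(src), reason))
    return findings


def corrected_rules(rules, ifaces, portmap=True):
    """Rebind every map rule to the single external interface.

    `portmap tcp/udp auto` (an assumption, not from the post) lets many LAN
    hosts share one public address without source-port collisions."""
    ext = external_interfaces(ifaces)
    if len(ext) != 1:
        raise ValueError(f"expected exactly one external interface, found {ext}")
    out = []
    for _iface, src, dst, extra in rules:
        suffix = extra or ("portmap tcp/udp auto" if portmap else "")
        out.append(f"map {ext[0]} {src} -> {dst}" + (f" {suffix}" if suffix else ""))
    return out


if __name__ == "__main__":
    ifaces = parse_ipadm(IPADM_OUTPUT)
    rules = parse_map_rules(IPNAT_CONF)
    for iface, src, reason in check_rules(rules, ifaces):
        print(f"map on {iface} for {src}: {reason}")
    print("\n".join(corrected_rules(rules, ifaces)))
```

After editing /etc/ipf/ipnat.conf, the rules are reloaded with `ipnat -CF -f /etc/ipf/ipnat.conf`; `ipnat -l` should then list the `map` entries on the outbound interface.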
