[OpenIndiana-discuss] masquerade
Jason Matthews
jason at broken.net
Thu Mar 10 03:59:45 UTC 2016
here is an example from one of my hosts that NATs addresses for outbound
postback connections for a number of zones on the same machine. the data
is routed over an etherstub and lands on a vnic in the rfc1918 subnet.

jason at jobs011:~jason# cat /etc/ipf/ipnat.conf
map net1 172.16.254.0/24 -> 198.134.7.27/32

in this example, net1 is a vnic (could be a phys interface) that the
public address resides on. once you have a config file in place you will
then need to (re)start ipfilter with svcadm enable ipfilter

i hope that helps. other references:
http://docs.oracle.com/cd/E19253-01/816-4554/euqfc/index.html
http://www.rite-group.com/rich/solaris_nat.html
j.
On 3/9/2016 6:11 PM, jay at m5.chicago.il.us wrote:
> This should be a simple and short thread.
>
> How do I configure packet filter on my computer, with two network
> interfaces, to masquerade from my private LAN to the outside world, so
> machines on my private LAN can have conversations with machines that
> have public IP addresses? Astonishingly, search engines have not led
> me swiftly to the solution (lots of stuff about sendmail masquerading
> though, in case anyone cares about that), nor can I find helpful
> documentation on the Oracle documents website. I have done my best to
> read the fabulous manual, but I am confused.
>
> You can omit telling me about routeadm, I've already done that. The
> computer is already set up to route IP datagrams, I just need to get
> the packet filtering right.
>
> Here is the state of my router machine at present:
>
>
> / # ipadm show-addr
> ADDROBJ TYPE STATE ADDR
> lo0/v4 static ok 127.0.0.1/8
> net0/dhcp dhcp ok 99.140.186.69/30
> net1/v4 static ok 192.168.1.42/24
> net1/v4a static ok 172.16.1.1/16
> lo0/v6 static ok ::1/128
> / # ndd -get /dev/ip ip_forwarding
> 1
> / # cat /etc/ipf/ipnat.conf
> map net1 172.16.0.0/16 -> 0.0.0.0/32
> map net1 192.168.1.0/24 -> 0.0.0.0/32
> / # ipnat -l
> List of active MAP/Redirect filters:
> rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
> map net1 172.16.0.0/16 -> 0.0.0.0/32
> map net1 192.168.1.0/24 -> 0.0.0.0/32
>
> List of active sessions:
> MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 56138]
> MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 61524]
> MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 55160]
> MAP 172.16.1.1 64496 <- -> 192.168.1.42 64496 [172.16.1.3 22]
>
>
> I can ssh in to machines (e.g., the abovementioned 172.16.1.3) on my
> home network, but once logged in, I cannot access the outside world
> therefrom (e.g., "ping 8.8.8.8" times out). Needless to say,
> 172.16.1.1 is the default router for 172.16.1.3, so that is not the
> problem. And, if further proof be needed, 172.16.1.3 can easily ping
> 99.140.186.69. So the masquerading is the problem, not the routing.
> As I indicated, probably an extremely easy question to answer if you
> know the answer. I'm sure it's something simple, like maybe the zeros
> are supposed to be on the left rather than the right, in ipnat.conf.
> Thank you in advance for any and all replies.
>
>
> Jay F. Shachter
> 6424 N Whipple St
> Chicago IL 60645-4111
> (1-773)7613784 landline
> (1-410)9964737 GoogleVoice
> jay at m5.chicago.il.us
> http://m5.chicago.il.us
>
> "Quidquid latine dictum sit, altum videtur"
>
>