[OpenIndiana-discuss] masquerade
Peter Tribble
peter.tribble at gmail.com
Thu Mar 10 09:37:24 UTC 2016
On Thu, Mar 10, 2016 at 2:11 AM, <jay at m5.chicago.il.us> wrote:
>
> This should be a simple and short thread.
>
> How do I configure packet filter on my computer, with two network
> interfaces, to masquerade from my private LAN to the outside world, so
> machines on my private LAN can have conversations with machines that
> have public IP addresses? Astonishingly, search engines have not led
> me swiftly to the solution (lots of stuff about sendmail masquerading
> though, in case anyone cares about that), nor can I find helpful
> documentation on the Oracle documents website. I have done my best to
> read the fabulous manual, but I am confused.
>
I wrote a blog entry that covers this:
http://ptribble.blogspot.co.uk/2015/11/zones-behind-zones.html
It's in a different context (zones wired with crossbow rather than hosts on
a LAN)
but should cover it. So if you ignore the dladm bits to set up crossbow
then it
boils down to
ipadm set-ifprop -p forwarding=on -m ipv4 net0
ipadm set-ifprop -p forwarding=on -m ipv4 net1
and
map net0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto
map net0 172.16.0.0/16 -> 0/32
where you use the interface on the *public* side of the network. I think,
looking
at what you have below, that just changing net1 to net0 in ipnat.conf is
what
you need to do.
You can omit telling me about routeadm, I've already done that. The
> computer is already set up to route IP datagrams, I just need to get
> the packet filtering right.
>
> Here is the state of my router machine at present:
>
>
> / # ipadm show-addr
> ADDROBJ TYPE STATE ADDR
> lo0/v4 static ok 127.0.0.1/8
> net0/dhcp dhcp ok 99.140.186.69/30
> net1/v4 static ok 192.168.1.42/24
> net1/v4a static ok 172.16.1.1/16
> lo0/v6 static ok ::1/128
> / # ndd -get /dev/ip ip_forwarding
> 1
> / # cat /etc/ipf/ipnat.conf
> map net1 172.16.0.0/16 -> 0.0.0.0/32
> map net1 192.168.1.0/24 -> 0.0.0.0/32
> / # ipnat -l
> List of active MAP/Redirect filters:
> rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
> map net1 172.16.0.0/16 -> 0.0.0.0/32
> map net1 192.168.1.0/24 -> 0.0.0.0/32
>
> List of active sessions:
> MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 56138]
> MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 61524]
> MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 55160]
> MAP 172.16.1.1 64496 <- -> 192.168.1.42 64496 [172.16.1.3 22]
>
>
> I can ssh in to machines (e.g., the abovementioned 172.16.1.3) on my
> home network, but once logged in, I cannot access the outside world
> therefrom (e.g., "ping 8.8.8.8" times out). Needless to say,
> 172.16.1.1 is the default router for 172.16.1.3, so that is not the
> problem. And, if further proof be needed, 172.16.1.3 can easily ping
> 99.140.186.69. So the masquerading is the problem, not the routing.
> As I indicated, probably an extremely easy question to answer if you
> know the answer. I'm sure it's something simple, like maybe the zeros
> are supposed to be on the left rather than the right, in ipnat.conf.
> Thank you in advance for any and all replies.
>
>
> Jay F. Shachter
> 6424 N Whipple St
> Chicago IL 60645-4111
> (1-773)7613784 landline
> (1-410)9964737 GoogleVoice
> jay at m5.chicago.il.us
> http://m5.chicago.il.us
>
> "Quidquid latine dictum sit, altum videtur"
>
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
More information about the openindiana-discuss
mailing list