[OpenIndiana-discuss] masquerade

Jonathan Adams t12nslookup at gmail.com
Thu Mar 10 10:06:36 UTC 2016 

Hi Peter, sorry for hijacking this thread.

I forgot about the "set-ifprop" thing ... I was just wondering if you know
of a way of doing the same thing for OpenVPN tun connections, so that it
remembers the state, at the moment I have to rely on an init.d script that
runs "ifconfig tun0 router"

Jon

On 10 March 2016 at 09:37, Peter Tribble <peter.tribble at gmail.com> wrote:

> On Thu, Mar 10, 2016 at 2:11 AM, <jay at m5.chicago.il.us> wrote:
>
> >
> > This should be a simple and short thread.
> >
> > How do I configure packet filter on my computer, with two network
> > interfaces, to masquerade from my private LAN to the outside world, so
> > machines on my private LAN can have conversations with machines that
> > have public IP addresses?  Astonishingly, search engines have not led
> > me swiftly to the solution (lots of stuff about sendmail masquerading
> > though, in case anyone cares about that), nor can I find helpful
> > documentation on the Oracle documents website.  I have done my best to
> > read the fabulous manual, but I am confused.
> >
>
> I wrote a blog entry that covers this:
>
> http://ptribble.blogspot.co.uk/2015/11/zones-behind-zones.html
>
> It's in a different context (zones wired with crossbow rather than hosts on
> a LAN)
> but should cover it. So if you ignore the dladm bits to set up crossbow
> then it
> boils down to
>
> ipadm set-ifprop -p forwarding=on -m ipv4 net0
> ipadm set-ifprop -p forwarding=on -m ipv4 net1
>
> and
>
> map net0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto
> map net0 172.16.0.0/16 -> 0/32
>
> where you use the interface on the *public* side of the network. I think,
> looking
> at what you have below, that just changing net1 to net0 in ipnat.conf is
> what
> you need to do.
>
> You can omit telling me about routeadm, I've already done that.  The
> > computer is already set up to route IP datagrams, I just need to get
> > the packet filtering right.
> >
> > Here is the state of my router machine at present:
> >
> >
> >  / # ipadm show-addr
> >  ADDROBJ           TYPE     STATE        ADDR
> >  lo0/v4            static   ok           127.0.0.1/8
> >  net0/dhcp         dhcp     ok           99.140.186.69/30
> >  net1/v4           static   ok           192.168.1.42/24
> >  net1/v4a          static   ok           172.16.1.1/16
> >  lo0/v6            static   ok           ::1/128
> >  / # ndd -get /dev/ip ip_forwarding
> >  1
> >  / # cat /etc/ipf/ipnat.conf
> >  map net1 172.16.0.0/16 -> 0.0.0.0/32
> >  map net1 192.168.1.0/24 -> 0.0.0.0/32
> >  / # ipnat -l
> >  List of active MAP/Redirect filters:
> >  rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
> >  map net1 172.16.0.0/16 -> 0.0.0.0/32
> >  map net1 192.168.1.0/24 -> 0.0.0.0/32
> >
> >  List of active sessions:
> >  MAP 172.16.1.1      53    <- -> 192.168.1.42    53    [172.16.1.3 56138]
> >  MAP 172.16.1.1      53    <- -> 192.168.1.42    53    [172.16.1.3 61524]
> >  MAP 172.16.1.1      53    <- -> 192.168.1.42    53    [172.16.1.3 55160]
> >  MAP 172.16.1.1      64496 <- -> 192.168.1.42    64496 [172.16.1.3 22]
> >
> >
> > I can ssh in to machines (e.g., the abovementioned 172.16.1.3) on my
> > home network, but once logged in, I cannot access the outside world
> > therefrom (e.g., "ping 8.8.8.8" times out).  Needless to say,
> > 172.16.1.1 is the default router for 172.16.1.3, so that is not the
> > problem.  And, if further proof be needed, 172.16.1.3 can easily ping
> > 99.140.186.69.  So the masquerading is the problem, not the routing.
> > As I indicated, probably an extremely easy question to answer if you
> > know the answer.  I'm sure it's something simple, like maybe the zeros
> > are supposed to be on the left rather than the right, in ipnat.conf.
> > Thank you in advance for any and all replies.
> >
> >
> >                         Jay F. Shachter
> >                         6424 N Whipple St
> >                         Chicago IL  60645-4111
> >                                 (1-773)7613784   landline
> >                                 (1-410)9964737   GoogleVoice
> >                                 jay at m5.chicago.il.us
> >                                 http://m5.chicago.il.us
> >
> >                         "Quidquid latine dictum sit, altum videtur"
> >
> >
> > _______________________________________________
> > openindiana-discuss mailing list
> > openindiana-discuss at openindiana.org
> > http://openindiana.org/mailman/listinfo/openindiana-discuss
> >
>
>
>
> --
> -Peter Tribble
> http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>

More information about the openindiana-discuss mailing list