[OpenIndiana-discuss] container with same ip

Goetz T. Fischer g.fischer at r-a-c.de
Thu Nov 16 22:44:25 UTC 2023


The zone seems fine now, but NAT is not working at all. I tried a bunch of examples from whatever docs I
could find, but no luck. I did the following on the host (global zone):

dladm create-etherstub etherstub0
dladm create-vnic -l etherstub0 gvnic1
ipadm create-ip gvnic1
ipadm create-addr -T static -a 10.0.0.1/24 gvnic1/v4
dladm create-vnic -l etherstub0 zvnic1

Then I installed the zone using zvnic1 in its config. I assigned 10.0.0.2 and set the gateway to
10.0.0.1. For testing I changed the zone's sshd port to 23456, and I can reach that from the global zone.
So far so good.

Now it would be time for NAT and the redirections. e1000g0 is my real NIC, and just for this example
let's say its IP is 1.2.3.4.
I added the following to ipnat.conf:

map e1000g0 from 10.0.0.0/24 to any -> 1.2.3.4
rdr e1000g0 from any to any port = 23456 -> 10.0.0.2 port 23456

When I try to connect to 1.2.3.4 on port 23456 from the outside (foreign/outside IP 1.2.3.5) I get a
connection, but nothing happens. ipnat -l shows:

List of active MAP/Redirect filters:
map e1000g0 from 10.0.0.0/24 to any -> 1.2.3.4/32
rdr e1000g0 from any to 1.2.3.4/32 port = 23456 -> 10.0.0.2 port 23456 tcp

List of active sessions:
RDR 10.0.0.2        23456 <- -> 1.2.3.4     23456 [1.2.3.5 50249]


When I try to reach the internet from inside the zone I get nothing either. So it seems the redirect
works but NAT does not.
Once more, any help would be very welcome ...


On Wed, 15 Nov 2023 17:50:52 +0000, Peter Tribble wrote:
> The way I do this (on OmniOS and Tribblix, but conceptually it's the same
> on all Solaris/illumos variants):
> 
> 1. Create an etherstub
> 
> 2. In the global zone, create a vnic over that etherstub, and then give it
>    an address, e.g. 10.0.0.1
> 
> 3. For each zone, create a vnic over that etherstub, and assign the vnic to
>    that zone as an exclusive-ip device (so the addresses will be 10.0.0.2,
>    10.0.0.3, etc.)
> 
> 4. Run haproxy or nginx (or something similar, whatever you're familiar
>    with) in the global zone as a reverse proxy so it's listening on the
>    system's main IP address, and proxies the traffic to the zone(s). This
>    can be name-based websites (either from the host header for http or SNI
>    for https), or port-based for things that can't handle routing based on
>    names (e.g. ssh).
> 
> 5. If you want to get out of the zone, set up simple nat in the global zone
>    and have each zone point its default router at the global zone's address
>    on the etherstub. But if you don't want the zones to be able to escape,
>    don't handle nat. (In that case you might want a local dns server or
>    forward proxy if you need to handle outbound requests.)

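A complete version of the setup discussed in this thread, as an added example written for this page; it is not code from the thread or from the illumos project. It keeps the thread's names (etherstub0, gvnic1, zvnic1, e1000g0, 10.0.0.0/24, 10.0.0.2, port 23456) and adds the two steps the post does not show, IPv4 forwarding in the global zone and enabling ipfilter with its tables loaded, plus a minimal ipf.conf that exposes only the redirected port and the global zone's own sshd (assumed to be on port 22). The run wrapper, the DRY_RUN switch and the nat_session_counts check are this example's own; the ipnat -l sample it parses is constructed from the output quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): private etherstub network for an
# exclusive-IP zone, NATed through the global zone with ipfilter.
# Interface names, addresses and the port are the ones used in the post;
# the forwarding and ipfilter steps are additions the post does not show.
# DRY_RUN=1 (the default) prints each privileged command instead of running
# it, so the script can be reviewed or tested on any host; DRY_RUN=0 applies.

DRY_RUN="${DRY_RUN:-1}"
EXT_IF=e1000g0          # real NIC carrying the public address
PRIV_NET=10.0.0.0/24    # etherstub subnet
ZONE_IP=10.0.0.2        # zone's address on zvnic1
ZONE_PORT=23456         # zone's sshd port, exposed on the public address
GZ_SSH_PORT=22          # global zone's own sshd (assumed); must stay reachable

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gen_ipnat_conf EXT_IF PRIV_NET ZONE_IP PORT
# Prints the ipnat.conf rules. "0/32" tells ipfilter to use EXT_IF's current
# address, so no public IP is hardcoded. The two map lines are the documented
# pair: portmap handles TCP/UDP, the plain map covers everything else.
gen_ipnat_conf() {
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$1" "$2"
    printf 'map %s %s -> 0/32\n' "$1" "$2"
    printf 'rdr %s 0.0.0.0/0 port %s -> %s port %s tcp\n' "$1" "$4" "$3" "$4"
}

# gen_ipf_conf EXT_IF ZONE_IP PORT GZ_SSH_PORT
# Minimal stateful filter on the public NIC. Inbound NAT runs before the
# filter, so the rdr'd connection is matched on the zone address, not on the
# public one. Anything else inbound on EXT_IF is blocked.
gen_ipf_conf() {
    printf 'pass out quick on %s all keep state\n' "$1"
    printf 'pass in quick on %s proto tcp from any to any port = %s keep state\n' "$1" "$4"
    printf 'pass in quick on %s proto tcp from any to %s port = %s keep state\n' "$1" "$2" "$3"
    printf 'block in quick on %s all\n' "$1"
}

# Steps 1-3 of the thread: the private segment, the global zone's leg on it,
# and the vnic handed to the zone as its exclusive-IP interface.
setup_network() {
    run dladm create-etherstub etherstub0
    run dladm create-vnic -l etherstub0 gvnic1
    run ipadm create-ip gvnic1
    run ipadm create-addr -T static -a 10.0.0.1/24 gvnic1/v4
    run dladm create-vnic -l etherstub0 zvnic1
}

# What the post leaves out: the global zone only routes packets between gvnic1
# and EXT_IF when IPv4 forwarding is on, and ipfilter only translates once it
# is enabled with both tables loaded. Without forwarding the rdr session still
# shows up in ipnat -l, but the rewritten packet is dropped instead of sent on.
enable_routing_and_nat() {
    run ipadm set-prop -p forwarding=on ipv4
    if [ "$DRY_RUN" = 1 ]; then
        printf 'write /etc/ipf/ipf.conf and /etc/ipf/ipnat.conf\n'
    else
        gen_ipf_conf "$EXT_IF" "$ZONE_IP" "$ZONE_PORT" "$GZ_SSH_PORT" > /etc/ipf/ipf.conf
        gen_ipnat_conf "$EXT_IF" "$PRIV_NET" "$ZONE_IP" "$ZONE_PORT" > /etc/ipf/ipnat.conf
    fi
    run svcadm enable -s ipfilter
    run ipf -Fa -f /etc/ipf/ipf.conf
    run ipnat -CF -f /etc/ipf/ipnat.conf
}

# nat_session_counts < output-of-ipnat-l
# Counts active sessions by type. A working setup shows MAP sessions as soon
# as the zone sends anything out; rdr-only means the redirect fired but the
# global zone never forwarded the packet, which points at forwarding or ipf.
nat_session_counts() {
    awk '
        /^List of active sessions/ { insess = 1; next }
        insess && $1 == "MAP" { map++ }
        insess && $1 == "RDR" { rdr++ }
        END { printf "map=%d rdr=%d\n", map, rdr }
    '
}

# Constructed sample, modelled on the ipnat -l output quoted in the post.
SAMPLE_IPNAT_L='List of active MAP/Redirect filters:
map e1000g0 from 10.0.0.0/24 to any -> 1.2.3.4/32
rdr e1000g0 from any to 1.2.3.4/32 port = 23456 -> 10.0.0.2 port 23456 tcp

List of active sessions:
RDR 10.0.0.2        23456 <- -> 1.2.3.4     23456 [1.2.3.5 50249]'

case "${1:-}" in
    show)  setup_network; enable_routing_and_nat ;;
    apply) DRY_RUN=0; setup_network; enable_routing_and_nat ;;
    check) nat_session_counts ;;   # usage: ipnat -l | sh zone-nat.sh check
esac
```

Run it with "show" first to read the exact commands it would issue, and only then with "apply" as root in the global zone. The generated ipf.conf blocks every other inbound service on e1000g0, so add pass rules for anything else the global zone serves on its public address (and confirm GZ_SSH_PORT is really your sshd port) before applying, or you will lock yourself out. After applying, open one outbound connection from inside the zone and feed ipnat -l to "check": a healthy setup reports at least one MAP session alongside the RDR ones.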