[OpenIndiana-discuss] container with same ip
Peter Tribble
peter.tribble at gmail.com
Thu Nov 16 23:02:51 UTC 2023
On Thu, Nov 16, 2023 at 10:45 PM Goetz T. Fischer <g.fischer at r-a-c.de>
wrote:
> The zone seems fine now but NAT is not working at all. I tried a bunch of
> examples from whatever docs I could find but no luck.
Have you enabled ipv4 forwarding in the global zone? Something like
routeadm -e ipv4-forwarding
(It turns out that there are so many ways to configure ipv4 forwarding -
routeadm as above, ipadm set-prop,
or ipadm set-ifprop on a per-interface basis.)
> I did the following on the host (global zone):
>
> dladm create-etherstub etherstub0
> dladm create-vnic -l etherstub0 gvnic1
> ipadm create-ip gvnic1
> ipadm create-addr -T static -a 10.0.0.1/24 gvnic1/v4
> dladm create-vnic -l etherstub0 zvnic1
>
> Then I installed the zone using zvnic1 in its config. I assigned 10.0.0.2
> and set the gateway to 10.0.0.1. For testing I changed the zone's sshd port
> to 23456 and I can reach that from the global zone. So far so good.
>
> Now it would be time for NAT and the redirections. e1000g0 is my real NIC
> and just for this example let's say its IP is 1.2.3.4.
> I added the following to ipnat.conf:
>
> map e1000g0 from 10.0.0.0/24 to any -> 1.2.3.4
> rdr e1000g0 from any to any port = 23456 -> 10.0.0.2 port 23456
>
> When I try to connect to 1.2.3.4 on port 23456 from the outside
> (foreign/outside IP 1.2.3.5) I get a connection but nothing happens.
> ipnat -l shows:
>
> List of active MAP/Redirect filters:
> map e1000g0 from 10.0.0.0/24 to any -> 1.2.3.4/32
> rdr e1000g0 from any to 1.2.3.4/32 port = 23456 -> 10.0.0.2 port 23456 tcp
>
> List of active sessions:
> RDR 10.0.0.2 23456 <- -> 1.2.3.4 23456 [1.2.3.5 50249]
>
>
> When I try to reach the internet from inside the zone I get nothing
> either. So it seems the redirect works but NAT does not.
> Once more, any help would be very welcome ...
>
>
> On Wed, 15 Nov 2023 17:50:52 +0000, Peter Tribble wrote:
> > The way I do this (on OmniOS and Tribblix, but conceptually it's the same
> > on all Solaris/illumos
> > variants):
> >
> > 1. Create an etherstub
> >
> > 2. In the global zone, create a vnic over that etherstub, and then give
> > it an address eg 10.0.0.1
> >
> > 3. For each zone, create a vnic over that etherstub, and assign the vnic
> > to that zone as an exclusive-ip device (so the addresses will be 10.0.0.2,
> > 10.0.0.3 etc)
> >
> > 4. Run haproxy or nginx (or something similar, whatever you're familiar
> > with) in the global zone as
> > a reverse proxy so it's listening on the system's main IP address, and
> > proxies the traffic to the zone(s).
> > This can be name-based websites (either from the host header for http or
> > SNI for https), or port-based
> > for things that can't handle routing based on names (eg ssh).
> >
> > 5. If you want to get out of the zone, set up simple nat in the global
> > zone and have each zone point its default router at the global zone's
> > address on the etherstub. But if you don't want the zones to be able to
> > escape, don't handle nat. (In that case you might want a local dns server
> > or forward proxy if you need to handle outbound requests.)
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>
--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
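The whole global-zone recipe from this thread in one place, with the forwarding step Peter asks about included, as an added example; this is not code posted by either participant. The link, vnic, interface, address and port names are the ones used above; the zone name `zone1`, the `/etc/ipf/ipnat.conf` path and the `routeadm -p` output shape that `forwarding_is_on` parses are assumptions. The illumos commands only run when the script is invoked with `apply` or `check`; `ipnat_rules` and `forwarding_is_on` are pure shell so they can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Names follow the thread
# (etherstub0, gvnic1, zvnic1, e1000g0, 10.0.0.0/24, 1.2.3.4, port 23456);
# the zone name and the ipnat.conf path are assumptions.
ZONE=zone1
ZONE_NET=10.0.0.0/24
GW_IP=10.0.0.1
ZONE_IP=10.0.0.2
EXT_IF=e1000g0
EXT_IP=1.2.3.4
SSH_PORT=23456
IPNAT_CONF=/etc/ipf/ipnat.conf

# 1. Etherstub, one vnic for the global zone (the zones' gateway) and one
#    vnic per zone, handed to the zone as an exclusive-ip device.
setup_links() {
  dladm create-etherstub etherstub0
  dladm create-vnic -l etherstub0 gvnic1
  ipadm create-ip gvnic1
  ipadm create-addr -T static -a "${GW_IP}/24" gvnic1/v4
  dladm create-vnic -l etherstub0 zvnic1
  zonecfg -z "$ZONE" "set ip-type=exclusive; add net; set physical=zvnic1; end"
}

# 2. The step that makes NAT do anything: the global zone must forward
#    between gvnic1 and e1000g0. Without it the rdr session is created
#    (ipnat -l shows it) but the redirected packets are never delivered to
#    10.0.0.2, and the zone's outbound packets are dropped the same way.
enable_forwarding() {
  routeadm -e ipv4-forwarding
  routeadm -u                       # apply the change to the running system
  # Tighter alternative: forward only on the two interfaces involved.
  # ipadm set-ifprop -p forwarding=on -m ipv4 gvnic1
  # ipadm set-ifprop -p forwarding=on -m ipv4 "$EXT_IF"
}

# Render the ipnat.conf rules: the thread's map and rdr written in the
# address/port form, plus an explicit portmap line so that several zone
# hosts can share the one external address for TCP/UDP.
ipnat_rules() {
  printf 'map %s %s -> %s/32 portmap tcp/udp auto\n' "$EXT_IF" "$ZONE_NET" "$EXT_IP"
  printf 'map %s %s -> %s/32\n' "$EXT_IF" "$ZONE_NET" "$EXT_IP"
  printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
    "$EXT_IF" "$EXT_IP" "$SSH_PORT" "$ZONE_IP" "$SSH_PORT"
}

# 3. Install the rules, make sure ipfilter is running, and load them
#    (-C clears the rule list, -F flushes active sessions, -f reads the file).
setup_nat() {
  ipnat_rules > "$IPNAT_CONF"
  svcadm enable network/ipfilter
  ipnat -CF -f "$IPNAT_CONF"
  ipnat -l
}

# Parse one line of 'routeadm -p ipv4-forwarding' (assumed to look like
# "ipv4-forwarding persistent=... current=...") and report the running
# value. Returns 0 when current=enabled, 1 otherwise.
forwarding_is_on() {
  case "$1" in
    *current=enabled*) return 0 ;;
    *) return 1 ;;
  esac
}

# First thing to check when the rdr session appears but nothing flows.
check_forwarding() {
  line=$(routeadm -p ipv4-forwarding 2>/dev/null) || {
    echo "routeadm not available on this host"
    return 2
  }
  if forwarding_is_on "$line"; then
    echo "ipv4 forwarding: enabled"
    return 0
  fi
  echo "ipv4 forwarding: DISABLED - run: routeadm -e ipv4-forwarding && routeadm -u"
  return 1
}

case "${1:-}" in
  apply) setup_links; enable_forwarding; setup_nat ;;
  check) check_forwarding ;;
  rules) ipnat_rules ;;
esac
```

Run it as `sh setup.sh check` first and `sh setup.sh apply` once. Note what `routeadm -e ipv4-forwarding` does: the global zone now routes between every interface it has, not just between gvnic1 and e1000g0, so the per-interface `ipadm set-ifprop` form is the least-privilege choice when the host has other interfaces, and whatever is in `/etc/ipf/ipf.conf` decides what may actually be forwarded. The `rdr` line also exposes the zone's sshd on the host's public address, which is exactly the reverse-proxy-style exposure the earlier message describes; make sure the ipf policy for port 23456 on e1000g0 is what you intend before loading it.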