OpenIndiana zone with NAT

And here's a config for an OpenSolaris zone configured with NAT. Again, it's here so I can remember it myself. I haven't tested port forwarding (yet), but theoretically it should be like this.

/etc/ipf/ipnat.conf (same file as the map rules further down):
# TCP 2222 on the external NIC -> sshd in the zone; 192.168.1.2 is the zone's vnic1 address (see its netstat -nr below), while 192.168.1.1 is the global zone's own vnic0, so redirecting there would reach the host's sshd instead
rdr e1000g0 0.0.0.0/0 port 2222 -> 192.168.1.2 port 22 tcp

Network:

✓|725M|[kevin@tilab-oi-5 ~]$ pfexec dladm create-etherstub vswitch0
✓|725M|[kevin@tilab-oi-5 ~]$ pfexec dladm create-vnic -l vswitch0 vnic1
✓|725M|[kevin@tilab-oi-5 ~]$ pfexec dladm create-vnic -l vswitch0 vnic0
✓|725M|[kevin@tilab-oi-5 ~]$ dladm show-etherstub
LINK
vswitch0
✓|725M|[kevin@tilab-oi-5 ~]$ dladm show-vnic
LINK         OVER         SPEED  MACADDRESS        MACADDRTYPE         VID
vnic0        vswitch0     0      2:8:20:6f:d3:6c   random              0
vnic1        vswitch0     0      2:8:20:ba:15:5a   random              0
✓|725M|[kevin@tilab-oi-5 ~]$ pfexec ifconfig vnic0 plumb
✓|725M|[kevin@tilab-oi-5 ~]$ pfexec ifconfig vnic0 inet 192.168.1.1 up
✓|725M|[kevin@tilab-oi-5 ~]$ ifconfig vnic0
vnic0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 9000 index 4
	inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
✓|725M|[kevin@tilab-oi-5 ~]$ cat /etc/hostname.vnic0
192.168.1.1
✓|725M|[kevin@tilab-oi-5 ~]$ pfexec routeadm -u -e ipv4-forwarding
✓|725M|[kevin@tilab-oi-5 ~]$ routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

Routing daemons:

                      STATE   FMRI
                   disabled   svc:/network/routing/route:default
                   disabled   svc:/network/routing/rdisc:default
                   disabled   svc:/network/routing/legacy-routing:ipv4
                   disabled   svc:/network/routing/legacy-routing:ipv6
                   disabled   svc:/network/routing/ripng:default
                     online   svc:/network/routing/ndp:default
✓|725M|[kevin@tilab-oi-5 ~]$ cat /etc/ipf/ipnat.conf
map e1000g0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.1.0/24 -> 0/32
✓|725M|[kevin@tilab-oi-5 ~]$ pfexec svcadm enable network/ipfilter
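The following is an added example, not part of the original post: a small POSIX sh script that generates the complete /etc/ipf/ipnat.conf for the setup above (the two map rules plus the rdr port forward from the top of the page) and checks the redirect target before printing anything. The check exists because the forward target must be the zone's address on the etherstub, not the global zone's own vnic0 address; pointing the rdr at 192.168.1.1 would expose the host's sshd on port 2222 instead of the zone's. Assumed values (taken from the transcripts, but hypothetical for your system): e1000g0 is the external NIC, 192.168.1.0/24 is the etherstub network, 192.168.1.1 is vnic0 in the global zone and 192.168.1.2 is vnic1 inside the zone. The /24 subnet check is hard-wired to the netmask used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/ipf/ipnat.conf for the
# etherstub/vnic NAT setup and sanity-check the rdr target first.
# Assumed (hypothetical) values: e1000g0 = external NIC, 192.168.1.1 = global
# zone's vnic0, 192.168.1.2 = the zone's vnic1 (as shown by netstat -nr in the zone).

# ipv4_ok ADDR -> 0 when ADDR is exactly four dotted decimal octets in 0..255
ipv4_ok() {
  old_ifs=$IFS; IFS=.
  set -- $1          # split the address on '.' into positional parameters
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# same_net24 A B -> 0 when A and B share the first three octets (the /24 used here)
same_net24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# check_rdr GATEWAY_IP TARGET_IP
#   1: malformed address   2: target is the global zone itself   3: target off-subnet
check_rdr() {
  ipv4_ok "$1" && ipv4_ok "$2" || return 1
  [ "$2" != "$1" ] || return 2
  same_net24 "$1" "$2" || return 3
  return 0
}

# gen_ipnat_conf EXT_IF LAN_CIDR GATEWAY_IP ZONE_IP EXT_PORT ZONE_PORT
# Prints the ipnat.conf on stdout; fails (prints nothing) when the rdr target is wrong.
gen_ipnat_conf() {
  check_rdr "$3" "$4" || return $?
  printf '# outbound NAT for the etherstub network behind %s\n' "$1"
  printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$1" "$2"
  printf 'map %s %s -> 0/32\n' "$1" "$2"
  printf '# inbound: external TCP port %s -> port %s in the zone at %s\n' "$5" "$6" "$4"
  printf 'rdr %s 0.0.0.0/0 port %s -> %s port %s tcp\n' "$1" "$5" "$4" "$6"
}

# Dry run with the page's addresses. To install: redirect the output into
# /etc/ipf/ipnat.conf (pfexec) and reload with `pfexec ipnat -CF -f /etc/ipf/ipnat.conf`.
gen_ipnat_conf e1000g0 192.168.1.0/24 192.168.1.1 192.168.1.2 2222 22
```

Note that ipnat.conf only does translation. Packet filtering lives in /etc/ipf/ipf.conf, which this setup leaves empty, so enabling network/ipfilter here passes everything and only the rdr line decides what from the outside can reach the zone.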

Zonecfg:

✓|630M|[kevin@iusaaset ~]$ pfexec zfs create -o compression=gzip-5 rpool/export/zones
✓|630M|[kevin@iusaaset ~]$ pfexec zfs set mountpoint=/zones rpool/export/zones
✓|630M|[kevin@iusaaset ~]$ pfexec zonecfg -z deadbeef
deadbeef: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:deadbeef> create
zonecfg:deadbeef> set zonepath=/zones/deadbeef
zonecfg:deadbeef> set autoboot=false
zonecfg:deadbeef> set ip-type=exclusive
zonecfg:deadbeef> add net
zonecfg:deadbeef:net> set physical=vnic1
zonecfg:deadbeef:net> end
zonecfg:deadbeef> verify
zonecfg:deadbeef> commit
zonecfg:deadbeef> exit
✓|630M|[kevin@iusaaset ~]$ pfexec zoneadm -z deadbeef install
[...]
✓|630M|[kevin@iusaaset ~]$ pfexec zoneadm -z deadbeef boot
✓|630M|[kevin@iusaaset ~]$ zlogin -C deadbeef

By default, there was a missing route in my zone:

root@deadbeef:~# netstat -nr

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
127.0.0.1            127.0.0.1            UH        2         48 lo0
192.168.1.0          192.168.1.2          U         3         57 vnic1

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------- -------------------- ----- --- ------- -----
::1       ::1                         UH      2       0      lo0
root@deadbeef:~# route
usage: route [ -fnpqv ] [ -R <root-dir> ] cmd [[ -<qualifiers> ] args ]
root@deadbeef:~# man route
No manual entry for route.
root@deadbeef:~# route add 0.0.0.0/0 192.168.1.1
add net 0.0.0.0/0: gateway 192.168.1.1
root@deadbeef:~# route
usage: route [ -fnpqv ] [ -R <root-dir> ] cmd [[ -<qualifiers> ] args ]
root@deadbeef:~# netstat -nr

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.1.1          UG        1          0
127.0.0.1            127.0.0.1            UH        2         48 lo0
192.168.1.0          192.168.1.2          U         3         57 vnic1     

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------- -------------------- ----- --- ------- -----
::1       ::1                         UH      2       0      lo0

If I want to see the current connections, I can do the following:

✓|725M|[kevin@tilab-oi-5 ~]$ pfexec ipnat -l
List of active MAP/Redirect filters:
map e1000g0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map e1000g0 192.168.1.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 192.168.1.2     61258 <- -> 145.24.159.200  1550  [145.24.222.162 22]