LinuxQuestions.org

Solaris / OpenSolaris: Masquerade (https://www.linuxquestions.org/questions/solaris-opensolaris-20/masquerade-4175574335/)

shachter 03-08-2016 02:45 PM

Masquerade
This should be a simple and short thread.

How do I configure packet filter on my Solaris 11
computer, with two network interfaces, to masquerade
from my private LAN to the outside world, so machines
on my private LAN can have conversations with machines
that have public IP addresses? I believe I've already
done this on OpenIndiana, but my OpenIndiana system
is not presently available to me. Astonishingly,
search engines have not led me swiftly to the solution
(lots of stuff about sendmail masquerading though,
in case anyone cares about that), nor can I find
helpful documentation on the Oracle documents website.

You can omit telling me about routeadm, I've already
done that (Oracle seems intent on making "ndd /dev/ip"
-- or, in fact, ndd anything -- obsolete, I don't know
why, inasmuch as learning one flexible command strikes
me as a lot easier than learning a half-dozen different
commands, but I digress). The computer is already set
up to route IP datagrams, I just need to get the
packet filtering right. As I indicated, it is probably an
extremely easy question to answer if you know the
answer. Thank you in advance for any and all replies.

Jay F. Shachter
jay at m5 dot chicago dot il dot us

jlliagre 03-08-2016 03:58 PM

Searching for "masquerading" doesn't help because that's mostly Linux jargon. Solaris uses ipfilter, where this technique goes by the traditional NAT acronym.

I guess you will find what you are looking for in the ipnat manual page and the admin guide.

shachter 03-08-2016 10:59 PM

I have done my best to read the fabulous manual, but I am confused.
I cannot tell from the documents to which you have directed me,
how to do the very simple thing that I want to do. I have a
computer with two Ethernet cards, net0 and net1. Net0 receives
a DHCP address from my DSL modem, and faces the Internet; net1
is statically configured 172.16.1.1, and faces a private 172.16.0.0/16
network. I want to be able to login to a computer on my private
network, and do, e.g., "ping google.com" or "nslookup att.com 8.8.8.8".
What specifically do I have to do, to render possible that very
simple thing? I have already done "routeadm -e ipv4-forwarding"
so you can pick up the story from there. I believe that I have
to create an ipnat.conf file in some directory, and add a few
simple lines to it, but I cannot tell from reading the documents
to which you referred me, what are those few simple lines that I
have to add.

jlliagre 03-09-2016 01:36 AM

I have never configured NAT, but I would start with something like this:

Code:

echo "map net1 172.16.0.0/16 -> 0.0.0.0/32" > /etc/ipf/ipnat.conf
ipnat /etc/ipf/ipnat.conf
svcadm enable ipfilter

Not sure if the 0.0.0.0 will pick up the DHCP-configured IP; maybe the actual address is expected here.

shachter 03-09-2016 06:56 PM

When I did exactly as you requested, I was unable to ssh
from my Internet-facing router to the machine on my private
network.

I disabled ipfilter, and now I can ssh, but I am back to
where I was before.

shachter 03-09-2016 07:50 PM

Update: The ipnat command needs a -f option.
But I am still unable to access the outside world from the machines
on my private LAN. Here are the relevant facts:

/ # ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/dhcp dhcp ok **.**.**.**/30
net1/v4 static ok 192.168.1.42/24
net1/v4a static ok 172.16.1.1/16
lo0/v6 static ok ::1/128
/ # ndd -get /dev/ip ip_forwarding
1
/ # cat /etc/ipf/ipnat.conf
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32
/ # ipnat -l
List of active MAP/Redirect filters:
rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 56138]
MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 61524]
MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 55160]
MAP 172.16.1.1 64496 <- -> 192.168.1.42 64496 [172.16.1.3 22]

What am I doing wrong? As always, thank you in advance for any and all replies.

jlliagre 03-10-2016 02:34 AM

Did you try replacing the 0.0.0.0 in the map rule with the DHCP-supplied address?

shachter 03-10-2016 10:42 AM

The problem is solved. Replacing 0 with the actual DHCP address was
not necessary (and, in fact, would have been impractical, as the DHCP
address changes frequently, and without warning). Here is my new,
working, ipnat.conf file:

map net0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto
map net0 172.16.0.0/16 -> 0/32
map net0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map net0 192.168.1.0/24 -> 0/32

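The working configuration above binds the map rules to net0, the Internet-facing interface, whereas the earlier attempt bound them to net1, the LAN side, which is why the active sessions were being translated to 192.168.1.42 instead of the DHCP address. The following is an added example, not code from the thread or from the ipfilter project: a small POSIX sh script that generates an ipnat.conf in the shape shachter ended up with and lints a candidate file for map rules not bound to the outside interface. The function names are this example's own; the interface names and networks are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate and lint an ipfilter
# ipnat.conf for Solaris 11 NAT with a DHCP-assigned outside address.
# Function names are this example's own; net0/net1 and the networks
# are the values shachter posted.

# gen_ipnat_conf EXT_IF NET [NET...]
# Emit map rules bound to the *outside* interface. "0/32" tells ipnat to
# use whatever address that interface currently holds, so a changing DHCP
# lease never requires editing the file. The portmap rule rewrites source
# ports for tcp/udp so two LAN hosts using the same port do not collide;
# the bare map rule after it catches everything else (e.g. ICMP for ping).
gen_ipnat_conf() {
    ext_if=$1; shift
    for net in "$@"; do
        printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$ext_if" "$net"
        printf 'map %s %s -> 0/32\n' "$ext_if" "$net"
    done
}

# lint_ipnat_conf EXT_IF FILE
# Return 0 if every map rule in FILE names EXT_IF, 1 otherwise (offending
# rules go to stderr). A map rule on the inside interface makes ipnat
# rewrite LAN traffic to that interface's own address; the
# "MAP 172.16.1.1 ... <- -> 192.168.1.42" sessions in the thread are
# exactly that symptom, and nothing ever leaves towards the Internet.
lint_ipnat_conf() {
    ext_if=$1; file=$2
    offending=$(awk -v ext="$ext_if" '$1 == "map" && $2 != ext' "$file")
    if [ -n "$offending" ]; then
        printf 'map rule(s) not bound to outside interface %s:\n%s\n' \
            "$ext_if" "$offending" >&2
        return 1
    fi
    return 0
}

# Demonstration with the two configurations from the thread
# (constructed files; nothing is written under /etc here).
good_conf=$(mktemp); bad_conf=$(mktemp)
gen_ipnat_conf net0 172.16.0.0/16 192.168.1.0/24 > "$good_conf"
printf 'map net1 172.16.0.0/16 -> 0.0.0.0/32\nmap net1 192.168.1.0/24 -> 0.0.0.0/32\n' > "$bad_conf"
lint_ipnat_conf net0 "$good_conf" && echo "generated config OK"
lint_ipnat_conf net0 "$bad_conf" 2>/dev/null || echo "first attempt rejected (map rules on net1)"
rm -f "$good_conf" "$bad_conf"
```

On the Solaris box itself, the generated rules go into /etc/ipf/ipnat.conf and are loaded with `ipnat -CF -f /etc/ipf/ipnat.conf` (`-C` clears the rule list, `-F` flushes active sessions, `-f` reads the file; omitting `-f`, as in the first attempt, is an error). ipnat only translates; whether packets are permitted at all is decided by the rules in /etc/ipf/ipf.conf, so before `svcadm enable ipfilter` check that that file passes the traffic you rely on, since the thread's first attempt lost ssh access to the LAN host as soon as the service came up.
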
jlliagre 03-10-2016 01:33 PM

Thanks for the feedback!
