Masquerade
This should be a simple and short thread.
How do I configure packet filter on my Solaris 11 computer, with two network interfaces, to masquerade from my private LAN to the outside world, so machines on my private LAN can have conversations with machines that have public IP addresses? I believe I've already done this on OpenIndiana, but my OpenIndiana system is not presently available to me. Astonishingly, search engines have not led me swiftly to the solution (lots of stuff about sendmail masquerading though, in case anyone cares about that), nor can I find helpful documentation on the Oracle documents website. You can omit telling me about routeadm, I've already done that (Oracle seems intent on making "ndd /dev/ip" -- or, in fact, ndd anything -- obsolete, I don't know why, inasmuch as learning one flexible command strikes me as a lot easier than learning a half-dozen different commands, but I digress). The computer is already set up to route IP datagrams, I just need to get the packet filtering right. As I indicated, probably an extremely easy question to answer if you know the answer. Thank you in advance for any and all replies. Jay F. Shachter jay at m5 dot chicago dot il dot us |
Searching for "masquerading" doesn't help because that's mostly Linux jargon. Solaris uses ipfilter, where this technique goes by the traditional acronym NAT.
I guess you'll find what you are looking for in the ipnat manual page and the admin guide. |
I have done my best to read the fabulous manual, but I am confused.
I cannot tell from the documents to which you have directed me how to do the very simple thing that I want to do. I have a computer with two Ethernet cards, net0 and net1. net0 receives a DHCP address from my DSL modem and faces the Internet; net1 is statically configured as 172.16.1.1 and faces a private 172.16.0.0/16 network. I want to be able to log in to a computer on my private network and do, e.g., "ping google.com" or "nslookup att.com 8.8.8.8". What specifically do I have to do to make that very simple thing possible? I have already done "routeadm -e ipv4-forwarding", so you can pick up the story from there. I believe that I have to create an ipnat.conf file in some directory and add a few simple lines to it, but I cannot tell from reading the documents to which you referred me what those few simple lines are that I have to add. |
I never configured NAT, but I would start with something like this:
Code:
echo "map net1 172.16.0.0/16 -> 0.0.0.0/32" > /etc/ipf/ipnat.conf |
When I did exactly as you requested, I was unable to ssh from my Internet-facing router to the machine on my private network. I disabled ipfilter, and now I can ssh, but I am back to where I was before. |
Update: The ipnat command needs a -f option.
But I am still unable to access the outside world from the machines on my private LAN. Here are the relevant facts:
Code:
/ # ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/dhcp         dhcp     ok           **.**.**.**/30
net1/v4           static   ok           192.168.1.42/24
net1/v4a          static   ok           172.16.1.1/16
lo0/v6            static   ok           ::1/128
/ # ndd -get /dev/ip ip_forwarding
1
/ # cat /etc/ipf/ipnat.conf
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32
/ # ipnat -l
List of active MAP/Redirect filters:
rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 172.16.1.1     53    <- -> 192.168.1.42   53    [172.16.1.3 56138]
MAP 172.16.1.1     53    <- -> 192.168.1.42   53    [172.16.1.3 61524]
MAP 172.16.1.1     53    <- -> 192.168.1.42   53    [172.16.1.3 55160]
MAP 172.16.1.1     64496 <- -> 192.168.1.42   64496 [172.16.1.3 22]
What am I doing wrong? As always, thank you in advance for any and all replies. |
Did you try replacing 0.0.0.0 in the map rule with the DHCP-supplied address? |
The problem is solved. Replacing 0 with the actual DHCP address was not necessary (and, in fact, would have been impractical, as the DHCP address changes frequently, and without warning). Here is my new, working, ipnat.conf file:
Code:
map net0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto
map net0 172.16.0.0/16 -> 0/32
map net0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map net0 192.168.1.0/24 -> 0/32 |
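Why the final file works and the first attempt did not: ipnat rewrites the source address as a packet leaves the named interface, so map rules belong on the outside interface (net0). With "map net1 ..." the earlier ipnat -l output shows exactly that going wrong: sessions were mapped to net1's own address 192.168.1.42 and never reached net0. Two further points a practitioner would want here: "0/32" means "whatever address the interface has right now", so a changing DHCP lease needs no edit; and ipnat.conf only translates, it does not filter, and ipfilter passes any packet no rule matches, so with an empty ipf.conf the router accepts whatever the modem forwards to net0. The script below is an added example, not something posted in this thread: it generates the ipnat.conf shown above for one or more LAN prefixes, adds a minimal default-deny ipf.conf for net0, and applies both with the commands and paths from Oracle's ipfilter administration guide (routeadm, svcadm, ipf -Fa -f, ipnat -CF -f). The interface names net0/net1 and the 172.16.0.0/16 and 192.168.1.0/24 prefixes are taken from the thread; running the apply step only when the script is invoked with the argument apply is an assumption of this example.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script): build the
# ipnat.conf shown above plus a minimal ipf.conf, and apply both on Solaris 11.
# Assumptions: net0 is the DHCP/outside interface, net1 the LAN side; the
# ipfilter commands and paths are those in Oracle's ipfilter admin guide.

EXT_IF=net0
INT_IF=net1

# NAT rules. They go on the OUTSIDE interface: ipnat rewrites the source
# address as the packet leaves that interface, which is why "map net1 ..."
# earlier in the thread only produced sessions mapped to net1's own address.
# "0/32" means "use the address net0 has right now", so a changing DHCP lease
# needs no edit. The portmap rule covers tcp/udp; the plain rule after it
# handles everything else (icmp, so ping from the LAN works).
gen_ipnat_conf() {
    ext=$1; shift
    for net in "$@"; do
        printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$ext" "$net"
        printf 'map %s %s -> 0/32\n' "$ext" "$net"
    done
}

# Filter rules. NAT alone filters nothing, and ipfilter passes a packet no
# rule matches, so without this the router accepts anything the modem
# forwards to net0. Policy: the LAN may go anywhere, state tracks the
# replies, DHCP server replies to net0 are allowed (the lease renewal must
# keep working), everything else arriving on net0 is dropped and logged.
gen_ipf_conf() {
    ext=$1; int=$2; shift 2
    printf 'pass in quick on lo0 all\n'
    printf 'pass out quick on lo0 all\n'
    for net in "$@"; do
        printf 'pass in quick on %s from %s to any keep state\n' "$int" "$net"
    done
    # router-originated and NAT'd traffic leaving net0; replies match the state
    printf 'pass out quick on %s all keep state\n' "$ext"
    # DHCP server -> client replies for net0's lease
    printf 'pass in quick on %s proto udp from any port = 67 to any port = 68\n' "$ext"
    printf 'block in log quick on %s all\n' "$ext"
}

# Apply: enable forwarding, write both files, (re)load them into the running
# ipfilter instance. Run as root; only executed when invoked as "apply".
apply_nat() {
    routeadm -e ipv4-forwarding && routeadm -u
    gen_ipnat_conf "$EXT_IF" "$@" > /etc/ipf/ipnat.conf
    gen_ipf_conf "$EXT_IF" "$INT_IF" "$@" > /etc/ipf/ipf.conf
    svcadm enable svc:/network/ipfilter:default
    ipf -Fa -f /etc/ipf/ipf.conf      # flush and load filter rules
    ipnat -CF -f /etc/ipf/ipnat.conf  # flush rules and sessions, load NAT rules
    ipnat -l                          # check: map rules are now listed on net0
}

if [ "${1:-}" = apply ]; then
    apply_nat 172.16.0.0/16 192.168.1.0/24
fi
```

After applying, "ipnat -l" should list the map rules on net0, and the active sessions should show LAN addresses being mapped to net0's current DHCP address rather than to 192.168.1.42. If ssh from the router into the LAN stops working again, check "ipfstat -io" and the log for the "block in log quick on net0" rule before touching the NAT rules; the NAT rules on net0 do not affect traffic between net1 and the LAN.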
Thanks for the feedback! |