LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > Solaris / OpenSolaris
Post #1, 03-08-2016, 02:45 PM, shachter (Member)
Masquerade


This should be a simple and short thread.

How do I configure packet filter on my Solaris 11 computer, with two network interfaces, to masquerade from my private LAN to the outside world, so machines on my private LAN can have conversations with machines that have public IP addresses? I believe I've already done this on OpenIndiana, but my OpenIndiana system is not presently available to me. Astonishingly, search engines have not led me swiftly to the solution (lots of stuff about sendmail masquerading though, in case anyone cares about that), nor can I find helpful documentation on the Oracle documents website.

You can omit telling me about routeadm; I've already done that (Oracle seems intent on making "ndd /dev/ip" -- or, in fact, ndd anything -- obsolete, I don't know why, inasmuch as learning one flexible command strikes me as a lot easier than learning a half-dozen different commands, but I digress). The computer is already set up to route IP datagrams; I just need to get the packet filtering right. As I indicated, probably an extremely easy question to answer if you know the answer. Thank you in advance for any and all replies.

Jay F. Shachter
jay at m5 dot chicago dot il dot us
 
Post #2, 03-08-2016, 03:58 PM, jlliagre (Moderator)
Searching "masquerading" doesn't help because that's more Linux jargon. Solaris uses ipfilter, where this technique is referred to by the traditional NAT acronym.

I guess you'll get what you are looking for in the ipnat manual page and the admin guide.
 
Post #3, 03-08-2016, 10:59 PM, shachter (Original Poster)
I have done my best to read the fabulous manual, but I am confused. I cannot tell from the documents to which you have directed me how to do the very simple thing that I want to do. I have a computer with two Ethernet cards, net0 and net1. Net0 receives a DHCP address from my DSL modem and faces the Internet; net1 is statically configured 172.16.1.1 and faces a private 172.16.0.0/16 network. I want to be able to log in to a computer on my private network and do, e.g., "ping google.com" or "nslookup att.com 8.8.8.8". What specifically do I have to do to render possible that very simple thing? I have already done "routeadm -e ipv4-forwarding", so you can pick up the story from there. I believe that I have to create an ipnat.conf file in some directory and add a few simple lines to it, but I cannot tell from reading the documents to which you referred me what those few simple lines are that I have to add.
 
Post #4, 03-09-2016, 01:36 AM, jlliagre (Moderator)
I have never configured NAT, but I would start with something like this:

Code:
echo "map net1 172.16.0.0/16 -> 0.0.0.0/32" > /etc/ipf/ipnat.conf
ipnat /etc/ipf/ipnat.conf
svcadm enable ipfilter
Not sure whether 0.0.0.0 will pick up the DHCP-configured IP; maybe the actual address is expected here.
 
Post #5, 03-09-2016, 06:56 PM, shachter (Original Poster)
When I did exactly as you requested, I was unable to ssh from my Internet-facing router to the machine on my private network.

I disabled ipfilter, and now I can ssh, but I am back to where I was before.
 
Post #6, 03-09-2016, 07:50 PM, shachter (Original Poster)
Update: The ipnat command needs a -f option.
But I am still unable to access the outside world from the machines on my private LAN. Here are the relevant facts:

/ # ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/dhcp dhcp ok **.**.**.**/30
net1/v4 static ok 192.168.1.42/24
net1/v4a static ok 172.16.1.1/16
lo0/v6 static ok ::1/128
/ # ndd -get /dev/ip ip_forwarding
1
/ # cat /etc/ipf/ipnat.conf
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32
/ # ipnat -l
List of active MAP/Redirect filters:
rdr * 0.0.0.0/0 port 21 -> 0.0.0.0/32 port 21 tcp proxy ftp
map net1 172.16.0.0/16 -> 0.0.0.0/32
map net1 192.168.1.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 56138]
MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 61524]
MAP 172.16.1.1 53 <- -> 192.168.1.42 53 [172.16.1.3 55160]
MAP 172.16.1.1 64496 <- -> 192.168.1.42 64496 [172.16.1.3 22]

What am I doing wrong? As always, thank you in advance for any and all replies.

Last edited by jlliagre; 03-10-2016 at 02:28 AM. Reason: public address sanitized
 
Post #7, 03-10-2016, 02:34 AM, jlliagre (Moderator)
Did you try replacing 0.0.0.0 in the map rule with the DHCP-supplied address?
 
Post #8, 03-10-2016, 10:42 AM, shachter (Original Poster)
The problem is solved. Replacing 0 with the actual DHCP address was not necessary (and, in fact, would have been impractical, as the DHCP address changes frequently, and without warning). Here is my new, working, ipnat.conf file:

map net0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto
map net0 172.16.0.0/16 -> 0/32
map net0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map net0 192.168.1.0/24 -> 0/32
 
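A small checker for the two things that went wrong in this thread, added here as an example (not code posted by either participant): it parses ipnat.conf map rules and flags a rule that names the inside interface instead of the outbound one, and a portmap rule placed after the catch-all rule for the same network. The external interface name net0 and the two sample configurations are taken from the thread.

```python
import re
# Added example (not from the thread): lint ipnat.conf 'map' rules. A map rule
# translates packets *leaving* the named interface, so it must name the
# Internet-facing one (net0 here, assumed from the thread), and ipnat map rules
# are first-match, so a portmap rule must precede the catch-all for that network.
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>\S+)\s+(?P<ports>\S+))?\s*$"
)

def parse_map_rules(text):
    """Return one dict per 'map' rule; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("map "):
            continue
        m = MAP_RE.match(line)
        if m is None:
            raise ValueError("unparsed map rule: %r" % line)
        rules.append(m.groupdict())
    return rules

def lint(text, external_if):
    # Returns a list of problem strings; an empty list means the rules look sane.
    problems = []
    seen_catchall = set()
    for r in parse_map_rules(text):
        if r["ifname"] != external_if:
            problems.append("rule for %s NATs on %s, not the outbound interface %s"
                            % (r["src"], r["ifname"], external_if))
        key = (r["ifname"], r["src"])
        if r["proto"] is None:
            seen_catchall.add(key)
        elif key in seen_catchall:
            problems.append("portmap rule for %s comes after its catch-all; "
                            "first match wins so it is never used" % r["src"])
    return problems

# Constructed samples: the non-working config from post #6 and the working one
# from post #8. 0/32 and 0.0.0.0/32 both mean "the interface's current address".
BROKEN = ("map net1 172.16.0.0/16 -> 0.0.0.0/32\n"
          "map net1 192.168.1.0/24 -> 0.0.0.0/32\n")
WORKING = ("map net0 172.16.0.0/16 -> 0/32 portmap tcp/udp auto\n"
           "map net0 172.16.0.0/16 -> 0/32\n"
           "map net0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto\n"
           "map net0 192.168.1.0/24 -> 0/32\n")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(name + ":", lint(cfg, "net0") or "ok")
```

The broken config reports both rules as bound to net1, which is exactly what the session list in post #6 shows: traffic was being rewritten to net1's own address 192.168.1.42 rather than to the DHCP address on net0.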
Post #9, 03-10-2016, 01:33 PM, jlliagre (Moderator)
Thanks for the feedback!
 
All times are GMT -5. The time now is 11:47 AM.