Newsgroups: comp.unix.solaris
From: spacegoose <spacego...@gmail.com>
Date: Wed, 5 Mar 2008 11:11:48 -0800 (PST)
Local: Wed, Mar 5 2008 2:11 pm
Subject: Re: Networking in Zones
On Mar 5, 11:15 am, "Daniel Rock" <v200...@deadcafe.de> wrote:

> spacegoose <spacego...@gmail.com> wrote:
> > I have an 08/07 Sol 10 x86 machine with 1 physical NIC and 1 IP
> > address.

> > I have 3 sparse zones with the IPs 192.168.0.10, 192.168.0.20, and
> > 192.168.0.30.
> > I would like to use NAT and IPF to, for example, forward port 2222
> > requests from the public IP to 22 on 192.168.0.10 which is bound as
> > elxl:1; and 3333 to 192.168.0.20, bound to elxl0:2, etc.

> 1. The global zone must also have an address in your private subnet.

> 2. You have to create a fake default route out of your private subnet
>    so the zones can access the internet

> I use names for the following examples:

> fakerouter              dummy IP address of a fake default router in
>                         your subnet
> global                  IP address of global zone in your subnet
> zone1                   IP address of one non-global zone

> They could look like

> 172.16.1.254            fakerouter
> 172.16.1.1              global
> 172.16.1.101            zone1

> The network interface in the following examples will be "bge0". Set
> netmask as required in /etc/inet/netmasks

> (1) setup the global zone. The script should start before starting zones.
>     You can either define a service with proper dependencies or put the
>     script in /etc/rc2.d (zones will start as milestone:multi-user-server
>     which is equivalent to run level 3)

>         #!/sbin/sh
>         iface="bge0"
>         globalname="global"
>         fakerouter="fakerouter"

>         routerip=`netstat -rn | awk '/default/ { print $2 }'`
>         ping $routerip >/dev/null 2>&1
>         routermac=`netstat -pn | nawk '$2 == "'$routerip'" { print $NF }'`
>         ifconfig $iface addif $globalname deprecated netmask + broadcast + up
>         route add default $fakerouter
>         arp -s $fakerouter $routermac
>         /usr/sbin/ipf -y

> This script will get the MAC address of the default router, create a static
> arp entry with the MAC address of the router to "fakerouter" IP address
> and sets a default router from the private net to this router. Then it
> will reload ipfilter rules.

> Change variable names as required.

> You will see two default routes in your global zones, but don't worry - that's
> Ok.

> (2) setup ipfilter/ipnat

> ipf.conf should contain at least the following rules so private addresses
> won't leak out:

>         block out quick on bge0 from any to 10.0.0.0/8
>         block out quick on bge0 from any to 172.16.0.0/12
>         block out quick on bge0 from any to 192.168.0.0/16

>         block in quick on bge0 from 10.0.0.0/8 to any
>         block in quick on bge0 from 172.16.0.0/12 to any
>         block in quick on bge0 from 192.168.0.0/16 to any

> In ipnat.conf you can use the usual redirect rules. Say, zone1 contains a
> mail server:

>         rdr bge0 0/0 port smtp -> zone1 port smtp tcp age 120
>         rdr bge0 0/0 port submission -> zone1 port submission tcp age 120

> And for outgoing traffic

>         map bge0 172.16.0.0/12 -> 0 age 120

> ("age 120" is (was?) needed because of a ipfilter bug introduced in S10U4)

> --
> Daniel

Wow - this seems to work! I already had an interface in the global
zone on the same subnet as the zones (so I could ping them). I halted
a zone, ran the script* and was able to SSH into the redzone on port
2222 from a completely different machine.
By the way, in your ipnat you refer to zone1 with the name instead of the
IP address, does this work? I did not modify my ipf or ipnat .confs
for now, as they were already in place, I will consider rules to
prevent IP address leaking though.

*I did receive an error on running the script, but enough of it seems
to have worked (perhaps all I needed was the additional gateway?):

ifconfig: setifflags: SIOCSLIFFLAGS: elxl0:2: Cannot assign requested
address ???

# zoneadm -z redzone halt
# ./setup
Setting netmask of elxl0 to 255.255.255.128
Created new logical interface elxl0:2
Setting netmask of elxl0:2 to 255.255.255.128
ifconfig: setifflags: SIOCSLIFFLAGS: elxl0:2: Cannot assign requested
address
add net default: gateway 192.168.0.50
filter sync'd
# zoneadm -z redzone boot

I did see two default gateways as you said I would. And redzone could
access the internet, and be accessed via my ipnat and ipf rules (e.g.
port 2222).

Do you know if this is a workaround to what the Exclusive-IP zones do
- with dladm, etc.?

Is this as effective? Any drawbacks to this?

Thanks,
sg
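The leak-prevention and redirect rules quoted above, worked through as an added example (this is not code from either poster). It models just enough of IPFilter's processing order (inbound: ipnat before ipf; outbound: ipf before ipnat; a matching `quick` rule ends the search) to show why the six `block ... quick` lines keep RFC 1918 addresses off the wire while the `rdr` rules still reach the zones. The rdr rules use the ports and zone addresses from the original question; the `/25` follows the `255.255.255.128` netmask in the reply; the public address `203.0.113.1` and the remote hosts are constructed values.

```python
"""Toy evaluator for the ipf.conf / ipnat.conf rules discussed in the thread.

Added example, not the posters' code. Reproduces IPFilter's order of operations
(inbound: NAT then filter; outbound: filter then NAT) for a handful of packets.
"""
import ipaddress
import re
from dataclasses import dataclass, replace

# Anti-leak rules as quoted in the reply.
IPF_CONF = """
block out quick on bge0 from any to 10.0.0.0/8
block out quick on bge0 from any to 172.16.0.0/12
block out quick on bge0 from any to 192.168.0.0/16
block in quick on bge0 from 10.0.0.0/8 to any
block in quick on bge0 from 172.16.0.0/12 to any
block in quick on bge0 from 192.168.0.0/16 to any
"""

# Port forwards from the question (2222 -> .10:22, 3333 -> .20:22) plus the outbound map.
IPNAT_CONF = """
rdr bge0 0/0 port 2222 -> 192.168.0.10 port 22 tcp age 120
rdr bge0 0/0 port 3333 -> 192.168.0.20 port 22 tcp age 120
map bge0 192.168.0.0/25 -> 0 age 120
"""

PUBLIC_IP = ipaddress.ip_address("203.0.113.1")  # constructed: public address on bge0
ANY = ipaddress.ip_network("0.0.0.0/0")

IPF_RE = re.compile(r"^(block|pass)\s+(in|out)\s+(quick\s+)?on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)")
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\S+)")
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)")


def to_net(token):
    """Turn an ipf/ipnat address token into a network; 'any' and '0/0' match everything."""
    if token in ("any", "0/0"):
        return ANY
    return ipaddress.ip_network(token, strict=False)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the interface
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


def parse_ipf(text):
    rules = []
    for line in text.splitlines():
        m = IPF_RE.match(line.strip())
        if m:
            action, direction, quick, iface, src, dst = m.groups()
            rules.append((action, direction, bool(quick), iface, to_net(src), to_net(dst)))
    return rules


def parse_ipnat(text):
    rdr, nat_map = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            iface, dst, port, to, toport, proto = m.groups()
            rdr.append((iface, to_net(dst), int(port), ipaddress.ip_address(to), int(toport), proto))
            continue
        m = MAP_RE.match(line)
        if m:
            iface, src, to = m.groups()
            nat_map.append((iface, to_net(src), to))
    return rdr, nat_map


def filter_verdict(pkt, rules):
    """Last matching rule wins, unless a matching rule is 'quick'; no match means pass."""
    verdict = "pass"
    for action, direction, quick, iface, src, dst in rules:
        if direction == pkt.direction and iface == pkt.iface and pkt.src in src and pkt.dst in dst:
            verdict = action
            if quick:
                break
    return verdict


def apply_rdr(pkt, rdr_rules):
    for iface, dst, port, to, toport, proto in rdr_rules:
        if iface == pkt.iface and pkt.dst in dst and pkt.dport == port and proto == pkt.proto:
            return replace(pkt, dst=to, dport=toport)
    return pkt


def apply_map(pkt, map_rules, public_ip):
    for iface, src, to in map_rules:
        if iface == pkt.iface and pkt.src in src:
            # a right-hand side of '0' means "use the interface's own address"
            return replace(pkt, src=public_ip if to == "0" else ipaddress.ip_address(to))
    return pkt


def evaluate(pkt, ipf_rules, rdr_rules, map_rules, public_ip=PUBLIC_IP):
    """Return (verdict, packet after translation) in IPFilter's processing order."""
    if pkt.direction == "in":
        pkt = apply_rdr(pkt, rdr_rules)  # inbound: translate first, then filter
        return filter_verdict(pkt, ipf_rules), pkt
    verdict = filter_verdict(pkt, ipf_rules)  # outbound: filter first, then translate
    if verdict == "pass":
        pkt = apply_map(pkt, map_rules, public_ip)
    return verdict, pkt


IPF_RULES = parse_ipf(IPF_CONF)
RDR_RULES, MAP_RULES = parse_ipnat(IPNAT_CONF)


def run(direction, src, dst, dport):
    """Evaluate one constructed TCP packet on bge0; returns (verdict, src, dst, dport)."""
    pkt = Packet(direction, "bge0", ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    verdict, out = evaluate(pkt, IPF_RULES, RDR_RULES, MAP_RULES)
    return verdict, str(out.src), str(out.dst), out.dport


if __name__ == "__main__":
    print(run("in", "198.51.100.7", "203.0.113.1", 2222))   # ssh on 2222 lands on zone .10:22
    print(run("in", "192.168.7.7", "203.0.113.1", 2222))    # spoofed private source is dropped
    print(run("out", "192.168.0.10", "198.51.100.7", 80))   # zone traffic leaves with the public IP
    print(run("out", "192.168.0.10", "10.1.2.3", 80))       # private destination blocked before NAT
```

The fourth case is the one the block rules exist for: without them, a zone's packet to another private range would be mapped to the public address and sent to the real default router, which is exactly the leak the reply warns about.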

