#1  GeoffShep, 01-30-2013, 05:14 AM
Linux Jail - Visibility from Network
I have created a Linux Jail (Debian) using Warden and installed a server in it. However, my router is unable to see the Debian Jail, hence I cannot access the server in the Jail. I have read the article in BSD magazine and done searches and understand that I need some additional networking configuration to see the server. The BSDMag article on Linux Jails I found a little confusing and the formatting of some of the instructions made me unsure of what was required.

The router uses the 192.168.x.y domain, I have given the Jail the IP of 192.168.x.z where z is a unique number (which I will assign in the router once I can get the router to see the Jail as an attached device).

I am reluctant to follow any FreeBSD configuration, since there is no Warden in FreeBSD. What additional configuration do I need to do in the config files to get the router to see the Jail?

Thanks.


PS .. I am slowly working through the BSDMag article and interpreting what was meant. I think I may have been mistaken in expecting the Jail to appear on my router's attached devices list, as NAT for the jails is set up on the Host system. When I get it working, I shall post how I did it here. In the meantime, any help appreciated.

Thanks again.

PPS .. It appears that NAT may be a bit of a furphy ... and that simply using an address in the router's address space is the go.

Last edited by GeoffShep; 02-01-2013 at 05:18 AM.
#2  bpaddock, 01-31-2013, 12:43 AM
Originally Posted by GeoffShep:
I have created a Linux Jail (Debian) using Warden and installed a server in it. However, my router is unable to see the Debian Jail, hence I cannot access the server in the Jail. I have read the article in BSD magazine and done searches and understand that I need some additional networking configuration to see the server. The BSDMag article on Linux Jails I found a little confusing and the formatting of some of the instructions made me unsure of what was required.

The router uses the 192.168.x.y domain, I have given the Jail the IP of 192.168.x.z where z is a unique number (which I will assign in the router once I can get the router to see the Jail as an attached device).
I'm going through this right now myself, here is what I picked out of the BSDMag article:

Code:
# ifconfig lo1 create

# ifconfig lo1 10.0.0.2 netmask 255.255.255.255
# Isn't that netmask from the article wrong??  Should be 255.255.255.0?

To make this persistent, add the following to

/etc/rc.conf:
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.2 netmask 255.255.255.255"
# Should be 255.255.255.0?

/etc/pf.conf needs to look like this:
<--- cut --->
ext_if="re0"           #NEW
jail_if="lo1"          #NEW
jail_ip="10.0.0.0/24"  #NEW

set skip on lo0
set block-policy return
scrub in all
nat pass on $ext_if from $jail_ip to any -> $ext_if #NEW
# Rest of pf.conf is unchanged:
block in log
...
<--- cut --->

Reload the pf rules:
# pfctl -f /etc/pf.conf

# sysctl -w net.inet.ip.forwarding=1

To make this persistent, add the following to /etc/sysctl.conf:
net.inet.ip.forwarding=1
You do not want an IP address in your router space as best I can tell.
Use the 10.0.0.2 that they show. The article is also wrong in their comment about using IP addresses up to 10.0.0.24. The 24 is a mask. You can use any IP 10.0.0.1 to 10.0.0.254; 255 is reserved with what they show. Also think the netmask they show is wrong. Should be 255.255.255.0?

Still I'm missing something as Debian installed but apt-get fails as though it cannot get out of the jail. Seems like the IP forwarding is not working.

Also on my box em0 is actually re0, what does ifconfig show it is for you?
#3  GeoffShep, 01-31-2013, 04:04 AM
bp,

Thanks .. yes I'm coming to the conclusion that I'll have to set up a different IP address space as well. Plodding along - will get there. Jails have turned out a bit different to what I expected, however that is not a real problem, just a different way of doing it. I'm sure after I work it all out it will seem obvious.

Not sure about the net mask - I'll have a look .. thanks for that point.

I have re0 as the ethernet device. That is because in BSD the ethernet device is named after the driver, whereas in Linux it is the type of device.

I guess for me, the BSDMag article would have been easier if there was an overall summary of the process as well. But then that is just my learning style.

I haven't had any problems in accessing the outside from within the Jail.

Appreciate the post

Rgds


PS .. This article provides some good info as well to cross-reference with the BSDMag article
http://www.bsdguides.org/2008/managing-jails/

Last edited by GeoffShep; 01-31-2013 at 04:18 AM.
#4  gja, 01-31-2013, 04:30 AM
Just use an IP addr from your local LAN space
Not sure if I'm misunderstanding your situation, but I recently created a Debian Jail using the Warden and it "Just Worked(tm)". The information quoted above from a BSDmag article is misleading and probably redundant if you're using Warden (because Warden does a lot of the background jail and network configuration automagically).

My example situation -- desktop PC running PCBSD 9.1, single Ethernet interface re0 with IP address of 10.1.1.6 on my home's 10.1.1/24 LAN.

I told Warden to use re0 as the underlying network interface, and assigned 10.1.1.7 to my new Debian Jail. After that, no additional magic was required (by me) to ensure my Debian Jail could talk to other hosts on my local LAN (including my router to the outside world). Inside the jail, apt-get worked as expected.

Behind the scenes, when the Debian jail is launched Warden ensures 10.1.1.7 is aliased to my re0 interface with a netmask of 255.255.255.255 (no typo -- aliased IP addresses should usually be a /32 when they're on the same subnet as the underlying ethernet interface's primary IP address).

Although some people have dabbled in the past with creatively doing local loop-back NAT for Jails, there's no NAT happening underneath the Warden's Debian Jail.

If your LAN's router isn't "seeing" traffic from your Debian Jail, there might be something else odd happening external to your jail....
#5  gja, 01-31-2013, 04:43 AM
A further thought -- you initially mentioned "I cannot access the server in the Jail". I suspect the PCBSD firewall rules apply to all active jails as well as the primary host itself, since the pf (packet filter) rules apply to all traffic traversing an ethernet interface (e.g. re0).

So if your new Jail'd server is on a TCP or UDP port that's currently blocked by your PCBSD desktop's own firewall rules, the new server will probably be unreachable to inbound connections from elsewhere on your LAN (even though the jail's IP is not the same as your desktop's primary IP address). Try 'pfctl -s rules' on a command line as root to see the currently active rules and the interfaces to which they apply.

cheers,
gja
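gja's 'pfctl -s rules' suggestion, worked through as an added example (not code from the thread or from PC-BSD): a small Python checker, with hypothetical function names, that reads constructed pfctl output for the host's re0 and reports whether an inbound connection to the jail's aliased address would be passed or blocked under pf's last-match-wins / quick semantics. The sample rules are made up for the example and use numeric ports; real pfctl output may print service names and rule forms this parser does not cover.

```python
import ipaddress
import re

# Constructed sample of `pfctl -s rules` output (not captured from a real PC-BSD
# host): the host 10.1.1.6 and the Debian jail alias 10.1.1.7 each have only
# SSH opened inbound on re0; everything else inbound hits the block rule.
SAMPLE_RULES = """\
scrub in all fragment reassemble
block drop in log all
pass out all flags S/SA keep state
pass in quick on re0 proto tcp from any to 10.1.1.6 port = 22 flags S/SA keep state
pass in quick on re0 proto tcp from any to 10.1.1.7 port = 22 flags S/SA keep state
"""

# Subset of pf's rule syntax as pfctl prints it: action, direction, optional
# log/quick, interface, protocol, and either "all" or from/to with a port.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: (?:drop|return))? in(?: log)?(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\w+))?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?| all)"
)

def rule_applies(m, iface, dst_ip, proto, port):
    """Does one parsed inbound rule cover this interface/destination/port?"""
    if m["iface"] and m["iface"] != iface:
        return False
    if m["proto"] and m["proto"] != proto:
        return False
    if m["dst"] and m["dst"] != "any":
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(m["dst"], strict=False):
            return False
    if m["port"] and int(m["port"]) != port:
        return False
    return True

def inbound_verdict(rules_text, iface, dst_ip, proto, port):
    """pf semantics: the last matching rule wins unless a matching rule says quick."""
    verdict = "pass"            # pf's default when no rule matches at all
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and rule_applies(m, iface, dst_ip, proto, port):
            verdict = m["action"]
            if m["quick"]:
                break
    return verdict

def blocked_ports(rules_text, iface, dst_ip, proto, ports):
    """The ports a jailed service listens on that the host's pf would still block."""
    return [p for p in ports if inbound_verdict(rules_text, iface, dst_ip, proto, p) == "block"]

if __name__ == "__main__":
    print(blocked_ports(SAMPLE_RULES, "re0", "10.1.1.7", "tcp", [22, 80, 443]))  # [80, 443]
```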
#6  bpaddock, 01-31-2013, 11:51 PM
Quote: Just use an IP addr from your local LAN space
That seems to be the key item missing from the documentation and examples. Examples talk about NATing between the jail and the real world, seeming to imply that they should be different address spaces.

Once I entered an unused IP that was in my router's subnet the Debian Jail was able to run apt-get update/upgrade.
#7  GeoffShep, 02-01-2013, 05:14 AM
The Progress so far

I decided to go back a couple of steps and start again fresh. Decided to follow Kris Moore's tutorial for OwnCloud on a standard Jail (BSDMag 9/12).

IP Address Ranges for Jail
  • If you are not doing a NAT thing on the BSD host, use an IP address from the range the router is managing.
  • If you ARE doing a NAT thing on the BSD host, then choose a different network range.

Jail seen from Computers on Network

When I set up a BSD Jail using the same address network as my router as bpaddock said above, and after installing Apache, activating the service and opening the firewall, I went to another computer on my network, typed in the Jail IP and Apache instantly came up.

Listening on Ports

With a bit more experience, I think one problem I have had with my Linux Jails is that they have not been listening on the appropriate ports which is something I need to attend to.

Jail Visibility and the Router

I have been concerned that the router cannot see the Jail. I don't think this is a problem. What I think happens is that when the Jail's IP address is called, the router queries each device in the router's address space. The Host BSD machine receives the Jail's IP, and knows where to refer this address - hence even though the Jail does not appear in the router device list, you can still connect to it.


Later .....

Further ... I think I've got the thing sorted now that I understand a bit more about how the Jails are seen in the network. After the above, I reloaded a linux jail, installed SSH and started the server. The info tab showed that the Jail was listening on port 22. I allowed an exception in the firewall and restarted the firewall. Then I went to another machine on the network and:

ssh 192.168.1.140 (the Jail IP)

and it connected.


So I think I've now SOLVED my query. Hope this helps someone.



phew.

Last edited by GeoffShep; 02-01-2013 at 06:14 AM.
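The two address-range cases GeoffShep summarises above, written out as an added example (not from the thread, Warden or PC-BSD): a hypothetical plan_jail_network() helper that takes the host's re0 address and the intended jail address and says whether the jail is a plain /32 alias on the LAN (no NAT, only the host's pf rules to check) or needs the separate range plus pf NAT and IP forwarding from the BSDMag recipe in post #2. It assumes a /24 for the NAT case and treats the in_use list (constructed here) as the router's attached-device list.

```python
import ipaddress

def plan_jail_network(host_iface_cidr, jail_ip, in_use=()):
    """Decide how a Warden jail address should be attached (hypothetical helper).

    host_iface_cidr: the host's primary address on re0, e.g. "10.1.1.6/24"
    jail_ip:         the address you intend to give the jail
    in_use:          addresses already claimed on the LAN, e.g. the router's
                     attached-device list (constructed for this example)
    """
    host = ipaddress.ip_interface(host_iface_cidr)
    jail = ipaddress.ip_address(jail_ip)
    if jail in host.network:
        # Case 1 (posts #4, #6, #7): same LAN as the host. Warden aliases the
        # address onto re0 as a /32 and no NAT is involved, so what is left to
        # check is address collisions and the host's own pf rules.
        reserved = (host.network.network_address, host.network.broadcast_address)
        if jail in reserved:
            raise ValueError(f"{jail} is the network/broadcast address of {host.network}")
        if jail == host.ip or jail in {ipaddress.ip_address(a) for a in in_use}:
            raise ValueError(f"{jail} is already in use on {host.network}")
        return {"mode": "alias", "nat": False, "alias_netmask": "255.255.255.255",
                "check": "pfctl -s rules (inbound pass for the service port)"}
    # Case 2 (the BSDMag recipe in post #2): a separate range on a cloned lo1,
    # NATed out of $ext_if. A /24 jail network is assumed here; usable hosts
    # are .1 to .254 (the "/24" in 10.0.0.0/24 is a mask, not a host count).
    jail_net = ipaddress.ip_network(f"{jail}/24", strict=False)
    if jail in (jail_net.network_address, jail_net.broadcast_address):
        raise ValueError(f"{jail} is not a usable host address in {jail_net}")
    return {"mode": "nat", "nat": True, "jail_net": str(jail_net),
            "usable_range": (str(jail_net[1]), str(jail_net[-2])),
            "pf_nat_rule": f"nat pass on $ext_if from {jail_net} to any -> $ext_if",
            "sysctl": "net.inet.ip.forwarding=1"}

def is_valid_jail_address(host_iface_cidr, jail_ip, in_use=()):
    """True when plan_jail_network() accepts the address, False when it rejects it."""
    try:
        plan_jail_network(host_iface_cidr, jail_ip, in_use)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(plan_jail_network("10.1.1.6/24", "10.1.1.7", in_use=["10.1.1.1"]))
    print(plan_jail_network("192.168.1.2/24", "10.0.0.2"))
```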
#8  Klumpo, 02-01-2013, 08:32 PM
Start off with using one interface, one subnet (use your LAN), use the default route on the host, turn off pf, add complexity when you find a need for it, and when you feel confident with the setup you have (so you can roll back if things stop working). And have fun! Warden is an amazing tool.
#9  Klumpo, 02-01-2013, 08:36 PM
Pros with my suggestion:
All jails can reach all jails on the network.
Cons with my suggestion:
Eh, all jails can reach all jails on the network?!

;-)
#10  GeoffShep, 02-03-2013, 07:37 AM
I may not have solved my problem after all. Whilst I can SSH into my Linux Jail, I am unable to make any other ports visible than the initial ones.

For example, I install Apache in Linux, start the server, and it does not appear in the "listened ports" dialogue. I've tried that with a couple of Linux Jails and a couple of servers with the same result.

No such problems with the BSD Jail - it is going fantastically. I have even been able to look at installed Owncloud and Oneye servers from the Internet.

btw .. firewall is correctly configured (as evidenced by BSD jail).

Thanks.
Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.