Zones-vs-NAT

From pressy's brainbackup

Zones vs. NAT

I installed my VirtualBox machines in my own private network, where only one machine has a public uplink, and I wanted to keep my zones separated. But what if a zone needs access to the public LAN? Hmm, let's use NAT ;)

My zone was installed with an anet on top of net1; net0 is my public DHCP NIC:

root@vsol01:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/VMext01      dhcp     ok           192.168.0.24/24
net1/VMint01      static   ok           192.168.56.100/24
lo0/v6            static   ok           ::1/128
root@vsol01:~# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.0.198        UG        3        517 net0
127.0.0.1            127.0.0.1            UH        6        638 lo0
192.168.0.0          192.168.0.24         U         3          0 net0
192.168.56.0         192.168.56.100       U         3        933 net1

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2      12 lo0
root@vsol01:~#
root@vsol01:~# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              solaris  shared
   1 zsol01           running    /zones/zsol01                  solaris  excl
root@vsol01:~#
root@vsol01:~# zonecfg -z zsol01 info | grep lower-link
        lower-link: net1
root@vsol01:~# dladm
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
net1                phys      1500   up       --
zsol01/net0         vnic      1500   up       net1
root@vsol01:~# zlogin zsol01 netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
127.0.0.1            127.0.0.1            UH        2          0 lo0

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2       0 lo0

So let's configure the zone to use my global zone as its router and use ipfilter to NAT the zone's address:

root@vsol01:~# zlogin zsol01 route -p add default 192.168.56.100
add net default: gateway 192.168.56.100
add persistent net default: gateway 192.168.56.100
root@vsol01:~# 
root@vsol01:~# ipadm set-prop -p forwarding=on ipv4
root@vsol01:~# ipadm show-prop -p forwarding ipv4
PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
ipv4  forwarding            rw   on           on           off          on,off
root@vsol01:~#
root@vsol01:~# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

Routing daemons:

                      STATE   FMRI
                   disabled   svc:/network/routing/route:default
                   disabled   svc:/network/routing/rdisc:default
                     online   svc:/network/routing/ndp:default
                   disabled   svc:/network/routing/legacy-routing:ipv4
                   disabled   svc:/network/routing/legacy-routing:ipv6
                   disabled   svc:/network/routing/ripng:default
root@vsol01:~#
root@vsol01:/etc/ipf# vi ipnat.conf
map net0 192.168.56.0/24 -> 0/32 portmap tcp/udp auto
map net0 192.168.56.0/24 -> 0/32
root@vsol01:/etc/ipf# svcadm enable network/ipfilter

After configuring the zone's name service so it can resolve names on "the internet", you should see the NAT rules loaded and active sessions:

root@vsol01:~# ipnat -l
List of active MAP/Redirect filters:
map net0 192.168.56.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map net0 192.168.56.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 192.168.56.101  52226 <- -> 192.168.0.24    26538 [193.168.25.190 53]
MAP 192.168.56.101  35013 <- -> 192.168.0.24    26713 [193.168.25.190 53]
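The same procedure as a small script, added here and not part of the original page: it wraps the page's commands in one function and adds checks that parse `ipnat -l` output so you can confirm the map rules are loaded and that only the zone's subnet is being translated. Zone, subnet, gateway and uplink names are the page's; SAMPLE is the page's own `ipnat -l` output embedded for an offline check.

```shell
#!/bin/sh
# Added example: zone-behind-global-zone NAT as on the page, plus checks.
# Solaris commands run only with "apply"; the checks work on any shell.
set -eu

ZONE=zsol01
UPLINK=net0
ZONE_NET=192.168.56.0/24
GATEWAY=192.168.56.100

# Emit the two ipnat map rules from the page for uplink $1 and inside subnet $2.
nat_rules() {
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$1" "$2"
    printf 'map %s %s -> 0/32\n' "$1" "$2"
}

# The page's steps on the global zone: default route in the zone, IPv4
# forwarding, ipnat.conf, ipfilter service. Started as: sh zone-nat.sh apply
apply_nat() {
    zlogin "$ZONE" route -p add default "$GATEWAY"
    ipadm set-prop -p forwarding=on ipv4
    nat_rules "$UPLINK" "$ZONE_NET" > /etc/ipf/ipnat.conf
    svcadm enable network/ipfilter
}

# Count loaded map rules for uplink $1 / subnet $2 in `ipnat -l` output (stdin).
count_map_rules() {
    awk -v l="$1" -v n="$2" '$1=="map" && $2==l && $3==n {c++} END {print c+0}'
}

# Count MAP sessions whose inside address is outside dotted prefix $1
# (e.g. 192.168.56.); anything but 0 means more than the zone is translated.
count_foreign_sessions() {
    awk -v p="$1" '$1=="MAP" && index($2, p) != 1 {c++} END {print c+0}'
}

SAMPLE='List of active MAP/Redirect filters:
map net0 192.168.56.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map net0 192.168.56.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 192.168.56.101  52226 <- -> 192.168.0.24    26538 [193.168.25.190 53]
MAP 192.168.56.101  35013 <- -> 192.168.0.24    26713 [193.168.25.190 53]'

if [ "${1:-}" = apply ]; then
    apply_nat
else
    printf '%s\n' "$SAMPLE" | count_map_rules "$UPLINK" "$ZONE_NET"   # 2
    printf '%s\n' "$SAMPLE" | count_foreign_sessions 192.168.56.      # 0
fi
```

With forwarding on, the global zone also routes between net1 and net0 for anything ipfilter does not block, so pair ipnat.conf with filter rules in ipf.conf if the zone should not reach the whole public LAN.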