
Continuing from the previous post, where we learned how to create a Jail on FreeBSD 10 without internet, here we will see two ways to provide internet access to the Jail: one using PF (employing its NAT feature) and another where we piggyback on a host interface (FreeBSD aliases the interface).


First the easy one (without NAT):

This is easy: while creating a Jail just use the host network interface and select an available IP from the same subnet the host is on. Following is a logical representation of our setup.

Logical diagram of what we will achieve.

To start with, first determine the interface you want to use:

ifconfig

Sample output:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:57:37:49
inet6 fe80::a00:27ff:fe57:3749%em0 prefixlen 64 scopeid 0x1
inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:63:4f:4b
inet 192.168.56.9 netmask 0xffffff00 broadcast 192.168.56.255
inet 192.168.56.50 netmask 0xffffffff broadcast 192.168.56.50 vhid 1
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

On my PC em0 is the interface on which I would like to place my jail, as that is the one connected to the internet.

So create a jail like:

# ezjail-admin create YOUR-jail-name 'em0|10.0.2.16'

By default ping is disabled in Jails, so try using telnet to connect to one of the public websites instead.

In the following example I send a GET request to gnu.org on TCP port 80 (HTTP) from the Jail, after resolving its IP address:

# ezjail-admin console your-jail-name

Jail shell> host gnu.org
gnu.org has address 208.118.235.148
gnu.org mail is handled by 10 eggs.gnu.org.

Jail shell> telnet 208.118.235.148 80
Trying 208.118.235.148...
Connected to 208.118.235.148.
Escape character is '^]'.
GET
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://savannah.nongnu.org/">here</a>.</p>
<hr>
<address>Apache/2.4.7 Server at http://www.nongnu.org Port 80</address>
</body></html>
Connection closed by foreign host.

It works! 🙂

You can now install applications from the internet and further configure the Jail, but first add a nameserver by creating a new /etc/resolv.conf inside the Jail 😉

Bonus:

We can extend this method to attach multiple IP addresses on different networks to the jail.

dual-network

Let's say you want to use both em0 and em1 with different IP addresses:

ezjail-admin create YOUR-jail-name 'em0|10.0.2.16,em1|192.168.56.30'

This attaches two new IP addresses to the respective interfaces and the Jail becomes accessible from both subnets (10.0.2.0/24 and 192.168.56.0/24).

The above method works if you have spare IP addresses, but what if you have limited IP addresses and/or you want to isolate the Jails on a separate subnet?
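Before aliasing a host interface for a jail it is worth checking that the address you picked really belongs to that interface's subnet and is not already in use on the host; a wrong alias silently breaks routing for the jail. The following is an added example, not code from the original post: a POSIX sh script that parses FreeBSD ifconfig(8) output of the form shown above, works out the subnet from the hex netmask, and rejects candidates outside it, the network/broadcast addresses, or addresses already configured on the interface. The sample ifconfig text is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a jail IP before
# piggybacking it on a host interface with ezjail-admin create.
# Parses FreeBSD ifconfig(8) lines of the form
#   inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255

# Constructed sample of `ifconfig em0` output (same shape as in the post).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 08:00:27:57:37:49
	inet6 fe80::a00:27ff:fe57:3749%em0 prefixlen 64 scopeid 0x1
	inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
	inet 10.0.2.20 netmask 0xffffffff broadcast 10.0.2.20'

# ip_to_int A.B.C.D -> the address as a decimal integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# iface_primary_subnet "<ifconfig output>" -> "IP HEXMASK" of the first inet
# line whose mask is not /32 (a /32 entry is an alias, not the subnet)
iface_primary_subnet() {
    printf '%s\n' "$1" | awk '$1 == "inet" && $4 != "0xffffffff" { print $2, $4; exit }'
}

# jail_ip_fits "<ifconfig output>" CANDIDATE
# returns 0 when CANDIDATE lies in the interface's subnet, is neither the
# network nor the broadcast address, and is not already configured there
jail_ip_fits() {
    out=$1
    cand=$2
    set -- $(iface_primary_subnet "$out")
    [ -n "${1-}" ] || { echo "no inet/netmask line found" >&2; return 2; }
    host=$(ip_to_int "$1")
    mask=$(( $2 ))               # ifconfig prints the mask in hex, e.g. 0xffffff00
    c=$(ip_to_int "$cand")
    net=$(( host & mask ))
    bcast=$(( net | (~mask & 0xffffffff) ))
    if [ $(( c & mask )) -ne "$net" ]; then
        echo "$cand is outside $1 netmask $2" >&2
        return 1
    fi
    if [ "$c" -eq "$net" ] || [ "$c" -eq "$bcast" ]; then
        echo "$cand is the network or broadcast address" >&2
        return 1
    fi
    if printf '%s\n' "$out" | awk -v ip="$cand" '$1 == "inet" && $2 == ip { f = 1 } END { exit !f }'; then
        echo "$cand is already configured on the host interface" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; on a real host use
#   jail_ip_fits "$(ifconfig em0)" 10.0.2.16 && ezjail-admin create myjail 'em0|10.0.2.16'
jail_ip_fits "$SAMPLE_IFCONFIG" 10.0.2.16 && echo "10.0.2.16: usable"
jail_ip_fits "$SAMPLE_IFCONFIG" 10.0.3.16 || echo "10.0.3.16: rejected"
```

The check only looks at the first non-/32 inet entry, which is what the post's em0 example has; an interface carrying several subnets would need the loop extended to every inet line.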

Well that is when NAT comes into picture.

Read more about it on Wikipedia:

https://en.wikipedia.org/wiki/Network_address_translation

Internet connectivity for Jails with NAT (using PF):

NAT is useful when you want to isolate the jails/hosts completely on a private subnet, and/or when you have limited public IP addresses and want to share them among different Jails.

By following this guide you will achieve something like below:

NAT-network-for-jails


In the above diagram the Jails are restricted to the subnet 172.17.0.0/16; they cannot reach other networks on their own. In order to reach the internet (or other subnets) we NAT the outgoing connections using the host as the gateway, which makes them appear to originate from the host. If a jail contacts hosts on the 10. and 192. subnets, the connection appears to come from 10.0.2.15 and 192.168.56.1 respectively, which is not the jail's actual IP address!

First we need to prepare the host to act as a gateway and a router which NATs the connections (firewall/packet filtering is optional).

Enable the host system to act as a gateway:

# sysctl net.inet.ip.forwarding=1

To forward IPv6 traffic, use:

# sysctl net.inet6.ip6.forwarding=1

To enable these settings at system boot (and make them permanent), add the following to /etc/rc.conf:

gateway_enable="YES" # for IPv4
ipv6_gateway_enable="YES" # for IPv6

Now we create a cloned interface which the jails will use, and later enable NAT using PF.

Clone the loopback interface on which the jails will communicate:

In /etc/rc.conf add:

cloned_interfaces="lo1"

Then on the host:

# service netif cloneup

If no error is shown then lo1 has been created; to confirm, run ifconfig on the host.

Next create a jail with this new interface and an IP address:

# ezjail-admin create your-jail 'lo1|172.17.1.3'

Start the Jail:

# ezjail-admin onestart your-jail

If no errors are shown, your-jail is running attached to lo1, check using ifconfig:

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 172.17.1.3 netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

However, this jail cannot reach the internet yet; the final step is to enable NAT. I am using PF here as it is very easy to configure, whereas configuring IPFW for NAT with stateful filtering is hard.

To enable PF add the following in /etc/rc.conf:

pf_enable="YES"

There are a bunch of other things you can enable; refer to the manual for these, I am trying to keep this how-to simple. 😉

Next run:

# service pf start

By default PF reads the filtering rules and configuration from /etc/pf.conf. We will be making the bare minimum changes required for NAT here.

For my environment I had to add the following in /etc/pf.conf:

# Declare the interfaces, public IP, private jail subnet and LAN IP
EXT_IF0="em0"
EXT_IF1="em1"

IP_PUB="10.0.2.15"
NET_JAIL="172.17.0.0/16"
LAN_IP="192.168.56.7"

# Rewrite the source of jail traffic to the host address of the interface it leaves on
nat pass on $EXT_IF1 from $NET_JAIL to any -> $LAN_IP
nat pass on $EXT_IF0 from $NET_JAIL to any -> $IP_PUB

#### end of pf.conf ####

To make further changes easy, we first declare the interfaces, the IP addresses the host is on ($IP_PUB, $LAN_IP) and the network the jails are on ($NET_JAIL); you can limit NET_JAIL to a single Jail IP by using /32 as the prefix length, like 172.17.1.3/32.

Next come the NAT rules, which direct PF to NAT (and pass) any packet arriving from the jail network ($NET_JAIL) on either of the interfaces ($EXT_IF0, $EXT_IF1), translating the source to the LAN address ($LAN_IP) or the public address ($IP_PUB) depending on the destination. PF keeps state for each connection, so the reply packets are routed back to the jails appropriately.
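Hand-editing /etc/pf.conf is fine for two interfaces, but a mistake in the macros or a jail subnet that is not actually private address space is easy to miss. As an added example that is not part of the original post, the POSIX sh script below renders the NAT section above from a list of interface:address pairs (the post's IP_PUB and LAN_IP become IP_EXT0 and IP_EXT1), refuses a jail subnet outside RFC 1918 space, and dry-runs the result with pfctl -nf (parse only, no load) when pfctl is installed. It writes to stdout and a temporary file only; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: render the NAT part of pf.conf
# from "interface:address" pairs, refuse to NAT a jail subnet that is not
# private (RFC 1918) address space, and dry-run the result with pfctl -nf
# where pfctl is installed. Nothing here writes to /etc.

# is_private_subnet A.B.C.D/LEN -> 0 if the prefix lies in RFC 1918 space
is_private_subnet() {
    case $1 in
        10.*/*)                                       return 0 ;;
        192.168.*/*)                                  return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*)  return 0 ;;
    esac
    return 1
}

# render_pf_nat NET_JAIL IFACE:IP [IFACE:IP ...]
# Emits macros EXT_IFn / IP_EXTn per pair plus one "nat pass" rule each, the
# same rule shape the post uses (its IP_PUB/LAN_IP become IP_EXT0/IP_EXT1).
render_pf_nat() {
    net=$1
    shift
    [ $# -gt 0 ] || { echo "need at least one IFACE:IP pair" >&2; return 1; }
    is_private_subnet "$net" || { echo "refusing to NAT non-private subnet $net" >&2; return 1; }
    printf '# generated: NAT for jail subnet %s\n' "$net"
    printf 'NET_JAIL="%s"\n' "$net"
    i=0
    for pair in "$@"; do
        ifc=${pair%%:*}
        ip=${pair#*:}
        printf 'EXT_IF%d="%s"\n' "$i" "$ifc"
        printf 'IP_EXT%d="%s"\n' "$i" "$ip"
        i=$((i + 1))
    done
    i=0
    for pair in "$@"; do
        printf 'nat pass on $EXT_IF%d from $NET_JAIL to any -> $IP_EXT%d\n' "$i" "$i"
        i=$((i + 1))
    done
}

# check_pf_syntax FILE -> parse only (-n), never load, when pfctl is present
check_pf_syntax() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping syntax check" >&2
    fi
}

# Demonstration with the values from the post, written to a temporary file.
# Review the output, run check_pf_syntax on it, then copy it into /etc/pf.conf
# and reload with: pfctl -f /etc/pf.conf
tmp=$(mktemp) || exit 1
render_pf_nat 172.17.0.0/16 em0:10.0.2.15 em1:192.168.56.7 > "$tmp"
cat "$tmp"
check_pf_syntax "$tmp"
rm -f "$tmp"
```

The private-subnet check is deliberately strict: NATing a routable prefix from the jail side would let jail traffic impersonate addresses that belong to someone else on the wider network, which is exactly the kind of misconfiguration the dry-run cannot catch.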

Done! The network diagram looks something like this:

network-diagram-NAT-network-for-jails

Refer to the PF manual if you want to use more advanced features. Enjoy jailing the daemons!

A BSD Jail is a container which provides an isolated environment for applications to run. Ezjail simplifies the process of installing and managing Jails.

Most of the posts on ezjail focus on downloading a FreeBSD basejail/template from the internet.

I was curious how I could use what I have with me: a DVD .iso image of FreeBSD 10.2-RELEASE. Turns out it is not that hard, and ezjail does support this.

This post is aimed at users who are on a low bandwidth link or lack internet connectivity. I have used version 10.2 here; this might not work with earlier releases. The following commands are executed as the root user.

In the end we will have something like:

Logical diagram of what we will achieve.

The diagram is a logical representation of what we will get.

Now to start: after installing FreeBSD (ZFS is recommended for production servers) and installing ezjail from the FreeBSD repo (http://pkg.freebsd.org/) (in case you lack internet, download the ezjail package beforehand), mount the CD/DVD .iso image you have:

# mount -t cd9660 /dev/cd0 /media/optical/

OR

# mount_cd9660 /dev/cd0 /media/optical/

/dev/cd0 is used for both a CD and a DVD. You may have to create the optical/ directory under /media or /mnt.

If there were no error messages then the disc was mounted.

Execute following to verify:

# mount
.
.
.
/dev/cd0 2.6G 2.6G 0B 100% /media/optical

OR

# df
.
.
.
/dev/cd0 2675856 2675856 0 100% /media/optical

The FreeBSD distribution which contains the base OS (in the file base.txz) is under usr/freebsd-dist on the optical media.

root@Zfreebsd:/media/optical/usr/freebsd-dist # ls
MANIFEST base.txz doc.txz games.txz kernel.txz lib32.txz ports.txz src.txz

root@Zfreebsd:/media/optical/usr/freebsd-dist # pwd
/media/optical/usr/freebsd-dist

Supply the above (absolute/full) path to ezjail-admin to create a basejail:

# ezjail-admin install -h file:///media/optical/usr/freebsd-dist

This will extract and install the base jail necessary to create other jails; to also install man pages, supply -m:

# ezjail-admin install -m -h file:///media/optical/usr/freebsd-dist
.
.
.
/usr/jails/basejail/usr/lib32/libutempter.a
/usr/jails/basejail/usr/lib32/libuutil_p.a
146888 blocks
Note: a non-standard /etc/make.conf was copied to the template jail in order to get the ports collection running inside jails.

After this you can see the base jail created by ezjail under /usr/jails:

# ls -l /usr/jails/
total 18
drwxr-xr-x   9 root  wheel   9 Dec 12 15:28 basejail
drwxr-xr-x   3 root  wheel   3 Dec 12 15:28 flavours
drwxr-xr-x  12 root  wheel  22 Dec 12 15:28 newjail

Your environment is now ready to create jails using this base jail.

Optional: update the basejail to the latest patches:

# ezjail-admin update -u

Creating a test jail

# ezjail-admin create testjail1 'em0|10.0.2.16'
.
.
.
/usr/jails/testjail1/./.profile
6287 blocks
Warning: Some services already seem to be listening on all IP, (including 10.0.2.16)
This may cause some confusion, here they are:
root     ntpd       655   20 udp6   *:123                 *:*
root     ntpd       655   21 udp4   *:123                 *:*
root     syslogd    493   6  udp6   *:514                 *:*
root     syslogd    493   7  udp4   *:514                 *:*

To resolve the warning shown we need to limit which addresses these services listen on, on the host.

For ntpd it is difficult to do this, so either install net/openntpd or disable it in /etc/rc.conf and stop it:

# sysrc ntpd_enable="NO"

# service ntpd onestop

For syslogd there are flags which will bind it to the host address. In /etc/rc.conf:

syslogd_enable="YES"
syslogd_flags="-s -b 127.0.0.1"
# -s runs syslogd in secure mode, -b binds it to the given address

Restart syslogd:

# service syslogd restart

Also change the ssh configuration to listen only on select IP addresses:

ListenAddress xxx.xxx.xxx.xxx

Restart SSH after checking for errors:

# sshd -t

# service sshd restart
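The ezjail warning above is really a listener audit: any socket bound to the wildcard address ("*:port") will also answer on every IP you later hand to a jail, so a jail could reach host services you never meant to expose to it. As an added example that is not part of the original post, the POSIX sh script below reproduces that check over sockstat -l output in the column layout the warning shows, so it can be run before creating a jail and again after rebinding syslogd, stopping ntpd and restricting sshd. Both sockstat samples are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the check behind the
# ezjail "listening on all IP" warning so it can be run before creating a jail
# and again after re-binding services. Parses `sockstat -l` output with the
# columns USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS; a LOCAL
# ADDRESS of "*:PORT" means the socket answers on every address, including
# any IP later assigned to a jail.

# Constructed sample of `sockstat -l` output, modelled on the post's warning.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       655   20 udp6   *:123                 *:*
root     ntpd       655   21 udp4   *:123                 *:*
root     syslogd    493   6  udp6   *:514                 *:*
root     syslogd    493   7  udp4   *:514                 *:*
root     sshd       720   4  tcp4   10.0.2.15:22          *:*'

# Constructed sample of the same host after syslogd_flags="-s -b 127.0.0.1",
# ntpd stopped and sshd given a ListenAddress.
SAMPLE_CLEAN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    493   7  udp4   127.0.0.1:514         *:*
root     sshd       720   4  tcp4   10.0.2.15:22          *:*'

# wildcard_listeners "<sockstat -l output>" -> "COMMAND PROTO PORT" for every
# socket bound to the wildcard address; the header line has no "*:" and is skipped
wildcard_listeners() {
    printf '%s\n' "$1" | awk '$6 ~ /^\*:/ { split($6, a, ":"); print $2, $5, a[2] }'
}

# count_wildcard_listeners "<sockstat -l output>" -> number of such sockets
count_wildcard_listeners() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# audit_listeners "<sockstat -l output>" -> 0 if nothing listens on *, else 1
audit_listeners() {
    n=$(count_wildcard_listeners "$1")
    if [ "$n" -eq 0 ]; then
        echo "ok: no service is bound to the wildcard address"
        return 0
    fi
    echo "$n socket(s) bound to every address (reachable on future jail IPs):"
    wildcard_listeners "$1" | sort -u | sed 's/^/  /'
    return 1
}

# Demonstration on the constructed samples; on a real host run
#   audit_listeners "$(sockstat -l)"
audit_listeners "$SAMPLE_SOCKSTAT" || echo "(rebind or stop the services above, then re-run)"
audit_listeners "$SAMPLE_CLEAN"
```

Because audit_listeners returns non-zero when anything is still on the wildcard address, it can gate the create step: audit_listeners "$(sockstat -l)" && ezjail-admin create testjail1 'em0|10.0.2.16'.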


Now start the jail you created:

# ezjail-admin start testjail1

# ezjail-admin list

Get a shell in your new jail with:

# ezjail-admin console testjail1

You can now install applications inside the jail. It is just like another FreeBSD machine.

Optional: to allow ping from inside the jail, you need to change settings on your host and in the jail.

On host:

# sysctl security.jail.allow_raw_sockets=1

To set it permanently, add it to /etc/sysctl.conf.

For the Jail, on the host: edit the ezjail config of the jail (for me it is /usr/local/etc/ezjail/testjail1) and add the following:

export jail_testjail1_parameters="allow.raw_sockets"

OR

export jail_testjail1_parameters="allow.raw_sockets=1"

To make this effective, restart the jail from the host:

# ezjail-admin restart testjail1

You can ping the jail from the host, and if the jail was assigned an IP address on the same subnet as other machines on the network, you can ping this IP from those machines.

In the next post I will detail how to provide NAT connections to the jails: NAT is required to give the jails internet access, and redirection to give the outside world access to the services running on your jail.