Zones-vs-NAT
From pressy's brainbackup
Zones vs. NAT
I installed my VBOX machines in my own private network, one that has a single public uplink, and wanted to keep my zones separated from it. But what if a zone needs access to the public LAN? Hmm, let's use NAT ;)
My zone was installed using an anet based on net1; net0 is my public DHCP NIC:
root@vsol01:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/VMext01 dhcp ok 192.168.0.24/24
net1/VMint01 static ok 192.168.56.100/24
lo0/v6 static ok ::1/128
root@vsol01:~# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 192.168.0.198 UG 3 517 net0
127.0.0.1 127.0.0.1 UH 6 638 lo0
192.168.0.0 192.168.0.24 U 3 0 net0
192.168.56.0 192.168.56.100 U 3 933 net1
Routing Table: IPv6
Destination/Mask Gateway Flags Ref Use If
--------------------------- --------------------------- ----- --- ------- -----
::1 ::1 UH 2 12 lo0
root@vsol01:~#
root@vsol01:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
1 zsol01 running /zones/zsol01 solaris excl
root@vsol01:~#
root@vsol01:~# zonecfg -z zsol01 info | grep lower-link
lower-link: net1
root@vsol01:~# dladm
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 up --
zsol01/net0 vnic 1500 up net1
root@vsol01:~# zlogin zsol01 netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
127.0.0.1 127.0.0.1 UH 2 0 lo0
Routing Table: IPv6
Destination/Mask Gateway Flags Ref Use If
--------------------------- --------------------------- ----- --- ------- -----
::1 ::1 UH 2 0 lo0
So let's configure the zone to use my global zone as its default router and use IP Filter (ipnat) to NAT the zone's address out of net0:
root@vsol01:~# zlogin zsol01 route -p add default 192.168.56.100
add net default: gateway 192.168.56.100
add persistent net default: gateway 192.168.56.100
root@vsol01:~#
root@vsol01:~# ipadm set-prop -p forwarding=on ipv4
root@vsol01:~# ipadm show-prop -p forwarding ipv4
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 forwarding rw on on off on,off
root@vsol01:~#
root@vsol01:~# routeadm
Configuration Current Current
Option Configuration System State
---------------------------------------------------------------
IPv4 routing disabled disabled
IPv6 routing disabled disabled
IPv4 forwarding enabled enabled
IPv6 forwarding disabled disabled
Routing services "route:default ripng:default"
Routing daemons:
STATE FMRI
disabled svc:/network/routing/route:default
disabled svc:/network/routing/rdisc:default
online svc:/network/routing/ndp:default
disabled svc:/network/routing/legacy-routing:ipv4
disabled svc:/network/routing/legacy-routing:ipv6
disabled svc:/network/routing/ripng:default
root@vsol01:~#
root@vsol01:/etc/ipf# vi ipnat.conf
map net0 192.168.56.0/24 -> 0/32 portmap tcp/udp auto
map net0 192.168.56.0/24 -> 0/32
root@vsol01:/etc/ipf# svcadm enable network/ipfilter
After configuring the zone's name service so it can resolve names on "the internet", you should see the NAT rules loaded and active sessions for the zone's address (here DNS lookups, port 53):
root@vsol01:~# ipnat -l
List of active MAP/Redirect filters:
map net0 192.168.56.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map net0 192.168.56.0/24 -> 0.0.0.0/32
List of active sessions:
MAP 192.168.56.101 52226 <- -> 192.168.0.24 26538 [193.168.25.190 53]
MAP 192.168.56.101 35013 <- -> 192.168.0.24 26713 [193.168.25.190 53]
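The whole procedure above (zone default route, IPv4 forwarding, the two ipnat.conf map rules) collected into one POSIX shell script, plus two things the page does not show: a companion ipf.conf that only forwards the zone subnet and drops unsolicited inbound traffic towards it (turning on forwarding makes the global zone a router for anything that can reach net1, and NAT by itself filters nothing), and an audit of `ipnat -l` output that flags active NAT sessions from addresses outside the zone subnet. This is an added example, not code from pressy's brainbackup; the function names, the variables PUB_IF, ZONE_NET, ZONE and GW, the ipf.conf rules and the second sample session line are my own assumptions (the first sample line is copied from the output above, the second is constructed).

```shell
#!/bin/sh
# Added example, not part of pressy's brainbackup. Collects the steps above
# into functions and adds an ipf.conf plus an audit of `ipnat -l` output.
# Variable and function names are assumptions, not Solaris interfaces.

PUB_IF="${PUB_IF:-net0}"                  # uplink NIC with the public address
ZONE_NET="${ZONE_NET:-192.168.56.0/24}"   # subnet the zones live in (via net1)
ZONE="${ZONE:-zsol01}"                    # exclusive-IP zone to route
GW="${GW:-192.168.56.100}"                # global zone's net1 address

# ipnat.conf as on the page, parameterised: the portmap rule first so tcp/udp
# get per-connection source ports, the plain map catches everything else.
gen_ipnat_conf() {
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$PUB_IF" "$ZONE_NET"
    printf 'map %s %s -> 0/32\n' "$PUB_IF" "$ZONE_NET"
}

# Companion ipf.conf (my addition): outbound filtering runs before NAT in
# IP Filter, so the zone address is still the source here. Only that subnet
# is forwarded out, statefully, and nothing unsolicited may come in to it.
gen_ipf_conf() {
    for proto in tcp udp icmp; do
        printf 'pass out quick on %s proto %s from %s to any keep state\n' \
            "$PUB_IF" "$proto" "$ZONE_NET"
    done
    printf 'block in quick on %s from any to %s\n' "$PUB_IF" "$ZONE_NET"
}

# Apply everything on the global zone (root, Solaris 11 commands).
# Never run automatically: call `apply_nat_setup` explicitly.
apply_nat_setup() {
    zlogin "$ZONE" route -p add default "$GW"
    ipadm set-prop -p forwarding=on ipv4
    gen_ipnat_conf > /etc/ipf/ipnat.conf
    gen_ipf_conf  > /etc/ipf/ipf.conf
    svcadm enable network/ipfilter
}

# Audit: read `ipnat -l` output on stdin and print "src sport dst dport" for
# every active MAP session whose source lies outside ZONE_NET. An empty
# result means only the zone subnet is using the NAT, as intended.
audit_nat_sessions() {
    awk -v net="$ZONE_NET" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
        function prefix(ip) { return int(ip2n(ip) / 2^(32-bits)) }
        BEGIN { split(net, p, "/"); bits = p[2]; base = prefix(p[1]) }
        $1 == "MAP" && $4 == "<-" && $5 == "->" {
            dst = $8; dport = $9
            sub(/^\[/, "", dst); sub(/\]$/, "", dport)
            if (prefix($2) != base) print $2, $3, dst, dport
        }'
}

# Constructed sample in the format `ipnat -l` prints: first session line from
# the page, second one invented to show a host outside the zone subnet.
SAMPLE_IPNAT='List of active sessions:
MAP 192.168.56.101 52226 <- -> 192.168.0.24 26538 [193.168.25.190 53]
MAP 10.0.0.5 40000 <- -> 192.168.0.24 26600 [203.0.113.7 443]'

# Demo: print the generated files and run the audit over the sample.
demo() {
    echo '--- ipnat.conf';  gen_ipnat_conf
    echo '--- ipf.conf';    gen_ipf_conf
    echo '--- sessions outside ZONE_NET'
    printf '%s\n' "$SAMPLE_IPNAT" | audit_nat_sessions
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh script.sh demo` to see the generated rules and the audit over the embedded sample; on the real box, `ipnat -l | audit_nat_sessions` (after sourcing the script) gives the live check. The ipf.conf rules are scoped to net0 only so they do not touch the global zone's own traffic on net1.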