Hi Christine,
After Mike D supplied me with some more details, I was able to use 'rdr' to
redirect traffic as he suggested. Here is what I did:
1) Enable ipfilter
Comment out the appropriate line in /etc/ipf/pfil.ap.
svcadm enable network/ipfilter
svcadm enbale network/pfil
2) Add a NAT rule to /etc/ipf/ipnat.conf and run:
ipnat -f <filename>
My ipnat.conf file just had this:
rdr e1000g0 192.168.0.2 port 23 -> 192.168.0.102 port 23 tcp/udp
where 192.168.0.2 is the global zone, and ...102 is the Container. This
forwarded all inbound telnet connections to the Containers.
The tcp/udp field probably isn't necessary.
If it doesn't work, test these:
* ifconfig e1000g0 modlist
The output should include the pfil module.
* ipnat -l
The output should include the rdr rule you inserted earlier.
* Make sure pfild is running.
Christine Tran wrote:
Here's the link to ipf-howto for Jeff.
http://www.signaltonoise.net/library/ipf-howto.html
Mike Ditto wrote:
Christine Tran wrote:
Does this mean I can't have my global zone redirect to a non-global
zone living on the same box? Because I'm really using the loopback
interface and not leaving the system on any physical interface?
This applies whether my global and non-global zone share one
interface, or have unique interfaces? I would like some
clarification if Darren is around? Thanks!
Christine,
It should be possible to use rdr to redirect inbound traffic to another
zone (IP address) on the same machine. This isn't mentioned in the ipf
how-to because without zones, there is generally no reason to do this.
Basically, when you use rdr, the inbound packet is modified before the
IP stack sees it, so it will be correctly delivered to the modified
destination if that destination is on the local machine or reachable
through some interface other than the one on which the packet arrived.
Customer was swearing up and down that he cannot use rdr to direct
traffic onto a web server running inside a zone on a box that is also
acting as a router and accepting inbound traffic. I don't know how much
of this is a misconfiguration (he says he can redirect to another
physical box, but not onto a zone on the same box). I was going to
write to Darren directly but thought the list could benefit from the
discussion.
The use for this, and I'm guessing here, might be something like, I have
widgetco.com with several autonomous subdivisions. I can't all have
my zones called widgetco (so that all my customers can access via
http://widgetco.com) so I have one big server that accepts and redirects
to different zones and then the webserver there does URL rewrites.
CT
_______________________________________________
zones-discuss mailing list
[email protected]
--
--------------------------------------------------------------------------
Jeff VICTOR Sun Microsystems jeff.victor @ sun.com
OS Ambassador Sr. Technical Specialist
Solaris 10 Zones FAQ: http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
_______________________________________________
zones-discuss mailing list
[email protected]
