More NAT and Zones Tricks

Some people have been trying out the technique I posted to use IPFilter to provide NAT service for non-global zones. Here are a few new tidbits based on their feedback.

I had an error in my instructions (now corrected): I said to use the "down" argument on the ifconfig addif command for the global zone's imaginary address. I would have sworn that this worked for me but people reported that it didn't, so I tried it again and sure enough, it doesn't work. So the right thing is to use "up," not "down," on the "addif" step.

I didn't have time to try inbound port redirection but some other people tried it and it works. This is very useful if you want to run inbound network services (say, a web server) in different zones but you don't want to give each service its own IP address. You can use an IPFilter ipnat rdr rule to direct incoming requests to particular zones. The rdr rule matches on the destination address and port of a packet arriving on the external interface and rewrites the destination address to the zone's private address (and optionally the port) before the packet is filtered and delivered. Since every request arrives with the same public destination address, the rule must use the destination port number to distinguish the services. This does require that you assign each service a unique port number on your external, public, address: if you want to run two web servers, each in its own zone, they can't both use TCP port 80 on your public address.

An example rdr rule might look like this:

	rdr bge0 0/0 port 80 -> 10.10.10.2 port 80 tcp
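The following is an added example, not part of the original post. It builds a complete ipnat.conf for the setup described above: one public address on bge0, several zones on a private network, one rdr rule per service, and map rules so the zones can reach out. The interface, addresses and the service table are constructed assumptions. Two details worth noting: the rules pin the public address instead of using 0/0, because a 0/0 rdr matches packets to any destination that arrives on bge0, including addresses the global zone may serve itself; and the generator refuses a table in which two services claim the same protocol/port on the public address, since that is the case the rdr rules cannot distinguish.

```sh
#!/bin/sh
# Added example (not from the original post): generate an ipnat.conf that
# hands inbound services on one public address to different zones, and
# refuse to emit it if two services claim the same public port/protocol.
# Assumptions (hypothetical): external interface bge0 with public address
# 192.0.2.10; zones live on the private 10.10.10.0/24 network.

EXT_IF=bge0
EXT_ADDR=192.0.2.10
PRIV_NET=10.10.10.0/24

# Constructed service table: zone  public_port  zone_addr  zone_port  proto
# web2 is reached on public port 8080 but still listens on 80 inside its zone.
# sshz exposes a zone's sshd on 2222 so it does not collide with the global
# zone's own sshd on 22.
SERVICES='
web1   80     10.10.10.2  80   tcp
web2   8080   10.10.10.3  80   tcp
sshz   2222   10.10.10.4  22   tcp
dns    53     10.10.10.5  53   udp
'

# Read a service table on stdin, print the rdr and map rules on stdout.
# Returns 1 (and prints nothing further) if two services would share the
# same protocol/port on the public address.
gen_ipnat_rules() {
    seen=""
    while read -r zone pub_port zone_addr zone_port proto; do
        [ -z "$zone" ] && continue
        key="$proto/$pub_port"
        case " $seen " in
            *" $key "*)
                echo "error: $key already redirected; zone $zone needs its own public port" >&2
                return 1 ;;
        esac
        seen="$seen $key"
        # Match only the public address (not 0/0) so packets for other
        # addresses on this interface are left alone.
        printf 'rdr %s %s/32 port %s -> %s port %s %s\n' \
            "$EXT_IF" "$EXT_ADDR" "$pub_port" "$zone_addr" "$zone_port" "$proto"
    done
    # Outbound NAT for the zones: 0/32 means "use the interface's address".
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$EXT_IF" "$PRIV_NET"
    printf 'map %s %s -> 0/32\n' "$EXT_IF" "$PRIV_NET"
}

# Usage on the Solaris host (needs root), shown as comments so the script
# runs offline:
#   printf '%s\n' "$SERVICES" | gen_ipnat_rules > /etc/ipf/ipnat.conf
#   ipnat -CF -f /etc/ipf/ipnat.conf   # flush old rules, load the new file
#   ipnat -l                           # list active rules and NAT sessions
```

Redirection only rewrites the destination; if IPFilter's packet filter is enabled on bge0, you still need pass rules that allow the translated traffic (checked against the zone's private address and port, since NAT is applied to inbound packets before filtering).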


Comments:

One way to overcome the need for unique port numbers, at least for HTTP service, would be to have one httpd running on one IP address (and one port (80), e.g. inside a separate zone). The only thing this web server does is work as an internet-domain-based relay or dispatcher by redirecting requests to the IPs of different zones. This way, behind this single httpd dispatcher, one could collect many (hundreds?) private zones, each controlling their private HTTP server.

Posted by Th Wagner on January 09, 2006 at 07:27 PM PST #

What Th suggested is easily achieved with mod_proxy under Apache - 2.2 adds some nice features as well, such as mod_proxy_balancer which implements, well, a proxy balancer. Quite nice.

Posted by Ryan Schwartz on May 12, 2006 at 04:09 PM PDT #

I just wanted to say that I followed this recipe and it worked straightforwardly. Thanks for this... anyway, this is a trick. But is it something that SUN would spread as the way to do NAT between GlobalZone and LocalZones?

Posted by guest on December 01, 2006 at 05:10 PM PST #

The anonymous above is me... ;-)

Posted by C. Heymann on December 01, 2006 at 05:11 PM PST #
