Ամպ

Configure base jail with networking

Fetch the base distribution and extract it into the directory where the jail will live (create the directory first, and verify base.txz against the checksums in the release's MANIFEST before extracting, since the download below is plain HTTP):

$ fetch http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/12.1-RELEASE/base.txz
$ tar -xf base.txz -C /usr/local/jailz/base

Create /etc/jail.conf and add:

# Defaults that apply to every jail defined in this file.
# Note: the "base" jail below overrides exec.start with "=" and then re-adds
# "/bin/sh /etc/rc" as its last exec.start command.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
# run the exec.* commands with a clean environment
exec.clean; 
# lets root inside the jail open raw sockets (needed for ping and similar
# tools); remove it if the jail does not need that capability
allow.raw_sockets; 
# permits mounting tmpfs inside the jail
allow.mount.tmpfs;
# mounts devfs inside the jail
# NOTE(review): no devfs_ruleset is set, so the default jail ruleset applies —
# confirm it hides the host devices you expect it to hide
mount.devfs;

base {
    # $id is a user variable reused for the epair name and the last octet
    # of the jail address, so it must be unique per jail definition
    $id     = "10";
    #assign ip to jail
    $ipaddr = "172.16.150.${id}";
    $mask   = "255.255.255.0"; 
    # default gateway = the host's bridge150 address (see rc.conf)
    $gw     = "172.16.150.1";    
    # vnet gives the jail its own network stack; the "b" end of the epair
    # is moved into the jail, the "a" end stays on the host
    vnet;
    vnet.interface = "epair${id}b";

    # create epair and bridge interfaces on host for this jail
    # (${name} is the built-in jail name, here "base"; bridge150 itself is
    # created by cloned_interfaces in the host's rc.conf)
    exec.prestart   = "ifconfig epair${id} create up";
    exec.prestart  += "ifconfig epair${id}a up descr vnet-${name}";
    exec.prestart  += "ifconfig bridge150 addm epair${id}a up";

    # create network interface on jail and add default routing
    exec.start      = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start     += "/sbin/ifconfig epair${id}b ${ipaddr} netmask ${mask} up";
    exec.start     += "/sbin/route add default ${gw}";
    # add firewall rule for jail
    # this passes all traffic inside the jail's own firewall instance;
    # replace it with rules limited to the services the jail actually runs
    exec.start     += "/sbin/ipfw add 1000 allow ip from any to any";
    exec.start     += "/bin/sh /etc/rc";

    # remove created interfaces if jail is removed
    exec.poststop   = "ifconfig bridge150 deletem epair${id}a";
    exec.poststop  += "ifconfig epair${id}a destroy";

    host.hostname = "${name}.loc";
    # must match the directory base.txz was extracted into
    path = "/usr/local/jailz/${name}";
    # keep the jail alive even when no process is running inside it
    persist;
}

Configure /etc/rc.conf on the host for jail networking by adding:

# create bridge interface
# (the jails' epair "a" ends are added to bridge150 by exec.prestart in
# jail.conf; 172.16.150.1 is the gateway the jails route through)
cloned_interfaces="bridge150"
ifconfig_bridge150="inet 172.16.150.1 netmask 0xffffff00 descr jailz-bridge" 
# configure firewall with "OPEN" rules
# OPEN loads ipfw with a pass-everything ruleset on the host; it is only
# needed here as a carrier for the NAT rules added to rc.firewall below
firewall_type="OPEN"
firewall_enable="YES"
#enable NAT
# loads in-kernel NAT support used by the "nat 1" rules in rc.firewall
firewall_nat_enable="YES"

Configure NAT for the jail by adding the following to /etc/rc.firewall, where ena0 is the host's outbound (uplink) interface — substitute your own:

# NAT instance 1 masquerades behind the host's outbound interface (ena0 here);
# rule 5000 sends all traffic through it.
# NOTE(review): place these inside the OPEN section of rc.firewall, before
# its final pass-all rule, otherwise the NAT rule is never reached
${fwcmd} nat 1 config if ena0
${fwcmd} add 5000 nat 1 ip from any to any

Enable IP forwarding on the host:

$  sysctl net.inet.ip.forwarding=1

To make it permanent, add the following line to /etc/rc.conf:

# sets net.inet.ip.forwarding=1 at boot (same effect as the sysctl above)
gateway_enable="YES"

Reboot

Start your jail:

service jail onestart base

Provide a resolv.conf for the jail by copying the host's:

$ cp /etc/resolv.conf /usr/local/jailz/base/etc/

Enter your jail with jexec, which takes the jail name (here `base`) or its jid; note that `$id` is a jail.conf variable and is not set in the host shell:

$ jexec base

To reach services running in the jail via the host's IP address, use relayd for port forwarding.

Install relayd:

$ pkg install relayd

Create /usr/local/etc/relayd.conf with the following configuration:

# relayd macros: the jail's address (matches $ipaddr for $id = "10" in
# jail.conf), the port exposed on the host, and the port the service
# listens on inside the jail
jail="172.16.150.10"
host_port="8080"
jail_service_port="8008"
relay tcpgw {
        # Run as a simple TCP relay
        # 0.0.0.0 binds every host address, so the jail service becomes
        # reachable from outside the host too; listen on a specific address
        # (e.g. the loopback or internal one) if only local access is intended
        listen on 0.0.0.0 port $host_port
        # Forward to the jail's address and service port (plain TCP
        # pass-through)
        forward to $jail port $jail_service_port
}

Enable the relayd service and start it:

$ echo relayd_enable="YES" >> /etc/rc.conf
$ service relayd start

Enjoy!

Useful links:
https://bsd.plumbing/