SmartOS single IP with NAT

While testing out SmartOS on OVH as a possible ESXi replacement I ended up with a Kimsufi server for a month with only one NIC and one IP address.

Below are a custom script and an SMF manifest that set up NAT in the global zone on SmartOS.

SmartOS Global Zone Configuration

system configuration

Append the following to /usbkey/config to create an etherstub on boot.

# create etherstub called 'switch0' at boot
etherstub="switch0"

network script to set up NAT

Update the script to suit your needs. I chose 172.16.0.0/24 for my internal network and gave the GZ the first IP so it can act as gateway. 172.16.0.2 is the IP of my first zone; you probably want to change that too. The rules also hardcode e1000g0 as the public interface; replace it with the name of your physical NIC (dladm show-phys).

The script also enables the firewall and allows only ICMP and SSH in. That protects the VNC consoles that vmadm spawns for KVM VMs, which listen on the GZ and are unauthenticated by default; reach them through SSH port forwarding instead.

/opt/custom/bin/net-setup
#!/usr/bin/sh
#
# Rebuilds the GZ NAT and firewall configuration on every boot. /etc in the
# global zone lives on a ramdisk and does not survive a reboot, so the ipf
# files are regenerated here instead of edited in place; only /opt/custom
# and /usbkey persist.

EXT_IF=e1000g0   # physical NIC carrying the public IP, adjust to your hardware

## setup gw0: VNIC on the etherstub, first address of the internal /24
if ! /usr/sbin/dladm show-vnic gw0 >/dev/null 2>&1; then
  /usr/sbin/dladm create-vnic -m 2:8:20:bc:d5:5f -l switch0 gw0
  /usr/sbin/ipadm create-addr -T static -a 172.16.0.1/24 gw0/v4
fi

## setup ip forwarding
/usr/sbin/routeadm -u -e ipv4-forwarding
/usr/sbin/routeadm -u -e ipv6-forwarding

## clear nat and firewall rules
rm -f /etc/ipf/ipnat.conf /etc/ipf/ipf.conf

## setup firewall
# ipfilter is last-match-wins unless a rule says 'quick', so the default
# block rules come first and the specific 'pass ... quick' rules follow them.
cat > /etc/ipf/ipf.conf <<EOF
# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all
pass out quick proto udp from any to any port = 53
# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state
# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags
# Port forwards (one pass rule per rdr rule in ipnat.conf)
pass in quick proto tcp from any to any port = 2201 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from any to any port = 2202 flags S/FSRPAU keep state keep frags
EOF

## setup portforwarding and outbound nat
# ipnat uses the first matching rule, so the rdr rules go before the map rules.
cat > /etc/ipf/ipnat.conf <<EOF
rdr $EXT_IF from any to any port = 2201 -> 172.16.0.2 port 22 tcp
rdr $EXT_IF from any to any port = 2202 -> 172.16.0.3 port 22 tcp
map $EXT_IF from 172.16.0.0/24 to any -> 0/32 proxy port ftp ftp/tcp
map $EXT_IF from 172.16.0.0/24 to any -> 0/32 portmap tcp/udp auto
map $EXT_IF from 172.16.0.0/24 to any -> 0/32
EOF

## enable firewall / NAT
/usr/sbin/ipf -E -Fa -v -f /etc/ipf/ipf.conf
/usr/sbin/ipnat -C -v -f /etc/ipf/ipnat.conf

## OVH/Kimsufi NTP fix (uncomment if the default NTP servers are unreachable)
#/usr/sbin/svcadm disable ntp
#/usr/bin/grep -v server /etc/inet/ntp.conf > /tmp/ntp.conf
#echo "server europe.pool.ntp.org" >> /tmp/ntp.conf
#/usr/bin/mv /tmp/ntp.conf /etc/inet/ntp.conf
#/usr/sbin/svcadm enable ntp

Note: zones always need at least one inbound rule for outbound NAT to work. Remember that "block in all" applies to every interface, gw0 included; if a zone on switch0 has no connectivity, ipfstat -ih (inbound rules with hit counts) and ipmon (the logged blocks) show which rule is dropping its packets.
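The script above hardcodes two zones as pairs of rdr and pass rules. As an added example (not the wiki's own net-setup script), the following generates the same two files for any number of zones from a list of "extport:zoneip" forwards and refuses forwards that would be wrong or silently dead: ports below 1024 (which would collide with the GZ's own SSH on 22), targets outside the internal /24 or pointing at the gateway address, and an external port used twice (ipnat takes the first matching rule, so a duplicate rdr never fires). The external NIC name, the internal subnet, the forward list and the output directory are assumed parameters, not values from the page; without arguments it is a dry run into a temporary directory, and "apply" loads the result into the running GZ.

```shell
#!/usr/bin/sh
# Added example, not the wiki's own script: generate ipf.conf and ipnat.conf
# for N zones from "extport:zoneip" forwards, with validation.
# Assumptions (not from the page): EXT_IF, INT_NET and FORWARDS are
# parameters; ports below 1024 are never forwarded; .1 is always the GZ.

EXT_IF="${EXT_IF:-e1000g0}"        # assumed external NIC name
INT_NET="${INT_NET:-172.16.0}"      # first three octets of the NAT /24
FORWARDS="${FORWARDS:-2201:172.16.0.2 2202:172.16.0.3}"   # constructed sample

# valid_forward PORT IP -> 0 if PORT is 1024..65535 and IP is a host address
# (.2-.254) inside INT_NET, 1 otherwise. .1 is the GZ on gw0, never a target.
valid_forward() {
  port="$1"; ip="$2"; last="${ip##*.}"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  case "$last" in ''|*[!0-9]*) return 1 ;; esac
  [ "${ip%.*}" = "$INT_NET" ] || return 1
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
  [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# gen_rules OUTDIR "extport:zoneip ..." writes OUTDIR/ipf.conf and
# OUTDIR/ipnat.conf. Returns 1 and writes nothing if a forward is invalid or
# an external port is listed twice.
gen_rules() {
  out="$1"; forwards="$2"; seen=" "
  for f in $forwards; do
    p="${f%%:*}"; ip="${f#*:}"
    valid_forward "$p" "$ip" || { echo "invalid forward: $f" >&2; return 1; }
    case "$seen" in *" $p "*) echo "duplicate port: $p" >&2; return 1 ;; esac
    seen="$seen$p "
  done
  {
    echo "# Default policies"
    echo "pass out all keep state"
    echo "block in all"
    echo "block return-rst in log first proto tcp all"
    echo "block return-icmp(host-unr) in log proto udp all"
    echo "pass out quick proto udp from any to any port = 53"
    echo "# Allow Loopback"
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    echo "# Allow ICMP"
    echo "pass out quick proto icmp all keep state"
    echo "pass in quick proto icmp all keep state"
    echo "# Allow SSH to the GZ"
    echo "pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags"
    echo "# Port forwards: ipf is last-match unless quick, so these must be quick"
    for f in $forwards; do
      echo "pass in quick proto tcp from any to any port = ${f%%:*} flags S/FSRPAU keep state keep frags"
    done
  } > "$out/ipf.conf"
  {
    echo "# rdr before map: ipnat takes the first matching rule"
    for f in $forwards; do
      echo "rdr $EXT_IF from any to any port = ${f%%:*} -> ${f#*:} port 22 tcp"
    done
    echo "map $EXT_IF from $INT_NET.0/24 to any -> 0/32 proxy port ftp ftp/tcp"
    echo "map $EXT_IF from $INT_NET.0/24 to any -> 0/32 portmap tcp/udp auto"
    echo "map $EXT_IF from $INT_NET.0/24 to any -> 0/32"
  } > "$out/ipnat.conf"
}

# apply_rules DIR: install the generated files and (re)load them. GZ only, as root.
apply_rules() {
  cp "$1/ipf.conf" "$1/ipnat.conf" /etc/ipf/ &&
  /usr/sbin/ipf -E -Fa -f /etc/ipf/ipf.conf &&
  /usr/sbin/ipnat -C -f /etc/ipf/ipnat.conf
}

# Dry run by default: generate into a temp dir and print it. "apply" loads it.
dir=$(mktemp -d) || exit 1
gen_rules "$dir" "$FORWARDS" || exit 1
if [ "${1:-}" = "apply" ]; then
  apply_rules "$dir"
else
  cat "$dir/ipf.conf" "$dir/ipnat.conf"
fi
```

Run it once without arguments and diff the output against the files net-setup writes; FORWARDS="2201:172.16.0.2 2203:172.16.0.5" ./gen-nat-rules apply then replaces the hand-written rdr/pass pairs for a new zone.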

SMF manifest to run net-setup at boot

/opt/custom/smf/net-setup.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='site:net-setup'>
  <service name='site/net-setup' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />

    <!-- the etherstub from /usbkey/config is created during network setup,
         so gw0 can only be created after it -->
    <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/physical'/>
    </dependency>
    <dependency name='filesystem' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>

    <exec_method type='method' name='start' exec='/opt/custom/bin/net-setup' timeout_seconds='0' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='0' />

    <!-- transient: the script runs once and exits, there is no daemon to watch -->
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
  </service>
</service_bundle>

Make sure to remove the first level of indentation that gets added when copying from this wiki!

After a reboot, any zone or VM you add with nic_tag switch0 and an IP in 172.16.0.0/24 should have internet access.

example configuration for zone

{
  "alias": "testvm",
  "hostname": "testvm",
  "brand": "joyent",
  "max_physical_memory": 256,
  "dataset_uuid": "8639203c-d515-11e3-9571-5bf3a74f354f",
  "resolvers": [ "8.8.4.4", "8.8.8.8" ],
  "nics": [
    {
      "nic_tag": "switch0",
      "ip": "172.16.0.2",
      "netmask": "255.255.255.0",
      "gateway": "172.16.0.1",
      "primary": true
    }
  ]
}

Leave allow_ip_spoofing at its default (false): the zone only ever sends from 172.16.0.2, so NAT does not need it, and enabling it would switch off the antispoof protection on the zone's VNIC and let a compromised zone forge source addresses on switch0.

snipets/solaris/smartos-nat.txt · Last modified: 2016/03/03 20:39 by sjorge