PF Help with unorthodox port forwarding

Hello,

Can someone please help me figure out how to forward ports from inside of a jail? I think I need the pf firewall to do this, but I could be wrong.

I have three iocage jails, each on their own VLAN, each running tailscale inside. My goal is to have incoming connections over tailscale blocked unless they're on ports 22 and 443. When those connections pass through, instead of answering them directly, I want the jail to port forward to a different host on the same subnet. The host I have in mind is one that can't run tailscale on its own, so I need to come up with a workaround. Normally, a tailscale user would use the subnet feature to solve this problem, but that's not available to me for reasons.

Now I am stuck trying to get pf to run in a jail:

Code:
root@jail90-csg01:~ # service pf restart
pfctl: /dev/pf: No such file or directory
kldload: can't load pf: Operation not permitted
/etc/rc.d/pf: WARNING: Unable to load kernel module pf
root@jail90-csg01:~ # service pf status
pf.ko is not loaded
root@jail90-csg01:~ # kldload pf.ko
kldload: can't load pf.ko: Operation not permitted

Any ideas on how to get pf working, or how to achieve this differently, would be appreciated!

- Evan Rowley
 
Can someone please help me figure out how to forward ports from inside of a jail?
Only works with VNET jails.

I want the jail to port forward to a different host on the same subnet.
You cannot "bounce" packets out of the same interface they came in on.

Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.
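For a VNET jail (pf loaded on the host, the jail's devfs ruleset unhiding /dev/pf, and IP forwarding enabled inside the jail), a ruleset along these lines is one way to express the asked-for behaviour: default deny, only 22 and 443 accepted over tailscale, and those redirected to the LAN host. This is an added example written for this thread, not configuration from the poster or from the pf documentation; the interface names tailscale0 and vnet0 and the address 10.0.90.20 are assumptions, and it relies on the packets arriving on the tailscale interface and leaving on the VLAN interface, so it is not the same-interface reflection case described above.

```pf
# ASSUMED names (not from the thread): tailscale0 is the jail's tailscale
# tun, vnet0 is its VLAN epair, 10.0.90.20 is the host that cannot run
# tailscale. Translation rules must precede filter rules on FreeBSD pf.
ts_if     = "tailscale0"
lan_if    = "vnet0"
target    = "10.0.90.20"
fwd_ports = "{ 22, 443 }"

set skip on lo0

# Rewrite the destination of inbound tailscale connections on the two
# permitted ports to the LAN host. Packets enter on ts_if and leave on
# lan_if, i.e. a different interface, which is what rdr requires.
rdr on $ts_if inet proto tcp to ($ts_if) port $fwd_ports -> $target

# Source-NAT the forwarded connections to the jail's own LAN address so the
# target's replies come back through the jail (which holds the state) rather
# than being sent directly toward the tailscale peer.
nat on $lan_if inet proto tcp to $target port $fwd_ports -> ($lan_if)

# Default deny, logged to pflog0 so blocked attempts remain visible.
block log all

# Filter rules see the translated destination: admit only the redirected
# connections from tailscale and let them out to the LAN host.
pass in  quick on $ts_if  inet proto tcp to $target port $fwd_ports keep state
pass out quick on $lan_if inet proto tcp to $target port $fwd_ports keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` inside the jail before loading it; if /dev/pf is still missing there, the jail is not a VNET jail or the devfs ruleset does not expose it.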
 