Solved iocage Jail cannot escape home network

forquare · Dec 31, 2015

Afternoon all,

I have a fresh install of FreeBSD 10.2, it’s installed on VirtualBox. I have given the VM 4x virtio-net bridged adaptors—so they appear to be on my home network (192.168.1.0/24).

My host rc.conf looks like this:

Code:

hostname="aglardae"
keymap="uk.iso.kbd"
ifconfig_vtnet0="DHCP"
local_unbound_enable="YES"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"

#VBox
vboxguest_enable="YES"
vboxservice_enable="YES"
vboxservice_flags="--disable-timesync"

#iocage
iocage_enable="YES"

# Jails Networking
ifconfig_vtnet1="inet 192.168.150 netmask 255.255.255.0"
ifconfig_vtnet2="inet 192.168.151 netmask 255.255.255.0"
ifconfig_vtnet3="inet 192.168.152 netmask 255.255.255.0"

I Installed and did initial setup of iocage like this:

Code:

pkg install -y iocage
iocage fetch

During the iocage fetch I selected “10.2-RELEASE”. The only potentially interesting thing I saw in the output was “src component not installed, skipped”.

I have then created a Jail using iocage like so:

Code:

iocage create -c tag=ownCloud
iocage set hostname=ownCloud ownCloud
iocage set host_hostname=ownCloud ownCloud
iocage set ip4_addr="vtnet1|192.168.1.150/24" ownCloud
iocage set defaultrouter=192.168.1.254 ownCloud
iocage set allow_raw_sockets=1 ownCloud
iocage set allow_sysvipc=1 ownCloud

iocage start ownCloud
iocage console ownCloud

Inside my Jail I added a new user, and an entry in /etc/hosts:

Code:

192.168.1.150   ownCloud

Also inside the Jail I activated sshd(8), here’s the Jails rc.conf:

Code:

hostname="ownCloud"

cron_flags=" -J 15"

# Disable Sendmail by default
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"

# Enable SSH
sshd_enable="YES"

And here is the Jails resolv.conf (identical to the Jails host):

Code:

# Generated by resolvconf
search lan
# nameserver 192.168.1.254

nameserver 127.0.0.1
options edns0

I can now successfully ssh to the Jail (192.168.1.150) from a completely different host on my network (192.168.1.74), and I can ssh from the Jail to other hosts on my network.
I cannot, however, ssh from the Jail to IP addresses outside of my network which other hosts on the network can ssh to.

I have also had problems installing packages from inside the Jail:

Code:

pkg install owncloud
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly/Latest/pkg.txz: No address record
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

It seems that although the Jail is able to access everything on my home network, it is unable to reach beyond it…I haven’t got any fancy rules on my (very basic!) home router which is blocking it—certainly I spin up new VMs regularly and they never have a problem, the only difference being that the VMs usually use DHCP rather than specifying a static IP.

And nudges in the right direction would be greatly appreciated.

Ben

EDIT 150103:
Added properties when creating the Jail to enable ping/traceroute/etc.

forquare · Jan 2, 2016

Solved it! I think stupidity and misunderstanding is probably to blame.

I have removed/commented the configuration of vtnet1 (the Jails interface) from the hosts rc.conf, so it now looks like this:

Code:

hostname="aglardae"
keymap="uk.iso.kbd"
ifconfig_vtnet0="DHCP"
local_unbound_enable="YES"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"

# Generate MOTD
motdconfigurator_enable="YES"

#VBox
vboxguest_enable="YES"
vboxservice_enable="YES"
vboxservice_flags="--disable-timesync"

#iocage
iocage_enable="YES"

# Jails Networking
#ifconfig_vtnet1="inet 192.168.150 netmask 255.255.255.0"
ifconfig_vtnet2="inet 192.168.151 netmask 255.255.255.0"
ifconfig_vtnet3="inet 192.168.152 netmask 255.255.255.0"

This allowed me to get out of my network using IP addresses.
The thing that tipped this off to me was that when the Jail was running, running ifconfig on the host showed that the IP address had been configured twice on the same interface. Now that the configuration of the interface is done by the Jail/iocage, it seems to work.

To get DNS working, inside my Jail I uncommented the second line in resolv.conf so I now have this:

Code:

# Generated by resolvconf
search lan
nameserver 192.168.1.254

nameserver 127.0.0.1
options edns0

The Jail was set up with the contents exactly as listed in my first post, and the hosts resolv.conf is identical. I’m not sure why DNS works on the host and not in the Jail? I’d like to understand a bit more about that.

priyadarshan · Sep 24, 2016

forquare said:
I’m not sure why DNS works on the host and not in the Jail? I’d like to understand a bit more about that.

I am not sure, but perhaps the section here: Full Example: BIND in a Jail could help?

Solved iocage Jail cannot escape home network

forquare

forquare

priyadarshan