
iocage Setup Guide

Simple guide to help myself remember. Uses iocage with vnet but no natting.

I will probably switch to another helper tool, most likely bastille.

Resources used:

Setup iocage

Add to /etc/sysctl.conf:

# Let the host route between its interfaces (it is the gateway for the
# 192.168.2.0/24 jail network configured in rc.conf / the jails below).
net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
# if_bridge(4) filtering knobs. With all three at 0 the bridge hands no
# frames to pfil(9), i.e. pf does not see traffic the bridge forwards
# between its members (jail <-> jail, jail <-> lagg0); only packets handled
# by the host's own IP stack are still filtered by the pf ruleset below.
# NOTE(review): confirm that jail-to-jail traffic bypassing the host firewall
# matches the intended trust model.
net.link.bridge.pfil_onlyip=0  # 0: non-IP frames (e.g. ARP) also pass the bridge unfiltered
net.link.bridge.pfil_bridge=0  # 0: no packet filtering on the bridge interface itself
net.link.bridge.pfil_member=0  # 0: no packet filtering on the bridge member interfaces

Add to /etc/rc.conf:

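# Host side of the jail network. Assumes the primary interface is called
# 'lagg0'; adjust the interface name in every line below otherwise.
iocage_enable="YES"
# bridge0 is the software switch the jails' vnet epair interfaces are attached to.
cloned_interfaces="bridge0"
# Create VLAN 666 on lagg0 (rc.conf(5) variable is vlans_<parent>; the
# original "vnets_lagg0" is not a variable rc(8) reads, so the lagg0.666
# interface addressed on the next line would never have been created).
vlans_lagg0="666"
# Host address on that VLAN; it is the default router the jails point at.
ifconfig_lagg0_666="inet 192.168.2.1/24"
# NOTE(review): the bridge member is the untagged lagg0 while the gateway
# address lives on the tagged lagg0.666 — confirm jail frames actually reach
# the 192.168.2.0/24 segment this way.
ifconfig_bridge0="addm lagg0 up"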

Run this:

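# Activate: tell iocage which ZFS pool holds its jails and releases
iocage activate zroot

# Fetch the release the template jail is built from. Pin the version instead
# of LATEST so it is guaranteed to match the "-r 13.1-RELEASE" later passed to
# "iocage create" (LATEST is resolved at fetch time and may drift). The mirror
# is a third-party host, so keep the URL on https.
release=13.1-RELEASE
iocage fetch -s https://mirrors.dotsrc.org -d /FreeBSD/releases/amd64 -r "$release"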

PF

# Interface / address macros: ext_if is the host uplink, jail_if the bridge
# the jails' epair interfaces hang off. localnet is written with host bits
# set; pf treats it as the 192.168.2.0/24 network.
ext_if = "lagg0"
jail_if = "bridge0"
localnet = "192.168.2.1/24"
# Services admitted by the "pass in" rules below — on EVERY interface,
# including $ext_if. NOTE(review): that exposes "domain" (DNS) to the uplink;
# if the resolver is only meant for the jails, restrict those rules to
# "on $jail_if" / "from $localnet".
tcp_services = "{ ssh, domain, 8080 }"
udp_services = "{ domain }"

# Play nicely: answer blocked packets with RST / ICMP unreachable instead of
# dropping silently, and normalise (defragment, sanity-check) all inbound
# packets before filtering.
set block-policy return
scrub in all

# Port forwarding: expose port 8080 on the uplink address and hand it to
# 192.168.2.13 (the prod-nginx clone created later). "rdr pass" admits the
# redirected traffic directly, skipping the filter rules below.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 8080 -> 192.168.2.13 port 8080

# Translate from localnet to external net (outbound jail traffic routed by the
# host leaves with the uplink address). NOTE(review): the intro calls this a
# "no natting" setup; this rule does NAT.
nat on $ext_if from $localnet to any -> ($ext_if)

# Remove spoofed packets: drop traffic that claims a source on an interface's
# network but arrives on a different interface.
antispoof for $ext_if
antispoof for $jail_if

# Default deny inbound, allow all outbound (pass rules are stateful by default
# on current FreeBSD pf, so replies to outbound traffic return).
block all
pass out

# Pass in services on all interfaces (explicit keep state)
pass in proto tcp to port $tcp_services keep state
pass in proto udp to port $udp_services keep state

# Allow ICMP & traceroute. "all" passes every ICMP type in both directions;
# tighten to echoreq/unreach if uplink exposure matters. "><" is an exclusive
# range, so this is UDP 33434–33625, the traceroute probe ports.
pass proto icmp all
pass proto udp to port 33433 >< 33626

Creating template jail

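# Template jail on the 192.168.2.0/24 jail network (the host itself sits on
# 192.168.1.x/24 in this example). Production jails are cloned from it.
name=prod-default
iocage create -r 13.1-RELEASE -n "$name"
# vnet="on": the jail gets its own network stack, attached to bridge0 via an
# epair. allow_raw_sockets="1" is what lets ping/traceroute work inside the
# jail, but it also widens what a compromised jail can do on the network —
# keep it only on jails that need it. boot="on": start with the host.
iocage set vnet="on" allow_raw_sockets="1" boot="on" "$name"
# Gateway is the host's lagg0.666 address. NOTE(review): ip4_addr is given
# without the "vnet0|" prefix used for the clone later — confirm iocage
# assigns it to vnet0 as intended.
iocage set defaultrouter="192.168.2.1" ip4_addr="192.168.2.11/24" "$name"
# Host interface iocage associates with this jail's vnet. NOTE(review):
# iocage may add it to bridge0 next to lagg0 on first start — check the
# bridge members afterwards.
iocage set vnet_default_interface="lagg0.666" "$name"

# Configure the jail...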

Cloning template

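# Clone the template into a new jail with its own MAC address and IP.
tmpl=prod-default
name=prod-nginx
name_ip=192.168.2.13
# The template is stopped before cloning (presumably so the clone is taken
# from a quiescent dataset rather than a running jail).
iocage stop "$tmpl"
# --newmac: generate fresh MAC addresses for the clone's vnet interfaces
# instead of inheriting the template's, so the two jails do not collide on
# bridge0.
iocage clone --newmac "$tmpl" -n "$name"
# Address on the clone's vnet0 epair; 192.168.2.13 is also the rdr target
# for port 8080 in the pf ruleset.
iocage set ip4_addr="vnet0|${name_ip}/24" "$name"
# Brings the template back up as well (it has boot="on"); drop "$tmpl" here
# if the template should stay stopped.
iocage start "$tmpl" "$name"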

Other

Probably not useful.

# List jails (name, state, release, address)
iocage list

# Ping from inside the jail (needs allow_raw_sockets=1 on the jail, as set on
# the template above)
iocage exec test-jail ping 1.1.1.1

# Assign IP. This is the non-vnet form "<host interface>|<addr>/<mask>": an
# alias on the host's em0 rather than a vnet0 epair as used by the jails above.
iocage set ip4_addr="em0|10.0.2.20/24" test-jail

# Restart so the new address takes effect, then check connectivity again
iocage restart test-jail
iocage exec test-jail ping 1.1.1.1

# Updating: take a snapshot first so the update can be rolled back, apply the
# update, then drop the snapshot. NOTE(review): running snapremove directly
# after update discards the rollback point — verify the jail still works
# before removing it.
iocage snapshot -n backup20220913 test-jail
iocage update test-jail
iocage snapremove test-jail@backup20220913