hackacad/docs/chapters/subcommands/rdr.rst

rdr
===

`bastille rdr` allows you to configure dynamic rdr rules for your containers
without modifying pf.conf (assuming you are using the `bastille0` interface
for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
as described in the Networking section).

Note: you need to be careful if host services are configured to run
on all interfaces as this will include the jail interface - you should
specify the interface they run on in rc.conf (or other config files)

.. code-block:: shell
    
    # bastille rdr dev1 tcp 2001 22
    [jail1]:
    IPv4 tcp/2001:22  on em0
   
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    
    # bastille rdr dev1 udp 2053 53
    [jail1]:
    IPv4 udp/2053:53 on em0
    
    # bastille rdr dev1 list
    rdr pass on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    rdr pass on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
    
    # bastille rdr dev1 clear
    nat cleared

The `rdr` command includes 4 additional options:

.. code-block:: shell

    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.

.. code-block:: shell

    # bastille rdr dev1 -i vtnet0 udp 8000 80
    [jail1]:
    IPv4 tcp/8000:80 on vtnet0
    
    # bastille rdr dev1 -s 192.168.0.1 tcp 8080 81
    [jail1]:
    IPv4 tcp/8080:81 on em0

    # bastille rdr dev1 -d 192.168.0.84 tcp 8082 82
    [jail1]:
    IPv4 tcp/8082:82 on em0

    # bastille rdr dev1 -i vtnet0 -d 192.168.0.45 tcp 9000 9000
    [jail1]:
    IPv4 tcp/9000:9000 on vtnet0

    # bastille rdr dev1 list
    rdr pass on vtnet0 inet proto udp from any to any port = 2001 -> 10.17.89.1 port 22
    rdr pass on em0 inet proto tcp from 192.168.0.1 to any port = 8080 -> 10.17.89.1 port 81
    rdr pass on em0 inet proto tcp from any to 192.168.0.84 port = 8082 -> 10.17.89.1 port 82
    rdr pass on vtnet0 inet proto tcp from any to 192.168.0.45 port = 9000 -> 10.17.89.1 port 9000

The options can be used together, as seen above.

If you have multiple interfaces assigned to your jail, `bastille rdr` will
only redirect using the default one.

.. code-block:: shell

  # bastille rdr --help
  Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]
 
    Options:

    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
    -x | --debug                                 Enable debug mode.
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`rdr`
			`===`

doc: rdr with multiple interfaces 2025-01-08 10:31:47 -07:00			`bastille rdr` allows you to configure dynamic rdr rules for your containers
Cleanup whitespace 2020-04-14 11:52:29 +02:00			without modifying pf.conf (assuming you are using the `bastille0` interface
			for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`as described in the Networking section).`

Cleanup whitespace 2020-04-14 11:52:29 +02:00			`Note: you need to be careful if host services are configured to run`
			`on all interfaces as this will include the jail interface - you should`
Fix typo in rdr documentation 2020-09-05 21:19:51 -04:00			`specify the interface they run on in rc.conf (or other config files)`
Add dynamic rdr 2020-02-01 15:58:02 +00:00
			`.. code-block:: shell`
document new changes to rdr 2024-12-11 11:35:14 -07:00
Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`# bastille rdr dev1 tcp 2001 22`
document new changes to rdr 2024-12-11 11:35:14 -07:00			`[jail1]:`
docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`IPv4 tcp/2001:22 on em0`
document new changes to rdr 2024-12-11 11:35:14 -07:00
Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`# bastille rdr dev1 list`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22`
document new changes to rdr 2024-12-11 11:35:14 -07:00
Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`# bastille rdr dev1 udp 2053 53`
document new changes to rdr 2024-12-11 11:35:14 -07:00			`[jail1]:`
docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`IPv4 udp/2053:53 on em0`
document new changes to rdr 2024-12-11 11:35:14 -07:00
Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`# bastille rdr dev1 list`
document new changes to rdr 2024-12-11 11:35:14 -07:00			`rdr pass on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22`
			`rdr pass on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53`

Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`# bastille rdr dev1 clear`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`nat cleared`
Add docs about RDR multiple interfaces 2024-12-09 17:26:44 -07:00
doc: rdr with multiple interfaces 2025-01-08 10:31:47 -07:00			The `rdr` command includes 4 additional options:
spacing 2024-12-11 11:38:53 -07:00
docs: update rdr docs with code block for options 2025-01-11 16:09:29 -07:00			`.. code-block:: shell`

			`-i \| --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.`
			`-s \| --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.`
			`-d \| --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.`
			`-t \| --type [ipv4\|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.`
Add docs about RDR multiple interfaces 2024-12-09 17:26:44 -07:00
			`.. code-block:: shell`

docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`# bastille rdr dev1 -i vtnet0 udp 8000 80`
document new changes to rdr 2024-12-11 11:35:14 -07:00			`[jail1]:`
docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`IPv4 tcp/8000:80 on vtnet0`
document new changes to rdr 2024-12-11 11:35:14 -07:00
			`# bastille rdr dev1 -s 192.168.0.1 tcp 8080 81`
			`[jail1]:`
docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`IPv4 tcp/8080:81 on em0`
document new changes to rdr 2024-12-11 11:35:14 -07:00
			`# bastille rdr dev1 -d 192.168.0.84 tcp 8082 82`
			`[jail1]:`
docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`IPv4 tcp/8082:82 on em0`
document new changes to rdr 2024-12-11 11:35:14 -07:00
			`# bastille rdr dev1 -i vtnet0 -d 192.168.0.45 tcp 9000 9000`
			`[jail1]:`
docs: rdr, fix info return block 2025-01-11 16:13:29 -07:00			`IPv4 tcp/9000:9000 on vtnet0`
document new changes to rdr 2024-12-11 11:35:14 -07:00
Add docs about RDR multiple interfaces 2024-12-09 17:26:44 -07:00			`# bastille rdr dev1 list`
document new changes to rdr 2024-12-11 11:35:14 -07:00			`rdr pass on vtnet0 inet proto udp from any to any port = 2001 -> 10.17.89.1 port 22`
			`rdr pass on em0 inet proto tcp from 192.168.0.1 to any port = 8080 -> 10.17.89.1 port 81`
			`rdr pass on em0 inet proto tcp from any to 192.168.0.84 port = 8082 -> 10.17.89.1 port 82`
			`rdr pass on vtnet0 inet proto tcp from any to 192.168.0.45 port = 9000 -> 10.17.89.1 port 9000`

			`The options can be used together, as seen above.`
doc: rdr with multiple interfaces 2025-01-08 10:31:47 -07:00
			If you have multiple interfaces assigned to your jail, `bastille rdr` will
			`only redirect using the default one.`
Update rdr.rst 2025-03-01 13:13:09 -07:00
			`.. code-block:: shell`

			`# bastille rdr --help`
			`Usage: bastille rdr TARGET [option(s)] [clear\|reset\|list\|(tcp\|udp host_port jail_port [log ['(' logopts ')'] ] )]`

			`Options:`

			`-i \| --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.`
			`-s \| --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.`
			`-d \| --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.`
			`-t \| --type [ipv4\|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.`
			`-x \| --debug Enable debug mode.`