xref: /titanic_52/usr/src/cmd/ipf/examples/nat-setup (revision ee5416c9d7e449233197d5d20bc6b81e4ff091b2)
1Configuring NAT on your network.
2================================
3
4To start setting up NAT, we need to define which is your "internal" interface
5and which is your "external" interface.  The "internal" interface is the
6network adapter connected to the network with private IP addresses which
7you need to change for communicating on the Internet.  The "external"
8interface is configured with a valid internet address.
9
10For example, your internal interface might have an IP# of 10.1.1.1 and be
11connected to your ethernet, whilst your external interface might be a PPP
12connection with an IP number of 204.51.62.176.
13
14Thus your network might look like this:
15
16<Internal Network>
17 [pc]      [pc]
18  |         |
19+-+---------+------+
20                   |
21               [firewall]
22                   |
23                   |
24               Internet
25<External Network>
26
27
28Writing the map-rule.
29---------------------
30When you're connected to the Internet, you will either have a block of IP
31addresses assigned to you, maybe several different blocks, or you use a
32single IP address, i.e. with dialup PPP.  If you have a block of addresses
33assigned, these can be used to create either a 1:1 mapping (if you have
34only a few internal IP addresses) or N:1 mappings, where groups of internal
35addresses map to a single IP address and unless you have enough Internet
36addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
37UDP port numbers.
38
39For an N:1 situation, you might have:
40
41map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
42map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
43
44where if you had 16 addresses available, you could do:
45
46map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
47map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
48
49Or if you wanted to allocate subnets to each IP#, you might do:
50
51map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
52map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
53map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
54map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
55map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
56map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
57
58*** NOTE: NAT rules are used on a first-match basis only!
59
60
61Filtering with NAT.
62-------------------
63IP Filter will always translate addresses in a packet _BEFORE_ it checks its
64access list for inbound packets and translates addresses _AFTER_ it has
65checked the access control lists for outbound packets.
66
67For example (using the above NAT rules), if you wanted to prevent all hosts
68in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
69with ipf:
70
71block out on ppp0 from 10.1.2.0/24 to any
72block in on ppp0 from any to 10.1.2.0/24
73
74and use these with ipnat:
75
76map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
77map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
78