.Dd October 10, 1998 .Dt IPNAT 8 .Os .Sh NAME .Nm ipnat .Nd user interface to the NAT .Sh SYNOPSIS .Nm ipnat .Op Fl CFlnrsv .Op Fl f Ar filename .Sh DESCRIPTION .Nm provides control over the kernel's network address translation (NAT). The NAT remaps IP addresses from one range to another. In other words, when properly configured on a gateway, the NAT provides Internet access to connected computers lacking officially assigned IP addresses. It is discussed in RFC 1631. .Pp The options are as follows: .Bl -tag -width Ds .It Fl f Ar filename File from which rules are read from. .It Fl C Delete all entries in the NAT list. .It Fl F Flush all active mappings from the NAT table. .It Fl l Display the current entries and mappings. .It Fl n Do not alter the NAT table. .It Fl r Remove, rather than add, entries specified in the rule list. .It Fl s Display statistics. .It Fl v Verbosity. Displays detailed information pertaining to rule processing. .El .Pp Certain configuration requirements must be met before .Nm will work. These are listed in .Pa /usr/share/ipf/nat.2 . .Pp .Nm operates on a list of rules, specified by .Ar filename . This file is typically .Pa /etc/ipnat.rules ; stdin is represented by "\-". Each rule is parsed, then sequentially added to the kernel's internal NAT list. Like .Xr ipf 8 , if an entry contradicts another previously added, the newer will take precedence. .Pp Comments (beginning with a .Ql # ) and blank lines are ignored as .Nm parses the file. Entries may be separated by spaces or tabs. Each rule must begin with either .Em map , .Em bimap , or .Em rdr . .Pp .Em map tells the NAT how a range of addresses should be translated. The entries use the following format: .Pp .Bd -unfilled -offset indent -compact map ifname internal/mask -> external/mask options .Ed .Pp The .Em ifname field is the interface to which packets are sent. A gateway with a PPP link would probably use .Dq ppp0 or .Dq tun0 , while an Ethernet connection would instead have the name of its device. In the presence of multiple network devices, you wish to use the device which is on the external side. .Pp The address range of the LAN goes in the .Em internal field. This is usually one of the three blocks of address space the Internet Assigned Numbers Authority has allocated for private networks (RFC 1597): .Pp .Bd -unfilled -offset indent -compact 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 .Ed .Pp The .Em external address is the offically assigned IP number of the gateway or network. .Pp .Em mask is the netmask of the address. This mask is 32 bits long, and is divided into four 8-bit numbers. .Pp .Bd -unfilled -offset indent -compact 11111111.0.0.0 Class A - 8 bits set. 11111111.11111111.0.0 Class B - 16 bits set. 11111111.11111111.11111111.0 Class C - 24 bits set. .Ed .Pp The number of bits set in the mask is placed following the IP address. .Pp Both .Em internal and .Em external may be an actual IP address, the name of an interface, or a hostname. If it is a network number, however, a problem may arise. For example: .Pp .Bd -unfilled -offset indent -compact map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .Ed .Pp 16,000,000 IP addresses are being squeezed into an address space of only 254. This is solved by the .Em portmap option, which remaps ports instead of IP addresses. The protocol is specified by following the option with either .Em tcp , .Em udp , .Em tcp/udp , or .Em tcpudp (the last two have the same effect). The syntax to assign a range of ports is .Dq portnumber:portnumber . This looks like: .Pp .Bd -unfilled -offset indent -compact map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .Ed .Pp That will cut the number down from ~16,000,000 addresses short to only 527,566. .Pp .Em bimap is used to create static, bidirectional NAT mappings. Standard .Em map rules only create NAT mappings when the connection is initiated from the internal IP address. For example, using the following rule: .Pp .Bd -unfilled -offset indent -compact map ppp0 10.0.0.3/32 -> 209.1.2.3/32 .Ed .Pp NAT mappings will only be created if the machine at 10.0.0.3 initiates the connection. To create a truly bidirectional NAT entry, .Em bimap is necessary. Using the following rule, for example, clients on the ppp0 side of the NAT box can initiate requests to 209.1.2.3. This traffic will be mapped to 10.0.0.3 as expected: .Pp .Bd -unfilled -offset indent -compact bimap ppp0 10.0.0.3/32 -> 209.1.2.3/32 .Ed .Pp To be genuinely useful, .Em bimap should be used in conjunction with either proxy arp, or .Xr ifconfig 8 aliases. For example, if we create two bimap entries such as: .Pp .Bd -unfilled -offset indent -compact bimap fxp0 10.0.0.3/32 -> 209.1.2.3/32 bimap fxp0 10.0.0.4/32 -> 209.1.2.4/32 .Ed .Pp It is necessary to do either: .Pp .Bd -unfilled -offset indent -compact arp -s 209.1.2.3 00:40:aa:bb:cc:dd pub arp -s 209.1.2.4 00:40:aa:bb:cc:dd pub .Ed .Pp (where 00:40:aa:bb:cc:dd is the MAC address of fxp0) or .Pp .Bd -unfilled -offset indent -compact ifconfig fxp0 alias 209.1.2.3 netmask 255.255.255.255 ifconfig fxp0 alias 209.1.2.4 netmask 255.255.255.255 .Ed .Pp .Em rdr tells the NAT how to redirect incoming packets. It is useful if one wishes to redirect a connection through a proxy, or to another box on the private network. The format of this directive is: .Pp rdr ifname external/mask port service -> internal port service protocol .Pp This setup is best described by an example of an actual entry: .Pp .Bd -unfilled -offset indent -compact rdr xl0 0.0.0.0/0 port 25 -> 204.213.176.10 port smtp .Ed .Pp This redirects all smtp packets received on xl0 to 204.213.176.10, port 25. A netmask is not needed on the .Em internal address; it is always 32. The .Em external and .Em internal fields, similar to the .Em map directive, may be actual addresses, hostnames, or interfaces. Likewise, the .Em service field may be the name of a service, or a port number. The .Em protocol of the service may be selected by appending .Em tcp , .Em udp , .Em tcp/udp , or .Em tcpudp (the last two have the same effect) to the end of the line. TCP is the default. .Sh FILES .Bl -tag -width /usr/share/ipf/nat.1 -compact .It Pa /dev/ipnat .It Pa /usr/share/ipf/nat.1 example rules .It Pa /usr/share/ipf/nat.2 system requirements for use of the NAT .It Pa /etc/ipnat.rules actual rule list .El .Sh BUGS .Em bimap should really only be used with single IP addresses (x.x.x.x/32). Bimapping other CIDR ranges will result in unexpected, and possibly random mappings into the destination address block. .Sh SEE ALSO .Xr ipf 4 , .Xr ipnat 4 , .Xr ipnat 5 , .Xr ipf 8 .Pp http://coombs.anu.edu.au/ipfilter/