1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
|
.Dd October 10, 1998
.Dt IPNAT 8
.Os
.Sh NAME
.Nm ipnat
.Nd manage IP network address translation rules
.Sh SYNOPSIS
.Nm ipnat
.Op Fl CFlnrsv
.Op Fl f Ar filename
.Sh DESCRIPTION
The
.Nm
utility
provides control over the kernel's network address translation (NAT).
The NAT facility remaps IP addresses from one range the another.
It can be used to provide internal networks with Internet connectivity by
mapping several private IP addresses to a single routeable
.Pq i.e., Dq real
Internet address.
.Pp
In other words, when properly configured on a gateway, the NAT provides
Internet access to connected computers lacking officially assigned IP
addresses.
It is discussed in RFC 1631.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl f Ar filename
File from which rules are read.
.It Fl C
Delete all entries in the NAT list.
.It Fl F
Flush all active mappings from the NAT table.
.It Fl l
Display the current rule list and active mappings.
.It Fl n
Do not alter the NAT table.
.It Fl r
Remove, rather than add, entries specified in the rule list.
.It Fl s
Display statistics.
.It Fl v
Verbosity. Displays detailed information pertaining to rule processing.
.El
.Pp
Certain configuration requirements must be met before
.Nm
will work:
.Bl -enum -offset indent
.It
Network address translation requires packet forwarding capabilities.
Ensure the
.Pa /etc/sysctl.conf
file contains the assignment
.Cm net.inet.ip.forwarding=1 .
.It
Packet filtering (see
.Xr ipf 8 )
must be enabled, even if it's not being used. Check the
.Pa /etc/rc.conf
file and make sure it contains the assignment
.Cm ipfilter=YES .
.It
The kernel must be configured with
.Cm option IPFILTER
(and
.Cm option IPFILTER_LOG
if
.Xr ipmon 8
is needed).
Both options are compiled into the default (GENERIC) kernel that comes with
the system.
.It
Finally, enable NAT itself by setting
.Cm ipnat=YES
in
.Pa /etc/rc.conf .
This will cause
.Pa /etc/netstart
to run
.Nm
at boot-time with
.Pa /etc/ipnat.rules
as the rule list to install.
.El
.Pp
The
.Nm
utility operates on a list of rules, specified by
.Fl f Ar filename .
This file is typically
.Pa /etc/ipnat.rules ;
standard input is represented by a single dash
.Pq Ql - .
Each rule is parsed, then sequentially added to
the kernel's internal NAT list. Like
.Xr ipf 8 ,
if an entry contradicts another previously added, the newer will take
precedence.
.Pp
Comments (beginning with a
.Ql # )
and blank lines are ignored as
.Nm
parses the file. Entries may be separated by spaces or tabs. Each rule must
begin with either
.Em map ,
.Em bimap ,
or
.Em rdr .
See below for rule syntax, or refer to
.Pa /usr/share/ipf/nat.1
for sample rule entries.
.Ss Mapping rules
.Em map
tells the NAT how a range of addresses should be translated. The entries use
the following format:
.Pp
.Bd -unfilled -offset indent -compact
map ifname internal/mask -> external/mask options
.Ed
.Pp
The
.Em ifname
field is the interface to which packets are sent. A gateway with a PPP link
would probably use
.Dq ppp0
or
.Dq tun0 ,
while an Ethernet connection would instead have the name of its device.
In the presence of multiple network devices, you wish to use the device
which is on the external side.
.Pp
As a quick example:
.Bd -literal -offset indent
map ep1 10.1.1.0/24 -> ep1/32 portmap tcp/udp 10000:20000
.Ed
.Pp
This rule would remap all connections originating from 10.1.1.0 through
10.1.1.254 to the externally-connected network.
Note that
.Dq ep1
is the name of the
.Em outside
interface on the gateway; that is, the interface with the external
.Pq i.e., Dq real
IP address.
Do not specify internal interface names, use their addresses instead.
.Pp
The address range of the LAN goes in the
.Em internal
field. This is usually one of the three blocks of address space the Internet
Assigned Numbers Authority has allocated for private networks (RFC 1597):
.Pp
.Bd -unfilled -offset indent -compact
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
.Ed
.Pp
The
.Em external
address is the offically assigned IP number of the gateway or network.
.Pp
.Em mask
is the netmask of the address. This mask is 32 bits long, and is divided into
four 8-bit numbers.
.Pp
.Bd -unfilled -offset indent -compact
11111111.0.0.0 Class A - 8 bits set.
11111111.11111111.0.0 Class B - 16 bits set.
11111111.11111111.11111111.0 Class C - 24 bits set.
.Ed
.Pp
The number of bits set in the mask is placed following the IP address.
.Pp
Both
.Em internal
and
.Em external
may be an actual IP address, the name of an interface, or a hostname. If it is
a network number, however, a problem may arise. For example:
.Pp
.Bd -unfilled -offset indent -compact
map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.Ed
.Pp
16,000,000 IP addresses are being squeezed into an address space of only 254.
This is solved by the
.Em portmap
option, which remaps ports instead of IP addresses. The protocol is specified
by following the option with either
.Em tcp ,
.Em udp ,
.Em tcp/udp ,
or
.Em tcpudp
(the last two have the same effect). The syntax to assign a range of ports is
.Dq portnumber:portnumber .
This looks like:
.Pp
.Bd -unfilled -offset indent -compact
map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.Ed
.Pp
That will cut the number down from ~16,000,000 addresses short to only 527,566.
.Pp
.Ss Bidirectional mapping rules
.Em bimap
is used to create static, bidirectional NAT mappings. Standard
.Em map
rules only create NAT mappings when the connection is initiated from the
internal IP address. For example, using the following rule:
.Pp
.Bd -unfilled -offset indent -compact
map ppp0 10.0.0.3/32 -> 209.1.2.3/32
.Ed
.Pp
NAT mappings will only be created if the machine at 10.0.0.3 initiates the
connection. To create a truly bidirectional NAT entry,
.Em bimap
is necessary. Using the following rule, for example, clients on the
ppp0 side of the NAT box can initiate requests to 209.1.2.3. This
traffic will be mapped to 10.0.0.3 as expected:
.Pp
.Bd -unfilled -offset indent -compact
bimap ppp0 10.0.0.3/32 -> 209.1.2.3/32
.Ed
.Pp
To be genuinely useful,
.Em bimap
should be used in conjunction with either proxy arp, or
.Xr ifconfig 8
aliases. For example, if we create two bimap entries such as:
.Pp
.Bd -unfilled -offset indent -compact
bimap fxp0 10.0.0.3/32 -> 209.1.2.3/32
bimap fxp0 10.0.0.4/32 -> 209.1.2.4/32
.Ed
.Pp
It is necessary to do either:
.Pp
.Bd -unfilled -offset indent -compact
arp -s 209.1.2.3 00:40:aa:bb:cc:dd pub
arp -s 209.1.2.4 00:40:aa:bb:cc:dd pub
.Ed
.Pp
(where 00:40:aa:bb:cc:dd is the MAC address of fxp0) or
.Pp
.Bd -unfilled -offset indent -compact
ifconfig fxp0 alias 209.1.2.3 netmask 255.255.255.255
ifconfig fxp0 alias 209.1.2.4 netmask 255.255.255.255
.Ed
.Pp
.Ss Redirection rules
.Em rdr
tells the NAT how to redirect incoming packets. It is useful if one wishes to
redirect a connection through a proxy, or to another box on the private
network. The format of this directive is:
.Pp
rdr ifname external/mask port service -> internal port service protocol
.Pp
This setup is best described by an example of an actual entry:
.Pp
.Bd -unfilled -offset indent -compact
rdr xl0 0.0.0.0/0 port 25 -> 204.213.176.10 port smtp
.Ed
.Pp
This redirects all smtp packets received on xl0 to 204.213.176.10, port 25. A
netmask is not needed on the
.Em internal
address; it is always 32. The
.Em external
and
.Em internal
fields, similar to the
.Em map
directive, may be actual addresses, hostnames, or interfaces. Likewise, the
.Em service
field may be the name of a service, or a port number. The
.Em protocol
of the service may be selected by appending
.Em tcp ,
.Em udp ,
.Em tcp/udp ,
or
.Em tcpudp
(the last two have the same effect) to the end of the line. TCP is the default.
.Sh FILES
.Bl -tag -width /usr/share/ipf/nat.1 -compact
.It Pa /etc/ipnat.rules
default system rule list
.It Pa /usr/share/ipf/nat.1
example rules
.It Pa /usr/share/ipf/nat.2
system requirements for use of the NAT
.It Pa /dev/ipnat
device file
.El
.Sh BUGS
.Em bimap
should really only be used with single IP addresses (x.x.x.x/32). Bimapping
other CIDR ranges will result in unexpected, and possibly random mappings
into the destination address block.
.Sh SEE ALSO
.Xr ipnat 4 ,
.Xr ipnat 5 ,
.Xr ipf 8
.Pp
http://coombs.anu.edu.au/ipfilter/
|