Configuring NAT on your network.
================================

To start setting up NAT, we need to define which is your "internal" interface
and which is your "external" interface. The "internal" interface is the
network adapter connected to the network with private IP addresses, which
must be translated before those hosts can communicate on the Internet. The
"external" interface is configured with a valid, globally routable Internet
address.

For example, your internal interface might have an IP address of 10.1.1.1 and
be connected to your ethernet, whilst your external interface might be a PPP
connection with an IP address of 204.51.62.176.
Thus your network might look like this:

<Internal Network>
  [pc]      [pc]
    |         |
 ---+---------+------+
                     |
                [firewall]
                     |
                 Internet
<External Network>


Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a block of IP
addresses assigned to you (maybe several different blocks), or you use a
single IP address, e.g. with dialup PPP. If you have a block of addresses
assigned, these can be used to create either a 1:1 mapping (if you have
only a few internal IP addresses) or N:1 mappings, where groups of internal
addresses map to a single IP address. Unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
UDP port numbers, so that many internal hosts can share one external address
and each connection is told apart by the source port it is assigned.

For an N:1 situation, you might have:

map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32

The first rule translates TCP and UDP and rewrites the source port into the
range 10000-40000. A map rule with a "portmap" clause only matches the
protocols it names, so the second rule, without "portmap", is needed to
translate everything else (ICMP, for example).

Where if you had 16 addresses available, you could do:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28

Or if you wanted to allocate subnets to each IP address, you might do:

map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
map ppp0 10.1.3.0/24 -> 209.23.1.4/32

*** NOTE: NAT rules are used on a first-match basis only! Put the more
specific rules before the more general ones: a catch-all rule placed first
will hide every rule that follows it.

Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_ it checks its
access list for inbound packets and translates addresses _AFTER_ it has
checked the access control lists for outbound packets. In other words, the
filter rules always see the packet with its internal (untranslated)
addresses: outbound packets are filtered on their private source address and
then translated, and inbound packets are translated back to their private
destination address and then filtered.

For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rules
with ipf:

block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28
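As an added example, not part of the IP Filter documentation and not IP
Filter's own code, here is a small Python model of the two behaviours
described in the map-rule and filtering sections above: first-match selection
of map rules (including the way a rule with "portmap" only catches the
protocols it names, so the plain rule behind it handles ICMP), and the
outbound order in which the ipf access list sees the untranslated source
address before ipnat translates it. It parses the per-subnet map rules from
this page plus a constructed, mis-ordered configuration, and reports rules
that an earlier rule shadows. The names first_match, shadowed and outbound
are this example's own; it only models the "map ... -> ... [portmap ...]"
form used here, and it does not reproduce how ipnat picks an address out of a
block or allocates ports.

```python
# Added example, not IP Filter code: models ipnat first-match rule selection.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# map <iface> <src-net> -> <dst-net> [portmap <protos> <lo>:<hi>]
MAP_RE = re.compile(
    r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+portmap\s+(\S+)\s+(\d+):(\d+))?$")

@dataclass(frozen=True)
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protos: frozenset                 # empty means "any protocol" (no portmap)
    ports: Optional[Tuple[int, int]]  # portmap port range, if any

def parse_map(line: str) -> MapRule:
    m = MAP_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported map rule: %r" % line)
    iface, src, dst, protos, lo, hi = m.groups()
    return MapRule(iface, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                   frozenset(protos.split("/")) if protos else frozenset(),
                   (int(lo), int(hi)) if lo else None)

def parse_conf(text: str) -> List[MapRule]:
    """Parse every non-blank, non-comment line of an ipnat.conf fragment."""
    return [parse_map(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def rule_matches(rule: MapRule, iface: str, src_ip: str, proto: str) -> bool:
    return (rule.iface == iface
            and ipaddress.ip_address(src_ip) in rule.src
            and (not rule.protos or proto in rule.protos))

def first_match(rules: List[MapRule], iface: str, src_ip: str,
                proto: str) -> Optional[int]:
    """Index of the first map rule that applies (ipnat is first-match only);
    None means the packet would leave untranslated."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, iface, src_ip, proto):
            return i
    return None

def shadowed(rules: List[MapRule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches every packet they would match."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers_proto = (not earlier.protos
                            or bool(later.protos and later.protos <= earlier.protos))
            if (earlier.iface == later.iface
                    and later.src.subnet_of(earlier.src) and covers_proto):
                dead.append(j)
                break
    return dead

def outbound(blocks, rules, iface: str, src_ip: str, proto: str):
    """Outbound order: the ipf access list sees the untranslated source
    address first; only a packet that passes is handed to the NAT rules."""
    for b_iface, b_net in blocks:
        if b_iface == iface and ipaddress.ip_address(src_ip) in b_net:
            return ("blocked", None)
    return ("pass", first_match(rules, iface, src_ip, proto))

# The per-subnet rules from the page, in the order given there.
SUBNET_CONF = """
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
map ppp0 10.1.3.0/24 -> 209.23.1.4/32
"""
# Constructed mis-ordering: the catch-all /16 rules in front of a per-subnet
# rule, which can therefore never be selected.
BAD_CONF = """
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
"""
# The page's "block out on ppp0 from 10.1.2.0/24 to any", as (iface, net).
BLOCKS = [("ppp0", ipaddress.ip_network("10.1.2.0/24"))]

SUBNET_RULES = parse_conf(SUBNET_CONF)
BAD_RULES = parse_conf(BAD_CONF)

if __name__ == "__main__":
    print(first_match(SUBNET_RULES, "ppp0", "10.1.2.7", "tcp"))    # 1
    print(first_match(SUBNET_RULES, "ppp0", "10.1.2.7", "icmp"))   # 4
    print(shadowed(BAD_RULES))                                      # [2]
    print(outbound(BLOCKS, BAD_RULES, "ppp0", "10.1.2.7", "tcp"))  # ('blocked', None)
```

Running it shows the TCP packet from 10.1.2.7 selecting the second rule and
the ICMP packet falling through to the fifth (the plain rule for the same
subnet), the third rule of the mis-ordered configuration reported as dead,
and the blocked subnet never reaching the NAT rules at all on the way out.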