xref: /illumos-gate/usr/src/cmd/ipf/examples/nat-setup (revision 7c478bd9)
Configuring NAT on your network.
================================

To start setting up NAT, we need to define which is your "internal" interface
and which is your "external" interface.  The "internal" interface is the
network adapter connected to the network with private IP addresses, which
must be translated before those hosts can communicate on the Internet.  The
"external" interface is configured with a valid Internet address.

For example, your internal interface might have an IP# of 10.1.1.1 and be
connected to your ethernet, whilst your external interface might be a PPP
connection with an IP number of 204.51.62.176.

Thus your network might look like this:

<Internal Network>
 [pc]      [pc]
  |         |
+-+---------+------+
                   |
               [firewall]
                   |
                   |
               Internet
<External Network>


Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a block of IP
addresses assigned to you (maybe several different blocks), or you use a
single IP address, e.g. with dialup PPP.  If you have a block of addresses
assigned, these can be used to create either a 1:1 mapping (if you have
only a few internal IP addresses) or N:1 mappings, where groups of internal
addresses map to a single IP address.  Unless you have enough Internet
addresses for a 1:1 mapping, you will also want to do "portmapping" of TCP
and UDP port numbers.

For an N:1 situation, you might have:

map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32

whereas if you had 16 addresses available, you could do:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28

Or if you wanted to allocate subnets to each IP#, you might do:

map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
map ppp0 10.1.3.0/24 -> 209.23.1.4/32

(The second rule of each pair, without "portmap", is what handles traffic
other than TCP and UDP, such as ICMP.)

*** NOTE: NAT rules are used on a first-match basis only!


Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_ it checks its
access list for inbound packets, and translates addresses _AFTER_ it has
checked the access control lists for outbound packets.  In both directions
the access list therefore sees the private (untranslated) addresses.

For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rules
with ipf:

block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28
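The following Python model is an added example, not code from the ipf/illumos tree.  It demonstrates the two behaviours described above: map rules are consulted on a first-match basis (so a broad /16 rule listed before a narrower /24 rule shadows it, and a "portmap tcp/udp" rule does not match ICMP), and the access list is applied BEFORE translation for outbound packets and AFTER un-translation for inbound packets (which is why the block rules above can name the private 10.1.2.0/24 addresses in both directions).  The rule strings are the page's own; the Packet/MapRule/FilterRule/Firewall names, the sample packets, the modulo choice of external address and the lowest-free-port allocation are assumptions of this model and not ipnat's real algorithms.

```python
import ipaddress
import re
from collections import namedtuple

MapRule = namedtuple("MapRule", "ifname internal external protos ports")
# protos: {"tcp","udp"} when portmap is given, empty set = any protocol;
# ports: (low, high) portmap range, or None to leave the port untouched.
FilterRule = namedtuple("FilterRule", "direction ifname src dst")  # src/dst None = any
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

MAP_RE = re.compile(r"map\s+(\S+)\s+(\S+)\s+->\s+(\S+)"
                    r"(?:\s+portmap\s+(tcp/udp|tcp|udp)\s+(\d+):(\d+))?\s*$")
FILTER_RE = re.compile(r"block\s+(in|out)\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*$")

def parse_map(line):
    m = MAP_RE.match(line.strip())
    assert m, "unsupported map rule: " + line
    ifname, src, dst, proto, lo, hi = m.groups()
    return MapRule(ifname, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                   frozenset(proto.split("/")) if proto else frozenset(),
                   (int(lo), int(hi)) if lo else None)

def parse_filter(line):
    m = FILTER_RE.match(line.strip())
    assert m, "unsupported filter rule: " + line
    net = lambda s: None if s == "any" else ipaddress.ip_network(s)
    return FilterRule(m.group(1), m.group(2), net(m.group(3)), net(m.group(4)))

def packet(proto, src, dst, sport=None, dport=None):
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport)

class Firewall:
    def __init__(self, nat_rules, filter_rules):
        self.nat_rules = [parse_map(r) for r in nat_rules]
        self.filter_rules = [parse_filter(r) for r in filter_rules]
        self.sessions = {}       # (proto, ext_addr, ext_port) -> (int_addr, int_port)
        self.used_ports = set()  # (ext_addr, port) pairs already handed out

    def first_matching_map(self, ifname, pkt):
        # NAT rules are used on a first-match basis: earlier rules shadow later ones.
        for i, r in enumerate(self.nat_rules):
            if r.ifname == ifname and pkt.src in r.internal and (not r.protos or pkt.proto in r.protos):
                return i
        return None

    def blocked(self, direction, ifname, pkt):
        # Model: any matching "block" rule drops the packet, otherwise it passes.
        return any(r.direction == direction and r.ifname == ifname
                   and (r.src is None or pkt.src in r.src) and (r.dst is None or pkt.dst in r.dst)
                   for r in self.filter_rules)

    def translate(self, rule, pkt):
        # Assumption: external address by modulo of the internal address, port by the
        # lowest free port in the portmap range (ipnat's real scheme differs).
        ext = rule.external[int(pkt.src) % rule.external.num_addresses]
        port = pkt.sport
        if rule.ports is not None:
            port = next(p for p in range(rule.ports[0], rule.ports[1] + 1) if (ext, p) not in self.used_ports)
            self.used_ports.add((ext, port))
        self.sessions[(pkt.proto, ext, port)] = (pkt.src, pkt.sport)
        return pkt._replace(src=ext, sport=port)

    def outbound(self, ifname, pkt):
        # Outbound: access list checked FIRST, on the private address; NAT after.
        if self.blocked("out", ifname, pkt):
            return "blocked", pkt
        i = self.first_matching_map(ifname, pkt)
        return "passed", (self.translate(self.nat_rules[i], pkt) if i is not None else pkt)

    def inbound(self, ifname, pkt):
        # Inbound: NAT undone FIRST, so the access list sees the private address.
        hit = self.sessions.get((pkt.proto, pkt.dst, pkt.dport))
        if hit is not None:
            pkt = pkt._replace(dst=hit[0], dport=hit[1])
        return ("blocked" if self.blocked("in", ifname, pkt) else "passed"), pkt

def demo():
    # Rule strings are the page's own; the packets are constructed sample traffic.
    fw = Firewall(["map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000",
                   "map ppp0 10.1.0.0/16 -> 209.23.1.0/28"],
                  ["block out on ppp0 from 10.1.2.0/24 to any",
                   "block in on ppp0 from any to 10.1.2.0/24"])
    r = {}
    v, out = fw.outbound("ppp0", packet("tcp", "10.1.1.7", "198.51.100.10", 3456, 80))
    r["allowed_out"] = (v, str(out.src), out.sport)          # source and port rewritten
    v, back = fw.inbound("ppp0", packet("tcp", "198.51.100.10", str(out.src), 80, out.sport))
    r["reply_in"] = (v, str(back.dst), back.dport)           # private address restored
    v, out2 = fw.outbound("ppp0", packet("tcp", "10.1.2.9", "198.51.100.10", 4000, 80))
    r["denied_out"] = (v, str(out2.src))                     # blocked before NAT ran
    r["icmp_rule"] = fw.first_matching_map("ppp0", packet("icmp", "10.1.1.7", "198.51.100.10"))
    # First-match: with the /16 catch-all listed first, the /24 rule is never reached.
    subnet = "map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000"
    catch_all = "map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000"
    pkt = packet("tcp", "10.1.2.9", "198.51.100.10", 4000, 80)
    r["order"] = [str(Firewall(rules, []).outbound("ppp0", pkt)[1].src)
                  for rules in ([subnet, catch_all], [catch_all, subnet])]
    return r
```

Running demo() shows the 10.1.1.7 connection leaving as 209.23.1.7:10000 and its reply being restored to 10.1.1.7:3456 before the "block in" rule is evaluated, the 10.1.2.9 packet being dropped by "block out" while still carrying its private source address (so no NAT session is ever created for it), the ICMP packet falling through to the second, port-less map rule, and the same 10.1.2.9 packet landing on 209.23.1.3 or 209.23.1.5 depending only on which map rule is listed first.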