rules/nat-setup - net/ipfilter - Rivoreo Source Code Repositories

 Configuring NAT on your network.
 ================================

 To start setting up NAT, we need to define which is your "internal" interface
 and which is your "external" interface.  The "internal" interface is the
 network adapter connected to the network with private IP addresses which
 you need to change for communicating on the Internet.  The "external"
 interface is configured with a valid internet address.

 For example, your internal interface might have an IP# of 10.1.1.1 and be
 connected to your ethernet, whilst your external interface might be a PPP
 connection with an IP number of 204.51.62.176.

 Thus your network might look like this:

 <Internal Network>
  [pc]      [pc]
   |         |
 +-+---------+------+
                    |
                [firewall]
                    |
                    |
                Internet
 <External Network>


 Writing the map-rule.
 ---------------------
 When you're connected to the Internet, you will either have a block of IP
 addresses assigned to you, maybe several different blocks, or you use a
 single IP address, i.e. with dialup PPP.  If you have a block of addresses
 assigned, these can be used to create either a 1:1 mapping (if you have
 only a few internal IP addresses) or N:1 mappings, where groups of internal
 addresses map to a single IP address and unless you have enough Internet
 addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
 UDP port numbers.

 For an N:1 situation, you might have:

 map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap

 where if you had 16 addresses available, you could do:

 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap

 Or if you wanted to allocate subnets to each IP#, you might do:

 map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
 map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
 map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap

 *** NOTE: NAT rules are used on a first-match basis only!


 Filtering with NAT.
 -------------------
 IP Filter will always translate addresses in a packet _BEFORE_ it checks its
 access list for inbound packets and translates addresses _AFTER_ it has
 checked the access control lists for outbound packets.

 For example (using the above NAT rules), if you wanted to prevent all hosts
 in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
 with ipf:

 block out on ppp0 from 10.1.2.0/24 to any
 block in on ppp0 from any to 10.1.2.0/24

 and use these with ipnat:

 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
	Configuring NAT on your network.
	================================

	To start setting up NAT, we need to define which is your "internal" interface
	and which is your "external" interface. The "internal" interface is the
	network adapter connected to the network with private IP addresses which
	you need to change for communicating on the Internet. The "external"
	interface is configured with a valid internet address.

	For example, your internal interface might have an IP# of 10.1.1.1 and be
	connected to your ethernet, whilst your external interface might be a PPP
	connection with an IP number of 204.51.62.176.

	Thus your network might look like this:

	<Internal Network>
	[pc] [pc]
	\| \|
	+-+---------+------+
	\|
	[firewall]
	\|
	\|
	Internet
	<External Network>


	Writing the map-rule.
	---------------------
	When you're connected to the Internet, you will either have a block of IP
	addresses assigned to you, maybe several different blocks, or you use a
	single IP address, i.e. with dialup PPP. If you have a block of addresses
	assigned, these can be used to create either a 1:1 mapping (if you have
	only a few internal IP addresses) or N:1 mappings, where groups of internal
	addresses map to a single IP address and unless you have enough Internet
	addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
	UDP port numbers.

	For an N:1 situation, you might have:

	map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
	map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap

	where if you had 16 addresses available, you could do:

	map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
	map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap

	Or if you wanted to allocate subnets to each IP#, you might do:

	map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
	map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
	map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
	map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
	map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
	map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap

	*** NOTE: NAT rules are used on a first-match basis only!


	Filtering with NAT.
	-------------------
	IP Filter will always translate addresses in a packet _BEFORE_ it checks its
	access list for inbound packets and translates addresses _AFTER_ it has
	checked the access control lists for outbound packets.

	For example (using the above NAT rules), if you wanted to prevent all hosts
	in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
	with ipf:

	block out on ppp0 from 10.1.2.0/24 to any
	block in on ppp0 from any to 10.1.2.0/24

	and use these with ipnat:

	map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
	map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap