Configuring NAT on your network.
================================

To start setting up NAT, we need to define which is your "internal" interface
and which is your "external" interface. The "internal" interface is the
network adapter connected to the network with private IP addresses which
you need to change for communicating on the Internet. The "external"
interface is configured with a valid internet address.

For example, your internal interface might have an IP# of 10.1.1.1 and be
connected to your ethernet, whilst your external interface might be a PPP
connection with an IP number of 204.51.62.176.

Thus your network might look like this:

                       <Internal Network>
        [pc]      [pc]
          |         |
      +---+---------+------+
                           |
                       [firewall]
                           |
                           |
                        Internet
                       <External Network>


Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a block of IP
addresses assigned to you (maybe several different blocks), or you use a
single IP address, e.g. with dialup PPP. If you have a block of addresses
assigned, these can be used to create either 1:1 mappings (if you have
only a few internal IP addresses) or N:1 mappings, where groups of internal
addresses map to a single IP address. Unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
UDP port numbers.

For an N:1 situation, you might have:

    map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
    map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap

Or, if you had 16 addresses available, you could do:

    map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
    map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap

Or if you wanted to allocate subnets to each IP#, you might do:

    map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
    map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
    map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
    map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
    map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
    map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap

*** NOTE: NAT rules are used on a first-match basis only!


Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_ it checks its
access list for inbound packets, and translates addresses _AFTER_ it has
checked the access control lists for outbound packets.

For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rules
with ipf:

    block out on ppp0 from 10.1.2.0/24 to any
    block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

    map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
    map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
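The two points above that catch people out are the first-match evaluation of
map rules and the fact that, for outbound packets, the ipf access list sees
the untranslated private source address before ipnat runs. The following is an
added example (not part of the IP Filter documentation or code) that models
those two behaviours over the rule text on this page: it finds the first map
rule a packet would hit, applies the outbound filter-then-NAT order, and
reports map rules that an earlier rule makes unreachable. It assumes a rule
with a bare "portmap" (no protocol) matches any protocol, and it ignores
destination, port ranges and state, which the real filter also checks.

```python
from ipaddress import ip_address, ip_network

# Rule text from the page; order matters because ipnat is first-match.
NAT_RULES = [
    "map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000",
    "map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000",
    "map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap",
    "map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap",
]
FILTER_RULES = ["block out on ppp0 from 10.1.2.0/24 to any"]

def parse_map(rule):
    """map <if> <src> -> <dst> [portmap [<proto> <lo>:<hi>]]; a rule with
    no protocol is modelled as matching any protocol (assumption)."""
    t = rule.split()
    i = t.index("portmap") if "portmap" in t else -1
    proto = t[i + 1] if 0 <= i and i + 2 < len(t) else "any"
    return {"if": t[1], "src": ip_network(t[2]), "dst": ip_network(t[4]),
            "proto": proto}

def covers(rule_proto, proto):
    return rule_proto == "any" or proto in rule_proto.split("/")

def first_match_nat(iface, src_ip, proto, rules=NAT_RULES):
    """First map rule whose interface, source net and protocol all match."""
    for rule in rules:
        r = parse_map(rule)
        if r["if"] == iface and ip_address(src_ip) in r["src"] and covers(r["proto"], proto):
            return rule
    return None

def outbound(iface, src_ip, proto):
    """Outbound: ipf checks its access list on the untranslated private
    source first; only packets that pass reach ipnat."""
    for rule in FILTER_RULES:
        t = rule.split()                 # block out on <if> from <net> to any
        if t[0] == "block" and t[1] == "out" and t[3] == iface \
                and ip_address(src_ip) in ip_network(t[5]):
            return ("blocked", rule)
    m = first_match_nat(iface, src_ip, proto)
    return ("nat", m) if m else ("unmapped", None)

def shadowed(rules):
    """Map rules that can never fire because an earlier rule on the same
    interface already covers their whole source net and protocol set."""
    parsed = [parse_map(r) for r in rules]
    return [rules[i] for i, r in enumerate(parsed)
            if any(e["if"] == r["if"] and r["src"].subnet_of(e["src"])
                   and e["proto"] in ("any", r["proto"]) for e in parsed[:i])]
```

Putting the 10.1.0.0/16 catch-all rule ahead of the per-subnet rules makes every per-subnet rule unreachable, which shadowed() reports.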