xref: /netbsd-src/external/bsd/ipf/dist/rules/nat-setup (revision bc4097aacfdd9307c19b7947c13c6ad6982527a9)

Configuring NAT on your network.
================================

To start setting up NAT, we need to define which is your "internal" interface
and which is your "external" interface.  The "internal" interface is the
network adapter connected to the network with private IP addresses which
you need to change for communicating on the Internet.  The "external"
interface is configured with a valid internet address.

For example, your internal interface might have an IP# of 10.1.1.1 and be
connected to your ethernet, whilst your external interface might be a PPP
connection with an IP number of 204.51.62.176.

Thus your network might look like this:

<Internal Network>
 [pc]      [pc]
  |         |
+-+---------+------+
                   |
               [firewall]
                   |
                   |
               Internet
<External Network>


Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a block of IP
addresses assigned to you, maybe several different blocks, or you use a
single IP address, i.e. with dialup PPP.  If you have a block of addresses
assigned, these can be used to create either a 1:1 mapping (if you have
only a few internal IP addresses) or N:1 mappings, where groups of internal
addresses map to a single IP address and unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
UDP port numbers.

For an N:1 situation, you might have:

map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap

where if you had 16 addresses available, you could do:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap

Or if you wanted to allocate subnets to each IP#, you might do:

map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap

*** NOTE: NAT rules are used on a first-match basis only!


Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_ it checks its
access list for inbound packets and translates addresses _AFTER_ it has
checked the access control lists for outbound packets.

For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
with ipf:

block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap