Network Address Translation (NAT) is part of IPfilter, which comes by default with the NetBSD release. The job of NAT is to take a source IP address and translate it to another address as the packet leaves a different network interface. This is also known as masquerading.
Luckily for you (as the exhausted reader) and me (the exhausted author), configuring NAT is pretty simple, especially with the example we are using.
/etc/ipnat.conf Needs to Look Like
map ep0 172.16.0.0/16 -> 216.68.250.60/32 proxy port ftp ftp/tcp
map ep0 172.16.0.0/16 -> 216.68.250.60/32 portmap tcp/udp 10000:20000
map ep0 172.16.0.0/16 -> 216.68.250.60/32
First we are proxying ftp through the ep0 interface. The next line says go ahead and map all tcp/udp traffic right on through the interface and assign each outbound "connection" a port from 10000 to 20000. Finally, the last line says: just plain map from 172.16.0.0/16 to 216.68.250.60/32. For our purposes this is all we need, so the rest of this document is of limited interest to those of you in a crunch trying to get a firewall up.
map fxp0 216.68.250.60/32 -> 172.16.14.1/32 (add whatever service here)
This might be handy to connect to a specific server inside (such as a web server) or, if you recall the DMZ example in the overview document, we may wish to translate into the DMZ from the world. Additionally it can be used as a poor man's router to link internal networks together, but there are much better ways of doing that.
Instead of this, however, most administrators would locate the web server within a DMZ and use ipfilter to ensure only http and ssh connections can be made to the system.
If you look closely you will see all outbound connections map to a single IP address. What if you wanted to be able to map to more? You can do so by simply changing the single address to a network:
map ep0 172.16.0.0/16 -> 216.68.250.0/24
Finally, the portmap range can be adjusted to whatever you feel is necessary.
IPNAT With Dial Up Networking
Many home users use dial up connections to access the internet. Many dial up connections are assigned a dynamic IP address every time the user connects. At first glance it may appear that some method for putting this new address into /etc/ipnat.conf is required.
Luckily, that is not so. Take note of how addresses can be shown on the internet side of the ipnat.conf file. Actually entire subnets can be used like so:
map ep0 172.16.0.0/16 -> 216.68.0.0/16
What this is saying is that addresses from 172.16.0.0 can be assigned any address on 216.68.0.0's network. Keeping that in mind, on a dial up connection you know you will be given one and only one address, so the following entries effectively do the same:
map ppp0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map ppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 172.16.0.0/16 -> 0/32
Here we are saying: map anything on 172.16.0.0/16 to one single address, whatever address the interface has at the time (that is what 0/32 means on the right-hand side).
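As an added example (not part of this document or of IPfilter itself), the following Python script parses the map rules shown above for ep0 and ppp0 and reports which rule an outbound packet would hit under ipnat's first-match order, resolving 0/32 to the interface's current address. The interface addresses and the packets fed to it are constructed sample values, and only /32 and 0/32 targets are modelled.

```python
import ipaddress
import re

# Constructed sample: the outbound map rules this document shows for ep0 and ppp0.
IPNAT_CONF = """\
map ep0 172.16.0.0/16 -> 216.68.250.60/32 proxy port ftp ftp/tcp
map ep0 172.16.0.0/16 -> 216.68.250.60/32 portmap tcp/udp 10000:20000
map ep0 172.16.0.0/16 -> 216.68.250.60/32
map ppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 172.16.0.0/16 -> 0/32
"""

RULE_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+proxy port (?P<pport>\S+) (?P<pname>\S+)/(?P<pproto>\S+))?"
    r"(?:\s+portmap (?P<pmproto>\S+) (?P<lo>\d+):(?P<hi>\d+))?\s*$"
)
SERVICES = {"ftp": 21}  # tiny stand-in for /etc/services lookups

def parse_ipnat(text):
    """Parse map rules into dicts, keeping file order (ipnat uses first match)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule: " + line)
        r = m.groupdict()
        # an address with no mask is a single host, so normalise to /32
        r["src"] = ipaddress.ip_network(r["src"] if "/" in r["src"] else r["src"] + "/32")
        r["protos"] = (r["pmproto"] or r["pproto"] or "any").split("/")
        p = r["pport"]
        r["pport"] = None if p is None else SERVICES.get(p, p if not p.isdigit() else int(p))
        rules.append(r)
    return rules

def translate(rules, iface, src_ip, proto, dport, iface_addrs):
    """Return (rule index, new source address, portmap range) for the first matching rule."""
    src = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if r["iface"] != iface or src not in r["src"]:
            continue
        if r["protos"] != ["any"] and proto not in r["protos"]:
            continue
        if r["pport"] is not None and dport != r["pport"]:
            continue
        # 0/32 means "whatever address the interface has right now" (the dial-up case)
        new_src = iface_addrs[iface] if r["dst"].startswith("0/") else r["dst"].split("/")[0]
        prange = (int(r["lo"]), int(r["hi"])) if r["lo"] else None
        return i, new_src, prange
    return None  # no rule applies, packet leaves untranslated
```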