The FreeBSD Diary
NAT rules - for IP Filter
12 January 1999
NAT, or Network Address Translation, is also referred to as IP Aliasing and IP Masquerading. NAT is a method for translating internal intranet (private) addresses to external (public) Internet addresses. In order for NAT to work, your box needs to be set up as a gateway, which means it forwards packets: it receives packets from other machines on your subnet and forwards them on to their ultimate destination. You can enable packet forwarding by issuing the following command:
You can tell FreeBSD to set your box up as a gateway by including the following line in /etc/rc.conf:
This line will ensure the command is executed during the system startup process.
Example NAT rules
I'm using ipfilter and I recommend it as a great packet filter tool for creating a firewall. Included with this product is ipnat, which does the NAT for ipfilter. Here's how I invoke ipnat:
I am also using DHCP. In such circumstances, you can substitute 0.0.0.0/32 for the otherwise unknown IP address; ipfilter will determine the address at run time. Although this example is for dynamic IP addresses, I'm not sure, but I strongly suspect that this will work for static addresses as well. Here are the contents of /etc/ipnat.conf:
ed0 is the network interface which leads to the outside world. 192.168.0.0/16 represents the inside network. If you are setting up a home network, I suggest you use 192.168.0.* for your subnet. In this case, the above examples will work for you. If they don't, then please add your comments. Put these rules before any redirects (i.e. rdr).
I also used this ipnat rule for a short while to redirect traffic from the firewall to a computer on my internal LAN:
Here tun0 is the public interface on my firewall and 10.0.0.1 is a box on my internal LAN which is running a webserver. The above goes into /etc/ipnat.conf. NOTE: Do your redirection after your mapping. That is, put the rdr after any map directives.
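To show the map rules and the rdr rule together in the order the text prescribes, here is an added example /etc/ipnat.conf; it is not the author's file, and it assumes ed0 is the public interface for both the mapping and the redirect (the text uses tun0 for the redirect), a port range of 10000:20000 for portmap, and that the webserver on 10.0.0.1 listens on port 80.

```conf
# Added example /etc/ipnat.conf, not the file from the original article.
# Public interface: ed0 (dynamic address, so 0.0.0.0/32 is resolved at run time).
# Inside network: 192.168.0.0/16. Port range and port 80 are assumed values.

# map rules first: translate outbound traffic from the inside network.
# The portmap line rewrites TCP/UDP source ports so that many inside hosts
# can share the one public address; the second line catches everything
# else (ICMP, for instance) that has no port to remap.
map ed0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:20000
map ed0 192.168.0.0/16 -> 0.0.0.0/32

# rdr after the map directives, as the text advises: inbound TCP port 80
# arriving on ed0 is redirected to the inside webserver at 10.0.0.1.
# This exposes that one service to the whole Internet, so the matching
# ipf rule set should permit only this port inbound to 10.0.0.1.
rdr ed0 0.0.0.0/0 port 80 -> 10.0.0.1 port 80 tcp
```

Load the file with `ipnat -CF -f /etc/ipnat.conf` (clear the old rules and flush the translation table, then read the new file) and check the result with `ipnat -l`.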