summaryrefslogtreecommitdiffstats
path: root/rules/nat-setup
diff options
context:
space:
mode:
Diffstat (limited to 'rules/nat-setup')
-rw-r--r--rules/nat-setup77
1 files changed, 77 insertions, 0 deletions
diff --git a/rules/nat-setup b/rules/nat-setup
new file mode 100644
index 0000000..b10e8f1
--- /dev/null
+++ b/rules/nat-setup
@@ -0,0 +1,77 @@
+Configuring NAT on your network.
+================================
+
+To start setting up NAT, we need to define which is your "internal" interface
+and which is your "external" interface. The "internal" interface is the
+network adapter connected to the network with private IP addresses which
+you need to change for communicating on the Internet. The "external"
+interface is configured with a valid internet address.
+
+For example, your internal interface might have an IP# of 10.1.1.1 and be
+connected to your ethernet, whilst your external interface might be a PPP
+connection with an IP number of 204.51.62.176.
+
+Thus your network might look like this:
+
+<Internal Network>
+ [pc] [pc]
+ | |
++-+---------+------+
+ |
+ [firewall]
+ |
+ |
+ Internet
+<External Network>
+
+
+Writing the map-rule.
+---------------------
+When you're connected to the Internet, you will either have a block of IP
+addresses assigned to you, maybe several different blocks, or you use a
+single IP address, i.e. with dialup PPP. If you have a block of addresses
+assigned, these can be used to create either a 1:1 mapping (if you have
+only a few internal IP addresses) or N:1 mappings, where groups of internal
+addresses map to a single IP address and unless you have enough Internet
+addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
+UDP port numbers.
+
+For an N:1 situation, you might have:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
+
+where if you had 16 addresses available, you could do:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
+
+Or if you wanted to allocate subnets to each IP#, you might do:
+
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
+
+*** NOTE: NAT rules are used on a first-match basis only!
+
+
+Filtering with NAT.
+-------------------
+IP Filter will always translate addresses in a packet _BEFORE_ it checks its
+access list for inbound packets and translates addresses _AFTER_ it has
+checked the access control lists for outbound packets.
+
+For example (using the above NAT rules), if you wanted to prevent all hosts
+in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
+with ipf:
+
+block out on ppp0 from 10.1.2.0/24 to any
+block in on ppp0 from any to 10.1.2.0/24
+
+and use these with ipnat:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
OpenPOWER on IntegriCloud