The FreeBSD Diary
NAT rules - for IP Filter
12 January 1999
This article has 8 comments
NAT, or Network Address Translation, is also referred to as IP Aliasing and IP Masquerading.  NAT is a method for translating internal intranet (private) addresses to external (public) Internet addresses.

In order for NAT to work, your box needs to be set up as a gateway.  A gateway forwards packets: it receives packets from other machines on your subnet and sends them on to their ultimate destination.  You can enable packet forwarding by issuing the following command:

sysctl -w net.inet.ip.forwarding=1

You can tell FreeBSD to set your box up as a gateway by including the following line in /etc/rc.conf:

gateway_enable="yes"

This line will ensure the command is executed during the system startup process.

Example NAT rules
I'm using ipfilter and I recommend it as a great packet filter tool for creating a firewall.  Included with this product is ipnat, which does the NAT for ipfilter.  Here's how I invoke ipnat:
ipnat -f /etc/ipnat.conf

I am also using DHCP.  In such circumstances, you can substitute 0.0.0.0/32 for the otherwise unknown IP address; ipfilter will determine the address at run time.  Although this example is for dynamic IP addresses, I'm not sure, but I strongly suspect that this will work for static addresses as well.  Here are the contents of /etc/ipnat.conf:

map ed0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map ed0 192.168.0.0/16 -> 0.0.0.0/32

ed0 is the network interface which leads to the outside world.  192.168.0.0/16 represents the inside network.  If you are setting up a home network, I suggest you use 192.168.0.* for your subnet.  In this case, the above examples will work for you.  If they don't, then please add your comments.

Put these rules before any redirects (i.e. rdr).

I also used this ipnat rule for a short while to redirect traffic from the firewall to a computer on my internal LAN:
rdr tun0 0.0.0.0/0 port 80 -> 10.0.0.1 port 80

Here tun0 is the public interface on my firewall and 10.0.0.1 is a box on my internal LAN which is running a webserver.  The above goes into /etc/ipnat.conf.

NOTE: Do your redirection after your mapping.  That is, put the rdr after any map directives.
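The two ordering rules above (map rules first, rdr after every map) are easy to get wrong when a config is edited by hand, and a bad portmap range or a typo in the inside network is only noticed once traffic stops flowing.  Below is an added example, not code from the original article or from the ipfilter project: a small POSIX sh/awk check that reads an ipnat.conf before it is handed to ipnat -f and reports map rules that follow an rdr, portmap ranges that are not a valid low:high pair, and map sources outside RFC 1918 private space.  It also lists each rdr rule, since every rdr exposes an inside host to the sources named in it and deserves a second look.  The function name ipnat_check, the work directory, and both sample config files are constructed for this example; the rules inside them are the ones from this article, with ed0 used as the outside interface throughout.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an ipnat.conf
# before loading it.  Assumes POSIX sh and awk only; the file holds plain
# ipnat rules, one per line, with "#" comments.

# ipnat_check FILE
#   Prints one finding per line.  Exit status 0 if no hard problems were
#   found, 1 otherwise (rdr listings are informational and do not fail).
ipnat_check() {
    awk '
    # drop comments and blank lines
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }

    $1 == "rdr" {
        seen_rdr = 1
        # fields: rdr IF SRC port P -> HOST port P
        printf "line %d: rdr exposes %s to sources %s (confirm the ipf rules permit only that)\n", NR, $7, $3
    }

    $1 == "map" {
        # the article: every map directive must precede every rdr directive
        if (seen_rdr) {
            printf "line %d: map after rdr; map rules must come first\n", NR; bad = 1
        }
        # fields: map IF INSIDE/NN -> OUTSIDE/NN [portmap PROTO LO:HI]
        # the inside network should be RFC 1918 space (10/8, 172.16/12, 192.168/16)
        if ($3 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
            printf "line %d: map source %s is not RFC 1918 private space\n", NR, $3; bad = 1
        }
        for (i = 1; i <= NF; i++)
            if ($i == "portmap") {
                n = split($(i + 2), r, ":")
                if (n != 2 || r[1] + 0 < 1 || r[2] + 0 > 65535 || r[1] + 0 >= r[2] + 0) {
                    printf "line %d: bad portmap range %s (want LO:HI within 1..65535)\n", NR, $(i + 2); bad = 1
                }
            }
    }

    $1 != "map" && $1 != "rdr" {
        # other ipnat directives (e.g. bimap) are left alone by this check
        printf "line %d: %s rule not checked by this script\n", NR, $1
    }

    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample inputs, written to a scratch directory.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Sample 1: the article's rules in the right order (all map, then rdr).
cat > "$WORK/good.conf" <<'EOF'
# inside 192.168/16 behind ed0; outside address learned at run time (DHCP)
map ed0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map ed0 192.168.0.0/16 -> 0.0.0.0/32
# inbound web traffic on the outside interface goes to the inside web server
rdr ed0 0.0.0.0/0 port 80 -> 10.0.0.1 port 80
EOF

# Sample 2: rdr placed first, and a portmap range written high:low.
cat > "$WORK/bad.conf" <<'EOF'
rdr ed0 0.0.0.0/0 port 80 -> 10.0.0.1 port 80
map ed0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 65000:40000
map ed0 192.168.0.0/16 -> 0.0.0.0/32
EOF

for f in "$WORK/good.conf" "$WORK/bad.conf"; do
    echo "== $f"
    if ipnat_check "$f"; then echo "ok: safe to load with ipnat -f"; else echo "fix before loading"; fi
done
```

Run it as a script; the second sample reports two misplaced map rules and the inverted port range, while the first reports only the rdr listing and exits 0.  To check a live file, call ipnat_check /etc/ipnat.conf before running ipnat -f on it.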
