The FreeBSD Diary
NAT rules - for IP Filter
12 January 1999
NAT, or Network Address Translation, is also referred to as IP Aliasing and IP Masquerading. NAT is a method for translating internal intranet (private) addresses to external (public) Internet addresses.
In order for NAT to work, your box needs to be set up as a gateway, which means it forwards packets: it receives packets from other machines on your subnet and passes them on to their ultimate destination. You can enable packet forwarding by issuing the following command:
You can tell FreeBSD to set your box up as a gateway by including the following line in /etc/rc.conf:
This line will ensure the command is executed during the system startup process.
Example NAT rules
I'm using ipfilter and I recommend it as a great packet filter tool for creating a firewall. Included with this product is ipnat, which does the NAT for ipfilter. Here's how I invoke ipnat:
I am also using DHCP. In such circumstances, you can substitute 0.0.0.0/32 for the otherwise unknown IP address; ipfilter will determine the address at run time. Although this example is for dynamic IP addresses, I'm not sure, but I strongly suspect that this will work for static addresses as well. Here are the contents of /etc/ipnat.conf:
ed0 is the network interface that leads to the outside world. 192.168.0.0/16 represents the inside network. If you are setting up a home network, I suggest you use 192.168.0.* for your subnet; in that case, the above examples will work for you. If they don't, then please add your comments.
Put these rules before any redirects (i.e. rdr).
I also used this ipnat rule for a short while to redirect traffic from the firewall to a computer on my internal LAN:
Where tun0 is the public interface on my firewall and 10.0.0.1 is a box on my internal LAN which is running a web server. The above goes into /etc/ipnat.conf.
NOTE: Do your redirection after your mapping. That is, put the rdr after any map directives.
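As an added example (not code from the FreeBSD Diary page), the script below ties the whole procedure together: it generates an ipnat.conf with the map rule ahead of the rdr rule, checks an existing file for that map-before-rdr order before loading it, and enables forwarding on the gateway. The interface name ed0, the inside network 192.168.0.0/16 and the web server 10.0.0.1 are taken from the page's own examples; everything else (function names, the port-80 rdr on ed0, the ipnat -CF -f load step) is an assumption of this example. The ordering check is the useful part: a rdr line that lands above a map line silently changes which packets get translated, and the check catches that before the ruleset is loaded.

```shell
#!/bin/sh
# Added example, not from the FreeBSD Diary page. Builds and validates an
# /etc/ipnat.conf in the map-before-rdr order the page requires. Interface,
# networks and hosts are assumptions borrowed from the page's examples.

# Emit a map rule: translate inside network $2 out of outside interface $1.
# 0.0.0.0/32 tells ipnat to use whatever address $1 holds (the DHCP case).
map_rule() {
    printf 'map %s %s -> 0.0.0.0/32\n' "$1" "$2"
}

# Emit a rdr rule: send inbound TCP on port $3 of interface $1 to host $2,
# same port.
rdr_rule() {
    printf 'rdr %s 0.0.0.0/0 port %s -> %s port %s tcp\n' "$1" "$3" "$2" "$3"
}

# Write a complete ruleset to file $1 for outside interface $2, inside
# network $3 and internal web server $4: the map first, then the rdr.
write_ipnat_conf() {
    {
        echo '# map rules must come before rdr rules'
        map_rule "$2" "$3"
        rdr_rule "$2" "$4" 80
    } > "$1"
}

# Return 0 if no map line appears after a rdr line in file $1, 1 otherwise.
# Comment and blank lines are ignored.
check_rule_order() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "rdr"             { seen_rdr = 1 }
        $1 == "map" && seen_rdr { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Load file $1 into ipnat only if the ordering check passes.
# -C clears the rule list, -F flushes the active NAT table, -f reads the file.
load_ipnat_conf() {
    check_rule_order "$1" || { echo "refusing to load $1: rdr before map" >&2; return 1; }
    ipnat -CF -f "$1"
}

# Turn on forwarding now and make it persistent across reboots.
# FreeBSD-specific; run as root on the gateway.
enable_gateway() {
    sysctl net.inet.ip.forwarding=1
    grep -q '^gateway_enable="YES"' /etc/rc.conf ||
        echo 'gateway_enable="YES"' >> /etc/rc.conf
}

# Usage on the gateway, as root:
#   . ./ipnat-rules.sh
#   enable_gateway
#   write_ipnat_conf /etc/ipnat.conf ed0 192.168.0.0/16 10.0.0.1
#   load_ipnat_conf /etc/ipnat.conf
```

Source the file rather than executing it, then call the functions in the order shown in the trailing comment; `load_ipnat_conf` refuses a file in which a map directive follows a rdr directive, which is exactly the mistake the NOTE above warns against.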