ipfwnat man page on BSDOS

IPFWNAT(8)		  BSD System Manager's Manual		    IPFWNAT(8)

NAME
     ipfwnat - compile and install NAT filters

SYNOPSIS
     ipfwnat [-v] [-s server] -i interface
     ipfwnat [-v] conffile
     ipfwnat -r tag
     ipfwnat [-v] -l

DESCRIPTION
     The ipfwnat utility installs, queries, and removes NAT boxes from the
     system.  A NAT box, or Network Address Translation box, translates IP ad-
     dresses from an internal name space to an external name space.  The most
     common use is to allow multiple machines on a local area network to all
     share a single external IP address assigned by an ISP.

     The BSD/OS IP NAT (IPFWNAT) implementation is built on top of the BSD/OS
     IP Filter framework (IPFW) (see ipfw(8)).  The NAT filter type may only
     be called from the pre-input and pre-output filter points.  The pre-input
     filter point is used to translate externally visible (external) addresses
     to internally visible (internal) addresses.  The pre-output filter point
     does the reverse: it translates internal addresses to external addresses.
     The NAT boxes attached to these two filter points are "glued" together
     such that they reference the same data.  For the TCP and UDP protocols
     the port number associated with the external or internal address may
     also be mapped.  The ipfwnat utility takes care of all of this and
     provides an easy-to-use interface.  Simple environments can be set up on
     the command line.  More complicated environments are specified via a NAT
     configuration file, conffile.

     The options available are

     -i	     This option takes an interface name (e.g., ppp0) as an argument.
             A simple NAT box is configured such that all outgoing traffic is
             mapped onto the IP address assigned to the interface.  The -s
             option, below, may be used to direct incoming service requests to
             a machine other than the machine doing the NAT.

     -l	     List the tags of the installed NAT boxes.  These are used with
             the -r option below.  If the -v option is also specified, a more
             complete definition of the NAT boxes is displayed.  If -vv is
             specified, additional debugging information about the NAT boxes
             is displayed as well.

     -r	     Remove the NAT box with the associated tag.  The NAT boxes on
             both the pre-input and pre-output filter chains are removed.

     -s	     Used in conjunction with the -i option, this option specifies
	     what machine should handle all incoming requests to the IP ad-
	     dress of the interface.  By default this is the box running the
	     NAT.  The -s option allows an internal machine to be used.

     -v	     When installing filters, the serial number of each filter is
             displayed as it is installed.  When used with the -l option, a
             full description of the NAT box is displayed (see the -display
             command in ipfw(8)).

     If conffile is specified, it is read and the filter defined therein is
     installed on the pre-input and pre-output filter chains.  (See ipfw(8).)

     The conffile consists of commands, each terminated by a `;'.

     tag "string" ;
	     Set the tag for this NAT box (See ipfw(8)).  Only one NAT box may
	     have any given tag specified by the quoted string. Configuring a
	     new NAT box with the tag that is already in use will cause the
	     previous NAT box to be destroyed and replaced with the new NAT
	     box.  Example:

		   tag "my nat";

     priority number ;
	     Set the priority for this NAT box to number (See ipfw(8)).	 The
	     priority may be any signed 32 bit number.	The priority can be
	     used to make sure that various pre-input and pre-output filters
	     are executed in the correct order.	 The default priority is 1024.
	     Example:

		   priority 4096;

     buckets number ;
	     Set the number of hash buckets to be used to number. The default
	     setting of 997 is probably good for most situations.  If you are
	     expecting a large number of simultaneous NAT sessions you may
	     want to increase this value.  The value should be reasonably
	     prime.  To support about 50,000 NAT sessions a value of 9967
	     would probably work fine.	Example:

		   buckets 997;

     prefill number ;
             Pre-allocate number NAT session structures for later use.
             Typically this option is not needed and the kernel will allocate
             NAT sessions in chunks as needed.  Example:

		   prefill 1024;

     maxsessions number ;
	     Limit the number of NAT sessions to number. When the number of
	     active NAT sessions reaches this value, no new NAT sessions will
	     be created.  Once the number of active NAT sessions goes below
	     this value NAT sessions will once again be able to be created.
             This option is probably not needed.  Example:

		   maxsessions 10000;

     interface name ;
             Limit the NAT box to only work on packets going in or out of the
             interface name.  This also allows wildcards to work with the
             service and map commands.  Example:

		   interface ppp0;

     timeout proto seconds ;
	     Set the timeout for NAT sessions of the protocol proto to be
	     seconds. The value of proto may be a positive integer less than
	     256 or one of the known protocols tcp, udp, or icmp. The default
	     timeout is 300 seconds (5 minutes) except for TCP sessions, in
             which case it is 28800 seconds (8 hours).  Example:

		   timeout tcp 86400;	   # 24 hours
		   timeout udp 900;	   # 15 minutes

     service [serial] [proto] external[:port] -> internal[:port] [expire in
	     seconds] ;
             A service line is required for each incoming service that is
             supported.  It may be used to direct a single address/port pair,
             all requests to a specified address, or all requests from the
             interface.  If an interface was already specified then the
             external address can be 0.0.0.0, which matches the address
             associated with the interface (when the interface has more than
             one address assigned, it is indeterminate which address will be
             used).  This can also be abbreviated as 0.  If the external port
             number is missing, or is 0, all incoming requests will be matched
             by this line.  If the internal port number is missing, or is 0,
             the internal port number will be the same as the external port
             number.

             Packets are limited to the protocol proto.  The value of proto
             may be a positive integer less than 256 or one of the known
             protocols tcp, udp, or icmp.  If no proto is specified then this
             line applies to all protocols.

	     A serial number may be specified to allow the easy removal or re-
	     placement.	 The serial number must be in square brackets: [101].
	     Serial numbers must be below 1,000,000,000.  Numbers above this
	     value are automatically assigned by the system to requests that
	     have no serial number or a serial number of 0.  No two requests
	     can have the same serial number in the same NAT box.  Attempting
	     to install a new request with the same serial number as an exist-
	     ing request will cause the existing request to be replaced.

	     If an expire time is provided it is given as the number of
	     seconds from the time ipfwnat was run in which to expire this
	     service entry.  This feature normally is only needed by daemons
	     that install temporary service entries, such as ftp-proxy(8).

	     Example mapping all incoming requests to a single machine:

		   service 0 -> 0;

	     Example mapping telnet to one machine and http to another:

		   service tcp 0:23 -> 198.162.42.17;
		   service tcp 0:80 -> 198.162.42.31;

	     Example setting up multiple telnet options:

		   service tcp 0:23 -> 198.162.42.17;
		   service tcp 0:223 -> 198.162.42.18;
		   service tcp 0:323 -> 198.162.42.19;
		   service tcp 0:423 -> 198.162.42.20;

	     Example tying specific external addresses to internal machines
	     (assuming you were assigned 210.42.17.64/29):

		   service tcp 210.42.17.65:23 -> 198.162.42.17;
		   service tcp 210.42.17.65:80 -> 198.162.42.31;
		   service tcp 210.42.17.66 -> 198.162.42.17;
		   service tcp 210.42.17.67 -> 198.162.42.18;
		   service tcp 210.42.17.68 -> 198.162.42.19;
		   service tcp 210.42.17.69 -> 198.162.42.20;
		   service tcp 210.42.17.70 -> 198.162.42.21;

     map [serial] [proto] internal[/mask] -> external[/mask] [port - port] [,
	     external/mask port - port [, ...]] [expire in seconds] ;
             Set up a mapping for outgoing requests.  If an interface was
             already specified then the external address can be 0.0.0.0, which
             matches the address associated with the interface (when the
             interface has more than one address assigned, it is indeterminate
             which address will be used).  This can also be abbreviated as 0.

             If the internal address is 0 then all outgoing packets may be
             affected by this map.  The masks are integers between 0 and 32.
             A mask of 0 implies an address of 0.  A mask of 32 implies no
             mask (i.e., only this address).

	     When a packet that matches the internal network attempts to go
	     through the NAT box (and is not part of an existing NAT session)
	     it will be mapped to an external address within the specified
	     subnet and within the specified port range.  If the port range is
	     not specified then the port number will not be mapped.  If all
	     possible external addresses and ports are already in use for a
	     given remote address and port the mapping will fail.

             Packets are limited to the protocol proto.  The value of proto
             may be a positive integer less than 256 or one of the known
             protocols tcp, udp, or icmp.  If no proto is provided then this
             line will apply to all protocols.

	     Multiple external addresses and port ranges may be specified by
	     separating them with commas.

	     A serial number may be specified to allow the easy removal or re-
	     placement.	 The serial number must be in square brackets: [101].
	     Serial numbers must be below 1,000,000,000.  Numbers above this
	     value are automatically assigned by the system to requests that
	     have no serial number or a serial number of 0.  No two requests
	     can have the same serial number in the same NAT box.  Attempting
	     to install a new request with the same serial number as an exist-
	     ing request will cause the existing request to be replaced.

	     If an expire time is provided it is given as the number of
	     seconds from the time ipfwnat was run in which to expire this
	     map.  This feature normally is only needed by daemons that in-
	     stall temporary service entries.

	     The easiest example is:

		   map 0 -> 0;

	     To remap tcp requests to one of 3 addresses:

		   map tcp 0 -> 210.42.17.67, 210.42.17.68, 210.42.17.69;

	     To remap tcp requests from specific addresses:

		   map tcp 198.162.42.17 -> 210.42.17.66;
		   map tcp 198.162.42.18 -> 210.42.17.67;
		   map tcp 198.162.42.19 -> 210.42.17.68;
		   map tcp 198.162.42.20 -> 210.42.17.69;
		   map tcp 198.162.42.21 -> 210.42.17.70;
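     The conffile commands above, put together in one added shell example
     that is not part of the BSD/OS manual page.  The script emits a complete
     conffile for the common case (one ppp0 address, a handful of explicit
     inbound services, everything else outbound only), then lints it for the
     configuration this page documents as forwarding every inbound packet to
     an internal host: a service line with no proto, no external port, or
     port 0 (which is exactly what `service 0 -> 0;' means).  It also picks a
     prime bucket count from an expected session count.  The internal and
     external address ranges are the page's own samples; the lint rules, the
     "about 5 sessions per bucket" ratio (read off the page's 50,000 -> 9967
     figure), and the path /etc/ipfwnat.conf are assumptions of this script,
     not of ipfwnat.

```shell
#!/bin/sh
# Added example, not from the BSD/OS ipfwnat(8) page: generate a least-exposure
# conffile, lint it for catch-all service entries, and size the bucket table.
# Address ranges are the page's own samples; the lint rules, the sessions-per-
# bucket ratio and the /etc/ipfwnat.conf path are assumptions of this script.

# Emit a constructed conffile for a small office behind one ppp0 address.
# Inbound is limited to two explicit tcp ports; everything else only leaves
# via the map line and comes back through the NAT session it created.
nat_conffile() {
    cat <<'EOF'
tag "office nat";
priority 1024;
interface ppp0;
buckets 997;
maxsessions 10000;                          # cap session-table growth
timeout tcp 28800;                          # 8 hours (documented default)
timeout udp 300;                            # 5 minutes (documented default)
service [101] tcp 0:25 -> 198.162.42.17;    # mail host, SMTP only
service [102] tcp 0:80 -> 198.162.42.31;    # web host, HTTP only
map [201] 0 -> 0;                           # outbound: rewrite to ppp0's address
EOF
}

# Lint the conffile on stdin: print each service line that forwards all
# inbound traffic to an internal host (no proto, no external port, or port 0)
# and exit 1 if any were found.  Comments, ';' and [serial] are stripped first.
lint_catchall_services() {
    awk '
    /^[ \t]*service[ \t]/ {
        orig = $0
        sub(/#.*/, "")                 # trailing comment
        sub(/;.*/, "")                 # statement terminator
        gsub(/\[[0-9]*]/, " ")         # optional [serial]
        sub(/^[ \t]+/, "")
        split($0, f, /[ \t]+/)         # f[1] is "service"
        if (f[3] == "->") { proto = ""; ext = f[2] }    # proto omitted
        else              { proto = f[2]; ext = f[3] }
        reason = ""
        if (proto == "")            reason = "no protocol"
        else if (ext !~ /:/)        reason = "no external port"
        else { split(ext, ap, ":"); if (ap[2] + 0 == 0) reason = "external port 0" }
        if (reason != "") { bad++; print "catch-all service (" reason "): " orig }
    }
    END { exit (bad > 0) }'
}

# Smallest prime >= sessions/5, never below the documented default of 997.
nat_buckets() {
    awk -v sessions="$1" 'BEGIN {
        n = int(sessions / 5); if (n < 997) n = 997
        for (;; n++) {
            prime = 1
            for (d = 2; d * d <= n; d++) if (n % d == 0) { prime = 0; break }
            if (prime) { print n; exit }
        }
    }'
}

# Stand-alone run: lint the embedded conffile, then show how it would be
# installed (ipfwnat [-v] conffile, per the SYNOPSIS; path is hypothetical).
if nat_conffile | lint_catchall_services; then
    echo "lint ok; install with: nat_conffile > /etc/ipfwnat.conf && ipfwnat -v /etc/ipfwnat.conf"
fi
echo "buckets for 50000 sessions: $(nat_buckets 50000)"
```

     Run against the page's own `service tcp 210.42.17.66 -> 198.162.42.17;'
     the lint reports "no external port", which is the page's documented
     behaviour (every tcp port on that address reaches the internal host) and
     therefore worth a deliberate decision rather than an accident.  Pairing
     maxsessions with the documented timeouts bounds how large the session
     table can grow before the NAT box stops creating sessions.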

SEE ALSO
     ipfw(8)

			       September 5, 1999