Network Address Translation (NAT) is part of IPfilter, which comes by default with the NetBSD release. The job of NAT is to take a source IP address and translate it to another out a different network interface. This is also known as masquerading.
Luckily for you (as the exhausted reader) and me (the exhausted author), configuring NAT is pretty simple, especially with the example we are using.
It is very simple:
map ep0 172.16.0.0/16 -> 18.104.22.168/32 proxy port ftp ftp/tcp
map ep0 172.16.0.0/16 -> 22.214.171.124/32 portmap tcp/udp 10000:20000
map ep0 172.16.0.0/16 -> 126.96.36.199/32
First we are proxying ftp through the ep0 interface. The next line says go ahead and map all tcp/udp traffic right on through the interface and assign each outbound "connection" a port from 10000 to 20000. Finally, the last line says just plain map from 172.16.0.0/16 to 188.8.131.52/32. For our purposes this is all we need, so the rest of this document is of limited interest to those of you in a crunch trying to get a firewall up.
A few items of interest for the curious: we can also map into the local network as well:
map fxp0 184.108.40.206/32 -> 172.16.14.1/32 (add whatever service here)
This might be handy to connect to a specific server inside (such as a web server) or, if you recall the DMZ example in the overview document, we may wish to translate into the DMZ from the world. Additionally it can be used as a poor man's router to link internal networks together, but there are much better ways of doing that.
Instead of this, however, most administrators would locate the web server within a DMZ and use ipfilter to ensure only http and ssh connections can be made to the system.
If you look closely you will see all outbound connections map to a single IP address. What if you wanted to be able to map to more? You can do so by simply changing the single address to a network:
map ep0 172.16.0.0/16 -> 220.127.116.11/24
Finally, the portmap range can be adjusted to whatever you feel is necessary.
Many home users use dial up connections to access the internet. Many dial up connections are assigned a dynamic IP address every time the user connects. At first glance it may appear that some method for putting this new address into /etc/ipnat.conf is required. Luckily, that is not so. Take note of how addresses can be written on the internet side of the ipnat.conf file. Actually entire subnets can be used like so:
map ep0 172.16.0.0/16 -> 18.104.22.168/16
What this is saying is that addresses from 172.16.0.0 can be assigned any address on 22.214.171.124's network. Keeping that in mind, on a dial up connection you know you will be given one and only one address, so the following entries effectively do the same:
map ppp0 172.16.0.0 -> 0/32 proxy port ftp ftp/tcp
map ppp0 172.16.0.0 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 172.16.0.0 -> 0/32
Here we are saying map anything on 172.16.0.0 to one single address, the address the interface will have.
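One detail worth checking before loading a file like the ones above: ipnat applies map rules first match wins, so the ftp proxy and portmap rules only take effect because they come before the plain catch-all map for the same interface and source. The following is an added example, not code from the original document or from IPfilter itself: a small Python parser for the map rule form used on this page (map, proxy port, portmap) together with a check that flags rules shadowed by an earlier catch-all. The sample configuration embedded in it is constructed for illustration; the addresses are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample /etc/ipnat.conf in the dial-up form used on this page.
# 0/32 means "whatever address the interface currently has".
SAMPLE_IPNAT_CONF = """\
# ftp proxy first, then portmap, then the plain catch-all
map ppp0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map ppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 172.16.0.0/16 -> 0/32
"""

# Grammar covered: map <if> <src> -> <dst> [proxy port <p> <name>/<proto>] [portmap <proto> <lo>:<hi>]
RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+proxy\s+port\s+(?P<pport>\S+)\s+(?P<pname>\S+)/(?P<pproto>\S+))?"
    r"(?:\s+portmap\s+(?P<mproto>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?\s*$"
)


@dataclass
class MapRule:
    ifname: str
    src: str
    dst: str
    proxy: Optional[Tuple[str, str, str]]    # (port, service name, proto) or None
    portmap: Optional[Tuple[str, int, int]]  # (proto, low port, high port) or None
    line_no: int

    @property
    def is_catch_all(self) -> bool:
        """A plain map with no proxy/portmap qualifier matches all traffic for its src."""
        return self.proxy is None and self.portmap is None


def parse_ipnat(text: str) -> List[MapRule]:
    """Parse map rules from ipnat.conf text; comments and blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unsupported rule: {line}")
        proxy = None
        if m.group("pport"):
            proxy = (m.group("pport"), m.group("pname"), m.group("pproto"))
        portmap = None
        if m.group("mproto"):
            portmap = (m.group("mproto"), int(m.group("lo")), int(m.group("hi")))
        rules.append(MapRule(m.group("ifname"), m.group("src"), m.group("dst"),
                             proxy, portmap, n))
    return rules


def shadowed_rules(rules: List[MapRule]) -> List[int]:
    """Line numbers of rules that can never match because an earlier catch-all
    map rule for the same interface and source already claims their traffic
    (ipnat map rules are first match wins)."""
    first_catch_all = {}
    shadowed = []
    for r in rules:
        key = (r.ifname, r.src)
        if key in first_catch_all:
            shadowed.append(r.line_no)
        elif r.is_catch_all:
            first_catch_all[key] = r.line_no
    return shadowed


if __name__ == "__main__":
    parsed = parse_ipnat(SAMPLE_IPNAT_CONF)
    for r in parsed:
        print(r)
    print("shadowed:", shadowed_rules(parsed))
```

Run it against your own ipnat.conf by reading the file into parse_ipnat; an empty list from shadowed_rules means every proxy and portmap rule sits ahead of the catch-all that would otherwise swallow it.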