IPNAT(8) OpenBSD System Manager's Manual IPNAT(8)
ipnat - manage IP network address translation rules
ipnat [-CFlnrsv] [-f filename]
The ipnat utility provides control over the kernel's network address
translation (NAT). The NAT facility remaps IP addresses from one range
to another. It can be used to provide internal networks with Internet
connectivity by mapping several private IP addresses to a single
routeable (i.e., ``real'') Internet address.
In other words, when properly configured on a gateway, the NAT provides
Internet access to connected computers lacking officially assigned IP ad-
dresses. It is discussed in RFC 1631.
The options are as follows:
-f filename File from which rules are read.
-C Delete all entries in the NAT list.
-F Flush all active mappings from the NAT table.
-l Display the current rule list and active mappings.
-n Do not alter the NAT table.
-r Remove, rather than add, entries specified in the rule list.
-s Display statistics.
-v Verbosity. Displays detailed information pertaining to rule pro-
Certain configuration requirements must be met before ipnat will work:
1. Network address translation requires packet forwarding capa-
bilities. Ensure the /etc/sysctl.conf file contains the as-
2. Packet filtering (see ipf(8)) must be enabled, even if it's
not being used. Check the /etc/rc.conf file and make sure it
contains the assignment ipfilter=YES.
3. The kernel must be configured with option IPFILTER (and option
IPFILTER_LOG if ipmon(8) is needed). Both options are com-
piled into the default (GENERIC) kernel that comes with the
4. Finally, enable NAT itself by setting ipnat=YES in
/etc/rc.conf. This will cause /etc/netstart to run ipnat at
boot-time with /etc/ipnat.rules as the rule list to install.
The ipnat utility operates on a list of rules, specified by -f filename.
This file is typically /etc/ipnat.rules; standard input is represented by
a single dash (`-'). Each rule is parsed, then sequentially added to the
kernel's internal NAT list. Like ipf(8), if an entry contradicts another
previously added, the newer will take precedence.
Comments (beginning with a `#') and blank lines are ignored as ipnat
parses the file. Entries may be separated by spaces or tabs. Each rule
must begin with either map, bimap, or rdr. See below for rule syntax, or
refer to /usr/share/ipf/nat.1 for sample rule entries.
map tells the NAT how a range of addresses should be translated. The en-
tries use the following format:
map ifname internal/mask -> external/mask options
The ifname field is the interface to which packets are sent. A gateway
with a PPP link would probably use ``ppp0'' or ``tun0'', while an Ether-
net connection would instead have the name of its device. In the pres-
ence of multiple network devices, you wish to use the device which is on
the external side.
As a quick example:
map ep1 10.1.1.0/24 -> ep1/32 portmap tcp/udp 10000:20000
This rule would remap all connections originating from 10.1.1.0 through
10.1.1.254 to the externally-connected network. Note that ``ep1'' is the
name of the outside interface on the gateway; that is, the interface with
the external (i.e., ``real'') IP address. Do not specify internal inter-
face names, use their addresses instead.
The address range of the LAN goes in the internal field. This is usually
one of the three blocks of address space the Internet Assigned Numbers
Authority has allocated for private networks (RFC 1597):
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
The external address is the officially assigned IP number of the gateway.
mask is the netmask of the address. This mask is 32 bits long, and is
divided into four 8-bit numbers.
11111111.0.0.0 Class A - 8 bits set.
11111111.11111111.0.0 Class B - 16 bits set.
11111111.11111111.11111111.0 Class C - 24 bits set.
The number of bits set in the mask is placed following the IP address.
Both internal and external may be an actual IP address, the name of an
interface, or a hostname. If it is a network number, however, a problem
may arise. For example:
map ppp0 10.0.0.0/8 -> 184.108.40.206/24
16,000,000 IP addresses are being squeezed into an address space of only
254. This is solved by the portmap option, which remaps ports instead of
IP addresses. The protocol is specified by following the option with ei-
ther tcp, udp, tcp/udp, or tcpudp (the last two have the same effect).
The syntax to assign a range of ports is ``portnumber:portnumber''. This
map ppp0 10.0.0.0/8 -> 220.127.116.11/24 portmap tcp/udp 1025:65000
map ppp0 10.0.0.0/8 -> 18.104.22.168/24
That will cut the number down from ~16,000,000 addresses short to only
Bidirectional mapping rules
bimap is used to create static, bidirectional NAT mappings. Standard map
rules only create NAT mappings when the connection is initiated from the
internal IP address. For example, using the following rule:
map ppp0 10.0.0.3/32 -> 22.214.171.124/32
NAT mappings will only be created if the machine at 10.0.0.3 initiates
the connection. To create a truly bidirectional NAT entry, bimap is nec-
essary. Using the following rule, for example, clients on the ppp0 side
of the NAT box can initiate requests to 126.96.36.199. This traffic will be
mapped to 10.0.0.3 as expected:
bimap ppp0 10.0.0.3/32 -> 188.8.131.52/32
To be genuinely useful, bimap should be used in conjunction with either
proxy arp, or ifconfig(8) aliases. For example, if we create two bimap
entries such as:
bimap fxp0 10.0.0.3/32 -> 184.108.40.206/32
bimap fxp0 10.0.0.4/32 -> 220.127.116.11/32
It is necessary to do either:
arp -s 18.104.22.168 00:40:aa:bb:cc:dd pub
arp -s 22.214.171.124 00:40:aa:bb:cc:dd pub
(where 00:40:aa:bb:cc:dd is the MAC address of fxp0) or
ifconfig fxp0 alias 126.96.36.199 netmask 255.255.255.255
ifconfig fxp0 alias 188.8.131.52 netmask 255.255.255.255
rdr tells the NAT how to redirect incoming packets. It is useful if one
wishes to redirect a connection through a proxy, or to another box on the
private network. The format of this directive is:
rdr ifname external/mask port service -> internal port service protocol
This setup is best described by an example of an actual entry:
rdr xl0 0.0.0.0/0 port 25 -> 184.108.40.206 port smtp
This redirects all smtp packets received on xl0 to 220.127.116.11, port
25. A netmask is not needed on the internal address; it is always 32. The
external and internal fields, similar to the map directive, may be actual
addresses, hostnames, or interfaces. Likewise, the service field may be
the name of a service, or a port number. The protocol of the service may
be selected by appending tcp, udp, tcp/udp, or tcpudp (the last two have
the same effect) to the end of the line. TCP is the default.
/etc/ipnat.rules default system rule list
/usr/share/ipf/nat.1 example rules
/usr/share/ipf/nat.2 system requirements for use of the NAT
/dev/ipnat device file
bimap should really only be used with single IP addresses (x.x.x.x/32).
Bimapping other CIDR ranges will result in unexpected, and possibly ran-
dom mappings into the destination address block.
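The two pitfalls this page describes, a map rule that squeezes a large internal range into a smaller external one without portmap and a bimap rule on a range wider than /32, can be checked before a rule list is loaded. The following is an added example, not part of the OpenBSD manual or the ipnat source; the function names and the sample rules (which use documentation address ranges) are constructed for illustration, and only the map and bimap field layout shown above is assumed.

```python
import ipaddress

# Constructed sample rule list; addresses are documentation ranges, not the page's.
SAMPLE_RULES = """\
# outbound NAT for the LAN
map ep1 10.1.1.0/24 -> 192.0.2.1/32 portmap tcp/udp 10000:20000
map ppp0 10.0.0.0/8 -> 198.51.100.0/24
bimap fxp0 10.0.0.3/32 -> 203.0.113.3/32
bimap fxp0 10.0.0.0/24 -> 203.0.113.0/24
rdr xl0 0.0.0.0/0 port 25 -> 10.0.0.5 port smtp
nat ep1 10.1.1.0/24 -> 192.0.2.1/32
"""

def _net(field):
    """Parse 'addr/bits'; return None for interface names and hostnames."""
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        return None

def lint_rules(text):
    """Return (line_number, message) findings for an ipnat rule list."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are ignored by ipnat
        tok = line.split()
        kind = tok[0]
        if kind not in ("map", "bimap", "rdr"):
            findings.append((lineno, "rule must begin with map, bimap or rdr"))
            continue
        if kind == "rdr":
            continue  # rdr uses a different field layout; not checked here
        if len(tok) < 5 or tok[3] != "->":
            findings.append((lineno, "expected: ifname internal/mask -> external/mask"))
            continue
        internal, external = _net(tok[2]), _net(tok[4])
        nets = [n for n in (internal, external) if n is not None]
        if kind == "bimap" and any(n.prefixlen != 32 for n in nets):
            findings.append((lineno, "bimap on a range wider than /32"))
        elif kind == "map" and len(nets) == 2 and "portmap" not in tok[5:]:
            if internal.num_addresses > external.num_addresses:
                findings.append((lineno, "%d internal addresses into %d external, no portmap"
                                 % (internal.num_addresses, external.num_addresses)))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print("line %d: %s" % (lineno, msg))
```

Fields given as interface names or hostnames (such as ``ep1/32'') cannot be sized offline and are skipped rather than flagged.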
ipnat(4), ipnat(5), ipf(8)
OpenBSD 2.6 October 10, 1998 3
Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.
(Corrections, notes, and links courtesy of RocketAware.com)