IPNAT(8)                OpenBSD System Manager's Manual               IPNAT(8)

NAME
     ipnat - manage IP network address translation rules



SYNOPSIS
     ipnat [-CFlnrsv] [-f filename]

DESCRIPTION
     The ipnat utility provides control over the kernel's network address
     translation (NAT).  The NAT facility remaps IP addresses from one range
     the another.  It can be used to provide internal networks with Internet
     connectivity by mapping several private IP addresses to a single route-
     able (i.e., ``real'') Internet address.

     In other words, when properly configured on a gateway, the NAT provides
     Internet access to connected computers lacking officially assigned IP ad-
     dresses.  It is discussed in RFC 1631.

     The options are as follows:

     -f filename
             File from which rules are read.

     -C      Delete all entries in the NAT list.

     -F      Flush all active mappings from the NAT table.

     -l      Display the current rule list and active mappings.

     -n      Do not alter the NAT table.

     -r      Remove, rather than add, entries specified in the rule list.

     -s      Display statistics.

     -v      Verbosity. Displays detailed information pertaining to rule pro-
             cessing.

     Certain configuration requirements must be met before ipnat will work:

           1.   Network address translation requires packet forwarding capa-
                bilities.  Ensure the /etc/sysctl.conf file contains the as-
                signment net.inet.ip.forwarding=1.

           2.   Packet filtering (see ipf(8))  must be enabled, even if it's
                not being used. Check the /etc/rc.conf file and make sure it
                contains the assignment ipfilter=YES.

           3.   The kernel must be configured with option IPFILTER (and option
                IPFILTER_LOG if ipmon(8) is needed).  Both options are com-
                piled into the default (GENERIC) kernel that comes with the
                system.

           4.   Finally, enable NAT itself by setting ipnat=YES in
                /etc/rc.conf. This will cause /etc/netstart to run ipnat at
                boot-time with /etc/ipnat.rules as the rule list to install.

     The ipnat utility operates on a list of rules, specified by -f filename.
     This file is typically /etc/ipnat.rules; standard input is represented by
     a single dash (`-'). Each rule is parsed, then sequentially added to the
     kernel's internal NAT list. Like ipf(8),  if an entry contradicts another
     previously added, the newer will take precedence.

     Comments (beginning with a `#') and blank lines are ignored as ipnat
     parses the file. Entries may be separated by spaces or tabs. Each rule
     must begin with either map, bimap, or rdr. See below for rule syntax, or
     refer to /usr/share/ipf/nat.1 for sample rule entries.

   Mapping rules
     map tells the NAT how a range of addresses should be translated. The en-
     tries use the following format:

           map ifname internal/mask -> external/mask options

     The ifname field is the interface to which packets are sent. A gateway
     with a PPP link would probably use ``ppp0'' or ``tun0'', while an Ether-
     net connection would instead have the name of its device.  In the pres-
     ence of multiple network devices, you wish to use the device which is on
     the external side.

     As a quick example:

           map ep1 10.1.1.0/24 -> ep1/32 portmap tcp/udp 10000:20000

     This rule would remap all connections originating from 10.1.1.0 through
     10.1.1.254 to the externally-connected network.  Note that ``ep1'' is the
     name of the outside interface on the gateway; that is, the interface with
     the external (i.e., ``real'') IP address.  Do not specify internal inter-
     face names, use their addresses instead.

     The address range of the LAN goes in the internal field. This is usually
     one of the three blocks of address space the Internet Assigned Numbers
     Authority has allocated for private networks (RFC 1597):

           10.0.0.0    - 10.255.255.255
           172.16.0.0  - 172.31.255.255
           192.168.0.0 - 192.168.255.255

     The external address is the offically assigned IP number of the gateway
     or network.

     mask is the netmask of the address. This mask is 32 bits long, and is di-
     vided into four 8-bit numbers.

           11111111.0.0.0                          Class A - 8 bits set.
           11111111.11111111.0.0           Class B - 16 bits set.
           11111111.11111111.11111111.0    Class C - 24 bits set.

     The number of bits set in the mask is placed following the IP address.

     Both internal and external may be an actual IP address, the name of an
     interface, or a hostname. If it is a network number, however, a problem
     may arise. For example:

           map ppp0 10.0.0.0/8 -> 209.1.2.0/24

     16,000,000 IP addresses are being squeezed into an address space of only
     254.  This is solved by the portmap option, which remaps ports instead of
     IP addresses. The protocol is specified by following the option with ei-
     ther tcp, udp, tcp/udp, or tcpudp (the last two have the same effect).
     The syntax to assign a range of ports is ``portnumber:portnumber''. This
     looks like:

           map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
           map ppp0 10.0.0.0/8 -> 209.1.2.0/24

     That will cut the number down from ~16,000,000 addresses short to only
     527,566.

   Bidirectional mapping rules
     bimap is used to create static, bidirectional NAT mappings. Standard map
     rules only create NAT mappings when the connection is initiated from the
     internal IP address. For example, using the following rule:

           map ppp0 10.0.0.3/32 -> 209.1.2.3/32

     NAT mappings will only be created if the machine at 10.0.0.3 initiates
     the connection. To create a truly bidirectional NAT entry, bimap is nec-
     essary. Using the following rule, for example, clients on the ppp0 side
     of the NAT box can initiate requests to 209.1.2.3. This traffic will be
     mapped to 10.0.0.3 as expected:

           bimap ppp0 10.0.0.3/32 -> 209.1.2.3/32

     To be genuinely useful, bimap should be used in conjunction with either
     proxy arp, or ifconfig(8) aliases. For example, if we create two bimap
     entries such as:

           bimap fxp0 10.0.0.3/32 -> 209.1.2.3/32
           bimap fxp0 10.0.0.4/32 -> 209.1.2.4/32

     It is necessary to do either:

           arp -s 209.1.2.3 00:40:aa:bb:cc:dd pub
           arp -s 209.1.2.4 00:40:aa:bb:cc:dd pub

     (where 00:40:aa:bb:cc:dd is the MAC address of fxp0) or

           ifconfig fxp0 alias 209.1.2.3 netmask 255.255.255.255
           ifconfig fxp0 alias 209.1.2.4 netmask 255.255.255.255

   Redirection rules
     rdr tells the NAT how to redirect incoming packets. It is useful if one
     wishes to redirect a connection through a proxy, or to another box on the
     private network. The format of this directive is:

     rdr ifname external/mask port service -> internal port service protocol

     This setup is best described by an example of an actual entry:

           rdr xl0 0.0.0.0/0 port 25 -> 204.213.176.10 port smtp

     This redirects all smtp packets received on xl0 to 204.213.176.10, port
     25. A netmask is not needed on the internal address; it is always 32. The
     external and internal fields, similar to the map directive, may be actual
     addresses, hostnames, or interfaces. Likewise, the service field may be
     the name of a service, or a port number. The protocol of the service may
     be selected by appending tcp, udp, tcp/udp, or tcpudp (the last two have
     the same effect) to the end of the line. TCP is the default.

FILES
     /etc/ipnat.rules      default system rule list
     /usr/share/ipf/nat.1  example rules
     /usr/share/ipf/nat.2  system requirements for use of the NAT
     /dev/ipnat            device file

BUGS
     bimap should really only be used with single IP addresses (x.x.x.x/32).
     Bimapping other CIDR ranges will result in unexpected, and possibly ran-
     dom mappings into the destination address block.

SEE ALSO
     ipnat(4),  ipnat(5),  ipf(8)

     http://coombs.anu.edu.au/~avalon

OpenBSD 2.6                    October 10, 1998                              3