icon Top 9 categories map      RocketAware > man pages >


Tips: Browse or Search all pages for efficient awareness of more than 6000 of the most popular reusable and open source applications, functions, libraries, and FAQs.

The "RKT couplings" below include links to source code, updates, additional information, advice, FAQs, and overviews.


Search all pages


By activity
Professions, Sciences, Humanities, Business, ...

User Interface
Text-based, GUI, Audio, Video, Keyboards, Mouse, Images,...

Text Strings
Conversions, tests, processing, manipulation,...

Integer, Floating point, Matrix, Statistics, Boolean, ...

Algorithms, Memory, Process control, Debugging, ...

Stored Data
Data storage, Integrity, Encryption, Compression, ...

Networks, protocols, Interprocess, Remote, Client Server, ...

Hard World
Timing, Calendar and Clock, Audio, Video, Printer, Controls...

File System
Management, Filtering, File & Directory access, Viewers, ...


RocketLink!--> Man page versions:

IPNAT(8)                OpenBSD System Manager's Manual               IPNAT(8)

     ipnat - manage IP network address translation rules

     ipnat [-CFlnrsv] [-f filename]

     The ipnat utility provides control over the kernel's network address
     translation (NAT).  The NAT facility remaps IP addresses from one range
     the another.  It can be used to provide internal networks with Internet
     connectivity by mapping several private IP addresses to a single route-
     able (i.e., ``real'') Internet address.

     In other words, when properly configured on a gateway, the NAT provides
     Internet access to connected computers lacking officially assigned IP ad-
     dresses.  It is discussed in RFC 1631.

     The options are as follows:

     -f filename
             File from which rules are read.

     -C      Delete all entries in the NAT list.

     -F      Flush all active mappings from the NAT table.

     -l      Display the current rule list and active mappings.

     -n      Do not alter the NAT table.

     -r      Remove, rather than add, entries specified in the rule list.

     -s      Display statistics.

     -v      Verbosity. Displays detailed information pertaining to rule pro-

     Certain configuration requirements must be met before ipnat will work:

           1.   Network address translation requires packet forwarding capa-
                bilities.  Ensure the /etc/sysctl.conf file contains the as-
                signment net.inet.ip.forwarding=1.

           2.   Packet filtering (see ipf(8))  must be enabled, even if it's
                not being used. Check the /etc/rc.conf file and make sure it
                contains the assignment ipfilter=YES.

           3.   The kernel must be configured with option IPFILTER (and option
                IPFILTER_LOG if ipmon(8) is needed).  Both options are com-
                piled into the default (GENERIC) kernel that comes with the

           4.   Finally, enable NAT itself by setting ipnat=YES in
                /etc/rc.conf. This will cause /etc/netstart to run ipnat at
                boot-time with /etc/ipnat.rules as the rule list to install.

     The ipnat utility operates on a list of rules, specified by -f filename.
     This file is typically /etc/ipnat.rules; standard input is represented by
     a single dash (`-'). Each rule is parsed, then sequentially added to the
     kernel's internal NAT list. Like ipf(8),  if an entry contradicts another
     previously added, the newer will take precedence.

     Comments (beginning with a `#') and blank lines are ignored as ipnat
     parses the file. Entries may be separated by spaces or tabs. Each rule
     must begin with either map, bimap, or rdr. See below for rule syntax, or
     refer to /usr/share/ipf/nat.1 for sample rule entries.

   Mapping rules
     map tells the NAT how a range of addresses should be translated. The en-
     tries use the following format:

           map ifname internal/mask -> external/mask options

     The ifname field is the interface to which packets are sent. A gateway
     with a PPP link would probably use ``ppp0'' or ``tun0'', while an Ether-
     net connection would instead have the name of its device.  In the pres-
     ence of multiple network devices, you wish to use the device which is on
     the external side.

     As a quick example:

           map ep1 -> ep1/32 portmap tcp/udp 10000:20000

     This rule would remap all connections originating from through to the externally-connected network.  Note that ``ep1'' is the
     name of the outside interface on the gateway; that is, the interface with
     the external (i.e., ``real'') IP address.  Do not specify internal inter-
     face names, use their addresses instead.

     The address range of the LAN goes in the internal field. This is usually
     one of the three blocks of address space the Internet Assigned Numbers
     Authority has allocated for private networks (RFC 1597):


     The external address is the offically assigned IP number of the gateway
     or network.

     mask is the netmask of the address. This mask is 32 bits long, and is di-
     vided into four 8-bit numbers.

           11111111.0.0.0                          Class A - 8 bits set.
           11111111.11111111.0.0           Class B - 16 bits set.
           11111111.11111111.11111111.0    Class C - 24 bits set.

     The number of bits set in the mask is placed following the IP address.

     Both internal and external may be an actual IP address, the name of an
     interface, or a hostname. If it is a network number, however, a problem
     may arise. For example:

           map ppp0 ->

     16,000,000 IP addresses are being squeezed into an address space of only
     254.  This is solved by the portmap option, which remaps ports instead of
     IP addresses. The protocol is specified by following the option with ei-
     ther tcp, udp, tcp/udp, or tcpudp (the last two have the same effect).
     The syntax to assign a range of ports is ``portnumber:portnumber''. This
     looks like:

           map ppp0 -> portmap tcp/udp 1025:65000
           map ppp0 ->

     That will cut the number down from ~16,000,000 addresses short to only

   Bidirectional mapping rules
     bimap is used to create static, bidirectional NAT mappings. Standard map
     rules only create NAT mappings when the connection is initiated from the
     internal IP address. For example, using the following rule:

           map ppp0 ->

     NAT mappings will only be created if the machine at initiates
     the connection. To create a truly bidirectional NAT entry, bimap is nec-
     essary. Using the following rule, for example, clients on the ppp0 side
     of the NAT box can initiate requests to This traffic will be
     mapped to as expected:

           bimap ppp0 ->

     To be genuinely useful, bimap should be used in conjunction with either
     proxy arp, or ifconfig(8) aliases. For example, if we create two bimap
     entries such as:

           bimap fxp0 ->
           bimap fxp0 ->

     It is necessary to do either:

           arp -s 00:40:aa:bb:cc:dd pub
           arp -s 00:40:aa:bb:cc:dd pub

     (where 00:40:aa:bb:cc:dd is the MAC address of fxp0) or

           ifconfig fxp0 alias netmask
           ifconfig fxp0 alias netmask

   Redirection rules
     rdr tells the NAT how to redirect incoming packets. It is useful if one
     wishes to redirect a connection through a proxy, or to another box on the
     private network. The format of this directive is:

     rdr ifname external/mask port service -> internal port service protocol

     This setup is best described by an example of an actual entry:

           rdr xl0 port 25 -> port smtp

     This redirects all smtp packets received on xl0 to, port
     25. A netmask is not needed on the internal address; it is always 32. The
     external and internal fields, similar to the map directive, may be actual
     addresses, hostnames, or interfaces. Likewise, the service field may be
     the name of a service, or a port number. The protocol of the service may
     be selected by appending tcp, udp, tcp/udp, or tcpudp (the last two have
     the same effect) to the end of the line. TCP is the default.

     /etc/ipnat.rules      default system rule list
     /usr/share/ipf/nat.1  example rules
     /usr/share/ipf/nat.2  system requirements for use of the NAT
     /dev/ipnat            device file

     bimap should really only be used with single IP addresses (x.x.x.x/32).
     Bimapping other CIDR ranges will result in unexpected, and possibly ran-
     dom mappings into the destination address block.

     ipnat(4),  ipnat(5),  ipf(8)


OpenBSD 2.6                    October 10, 1998                              3

Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.

(Corrections, notes, and links courtesy of RocketAware.com)

[Detailed Topics]

[Overview Topics]

RocketLink!--> Man page versions:

Rapid-Links: Search | About | Comments | Submit Path: RocketAware > man pages > ipnat.8/
RocketAware.com is a service of Mib Software
Copyright 1999, Forrest J. Cavalier III. All Rights Reserved.
We welcome submissions and comments