Configuring NAT on your network.
================================

To start setting up NAT, we need to define which is your "internal" interface
and which is your "external" interface.  The "internal" interface is the
network adapter connected to the network with private IP addresses, which
need to be changed for communicating on the Internet.  The "external"
interface is configured with a valid Internet address.

For example, your internal interface might have an IP address of 10.1.1.1 and
be connected to your ethernet, whilst your external interface might be a PPP
connection with an IP address of 204.51.62.176.

Thus your network might look like this:

<Internal Network>
 [pc]      [pc]
  |         |
+-+---------+------+
                   |
               [firewall]
                   |
                   |
               Internet
<External Network>


Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a block of IP
addresses assigned to you (maybe several different blocks), or you use a
single IP address, e.g. with dialup PPP.  If you have a block of addresses
assigned, these can be used to create either a 1:1 mapping (if you have
only a few internal IP addresses) or N:1 mappings, where groups of internal
addresses map to a single IP address.  Unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
UDP port numbers.

For an N:1 situation, you might have:

map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32

The first rule translates TCP and UDP and rewrites source ports into the
10000-40000 range; the second rule, with no portmap clause, catches every
other protocol (ICMP, for instance), because a "portmap tcp/udp" rule only
ever matches TCP and UDP packets.

If instead you had 16 addresses available, you could do:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28

Or if you wanted to allocate a subnet to each external IP address, you might do:

map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
map ppp0 10.1.3.0/24 -> 209.23.1.4/32

*** NOTE: NAT rules are used on a first-match basis only!


Filtering with NAT.
-------------------
IP Filter always translates addresses in a packet _BEFORE_ it checks its
access list for inbound packets, and translates addresses _AFTER_ it has
checked the access control lists for outbound packets.  In both directions,
therefore, the filter rules see the internal (private) addresses.

For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rules
with ipf:

block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28

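As an added illustration (constructed here, not part of this file or of IP Filter itself), a small Python model of the rule semantics above: first-match selection of map rules, the "portmap tcp/udp" rule matching only TCP and UDP, and the filter seeing private addresses because outbound packets are filtered before NAT and inbound packets after.  The addresses and rules are the page's per-subnet example; the session table and lowest-free-port allocation are simplifying assumptions, not IP Filter's actual algorithm.

```python
"""Toy model of the ipnat/ipf behaviour described above (constructed example,
not IP Filter's own code): map rules are first-match, 'portmap tcp/udp' rules
only match TCP/UDP, and ipf sees the PRIVATE address in both directions."""
from ipaddress import ip_address, ip_network

# Assumed rule set, mirroring the page's one-external-address-per-subnet example.
NAT_RULES = [  # (internal net, external address, protocols, portmap range)
    ("10.1.1.0/24", "209.23.1.2", {"tcp", "udp"}, (10000, 40000)),
    ("10.1.2.0/24", "209.23.1.3", {"tcp", "udp"}, (10000, 40000)),
    ("10.1.3.0/24", "209.23.1.4", {"tcp", "udp"}, (10000, 40000)),
    ("10.1.1.0/24", "209.23.1.2", None, None),  # catch-all for e.g. ICMP
    ("10.1.2.0/24", "209.23.1.3", None, None),
    ("10.1.3.0/24", "209.23.1.4", None, None),
]
# The two ipf rules: block out from 10.1.2.0/24 to any / block in from any to 10.1.2.0/24.
BLOCKED_NET = ip_network("10.1.2.0/24")
sessions = {}  # (external ip, external port) -> (internal ip, internal port)

def first_nat_match(src, proto):
    """Index of the first map rule whose internal net and protocol fit, else None."""
    for i, (net, _, protos, _) in enumerate(NAT_RULES):
        if ip_address(src) in ip_network(net) and (protos is None or proto in protos):
            return i
    return None

def outbound(src, sport, proto):
    """ipf checks 'block out' against the private source, then ipnat rewrites it."""
    if ip_address(src) in BLOCKED_NET:
        return "blocked"
    i = first_nat_match(src, proto)
    if i is None:
        return "untranslated"
    _, ext_ip, protos, prange = NAT_RULES[i]
    ext_port = sport
    if protos:  # portmap: take the lowest port in range not already in use
        used = {p for (ip, p) in sessions if ip == ext_ip}
        ext_port = next((p for p in range(prange[0], prange[1] + 1) if p not in used), None)
        if ext_port is None:
            return "portmap range exhausted"
    sessions[(ext_ip, ext_port)] = (src, sport)
    return f"{ext_ip}:{ext_port}" if protos else ext_ip

def inbound(dst, dport):
    """ipnat maps the reply back to the private host first, then ipf checks 'block in'."""
    priv = sessions.get((dst, dport))
    if priv is None:
        return "no session"
    if ip_address(priv[0]) in BLOCKED_NET:
        return "blocked"
    return f"{priv[0]}:{priv[1]}" if priv[1] is not None else priv[0]
```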