From: Charles Sebold

I've seen a few people asking how to do IP NAT (network address translation), and having finally figured it out, I thought I'd share it.

Required:

* (I think) two network interfaces, which for most of us will be one ethernet (ae0 or sn0) and a ppp link to an ISP (ppp0).
* A -current snapshot (970601 works for me) and a kernel with IPFILTER options on, which I don't think the GENERIC kernels have, although I haven't checked. (I'm sure everyone gets sick of hearing this, but if you're taking this much on, you ought to be compiling custom kernels. It's not hard, and you don't have to know C, although it helps when troubleshooting a bad sup day.)

First of all, you need to set up the local network numbers. I use 192.168.1.1 for my NetBSD box, and (this is cool) you can set up the rest of the hosts on the network to get their numbers from the NetBSD box via DHCP if you like, but that's beyond the scope of this. You can set it up manually if that's too daunting. (See the dhcpd man page, though, as it makes it easier to put uninitiated users on the network if you can do it.) The other hosts I set up as 192.168.1.2, 192.168.1.3, etc., up to 254. Their gateway should be 192.168.1.1 (your NetBSD box's address).

Then, make the connection to your ISP via PPP; that also is explained very well in documents by Bill Studenmund and Paul Goyette (see the HOW-TOs).

Now we give ipnat the rules it needs to translate. (xxx.xxx.xxx.xxx is your real IP address, assigned by the ISP. If you have static IP, you can set this up when you boot, or before you connect at least. Something I haven't tried yet is using the loopback address, which will allow you to do this automatically upon booting up.)

Put the following into a text file (I called mine /etc/nat.rules, you can do what you like):

    map ppp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 10000:65000
    map ppp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32

The first rule maps all TCP and UDP accesses from the local network to the real IP address of the NetBSD box, but moves the port number up to the area between 10000 and 65000. The second rule handles everything else (like ICMP pings).

Now, as root, type the command:

    ipnat -f /etc/nat.rules

You can also put in a -v before the -f, if you want verbose mode on. If it accepts it, then you're done!

If the clients on the local network still can't get outside, first have them try pinging 192.168.1.1 (the "router"). If you can't ping it successfully, you either have misconfigured the ethernet interface on the NetBSD box, or your local network isn't functioning.

From: Scott Reynolds

On Tue, 8 Jul 1997, Charles Sebold wrote:

> > Q: Could this be done at boot time by using:
> >
> >     map ppp0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:65000
> >     map ppp0 192.168.1.0/24 -> 0.0.0.0/32
>
> I don't think so, since the whole point of this rule is to convert the fake
> address (192.168.1.x) to an address that will work when sent to the
> internet.

If you are using PPP, which of course you are in this case, there is a better way.

---[/etc/ipnat.tmpl]---
# map all connections from 10.0.0.0/24 to @IPADDR@
map @IFACE@ 10.0.0.0/24 -> @IPADDR@/32 portmap tcp/udp 1025:65535

---[/etc/ppp/ip-up]---
#!/bin/sh
# pppd runs this as: ip-up interface tty speed local-IP remote-IP ipparam
# Fill the interface ($1) and our negotiated local address ($4) into the
# template, then replace the active NAT rule list with the result.
sed -e "s/@IFACE@/$1/" -e "s/@IPADDR@/$4/" /etc/ipnat.tmpl > /etc/ipnat.conf
/usr/sbin/ipnat -C -f /etc/ipnat.conf

This works regardless of whether you have a static or dynamic IP address. It's cool. :-)

> Actually, I have had trouble with this too, since NetBSD seems to be
> unwilling to route things through ppp0 when it has ae0 configured as an
> inet network.

The `defaultroute' option works fine for me. The relevant options in my /etc/ppp/options file are:

    defaultroute
    noipdefault
    ipcp-accept-local

Also, the kernel you are using must have the GATEWAY option. GENERIC kernels are compiled this way.

From: Dave Huang

Have y'all taken a look at the following?

    http://coombs.anu.edu.au/~avalon/ipfilfaq.html#ppp

That's what I use, and it works great for me, and seems much simpler, since you don't need to constantly change your mapping. Just do "ipf -y" in /etc/ppp/ip-up and NAT'll know about your new address.

However, there's a bug in ipf that makes "ipf -y" not work... I mailed the IPFilter author about it a while back, but it's still not fixed in the final IPFilter 3.2 :( So, I've sent a PR about it, and hopefully it'll be fixed for NetBSD 1.3. That means that if you want to use the method described in the IPFilter FAQ, you'll have to get a new kernel and new ipf program. So if you don't feel like upgrading, you'll have to use the other method. But on the other hand, with the 1.3 release around the corner, it'd be really, really great if everyone downloaded the new kernels and tested them :)

If you're running 1.3ALPHA (or even 1.2G or thereabouts), the software comes with the OS. Make sure the kernel you're using has IPFilter in it; the GENERIC kernel does. If you're compiling your own, make sure the config file has "pseudo-device ipfilter" in it. Then "cd /dev; sh MAKEDEV ipl" to create the IP Filter devices. Look at the ipf and ipnat manpages, and also http://coombs.anu.edu.au/~avalon/. Also, if you've got the source, there are some sample configurations in /usr/src/usr.sbin/ipf/rules. (You can also get those at ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/usr.sbin/ipf/rules/)

I use the following ipnat rules:

    map ppp0 10.1.1.64/28 -> 0.0.0.0/32 portmap tcp 1025:65000
    map ppp0 10.1.1.64/28 -> 0.0.0.0/32

and the following ipf rules:

    block out on ppp0 proto icmp from 10.1.1.64/28 to any icmp-type echo
    block out on ppp0 proto udp from 10.1.1.64/28 to any

My local network is 10.1.1.64/28, and I use demand-dial PPP to my ISP, and get a single dynamically assigned address. The ipnat mappings are pretty standard, although I don't map UDP because I was having some trouble with that, mainly with DNS queries. If one of the machines sent a DNS query out, it would get the answer, but then ipnat would redirect all future DNS replies to that machine, and DNS would work for anyone else. I think there's a way to make UDP work though, but I haven't really been trying real hard :)

The first ipf filter rule is mainly to stop pings from bringing up my ppp connection. For some reason, my Windows NT machine wants to ping a couple of web sites when I login... I have no idea why :) The second ipf rule is to make sure I don't accidentally leak any other UDP packets out (for the same reason that I'm not doing NAT with UDP).

And make sure you do an "ipf -E" to enable IP Filter, otherwise neither ipf nor ipnat will work. You can do that by setting "ifpfilter=YES" in /etc/rc.conf and creating an /etc/ipf.conf file. If you don't want any ipfilter rules, you can just make an empty /etc/ipf.conf.

From: Mark Andres

For those out there who might have other UN*X computers connected to their LAN using IP-NAT, the magic to add is a "-p" in the command line.

    ftp ftp.mac68k.org

becomes

    ftp -p ftp.mac68k.org

If you are using other FTP clients (like Netscape), you need to put them into "passive" mode.

From: tcjam

Hmm, looks like you didn't read the examples, but you probably didn't get them (I installed from the tarball on the ipfilter page). Here is my /etc/ipnat.conf; feel free to adapt it, but it works for me.

    map ppp0 10.0.0.0/8 -> 0/32 portmap tcp/udp 40000:60000
    map ppp0 10.0.0.0/8 -> 0/32
    map ppp0 10.0.0.0/8 -> 0/32 proxy port 21 ftp/tcp

And I just stuck an ipf -y in my /etc/ppp/ip-up. This was all in the examples directory or something close to that.

On Sat, 24 Jan 1998, SamMaEl wrote:

> Well, I've been using IPNAT for quite a while now, and I ran into a
> little problem. I don't know if anybody else has noticed this or not, but
> when I try to connect to a remote FTP server on the Internet (connecting
> to my NetBSD machine with Fetch is fine) from any of my MacOS machines, I
> cannot view file lists, upload or download files.
>
> I don't remember the exact error I get, but basically it just
> won't work ;-) And, it's a pain to ftp to the machine from my NetBSD
> machine, then FTP to my NetBSD machine from MacOS to get a file.
>
> Any ideas? Here's an 'ipnat -l':
>
> # my NetBSD machine is 192.168.3 and my main MacOS machine is 192.168.1.1
> # netmask 255.255.255.0
>
> map ppp0 192.168.0.0/16 -> 206.163.4.228 portmap tcp/udp 10000:65000
> map ppp0 192.168.0.0/16 -> 206.163.4.228
>
> What could cause this?
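Scott Reynolds' template-plus-ip-up approach earlier in the thread, restated as an added example (not code from anyone in this thread): a POSIX sh script that renders the ipnat template from the arguments pppd hands /etc/ppp/ip-up, refuses to build rules from an interface name or address that does not look right, and writes /etc/ipnat.conf atomically before reloading. The template text and the 203.0.113.5 test address are constructed; the ipnat -C and -f flags are the ones the thread already uses.

```shell
#!/bin/sh
# Added example (not from any poster): build /etc/ipnat.conf from a template
# using the arguments pppd passes to /etc/ppp/ip-up:
#   ip-up IFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# Constructed sample template; on a real box it would live in /etc/ipnat.tmpl.
IPNAT_TMPL='# map the private LAN to whatever address pppd negotiated
map @IFACE@ 10.0.0.0/24 -> @IPADDR@/32 portmap tcp/udp 1025:65535
map @IFACE@ 10.0.0.0/24 -> @IPADDR@/32'

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# render_ipnat IFACE IPADDR: print the template with both placeholders
# filled in.  Prints nothing and fails on bad input, so rules are never
# built from whatever pppd (or a stray caller) happened to hand us.
render_ipnat() {
    case "$1" in ppp[0-9]|ppp[0-9][0-9]) ;; *) return 1 ;; esac
    is_ipv4 "$2" || return 1
    # '|' as the sed delimiter keeps the dots in the address literal
    printf '%s\n' "$IPNAT_TMPL" | sed -e "s|@IFACE@|$1|g" -e "s|@IPADDR@|$2|g"
}

# load_ipnat IFACE IPADDR CONF: write CONF atomically (render into a temp
# file, then rename) and replace the kernel's NAT rule list with it.
load_ipnat() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if render_ipnat "$1" "$2" > "$tmp"; then
        mv "$tmp" "$3" && /usr/sbin/ipnat -C -f "$3"
    else
        rm -f "$tmp"; return 1
    fi
}

# Invoked by pppd as ip-up: $1 is the interface, $4 our negotiated address.
if [ "$#" -ge 4 ]; then
    load_ipnat "$1" "$4" /etc/ipnat.conf
fi
```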