ipnat.5 (110917) | ipnat.5 (130887) |
---|---|
1.TH IPNAT 5 2.SH NAME 3ipnat, ipnat.conf \- IP NAT file format 4.SH DESCRIPTION 5The format for files accepted by ipnat is described by the following grammar: 6.LP 7.nf 8ipmap :: = mapblock | redir | map . 9 10map ::= mapit ifname ipmask "->" dstipmask [ mapport ] mapoptions. 11map ::= mapit ifname fromto "->" dstipmask [ mapport ] mapoptions. 12mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] mapoptions. 13redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions . 14 | 1.TH IPNAT 5 2.SH NAME 3ipnat, ipnat.conf \- IP NAT file format 4.SH DESCRIPTION 5The format for files accepted by ipnat is described by the following grammar: 6.LP 7.nf 8ipmap :: = mapblock | redir | map . 9 10map ::= mapit ifname ipmask "->" dstipmask [ mapport ] mapoptions. 11map ::= mapit ifname fromto "->" dstipmask [ mapport ] mapoptions. 12mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] mapoptions. 13redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions . 14 |
15dport ::= "port" portnum [ "-" portnum ] . 16ports ::= "ports" numports | "auto" . 17rdrport ::= "port" portnum . | 15dport ::= "port" number [ "-" number ] . 16ports ::= "ports" number | "auto" . 17rdrport ::= "port" number . |
18mapit ::= "map" | "bimap" . 19fromto ::= "from" object "to" object . 20ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . 21dstipmask ::= ipmask | "range" ip "-" ip . 22mapport ::= "portmap" tcpudp portspec . 23mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] . | 18mapit ::= "map" | "bimap" . 19fromto ::= "from" object "to" object . 20ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . 21dstipmask ::= ipmask | "range" ip "-" ip . 22mapport ::= "portmap" tcpudp portspec . 23mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] . |
24rdroptions ::= [ tcpudp ] [ rr ] [ "frag" ] [ age ] [ clamp ] . | 24rdroptions ::= [ tcpudp | protocol ] [ rr ] [ "frag" ] [ age ] [ clamp ] . |
25 26object :: = addr [ port-comp | port-range ] . 27addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . 28port-comp :: = "port" compare port-num . 29port-range :: = "port" port-num range port-num . 30 31rr ::= "round-robin" . 32age ::= "age" decnumber [ "/" decnumber ] . 33clamp ::= "mssclamp" decnumber . | 25 26object :: = addr [ port-comp | port-range ] . 27addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . 28port-comp :: = "port" compare port-num . 29port-range :: = "port" port-num range port-num . 30 31rr ::= "round-robin" . 32age ::= "age" decnumber [ "/" decnumber ] . 33clamp ::= "mssclamp" decnumber . |
34tcpudp ::= "tcp/udp" | protocol . | 34tcpudp ::= "tcp/udp" | "tcp" | "udp" . |
35 36protocol ::= protocol-name | decnumber . | 35 36protocol ::= protocol-name | decnumber . |
37nummask ::= host-name [ "/" decnumber ] . 38portspec ::= "auto" | portnumber ":" portnumber . 39portnumber ::= number { numbers } . | 37nummask ::= host-name [ "/" number ] . 38portspec ::= "auto" | number ":" number . |
40ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . 41 | 39ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . 40 |
41number ::= numbers [ number ] . |
|
42numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . 43.fi 44.PP 45In addition to this, # is used to mark the start of a comment and may 46appear at the end of a line with a NAT rule (as described above) or on its 47own lines. Blank lines are ignored. 48.PP 49For standard NAT functionality, a rule should start with \fBmap\fP and then --- 79 unchanged lines hidden (view full) --- 129.B frag 130This qualifier is currently has no impact on NAT operation. 131.TP 132.B age 133If more refined timeouts are required than those available globally for 134NAT settings, this allows you to set them for \fBnon-TCP\fP use. 135.SH TRANSLATION 136.PP | 42numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . 43.fi 44.PP 45In addition to this, # is used to mark the start of a comment and may 46appear at the end of a line with a NAT rule (as described above) or on its 47own lines. Blank lines are ignored. 48.PP 49For standard NAT functionality, a rule should start with \fBmap\fP and then --- 79 unchanged lines hidden (view full) --- 129.B frag 130This qualifier is currently has no impact on NAT operation. 131.TP 132.B age 133If more refined timeouts are required than those available globally for 134NAT settings, this allows you to set them for \fBnon-TCP\fP use. 135.SH TRANSLATION 136.PP |
137To the right of the "->" is the address and port specificaton which will be | 137To the right of the "->" is the address and port specification which will be |
138written into the packet providing it has already successful matched the | 138written into the packet providing it has already successful matched the |
139prior constraints. The case of redirections (\fBrdr\fP) is the simpliest: | 139prior constraints. The case of redirections (\fBrdr\fP) is the simplest: |
140the new destination address is that specified in the rule. For \fBmap\fP 141rules, the destination address will be one for which the tuple combining 142the new source and destination is known to be unique. If the packet is 143either a TCP or UDP packet, the destination and source ports come into the 144equation too. If the tuple already exists, IP Filter will increment the 145port number first, within the available range specified with \fBportmap\fP 146and if there exists no unique tuple, the source address will be incremented 147within the specified netmask. If a unique tuple cannot be determined, then --- 34 unchanged lines hidden (view full) --- 182.LP 183In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4 184and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this, 185the rule is removed from the top of the list and added to the end, 186automatically, as required. This will not effect the display of rules 187using "ipnat -l", only the internal application order. 188.SH EXAMPLES 189.PP | 140the new destination address is that specified in the rule. For \fBmap\fP 141rules, the destination address will be one for which the tuple combining 142the new source and destination is known to be unique. If the packet is 143either a TCP or UDP packet, the destination and source ports come into the 144equation too. If the tuple already exists, IP Filter will increment the 145port number first, within the available range specified with \fBportmap\fP 146and if there exists no unique tuple, the source address will be incremented 147within the specified netmask. If a unique tuple cannot be determined, then --- 34 unchanged lines hidden (view full) --- 182.LP 183In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4 184and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this, 185the rule is removed from the top of the list and added to the end, 186automatically, as required. 
This will not effect the display of rules 187using "ipnat -l", only the internal application order. 188.SH EXAMPLES 189.PP |
190This section deals with the \fBmap\fP command and it's variations. | 190This section deals with the \fBmap\fP command and its variations. |
191.PP 192To change IP#'s used internally from network 10 into an ISP provided 8 bit 193subnet at 209.1.2.0 through the ppp0 interface, the following would be used: 194.LP 195.nf 196map ppp0 10.0.0.0/8 -> 209.1.2.0/24 197.fi 198.PP --- 10 unchanged lines hidden (view full) --- 209follows: 210.LP 211.nf 212map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 213map ppp0 10.0.0.0/8 -> 209.1.2.0/24 214.fi 215.PP 216so that all TCP/UDP packets were port mapped and only other protocols, such as | 191.PP 192To change IP#'s used internally from network 10 into an ISP provided 8 bit 193subnet at 209.1.2.0 through the ppp0 interface, the following would be used: 194.LP 195.nf 196map ppp0 10.0.0.0/8 -> 209.1.2.0/24 197.fi 198.PP --- 10 unchanged lines hidden (view full) --- 209follows: 210.LP 211.nf 212map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 213map ppp0 10.0.0.0/8 -> 209.1.2.0/24 214.fi 215.PP 216so that all TCP/UDP packets were port mapped and only other protocols, such as |
217ICMP, only have their IP# changed. In some instaces, it is more appropriate | 217ICMP, only have their IP# changed. In some instances, it is more appropriate |
218to use the keyword \fBauto\fP in place of an actual range of port numbers if 219you want to guarantee simultaneous access to all within the given range. 220However, in the above case, it would default to 1 port per IP address, since 221we need to squeeze 24 bits of address space into 8. A good example of how 222this is used might be: 223.LP 224.nf 225map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto 226.fi 227.PP 228which would result in each IP address being given a small range of ports to 229use (252). The problem here is that the \fBmap\fP directive tells the NAT 230code to use the next address/port pair available for an outgoing connection, | 218to use the keyword \fBauto\fP in place of an actual range of port numbers if 219you want to guarantee simultaneous access to all within the given range. 220However, in the above case, it would default to 1 port per IP address, since 221we need to squeeze 24 bits of address space into 8. A good example of how 222this is used might be: 223.LP 224.nf 225map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto 226.fi 227.PP 228which would result in each IP address being given a small range of ports to 229use (252). The problem here is that the \fBmap\fP directive tells the NAT 230code to use the next address/port pair available for an outgoing connection, |
231resulting in no easily discernable relation between external addresses/ports | 231resulting in no easily discernible relation between external addresses/ports |
232and internal ones. This is overcome by using \fBmap-block\fP as follows: 233.LP 234.nf 235map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto 236.fi 237.PP 238For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32 239with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its --- 12 unchanged lines hidden --- | 232and internal ones. This is overcome by using \fBmap-block\fP as follows: 233.LP 234.nf 235map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto 236.fi 237.PP 238For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32 239with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its --- 12 unchanged lines hidden --- |
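Review bot: the grammar is still not closed after this cleanup of the nonterminals (the `dport`/`ports`/`rdrport` rows and the `nummask`/`portspec`/`number` rows). Folding `portnum`, `numports` and `portnumber` into `number` is right, but `port-num`, `compare` and `range` in `port-comp :: = "port" compare port-num .` and `port-range :: = "port" port-num range port-num .` are never defined, nor is `decnumber`, which `age`, `clamp` and `protocol` all use. Suggest `port-num ::= number .` and `decnumber ::= number .` (or renaming those uses to `number`) and adding productions for `compare` and `range`. Two smaller points in the same lines: `ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .` admits only upper-case letters, yet every example on the page uses `ppp0`, so it should read `'a' - 'z'`; and the page mixes `:: =` (in `ipmap`, `object`, `addr`, `port-comp`, `port-range`) with `::=` everywhere else, which is worth normalising while these rows are being touched.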
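Review bot: `mapoptions` should get the same `[ tcpudp | protocol ]` alternative that `rdroptions` receives here, or the asymmetry should be stated in the text. Narrowing `tcpudp` to `"tcp/udp" | "tcp" | "udp"` is correct for `mapport ::= "portmap" tcpudp portspec .`, since port mapping only makes sense for TCP and UDP, and `rdroptions ::= [ tcpudp | protocol ] ...` keeps arbitrary protocols available for `rdr`. But `mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .` is left untouched, so after this change the grammar no longer admits a protocol name on a `map`, `bimap` or `map-block` rule at all. If the parser really rejects a protocol qualifier on map rules, say so; if it accepts one, the production is now wrong.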
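Review bot: line 138, "written into the packet providing it has already successful matched the prior constraints", should read "provided it has already successfully matched"; this hunk fixes "specificaton" and "simpliest" on the lines either side of it but leaves this one. In the unchanged context just above, line 130 ("This qualifier is currently has no impact on NAT operation.") needs "is" dropped.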
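Review bot: "This will not effect the display of rules using "ipnat -l"" (line 186) should be "affect"; the change only re-wraps the line without fixing the wording. While here, "In accomplishing this, the rule is removed from the top of the list and added to the end, automatically, as required" reads more clearly as "To do this, the rule is automatically moved from the top of the list to the end", which also makes plain that only the internal application order changes, not the listing.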
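Review bot: line 217 still carries a doubled "only": "so that all TCP/UDP packets were port mapped and only other protocols, such as ICMP, only have their IP# changed". The hunk fixes "instaces" on the same line but not this; drop the second "only" (and "were port mapped" should be "are port mapped" to match the present tense of the rest of the sentence).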