71 lines
2.3 KiB
Groff
.TH IPNAT 5
.SH NAME
ipnat \- IP NAT file format
.SH DESCRIPTION
The format for files accepted by ipnat is described by the following grammar:
.LP
.nf
ipmap ::= mapit ifname ipmask "->" ipmask [ mapport ] .
mapit ::= "map" | "rdr" .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
portnumber ::= number { numbers } .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
.fi
.PP
For standard NAT functionality, a rule should start with \fBmap\fP and then
proceed to specify the interface for which outgoing packets will have their
source address rewritten.
.PP
Packets which will be rewritten can only be selected by matching the original
source address. A netmask must be specified with the IP address.
.PP
The address selected for replacing the original is chosen from an IP#/netmask
pair. A netmask of all 1's indicating a hostname is valid. A netmask of
31 1's (255.255.255.254) is considered invalid as there is no space for
allocating host IP#'s after consideration for broadcast and network
addresses.
.PP
When remapping TCP and UDP packets, it is also possible to change the source
port number. Either TCP or UDP or both can be selected by each rule, with a
range of port numbers to remap into given as \fBport-number:port-number\fP.
.SH EXAMPLES
.PP
To change IP#'s used internally from network 10 into an ISP-provided 8-bit
subnet at 209.1.2.0, the following would be used:
.LP
.nf
map 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
The obvious problem here is that we're trying to squeeze over 16,000,000 IP
addresses into a 254 address space. To increase the scope, port remapping can
be used for TCP and/or UDP;
.LP
.nf
map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
.fi
.PP
which falls only 527,566 `addresses' short of the space available in network
10. If we were to combine these rules, they would need to be specified as
follows:
.LP
.nf
map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
so that all TCP/UDP packets are port mapped and other protocols, such as
ICMP, only have their IP# changed.
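As an added example (not part of ipnat or this manual page), the following Python parser accepts rules in the grammar above, enforces the netmask rules from DESCRIPTION (a netmask is required, /32 is valid, /31 is rejected), and reproduces the address-space arithmetic of the examples. The interface name is treated as optional because the example rules omit it, and the interface name used in testing (ppp0) is a constructed value.

```python
import ipaddress

PROTOS = {"tcp", "udp", "tcp/udp"}

def parse_ipmask(tokens):
    """Consume 'ip/bits', 'ip/mask' or 'ip netmask mask'; return (network, rest)."""
    if not tokens:
        raise ValueError("missing address")
    if len(tokens) >= 3 and tokens[1] == "netmask":
        spec, rest = f"{tokens[0]}/{tokens[2]}", tokens[3:]
    else:
        spec, rest = tokens[0], tokens[1:]
    if "/" not in spec:
        raise ValueError(f"a netmask must be specified with the IP address: {spec}")
    net = ipaddress.IPv4Network(spec, strict=False)
    # /32 (all 1's) names a single host and is valid; /31 leaves no host
    # addresses once the network and broadcast addresses are set aside.
    if net.prefixlen == 31:
        raise ValueError(f"netmask 255.255.255.254 is invalid: {spec}")
    return net, rest

def parse_rule(line):
    """Parse one map/rdr rule into a dict (ifname and portmap are None if absent)."""
    tok = line.split()
    if not tok or tok[0] not in ("map", "rdr"):
        raise ValueError(f"rule must start with map or rdr: {line!r}")
    rule = {"mapit": tok[0], "ifname": None, "portmap": None}
    tok = tok[1:]
    if tok and tok[0][0].isalpha():  # ifname starts with a letter, an address with a digit
        rule["ifname"], tok = tok[0], tok[1:]
    rule["src"], tok = parse_ipmask(tok)
    if not tok or tok[0] != "->":
        raise ValueError(f"expected '->' in {line!r}")
    rule["dst"], tok = parse_ipmask(tok[1:])
    if tok:  # optional clause: portmap tcpudp lo:hi
        if len(tok) != 3 or tok[0] != "portmap" or tok[1] not in PROTOS:
            raise ValueError(f"bad portmap clause in {line!r}")
        lo, hi = (int(p) for p in tok[2].split(":"))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range {tok[2]}")
        rule["portmap"] = (tok[1], lo, hi)
    return rule

def shortfall(rule):
    """Source addresses minus translated slots, counted as the page does: hosts = dst block less network/broadcast, ports = hi - lo."""
    dst = rule["dst"]
    hosts = 1 if dst.prefixlen == 32 else dst.num_addresses - 2
    ports = rule["portmap"][2] - rule["portmap"][1] if rule["portmap"] else 1
    return rule["src"].num_addresses - hosts * ports
```

For the port-mapped rule above, shortfall() returns the 527,566 quoted in the text; for the plain map rule it returns the full 16,777,216 minus 254.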
.SH FILES
/etc/services
.br
/etc/hosts
.SH SEE ALSO
ipnat(1), ipf(5), ipnat(4)