Subject: Re: Configuring IPNat
To: Frederick Bruckman <fb@enteract.com>
From: James Webster <James3838@tsi-net.com>
List: netbsd-help
Date: 07/28/1999 03:31:34
I did have it backwards.  I think I have it licked, but have to go home to
try it out...  (working really late)
I now have the following:
map ep0 10.0.0.1/32 -> a.b.c.d/32
rdr ne1 0.0.0.0/0 port 2300 -> 10.0.0.1 port 2300
rdr ne1 0.0.0.0/0 port 2301 -> 10.0.0.1 port 2301
rdr ne1 0.0.0.0/0 port 2302 -> 10.0.0.1 port 2302
rdr ne1 0.0.0.0/0 port 2303 -> 10.0.0.1 port 2303
rdr ne1 0.0.0.0/0 port 2304 -> 10.0.0.1 port 2304
rdr ne1 0.0.0.0/0 port 28800 -> 10.0.0.1 port 28800
rdr ne1 0.0.0.0/0 port 28801 -> 10.0.0.1 port 28801
rdr ne1 0.0.0.0/0 port 28802 -> 10.0.0.1 port 28802
rdr ne1 0.0.0.0/0 port 28803 -> 10.0.0.1 port 28803
rdr ne1 0.0.0.0/0 port 28804 -> 10.0.0.1 port 28804

There doesn't seem to be a method to redirect a range of ports, nor to
specify which inbound IP the rdr rules apply to (not that it matters in my case as
I only need these rules for 1 machine).

----- Original Message -----
From: Frederick Bruckman <fb@enteract.com>
To: James Webster <James3838@tsi-net.com>
Cc: <netbsd-help@netbsd.org>
Sent: Wednesday, July 28, 1999 3:12 AM
Subject: Re: Configuring IPNat


> On Wed, 28 Jul 1999, James Webster wrote:
>
> > Still not working...   so I'm taking a different approach..
> > I have an extra IP, so I want to do a 1:1 mapping.  I've added the IP to
> > ifaliases, and want to confirm the following mapping makes sense.
>
> That's making more sense than your earlier plan...
>
> > rdr ep0 10.0.0.1/0 -> a.b.c.d/0        # changes source from 10.0.0.1 to
> > a.b.c.d to all external (internet) ports
> > map ne1 a.b.c.d/0 -> 10.0.0.1/0    # changes destination from a.b.c.d to
> > 10.0.0.1 for all ports
>
> The comment doesn't sound quite right. On any particular interface,
> "rdr" rewrites the destination of the incoming packets; whereas "map"
> rewrites the source addr of outgoing packets. I forgot already which
> interface is external and which is internal, but it sounds like you're
> getting close.
>
> Remember that you can enter and delete rules interactively. If you can
> open a bunch of telnet sessions, or xterms, just run "ipnat -f -" in
> one, "ipnat -rf -" in another, and repeat "ipnat -l" in a third. Or
> you can clear all the rules with "ipnat -l | ipnat -rf -", and then
> enter new ones with "ipnat -f -". Ipfilter ("ipf") works along the
> same lines.
>
> Here are some references:
>
> The IP-Filter Home Page
>
> <http://coombs.anu.edu.au/~avalon/ip-filter.html>
>
> The NAT FAQ
>
> <http://radon.moof.ai.mit.edu/~armenb/ipnat.html>
>
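Editor's added example (not code from either poster): a small Python linter and range expander for rules in the form used above. The sample rules are copied from the message, with a.b.c.d kept as the placeholder it already is. The range expander emits one rdr line per port, exactly the shape James typed by hand, and the checks encode Frederick's point that, on the interface a rule names, rdr rewrites the destination of incoming packets and map rewrites the source of outgoing packets: on a two-interface NAT box both kinds of rule therefore normally name the same external interface, and a 0.0.0.0/0 match on an rdr rule catches every destination address that arrives on that interface. The rule grammar recognised here is only the subset visible on this page.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the rule lines in the message above.
# a.b.c.d is the same placeholder the poster used for the external address.
SAMPLE_RULES = """\
map ep0 10.0.0.1/32 -> a.b.c.d/32
rdr ne1 0.0.0.0/0 port 2300 -> 10.0.0.1 port 2300
rdr ne1 0.0.0.0/0 port 28800 -> 10.0.0.1 port 28800
"""

# Only the subset of ipnat syntax that appears on this page:
#   map  IFACE SRC/MASK -> ADDR/MASK
#   rdr  IFACE DST/MASK [port N] -> ADDR [port M]
RULE_RE = re.compile(
    r"^(?P<kind>map|rdr)\s+(?P<iface>\S+)\s+(?P<match>\S+)"
    r"(?:\s+port\s+(?P<mport>\d+))?\s*->\s*(?P<target>\S+)"
    r"(?:\s+port\s+(?P<tport>\d+))?\s*$"
)


def parse_rule(line: str) -> Dict[str, str]:
    """Split one map/rdr line into its fields; raise on anything unrecognised."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ipnat rule: {line!r}")
    return m.groupdict()


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse a rule file, skipping blank lines and '#' comments."""
    return [
        parse_rule(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def expand_rdr(iface: str, match: str, first: int, last: int, target: str) -> List[str]:
    """Emit one rdr line per port in [first, last], same port on both sides,
    mirroring the per-port rules written out by hand in the message."""
    if first > last or first < 1 or last > 65535:
        raise ValueError(f"bad port range {first}-{last}")
    return [f"rdr {iface} {match} port {p} -> {target} port {p}"
            for p in range(first, last + 1)]


def check_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Sanity checks derived from how rdr (incoming destination) and
    map (outgoing source) apply on the interface each rule names."""
    warnings: List[str] = []
    map_ifaces = {r["iface"] for r in rules if r["kind"] == "map"}
    rdr_ifaces = {r["iface"] for r in rules if r["kind"] == "rdr"}
    # Both map and rdr act on the external side of a NAT box, so a rule set
    # whose map and rdr rules name disjoint interfaces has one of them wrong.
    if map_ifaces and rdr_ifaces and map_ifaces.isdisjoint(rdr_ifaces):
        warnings.append(
            f"map rules name {sorted(map_ifaces)} but rdr rules name "
            f"{sorted(rdr_ifaces)}; both normally name the external interface"
        )
    for r in rules:
        # A /0 destination match on rdr means every address arriving on that
        # interface is redirected, not just the one public address intended.
        if r["kind"] == "rdr" and r["match"].endswith("/0"):
            warnings.append(
                f"rdr on {r['iface']} matches {r['match']} (any destination "
                f"address) for port {r['mport']}; a /32 match on the intended "
                "external address limits the redirect to that address"
            )
    return warnings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for line in expand_rdr("ne1", "0.0.0.0/0", 2300, 2304, "10.0.0.1"):
        print(line)
    for w in check_rules(rules):
        print("WARNING:", w)
```

Run it with a candidate rule file piped through parse_rules before loading the rules with "ipnat -f -", as Frederick suggests, so the interactive load only ever sees rules that passed the check.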