NAT.CONF(5)               OpenBSD Programmer's Manual              NAT.CONF(5)

NAME
     nat.conf - network address translation configuration file for packet
     filtering

DESCRIPTION
     The rules file for network address translation specifies which addresses
     are to be mapped and which are to be redirected.

     A nat rule specifies that IP addresses are to be changed as the packet
     traverses the given interface.  This technique of network address
     translation (NAT) allows a single IP address on the translating host to
     support network traffic for a larger range of machines on an inside
     network.  Although in theory any IP address can be used on the inside,
     it is strongly recommended that one of the address ranges defined by
     RFC 1918 be used.  These netblocks are:

     10.0.0.0    - 10.255.255.255 (all of net 10, i.e., 10/8)
     172.16.0.0  - 172.31.255.255 (i.e., 172.16/12)
     192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)

     A binat rule specifies a bidirectional map between an external IP address
     and an internal IP address.

     An rdr rule specifies an incoming connection to be redirected to another
     host and optionally a different port.

     Note that all translation rules apply only to packets that pass through
     the specified interface.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections can't reflect packets back through the interface they
     arrive on; they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.

     Also note that all translations of packets occur before the filter rules
     in pf.conf(5) are evaluated.  Hence, 'pass in' rules for redirected
     packets should specify the address/port after translation.

GRAMMAR
     Syntax for translation rules in BNF:

     rule      = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) .

     nat_rule  = "nat" "on" [ "!" ] ifname [ protospec ] "from" ipspec
                 "to" ipspec [ "->" address ] .

     binat_rule = "binat" "on" ifname [ protospec ] "from" address
                  "to" ipspec [ "->" address ] .

     rdr_rule  = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
                 "to" ipspec [ portspec ] [ "->" address [ portspec ] ] .

     protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) .

     ipspec    = "any" | host .

     host      = [ "!" ] address [ "/" mask-bits ] .

     portspec  = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .

     Comments begin with the character `#'; empty lines are ignored.  Rules
     are processed in the order read, one rule per line.  The first matching
     rule is applied.  Rules prefixed with "no" lead to no translation.  Such
     rules can be used to exclude certain connections from being translated.

     An ifname is a network interface such as fxp4, ne0, or ep1.  address can
     be specified in CIDR notation (matching a netblock), as a symbolic host
     name, or as an interface name.  Host name resolution and interface to
     address translation are done at rule set load-time.  When the address of
     an interface (or host name) changes (by DHCP or PPP, for instance), the
     rule set must be reloaded for the change to be reflected in the kernel.
     See dhclient-script(8) or ppp(8) for information on how to automate this
     task.  If specified, mask-bits refers to the number of bits in the
     netmask.  The negation character, `!', may be used before an ifname or
     an address.  The protocol specification is optional.  If it is omitted,
     the rule applies to packets of all protocols.

     rdr rules can optionally specify port ranges instead of single ports.
     'rdr ... port 2000:2999 -> ... port 4000' redirects ports 2000 to 2999
     (including ports 2000 and 2999) to the same port 4000.  'rdr ... port
     2000:2999 -> ... port 4000:*' redirects port 2000 to 4000, 2001 to 4001,
     ..., 2999 to 4999.
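
     The following Python parser is an added example, not part of this manual
     page or of OpenBSD's own code: it reads rules according to the grammar
     above, handles the `#' comments, one-rule-per-line and backslash
     continuations described here, and applies the rdr port-range semantics
     just given.  The sample rules are constructed (modelled on the EXAMPLES
     section), service names from services(5) are not resolved, and
     redirect_port assumes an rdr rule carrying both portspecs.

```python
import re
# Constructed sample input (not a real site), modelled on the EXAMPLES section.
SAMPLE = """# comment lines and the trailing part of a line after '#' are dropped
no nat on fxp1 proto ah from 144.19.74.0/24 to any
nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
rdr on kue0 proto tcp from any to 157.161.48.183/32 port 8080 \\
        -> 10.1.2.151 port 22
rdr on ne3 proto tcp from any to any port 2000:2999 -> 10.0.0.5 port 4000:*
"""

# The BNF above as one regex; per-type limits (e.g. portspec only on rdr) are not enforced.
RULE = re.compile(
    r"^(?:(?P<no>no)\s+)?(?P<kind>nat|binat|rdr)\s+on\s+(?P<ifname>!?\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>!?\S+)\s+to\s+(?P<dst>!?\S+)"
    r"(?:\s+port\s+(?P<dst_port>\S+))?"
    r"(?:\s+->\s+(?P<target>\S+)(?:\s+port\s+(?P<target_port>\S+))?)?$"
)

def _ports(spec):
    # portspec 'N', 'N:M' or 'N:*' -> (lo, hi); hi None means '*'. Names not resolved.
    if spec is None:
        return None
    lo, _, hi = spec.partition(":")
    return (int(lo), None) if hi == "*" else (int(lo), int(hi or lo))

def parse_rule(line):
    # One rule -> dict of the grammar's fields; ValueError on anything else.
    m = RULE.match(re.sub(r"!\s+", "!", line.strip()))   # "! fxp0" -> "!fxp0"
    if not m:
        raise ValueError("not a nat.conf rule: " + line)
    r = m.groupdict()
    r["exclude"] = bool(r.pop("no"))        # "no" prefix: leave untranslated
    r["dst_port"] = _ports(r["dst_port"])
    r["target_port"] = _ports(r["target_port"])
    return r

def parse_conf(text):
    # '#' comments, blank lines, '\' continuations; order kept (first match wins).
    text = re.sub(r"#.*", "", text).replace("\\\n", " ")
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]

def redirect_port(rule, port):
    # rdr range semantics from the text: 'a:b -> c' sends every port in a..b
    # to c; 'a:b -> c:*' sends a to c, a+1 to c+1, ...; None when no match.
    lo, hi = rule["dst_port"]
    if not lo <= port <= (lo if hi is None else hi):
        return None
    tlo, thi = rule["target_port"]
    return tlo + (port - lo) if thi is None else tlo
```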

EXAMPLES
     This example maps incoming requests on port 80 to port 8080, on which
     Apache Tomcat is running (say Tomcat is not run as root and therefore
     lacks permission to bind to port 80).

     # map tomcat on 8080 to appear to be on 80
     rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

     In the example below, vlan12 is configured with the address
     192.168.168.1; the machine translates all packets coming from
     192.168.168.0/24 to 204.92.77.111 when they are going out any interface
     except vlan12.  This has the net effect of making traffic from the
     192.168.168.0/24 network appear as though it is the Internet-routable
     address 204.92.77.111 to nodes behind any interface on the router
     except for the nodes on vlan12.  (Thus, 192.168.168.1 can talk to the
     192.168.168.0/24 nodes.)

     nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111

     In the example below, fxp1 is the outside interface; the machine sits
     between a fake internal 144.19.74.* network and a routable external IP
     of 204.92.77.100.  The "no nat" rule excludes protocol AH from being
     translated.

     no nat on fxp1 proto ah from 144.19.74.0/24 to any
     nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100

     In the example below, fxp0 is the outside interface; a 1:1 bidirectional
     map is created between the private address 192.168.1.5 and the routable
     external address 204.92.77.113.  (Thus, incoming traffic to 204.92.77.113
     is mapped to the internal address 192.168.1.5.)

     binat on fxp0 from 192.168.1.5 to any -> 204.92.77.113

     This longer example uses both a NAT and a redirection.  Interface kue0 is
     the outside interface, and its external address is 157.161.48.183.
     Interface fxp0 is the inside interface, and we are running ftp-proxy(8)
     listening for outbound ftp sessions captured to port 8081.

     # NAT
     # translate outgoing packets' source addresses (any protocol)
     # in my case, any address but the gateway's external address is mapped
     #
     nat on kue0 from ! 157.161.48.183 to any -> 157.161.48.183

     # BINAT
     # translate outgoing packets' source address (any protocol)
     # translate incoming packets' destination address to an internal machine
     # (bidirectional)
     binat on kue0 from 10.1.2.150 to any -> 157.161.48.184

     # RDR
     # translate incoming packets' destination addresses
     # as an example, redirect a TCP and UDP port to an internal machine
     # NOTE: the lines below are split for readability
     #
     rdr on kue0 proto tcp from any to 157.161.48.183/32 port 8080 \
             -> 10.1.2.151 port 22
     rdr on kue0 proto udp from any to 157.161.48.183/32 port 8080 \
             -> 10.1.2.151 port 53

     # RDR
     # translate outgoing ftp control connections to send them to localhost
     # for proxying with ftp-proxy(8) running on port 8081
     rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
FILES
     /etc/hosts
     /etc/nat.conf
     /etc/protocols
     /etc/services

SEE ALSO
     pf(4), hosts(5), pf.conf(5), protocols(5), services(5), ftp-proxy(8),
     pfctl(8)

HISTORY
     The nat.conf file format appeared in OpenBSD 3.0.

OpenBSD 3.1                      June 26, 2001                               3