NAT.CONF(5) OpenBSD Programmer's Manual NAT.CONF(5) NAME nat.conf - network address translation configuration file for packet fil- tering DESCRIPTION The rules file for network address translation specify which addresses are to be mapped and which are to be redirected. A nat rule specifies that IP addresses are to be changed as the packet traverses the given interface. This technique of network address trans- lation (NAT) allows a single IP address on the translating host to sup- port network traffic for a larger range of machines on an inside network. Although in theory any IP address can be used on the inside, it is strongly recommended that one of the address ranges defined by RFC 1918 be used. These netblocks are: 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) A binat rule specifies a bidirectional map between an external IP address and an an internal IP address. An rdr rule specifies an incoming connection to be redirected to another host and optionally a different port. Note that all translation rules apply only to packets that pass through the specified interface. For instance, redirecting port 80 on an exter- nal interface to an internal web server will only work for connections originating from the outside. Connections to the address of the external interface from local hosts will not be redirected, since such packets do not actually pass through the external interface. Redirections can't re- flect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself. Also note that all translations of packets occur before the filter rules in pf.conf(5) are evaluated. Hence, 'pass in' rules for redirected pack- ets should specify the address/port after translation. GRAMMAR Syntax for filter rules in BNF: rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) . nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] "from" ipspec "to" ipspec [ "->" address ] . binat_rule = "binat" "on" ifname [ protospec ] "from" address "to" ipspec [ "->" address ] . rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec "to" ipspec [ portspec ] [ "->" address [ portspec ] ] . protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) . ipspec = "any" | host . host = [ "!" ] address [ "/" mask-bits ] . portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] . Comments begin with the character `#'; empty lines are ignored. Rules are processed in the order read, one rule per line. The first matching rule is applied. Rules prefixed with "no" lead to no translation. Such rules can be used to exclude certain connections from being translated. An ifname is a network interface such as fxp4, ne0, or ep1. address can be specified in CIDR notation (matching a netblock), as symbolic host name or interface name. Host name resolution and interface to address translation are done at rule set load-time. When the address of an in- terface (or host name) changes (by DHCP or PPP, for instance), the rule set must be reloaded for the change to be reflected in the kernel. See dhclient-script(8) or ppp(8) for information on how to automate this task. If specified, mask-bits refers to the number of bits in the net- mask. The negation character, `!', may be used before an ifname or an address. The protocol specification is optional. If it is omitted, the rule applies to packets of all protocols. rdr rules can optionally specify port ranges instead of single ports. 'rdr ... port 2000:2999 -> ... port 4000' redirects ports 2000 to 2999 (including port 2000 and 2999) to the same port 4000. 'rdr ... port 2000:2999 -> ... port 4000:*' redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. EXAMPLES This example maps incoming requests on port 80 to port 8080, on which Apache Tomcat is running (say Tomcat is not run as root, therefore lacks permission to bind to port 80). # map tomcat on 8080 to appear to be on 80 rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080 In the example below, vlan12 is configured for the 192.168.168.1; the ma- chine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 when they are going out any interface except vlan12. This has the net effect of making traffic from the 192.168.168.0/24 network appear as though it is the Internet routeable address 204.92.77.111 to nodes behind any interface on the router except for the nodes on vlan12. (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111 In the example below, fxp1 is the outside interface; the machine sits be- tween a fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100. The "no nat" rule excludes protocol AH from being trans- lated. no nat on fxp1 proto ah from 144.19.74.0/24 to any nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100 In the example below, fxp0 is the outside interface; a 1:1 bidirectional map is created between the private address 192.168.1.5 and the routable external address 204.92.77.113. (Thus, incoming traffic to 204.92.77.113 is mapped to the internal address 192.168.1.5.) binat on fxp0 from 192.168.1.5 to any -> 204.92.77.113 This longer example uses both a NAT and a redirection. Interface kue0 is the outside interface, and its external address is 157.161.48.183. In- terface fxp0 is the inside interface, and we are running ftp-proxy(8) listening for outbound ftp sessions captured to port 8081. # NAT # translate outgoing packets' source addresses (any protocol) # in my case, any address but the gateway's external address is mapped # nat on kue0 from ! 157.161.48.183 to any -> 157.161.48.183 # BINAT # translate outgoing packets' source address (any protocol) # translate incoming packets' destination address to an internal machine # (bidirectional) binat on kue0 from 10.1.2.150 to any -> 157.161.48.184 # RDR # translate incoming packets' destination addresses # as an example, redirect a TCP and UDP port to an internal machine # NOTE: the lines below are split for readability # rdr on kue0 proto tcp from any to 157.161.48.183/32 port 8080 \ -> 10.1.2.151 port 22 rdr on kue0 proto udp from any to 157.161.48.183/32 port 8080 \ -> 10.1.2.151 port 53 # RDR # translate outgoing ftp control connections to send them to localhost # for proxying with ftp-proxy(8) running on port 8081 rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081 FILES /etc/hosts /etc/nat.conf /etc/protocols /etc/services SEE ALSO pf(4), hosts(5), pf.conf(5), protocols(5), services(5), ftp-proxy(8), pfctl(8) HISTORY The nat.conf file format appeared in OpenBSD 3.0. OpenBSD 3.1 June 26, 2001 3