This document is written with the intention of providing enough
information on setting up Solaris x86 as a NAT gateway, as simply as possible.
The article does not attempt to introduce firewalling rules, which are
a highly personal and technical project and are beyond the scope
of this document.
If you are looking for a more technical explanation of how NAT or
ipfilter works, consult the ipfilter home page at the URL:
http://cheops.anu.edu.au/~avalon/ip-filter.html
or, for more substantial dirt:
http://www.obfuscation.org/ipf/ipf-howto.txt

The simplest ipnat.conf (adjustments for your environment may be necessary):

map iprb0 192.168.1.0/24 -> 12.25.234.183/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.0/24 -> 12.25.234.183/32 portmap tcp/udp 10000:40000
map iprb0 192.168.1.0/24 -> 12.25.234.183/32
What is NAT?
Network Address Translation (NAT) allows systems that are on an unregistered network of private IP addresses to access the Internet via a genuine registered IP address, which is perhaps issued by your ISP when you login via a PPP connection.
NAT is the facility that translates all the source addresses and port numbers in IP packets originating from the unregistered private network to the public IP address of the host running the NAT software. NAT will allow systems on a private network to share the single registered IP address to access network services such as ftp, telnet, email and the World Wide Web.

RFC-1918 Address space
A private network in general consists of IP addresses specifically set aside for this purpose. These IP addresses are referred to as "non-routing" IP addresses and allow hosts not connected to the Internet to provide connectivity with one another on their own private LAN or WAN, with full IP connectivity.
Three private address ranges have been allocated for this purpose:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Each of these address ranges is a Class A, B, and C network, respectively.
The complete specification for private non-routing IP addresses can be found in RFC-1918 at ftp://www.arin.net/rfc/rfc1918.txt

Obtaining the Binary
Read the readme file and download the package file of ipfilter for Solaris x86 2.7 at: ftp://fishbutt.fiver.net/pub/solarisx86/net
Configuring the software
Once you have installed the software on your system, you'll have to reboot, to allow the device drivers to load.
Before you do this, it is suggested to make the following changes to your boot routine.

ip_forwarding
Solaris' TCP implementation contains support for the forwarding of IP packets from one network to another, if the system is configured as a router.
To enable your system to correctly forward IP packets from within your private network, via NAT, you need to enable ip_forwarding on your NAT system. IT WILL NOT WORK UNLESS THIS IS SET!!!
First, check to see whether ip_forwarding is enabled via the ndd command:
# ndd -get /dev/tcp ip_forwarding
0
The zero indicates ip_forwarding is not enabled in the kernel. To enable ip_forwarding, pass the following command to ndd:
# ndd -set /dev/tcp ip_forwarding 1
You should now check that ip_forwarding is indeed enabled by checking as previously described, with the answer being the value "1".

The next step is to make these settings permanent. In most cases, the system running NAT will also be the system that runs some kind of connectivity software, such as ppp.
In this instance, you are treating your system as a kind of router.
It is suggested therefore, that the file /etc/defaultrouter be deleted if it is present. In its place, create the file /etc/gateways.
This will tell the boot script /etc/init.d/inetsvc to enable ip_forwarding with the correct value of "1" on the next reboot.

You should also now ensure that every system wishing to connect to the Internet via the NAT box has that machine's IP address set correctly as its default route.
NAT Rules
The final step in setting up your system to use NAT is to create some rules. My example below defines the rules required to allow Address Translation for a private network in the 192.168.100.0/24 address range. This is ample for a small LAN such as my home network, which consists of about 4 or 5 machines.
Create a file called /etc/opt/ipf/nat.conf.
There will already be a file in the directory called /etc/opt/ipf/ipf.conf.
It should at this time be empty.
The file /etc/opt/ipf/ipf.conf is used to write your firewall rules, which is beyond the scope of this document.
Consult the ipfilter home page if you wish to practice firewalling your system.

The NAT rules I used for my private network look like this. The rules provided in nat.conf provide access from the private subnet 192.168.100.0/24 to anywhere on the Internet via the ppp0 interface:
map ppp0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ppp0 192.168.100.0/24 -> 0/32
You can obtain the file here as nat.conf
Edit the subnet address to suit the configuration you wish for your own LAN.
Ensure you only use subnet addresses in the ranges laid down in RFC-1918.
If you are using the Solstice PPP-3.01 (for example), you'll have to change the name of the interface to something like ipdptp0.

The ordering of the rules is important - if you mix them up into a different order, they will not work.
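A small lint for nat.conf, added here as an example and not part of the original article or the ipfilter package: it checks that every map source is an RFC-1918 subnet and that the rules are ordered so none is shadowed (ipnat takes the first matching map rule, so the bare catch-all must come last and the ftp proxy must precede a TCP portmap for the same source). The two sample files are constructed.

```shell
# Added lint for an ipnat-style nat.conf (not from the article; input is
# constructed): each "map" source must be an RFC-1918 subnet, the bare
# catch-all "map IF SRC -> DST" must come last, ftp proxy before TCP portmap.
rfc1918_cidr() {            # A.B.C.D/P wholly inside 10/8, 172.16/12 or 192.168/16?
    ip=${1%/*}; plen=${1#*/}
    [ "$ip" != "$1" ] || return 1                   # no prefix length given
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs     # split the dotted quad
    [ $# -eq 4 ] || return 1
    { [ "$1" -eq 10 ] && [ "$plen" -ge 8 ]; } && return 0
    { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && [ "$plen" -ge 12 ]; } && return 0
    { [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && [ "$plen" -ge 16 ]; } && return 0
    return 1
}
check_nat_conf() {          # FILE -> status 0 if clean, 1 with one diagnostic per fault
    rc=0; n=0; catchall=""; portmap=""
    while read -r kw iface src arrow dst rest; do
        n=$((n + 1))
        case $kw in ""|\#*) continue ;; esac        # blank line or comment
        if [ "$kw" != map ] || [ "$arrow" != '->' ]; then
            echo "line $n: unrecognised rule"; rc=1; continue
        fi
        rfc1918_cidr "$src" || { echo "line $n: $src is not an RFC-1918 subnet"; rc=1; }
        key="$iface,$src"
        case " $catchall " in *" $key "*)
            echo "line $n: follows the catch-all map for $key, never matches"; rc=1 ;; esac
        case $rest in
            "") catchall="$catchall $key" ;;          # bare map shadows every later rule
            proxy*) case " $portmap " in *" $key "*)  # ftp is TCP, so a TCP portmap hides it
                echo "line $n: ftp proxy after portmap tcp for $key, never matches"; rc=1 ;; esac ;;
            "portmap tcp"*) portmap="$portmap $key" ;;
        esac
    done < "$1"
    return $rc
}
GOOD=$(mktemp); BAD=$(mktemp); trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# constructed: the article's order, proxy and portmap before the catch-all
map ppp0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ppp0 192.168.100.0/24 -> 0/32
EOF
cat > "$BAD" <<'EOF'
# constructed: portmap ahead of the ftp proxy, and a public source subnet
map ppp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ppp0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 12.25.234.0/24 -> 0/32
EOF
check_nat_conf "$GOOD" && echo "good nat.conf: OK"
check_nat_conf "$BAD" || echo "bad nat.conf: problems found"
```

Run it against your own /etc/opt/ipf/nat.conf with `check_nat_conf /etc/opt/ipf/nat.conf` before restarting ipf.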
Once you have configured your NAT rules in nat.conf,
you should stop and restart the ipf software by issuing the
following commands:
# /etc/init.d/ipfboot stop
# /etc/init.d/ipfboot start
You should now be ready to test your NAT setup.
Check your configuration against the following checklist:
If all has gone well, you should now be able to telnet and ftp and
use most network services from a host within your private network.
If not, double check my instructions, and especially the checklist.