Date: Fri, 04 Dec 1998 16:57:02 +0100 From: Dirk-Willem van Gulik <dirk.vangulik@jrc.it> To: freebsd-doc@FreeBSD.ORG Subject: On natd. Message-ID: <3668064E.5C28A67E@jrc.it>
I kind of wasted two hours on getting natd to work; it turned out
that the LKM was used, and as it does not get re-compiled with
IPDIVERT, things kind of did not work.

For the customer I just wrote this bit of text. Feel free to
abuse it for the FAQ, manual or manpage. I just found natd(8)
a bit thin on the ground with examples.

I am sure this can be improved; but currently there is very little
to copy from.
Dw.
-----
Item. How to map a few IP addresses from the client's 'internal'
network onto one or more 'external' addresses.

0. Throughout this example we have the following players:

       vx0              external interface; connected to 139.191.145.0/24
       xl0              internal interface; connected to 10.0.0.0/16
       10.0.x.y         'internal' machines
       139.191.145.x    'external' machines
       139.191.145.80   the machine which runs natd
       139.191.145.8x   x=1..9 free IP addresses.
1. Follow the instructions in natd(8). In step 2, the kernel
   rebuild, be aware that most 2.2 and up systems use an
   LKM module. So you will have to recompile this module as
   well. So after adding the IPFIREWALL and IPDIVERT options,
   do something like:

       # configure the kernel. do NOT use '-n'
       #
       config MYKERNEL
       cd ../../compile/MYKERNEL
       # compile the kernel
       make && make install
       # recompile the LKM (note '&&', not a single '&', which
       # would background the build and install a stale module)
       cd /usr/src/lkm/ipfw
       make && make install

2. Create a small configuration file, /etc/natd.cf, in
   which you put something like

       redirect_address 10.0.0.2 139.191.145.81
       redirect_address 10.0.2.4 139.191.145.82
       redirect_address 10.0.1.7 139.191.145.83

   I.e., in this case we are making the machines 10.2,
   10.4 and 10.7 visible to the outside world in a
   continuous 81 to 83 range.

3. Add a new firewall type in the rc.firewall file,
   just after the 'open' type:

       elif [ "${firewall_type}" = "natd" ]; then
           /sbin/ipfw add divert natd all from any to any via vx0
           /sbin/ipfw add pass all from any to any
       elif [ "${firewall_type}" = "client" ]; then
           ....

4. Specify this firewall in rc.conf:

       firewall_enable="YES"   # Set to YES to enable firewall functionality
       firewall_type="natd"    # Firewall type (see /etc/rc.firewall)

5. And start natd, for example from your rc.local:

       if [ -f /etc/natd.cf ] && [ -x /usr/sbin/natd ]; then
           outside_if=vx0
           /usr/sbin/natd -f /etc/natd.cf -interface $outside_if \
               && echo -n ' natd'

6. If you are masquerading hosts onto the external
   site, as in the above example, you will have
   to add the 'alias' to the external interface.
   You could use something like this, inside the same 'if'
   block as step 5, before its closing 'fi':

           # add the external addresses from the natd.cf mapping file
           # to the aliases for our primary interface
           #
           strangers=`grep ^redirect_address /etc/natd.cf | awk '{ print $3 }'`
           for alien in $strangers; do
               ifconfig $outside_if inet $alien netmask 0xffffff00 alias
           done
       fi
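As an added example (not code from the mail above), a small sh script that checks the redirect_address lines of a natd.cf before they are turned into the aliases of step 6: it flags an external address that is off the external /24, that is the natd host's own address, or that is mapped twice, and then emits the ifconfig lines. The function names and the sample natd.cf are this example's own; the addresses follow the setup above.

```shell
#!/bin/sh
# Added example, not code from the mail; function names and the sample
# natd.cf are this example's own, the addresses follow the mail's setup.
# Constructed sample natd.cf: the mail's three mappings plus a comment, a
# blank line, a mapping onto the natd host's own address and one whose
# external address is not on 139.191.145.0/24.
write_sample_natd_cf() {
    cat > "$1" <<'EOF'
# static mappings: internal address -> external address
redirect_address 10.0.0.2 139.191.145.81

redirect_address 10.0.2.4 139.191.145.82
redirect_address 10.0.1.7 139.191.145.83
redirect_address 10.0.9.9 139.191.145.80
redirect_address 10.0.3.3 192.168.1.5
EOF
}

# natd_externals FILE: external address of every mapping, in file order
# (what the mail's grep|awk pipeline extracts, ignoring comment lines).
natd_externals() {
    awk '$1 == "redirect_address" && NF >= 3 { print $3 }' "$1"
}

# natd_problems FILE HOST_ADDR EXT_PREFIX: one line per bad mapping.
# HOST_ADDR is the address natd itself runs on; EXT_PREFIX is the first
# three octets of the external /24, e.g. 139.191.145.
natd_problems() {
    awk -v host="$2" -v prefix="$3" '
        $1 != "redirect_address" { next }
        NF < 3 { print "line " NR ": malformed mapping"; next }
        index($3, prefix ".") != 1 { print "line " NR ": " $3 " is not on " prefix ".0/24"; next }
        $3 == host { print "line " NR ": " $3 " is the natd host itself"; next }
        $3 in seen { print "line " NR ": " $3 " already mapped at line " seen[$3]; next }
        { seen[$3] = NR }
    ' "$1"
}

# natd_check FILE HOST_ADDR EXT_PREFIX: succeeds only if no problem is found.
natd_check() {
    [ -z "$(natd_problems "$@")" ]
}

# natd_alias_cmds FILE IFACE: the ifconfig lines for the mail's step 6.
# The aliases share the primary address's subnet, so ifconfig(8) wants a
# non-conflicting (host) netmask, 0xffffffff, rather than the /24 mask.
natd_alias_cmds() {
    natd_externals "$1" | while read -r ext; do
        echo "ifconfig $2 inet $ext netmask 0xffffffff alias"
    done
}
```

Run natd_check against the real /etc/natd.cf from rc.local before the alias loop, and only add the aliases when it succeeds.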
Dw.