2 .\" To view license terms, attribution, and copyright for IP Filter, the
3 .\" default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Illumos operating
4 .\" environment has been installed anywhere other than the default, modify the
5 .\" given path to access the file at the installed location.
6 .\" Portions Copyright (c) 2015, Joyent, Inc.
7 .TH IPNAT 4 "Mar 18, 2015"
9 ipnat, ipnat.conf \- IP NAT file format
11 The format for files accepted by ipnat is described by the following grammar:
14 ipmap :: = mapblock | redir | map .
16 map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
18 mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
19 redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
21 lhs ::= ipmask | fromto .
22 rlhs ::= ipmask dport | fromto .
23 dport ::= "port" portnum [ "-" portnum ] .
24 ports ::= "ports" numports | "auto" .
25 rdrport ::= "port" portnum .
26 mapit ::= "map" | "bimap" .
27 fromto ::= "from" object "to" object .
28 ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
29 dstipmask ::= ipmask | "range" ip "-" ip .
30 mapicmp ::= "icmpidmap" "icmp" number ":" number .
31 mapport ::= "portmap" tcpudp portspec .
32 mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
33 rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] .
35 object :: = addr [ port-comp | port-range ] .
36 addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
37 port-comp :: = "port" compare port-num .
38 port-range :: = "port" port-num range port-num .
39 rdrproto ::= tcpudp | protocol .
41 rr ::= "round-robin" .
42 age ::= "age" decnumber [ "/" decnumber ] .
43 clamp ::= "mssclamp" decnumber .
44 tcpudp ::= "tcp/udp" | protocol .
45 mapproxy ::= "proxy" "port" port proxy-name '/' protocol
46 rdrproxy ::= "proxy" proxy-name .
48 protocol ::= protocol-name | decnumber .
49 nummask ::= host-name [ "/" decnumber ] .
50 portspec ::= "auto" | portnumber ":" portnumber .
51 port ::= portnumber | port-name .
52 portnumber ::= number { numbers } .
53 ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
55 numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
58 For standard NAT functionality, a rule should start with \fBmap\fP and then
59 proceeds to specify the interface for which outgoing packets will have their
60 source address rewritten.
62 Packets which will be rewritten can only be selected by matching the original
63 source address. A netmask must be specified with the IP address.
65 The address selected for replacing the original is chosen from an IP#/netmask
66 pair. A netmask of all 1's indicating a hostname is valid. A netmask of
67 31 1's (255.255.255.254) is considered invalid as there is no space for
68 allocating host IP#'s after consideration for broadcast and network
71 When remapping TCP and UDP packets, it is also possible to change the source
72 port number. Either TCP or UDP or both can be selected by each rule, with a
73 range of port numbers to remap into given as \fBport-number:port-number\fP.
75 There are four commands recognised by IP Filter's NAT code:
78 that is used for mapping one address or network to another in an unregulated
82 that is used for redirecting packets to one IP address and port pair to
86 for setting up bidirectional NAT between an external IP address and an internal
90 which sets up static IP address based translation, based on a algorithm to
91 squeeze the addresses to be translated into the destination range.
94 For basic NAT and redirection of packets, the address subject to change is used
95 along with its protocol to check if a packet should be altered. The packet
96 \fImatching\fP part of the rule is to the left of the "->" in each rule.
98 Matching of packets has now been extended to allow more complex compares.
99 In place of the address which is to be translated, an IP address and port
100 number comparison can be made using the same expressions available with
101 \fBipf\fP. A simple NAT rule could be written as:
104 map de0 10.1.0.0/16 -> 201.2.3.4/32
110 map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
113 Only IP address and port numbers can be compared against. This is available
117 To the right of the "->" is the address and port specification which will be
118 written into the packet providing it has already successfully matched the
119 prior constraints. The case of redirections (\fBrdr\fP) is the simplest:
120 the new destination address is that specified in the rule. For \fBmap\fP
121 rules, the destination address will be one for which the tuple combining
122 the new source and destination is known to be unique. If the packet is
123 either a TCP or UDP packet, the destination and source ports come into the
124 equation too. If the tuple already exists, IP Filter will increment the
125 port number first, within the available range specified with \fBportmap\fP
126 and if there exists no unique tuple, the source address will be incremented
127 within the specified netmask. If a unique tuple cannot be determined, then
128 the packet will not be translated. The \fBmap-block\fP is more limited in
129 how it searches for a new, free and unique tuple, in that it will used an
130 algorithm to determine what the new source address should be, along with the
131 range of available ports - the IP address is never changed and nor does the
132 port number ever exceed its allotted range.
135 ICMP messages can be divided into two groups: "errors" and "queries". ICMP
136 errors are generated as a response of another IP packet. IP Filter will take
137 care that ICMP errors that are the response of a NAT-ed IP packet are
140 For 4 types of ICMP queries (echo request, timestamp request, information
141 request and address mask request) IP Filter supports an additional mapping
142 called "ICMP id mapping". All these 4 types of ICMP queries use a unique
143 identifier called the ICMP id. This id is set by the process sending the
144 ICMP query and it is usually equal to the process id. The receiver of the
145 ICMP query will use the same id in its response, thus enabling the
146 sender to recognize that the incoming ICMP reply is intended for him and is
147 an answer to a query that he made. The "ICMP id mapping" feature modifies
148 these ICMP id in a way identical to \fBportmap\fP for TCP or UDP.
150 The reason that you might want this, is that using this feature you don't
151 need an IP address per host behind the NAT box, that wants to do ICMP queries.
152 The two numbers behind the \fBicmpidmap\fP keyword are the first and the
153 last icmp id number that can be used. There is one important caveat: if you
154 map to an IP address that belongs to the NAT box itself (notably if you have
155 only a single public IP address), then you must ensure that the NAT box does
156 not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule.
159 IP Filter comes with a few, simple, proxies built into the code that is loaded
160 into the kernel to allow secondary channels to be opened without forcing the
161 packets through a user program. The current state of the proxies is listed
162 below, as one of three states:
164 Aging - protocol is roughly understood from
165 the time at which the proxy was written but it is not well tested or
168 Developmental - basic functionality exists, works most of the time but
169 may be problematic in extended real use;
171 Experimental - rough support for the protocol at best, may or may not
172 work as testing has been at best sporadic, possible large scale changes
173 to the code in order to properly support the protocol.
175 Mature - well tested, protocol is properly
176 understood by the proxy;
178 The currently compiled in proxy list is as follows:
184 rpcbind - Experimental
188 Real Audio (PNA) - Aging
190 IPsec - Developmental
192 netbios - Experimental
196 .SH TRANSPARENT PROXIES
198 True transparent proxying should be performed using the redirect (\fBrdr\fP)
199 rules directing ports to localhost (127.0.0.1) with the proxy program doing
200 a lookup through \fB/dev/ipnat\fP to determine the real source and address
204 Two options for use with \fBrdr\fP are available to support primitive,
205 \fIround-robin\fP based load balancing. The first option allows for a
206 \fBrdr\fP to specify a second destination, as follows:
209 rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
212 This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
213 In scenarios where the load is being spread amongst a larger set of
214 servers, you can use:
217 rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
218 rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
221 In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
222 and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this,
223 the rule is removed from the top of the list and added to the end,
224 automatically, as required. This will not effect the display of rules
225 using "ipnat -l", only the internal application order.
228 This section deals with the \fBmap\fP command and its variations.
230 To change IP#'s used internally from network 10 into an ISP provided 8 bit
231 subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
234 map ppp0 10.0.0.0/8 -> 209.1.2.0/24
237 The obvious problem here is we're trying to squeeze over 16,000,000 IP
238 addresses into a 254 address space. To increase the scope, remapping for TCP
239 and/or UDP, port remapping can be used;
242 map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
245 which falls only 527,566 `addresses' short of the space available in network
246 10. If we were to combine these rules, they would need to be specified as
250 map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
251 map ppp0 10.0.0.0/8 -> 209.1.2.0/24
254 so that all TCP/UDP packets were port mapped and only other protocols, such as
255 ICMP, only have their IP# changed. In some instances, it is more appropriate
256 to use the keyword \fBauto\fP in place of an actual range of port numbers if
257 you want to guarantee simultaneous access to all within the given range.
258 However, in the above case, it would default to 1 port per IP address, since
259 we need to squeeze 24 bits of address space into 8. A good example of how
260 this is used might be:
263 map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
266 which would result in each IP address being given a small range of ports to
267 use (252). In all cases, the new port number that is used is deterministic.
268 That is, port X will always map to port Y.
269 WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing
270 to a /32 (i.e. 0/32) because the NAT code will try to map multiple hosts to
271 the same port number, outgoing and ultimately this will only succeed for one
273 The problem here is that the \fBmap\fP directive tells the NAT
274 code to use the next address/port pair available for an outgoing connection,
275 resulting in no easily discernible relation between external addresses/ports
276 and internal ones. This is overcome by using \fBmap-block\fP as follows:
279 map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
282 For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
283 with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
284 own. As opposed to the above use of \fBmap\fP, if for some reason the user
285 of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
286 be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
287 IP address with the \fBmap\fP command.
294 \fBhosts\fR(4), \fBipf\fR(4), \fBservices\fR(4), \fBipf\fR(1M),
295 \fBipnat\fR(1M), \fBipfilter\fR(5)