Solaris ipfilter/NAT Config
Posted 2006-09-26 19:16
I. What is NAT?
Network Address Translation (NAT) allows systems on an unregistered network of private IP addresses to access the Internet via a genuine
registered IP address, such as the one issued by your ISP when you log in over a PPP connection.
NAT is the facility that translates the source addresses and port numbers in IP packets originating from the unregistered private network to the public
IP address of the host running the NAT software. NAT thus allows the systems on a private network to share a single registered IP address to access network
services such as ftp, telnet, email and the World Wide Web.
II. RFC-1918 address space
A private network in general consists of IP addresses specifically set aside for this purpose. These IP addresses are referred to as "non-routing" IP addresses
and allow hosts not connected to the Internet to provide connectivity with one another on their own private LAN or WAN, with full IP connectivity.
Three private address ranges have been allocated for this purpose:
10.0.0.0        -   10.255.255.255  (10/8 prefix)
172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
Each of these address ranges corresponds to a Class A, B and C network, respectively. The complete specification for private non-routing IP addresses can be
found in RFC-1918 at ftp://www.arin.net/rfc/rfc1918.txt
III. Obtaining the binary
Read the README file and download the ipfilter package for Solaris x86 2.7 from: ftp://fishbutt.fiver.net/pub/solarisx86/net
IV. Configuring the software
Once you have installed the software on your system, you will have to reboot to allow the device drivers to load. Before you do this, it is suggested that you make the following changes to your boot routine.
1. ip_forwarding
Solaris' TCP/IP stack supports forwarding IP packets from one network to another if the system is configured as a router.
To enable your system to correctly forward IP packets from within your private network via NAT, you need to enable ip_forwarding on your NAT
system. IT WILL NOT WORK UNLESS THIS IS SET!!!
First check whether ip_forwarding is enabled, using the ndd command:
# ndd -get /dev/tcp ip_forwarding
0
The zero indicates that ip_forwarding is not enabled in the kernel. To enable it, pass the following command to ndd:
# ndd -set /dev/tcp ip_forwarding 1
Now check again, as described above, that ip_forwarding is indeed enabled; the answer should be "1".
The next step is to make these settings permanent. In most cases, the system running NAT will also be the system that runs some kind of
connectivity software, such as ppp. In this instance you are treating your system as a kind of router, so it is suggested that the
file /etc/defaultrouter be deleted if it is present.
In its place, create the file /etc/gateways. This tells the boot script /etc/init.d/inetsvc to enable
ip_forwarding with the correct value of "1" on the next reboot.
You should also ensure that every system wishing to connect to the Internet via the NAT box has that machine's IP
address set correctly as its default route.
2. NAT rules
The final step in setting up your system to use NAT is to create some rules. My example below defines the rules required to allow address
translation for a private network in the 192.168.100/255 address range.
This is ample for a small LAN such as my home network, which consists of about 4 or 5 machines.
Create a file called /etc/opt/ipf/nat.conf. There will already be a file in the directory called /etc/opt/ipf/ipf.conf; at this point it should be empty. The
file /etc/opt/ipf/ipf.conf is where your firewall rules go, which is beyond the scope of this document.
Consult the ipfilter home page if you wish to firewall your system.
The NAT rules I used for my private network look like this:
map ppp0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ppp0 192.168.100.0/24 -> 0/32
You can obtain the file here as nat.conf
Edit the subnet address to suit the configuration you wish for your own LAN.
Ensure you only use subnet addresses in the ranges laid down in RFC-1918.
The rules provided in nat.conf give the private subnet 192.168.100/255 access to anywhere on the Internet via the ppp0 interface.
If you are using Solstice PPP-3.01 (for example), you will have to change the interface name to something like ipdptp0.
The ordering of the rules is important: if you put them in a different order, they will not work.
The first rule allows FTP access from all hosts on your private network to the Internet.
The second rule maps high ports 10,000 to 40,000 for your network, allowing access to several network services.
The final rule maps general tcp traffic to and from the Internet for your network.
I was unable to get RealAudio transmissions to play on my internal LAN, so I had to install the RealAudio Proxy server.
Although I have the source code, I am unsure of my right to distribute it, so you are best to go and obtain it from http://www.real.com yourself.
Once you have configured your NAT rules in nat.conf, stop and restart the ipf software with the following commands:
# /etc/init.d/ipfboot stop
# /etc/init.d/ipfboot start
You should now be ready to test your NAT setup.
3. Troubleshooting
Check your configuration against the following checklist:
The ipfilter package is correctly installed and its kernel module is loaded:
# modinfo | grep "IP Filter"
89 f5fa5000  11bc0  45   1  ipf (IP Filter v3.2.5)
ip_forwarding is enabled in the kernel:
# ndd -get /dev/tcp ip_forwarding
1
The file /etc/opt/ipf/nat.conf exists and contains the rules as described above.
The rules contain the correct mapping for your PPP device:
ppp0, or ipdptp0 if you are using Solstice PPP-3.01.
The nodes on your private network have their default route set to the IP address of the NAT/PPP host.
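The checklist above can be scripted so that it is re-run after every change. The POSIX sh script below is an added example and not part of the original post; each check is a function that takes the relevant command's output as an argument (or nat.conf on stdin), so the logic can be exercised against the sample output shown in the checklist even on a machine without ipfilter, while run_checklist wires in the real ndd and modinfo commands on a Solaris host. It assumes the output formats shown above and that the interface name is passed as the first argument (default ppp0).

```shell
#!/bin/sh
# Added example (not from the original post): the troubleshooting checklist as
# a script. The check functions take command output as arguments so they can
# be tested with constructed samples; run_checklist calls the real commands.

# Check 1: "ndd -get /dev/tcp ip_forwarding" must print exactly 1
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d ' \n\r')" = 1 ]
}

# Check 2: modinfo output must list the "IP Filter" kernel module
ipf_module_loaded() {
    printf '%s\n' "$1" | grep -q 'IP Filter'
}

# Check 3: nat.conf (on stdin) must contain at least one map rule for IFACE
nat_conf_maps_iface() {
    grep -q "^map[[:space:]][[:space:]]*$1[[:space:]]"
}

# run_checklist [IFACE]: run the real commands; prints ok/FAIL per item and
# returns 1 if anything failed (only meaningful on a Solaris host)
run_checklist() {
    iface=${1:-ppp0}; failed=0
    if forwarding_enabled "$(ndd -get /dev/tcp ip_forwarding 2>/dev/null)"; then
        echo "ok   ip_forwarding is enabled"
    else
        echo "FAIL ip_forwarding is 0 or unreadable; run: ndd -set /dev/tcp ip_forwarding 1"; failed=1
    fi
    if ipf_module_loaded "$(modinfo 2>/dev/null)"; then
        echo "ok   ipf kernel module is loaded"
    else
        echo "FAIL ipf module not loaded (package installed? rebooted?)"; failed=1
    fi
    if [ -f /etc/opt/ipf/nat.conf ] && nat_conf_maps_iface "$iface" < /etc/opt/ipf/nat.conf; then
        echo "ok   /etc/opt/ipf/nat.conf has map rules for $iface"
    else
        echo "FAIL no map rule for $iface in /etc/opt/ipf/nat.conf (ppp0 vs ipdptp0?)"; failed=1
    fi
    return $failed
}

# Only run the real commands on Solaris; elsewhere the functions can be fed
# constructed output, e.g.: forwarding_enabled "$(printf '1\n')" && echo ok
if [ "$(uname -s 2>/dev/null)" = SunOS ]; then
    run_checklist "${1:-ppp0}" || echo "checklist failed: see FAIL lines above"
fi
```

The fourth checklist item (the clients' default route) is not covered, because it has to be verified on each client rather than on the NAT host.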
4. Client configuration
Forthcoming. Basically, set the default router (default gateway) on each client to the IP address of the ipfilter machine.
If all has gone well, you should now be able to telnet and ftp and use most network services from a host within your private network. If not,
double-check my instructions, and especially the checklist.
Good luck with your new NAT configuration!


This article is from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u/17424/showart_176957.html