2006-09-26 19:16:49
Solaris ipfilter/NAT Config
registered IP address, which is perhaps issued by your ISP when you log in via a PPP connection.
IP address of the host running the NAT software.
NAT will allow systems on a private network to share the single registered IP address to access network services such as ftp, telnet, email and the World Wide Web, and allow hosts not connected to the Internet to provide connectivity with one another on their own private LAN or WAN, with full IP connectivity.
found in RFC-1918 at ftp://
Solaris' TCP implementation contains support for the forwarding of IP packets from one network to another, if the system is configured as a router. To enable your system to correctly forward IP packets from within your private network, via NAT, you need to enable ip_forwarding on your NAT system. IT WILL NOT WORK UNLESS THIS IS SET!!!
connectivity software, such as ppp. In this instance, you are treating your system as a kind of router. It is suggested therefore that the file /etc/defaultrouter be deleted if it is present.
address set correctly as the default route.
Translation for a private network in the 192.168.100/255 address range.
The file /etc/opt/ipf/ipf.conf is used to write your firewall rules, which is beyond the scope of this document.
Consult the ipfilter home page if you wish to practice firewalling your system.
The NAT rules I used for my private network look like this:
map ppp0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ppp0 192.168.100.0/24 -> 0/32
You can obtain the file here as nat.conf
Edit the subnet address to suit the configuration you wish for your own LAN.
Ensure you only use subnet addresses in the ranges laid down in RFC-1918.
The rules provided in nat.conf provide access on the private subnet 192.168.100/255 to anywhere on the Internet via the ppp0 interface.
If you are using the Solstice PPP-3.01 (for example), you'll have to change the name of the interface to something like ipdptp0.
The ordering of the rules is important - if you mix them up into a different order, they will not work.
The first rule allows FTP access from all hosts on your private network to the Internet.
The second rule maps high ports 10,000 to 40,000 for your network, allowing access to several network services.
The final rule maps general tcp traffic to and from the Internet for your network.
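As an added example that is not part of the original page, here is a small POSIX sh audit that checks a nat.conf against the three pitfalls above: the interface name must match your ppp device, source subnets must be RFC-1918 ranges, and the plain catch-all rule must come last because ipnat uses the first matching rule. The function names, the expected-interface argument and the two sample files are my own assumptions, not anything from the original.

```shell
#!/bin/sh
# Added example (not from the original page): audit an ipnat nat.conf for the
# pitfalls the text warns about. Assumes the "map <iface> <src> -> <dst> ..."
# syntax shown above; "$2" is the interface you expect (ppp0, or ipdptp0).

rfc1918_ok() {            # $1 = a.b.c.d/len; true for 10/8, 172.16/12, 192.168/16
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) b=$(echo "$1" | cut -d. -f2)
               case "$b" in ''|*[!0-9]*) return 1 ;; esac
               [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Prints one line per finding; returns 0 only when the file is clean.
audit_nat_conf() {
    file=$1 iface=$2 rc=0 n=0 catchall=0
    while read -r kw rif src arrow dst rest; do
        case "$kw" in map) ;; *) continue ;; esac   # skip blanks and comments
        n=$((n + 1))
        # ipnat takes the first matching rule, so anything after the plain
        # catch-all "map ... -> 0/32" (no proxy/portmap) is dead.
        [ "$catchall" -eq 1 ] && { echo "rule $n: after catch-all, never matches"; rc=1; }
        [ "$rif" = "$iface" ] || { echo "rule $n: interface $rif, expected $iface"; rc=1; }
        rfc1918_ok "$src" || { echo "rule $n: $src is not an RFC-1918 range"; rc=1; }
        [ -n "$rest" ] || catchall=1
    done < "$file"
    [ "$n" -gt 0 ] || { echo "no map rules in $file"; rc=1; }
    return $rc
}

# Constructed sample files: the page's three rules, and a broken copy with the
# catch-all first, a mismatched interface and a public (TEST-NET-2) source.
dir=$(mktemp -d)
cat > "$dir/nat.good.conf" <<'EOF'
map ppp0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ppp0 192.168.100.0/24 -> 0/32
EOF
cat > "$dir/nat.bad.conf" <<'EOF'
map ppp0 192.168.100.0/24 -> 0/32
map ipdptp0 198.51.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
EOF
audit_nat_conf "$dir/nat.good.conf" ppp0 && echo "nat.good.conf: OK"
audit_nat_conf "$dir/nat.bad.conf" ppp0 || echo "nat.bad.conf: fix the findings above"
```

Run it against your own /etc/opt/ipf/nat.conf with the interface name you use; it only reads the file and never touches the running ipf/ipnat state.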
I was unable to get RealAudio transmissions to play on my internal LAN, so I had to install the RealAudio Proxy server.
Although I have the source code, I am unsure of my right to distribute it, so you are best to go and obtain it from
Once you have configured your NAT rules in nat.conf you should stop and restart the ipf software by issuing the following command:
# /etc/init.d/ipfboot stop
# /etc/init.d/ipfboot start
You should now be ready to test your NAT setup.
3. Troubleshooting
Check your configuration against the following checklist:
The ipfilter package is correctly installed:
# modinfo | grep "IP Filter"
89 f5fa5000 11bc0 45 1 ipf (IP Filter v3.2.5)
ip_forwarding is enabled in the kernel:
# ndd -get /dev/tcp ip_forwarding
1
The file /etc/opt/ipf/nat.conf exists, and contains the rules as described above.
The rules should contain the correct mapping for your ppp device: ppp0, or ipdptp0 if using Solstice PPP-3.01.
The nodes on your private network have their default route set up as the IP address of the NAT/PPP host.
4. Client configuration
Forthcoming. Basically, set the default router or default gateway to the IP of the IPFILTER machine.
If all has gone well, you should now be able to telnet and ftp and use almost all network services from a host within your private network. If not, double check my instructions, and especially the checklist.
Good Luck with your new NAT configuration!