Category: BSD

2008-03-15 23:39:37


The nat configuration command is the following:

nat nat_number config nat-configuration

The following parameters can be configured:

ip ip_address
Define an ip address to use for aliasing.

if nic
Use the ip address of nic for aliasing, dynamically changing it if the
NIC's ip address changes.

log Enable logging on this nat instance.

deny_in
Deny any incoming connection from outside world.

same_ports
Try to leave the alias port numbers unchanged from the actual
local port numbers.

unreg_only
Traffic on the local network not originating from an unregistered
address space will be ignored.

reset Reset table of the packet aliasing engine on address change.

reverse
Reverse the way libalias handles aliasing.

proxy_only
Obey transparent proxy rules only; packet aliasing is not performed.

To let the packet continue through the rule set after being (de)aliased,
set the sysctl variable net.inet.ip.fw.one_pass to 0. For more information
about aliasing modes, refer to the libalias documentation. See Section
EXAMPLES for some examples of nat usage.


Redirect and LSNAT support are configured with the redirect_addr,
redirect_port and redirect_proto keywords. See Section EXAMPLES for some
examples of how to do redirect and LSNAT.

NAT, REDIRECT AND LSNAT
First redirect all the traffic to nat instance 123:

ipfw add nat 123 all from any to any

Then, to configure nat instance 123 to alias all outgoing traffic with
ip 192.168.0.123, blocking all incoming connections, trying to keep the same
ports on both sides, clearing the aliasing table on address change and
keeping a log of traffic/link statistics:

ipfw nat 123 config ip 192.168.0.123 log deny_in reset same_ports

Or, to change the address of instance 123 (the aliasing table will be
cleared; see the reset option):

ipfw nat 123 config ip 10.0.0.1

To see configuration of nat instance 123:

ipfw nat 123 show config

To show logs of all the instances in range 111-999:

ipfw nat 111-999 show

To see configurations of all instances:

ipfw nat show config

Or a redirect rule with mixed modes could look like:

ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66
    redirect_port tcp 192.168.0.1:80 500
    redirect_proto udp 192.168.1.43 192.168.1.1
    redirect_addr 192.168.0.10,192.168.0.11 10.0.0.100 # LSNAT
    redirect_port tcp 192.168.0.1:80,192.168.0.10:22 500 # LSNAT

or it could be split into:

ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66
ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500
ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1
ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12 10.0.0.100
ipfw nat 5 config redirect_port tcp 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500
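As an added example (not part of the original man page text, and not a FreeBSD script), the following POSIX shell script assembles a complete in-kernel NAT rule set from the keywords described in the two sections above: a nat instance hardened with if, log, deny_in, same_ports and reset, an LSNAT redirect_port server pool, the one_pass sysctl, and the ipfw rules that pass traffic through the instance. The interface name em0, the 192.168.0.0/24 network and the backend addresses are constructed sample values. DRY_RUN=1 (the default) prints the commands instead of executing them, so the resulting rule set can be reviewed on a host without ipfw.

```shell
#!/bin/sh
# Added example: build an ipfw in-kernel NAT rule set from a few variables.
# With DRY_RUN=1 (the default) every command is printed instead of run.
# Interface name and addresses are constructed sample values.
EXT_IF="${EXT_IF:-em0}"                 # assumed external interface
NAT_ID="${NAT_ID:-123}"                 # nat instance number, as in EXAMPLES
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # constructed internal network
DRY_RUN="${DRY_RUN:-1}"

# run_or_print: print the command line in dry-run mode, otherwise execute it.
run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# nat_config_line INSTANCE NIC [redirect words...]
# Builds the "ipfw nat N config ..." line. 'if NIC' tracks the interface
# address, so a DHCP change needs no reconfiguration; deny_in drops inbound
# connections that match no existing or redirected link; same_ports keeps
# source ports stable where possible; reset flushes the alias table on an
# address change so stale links do not linger; log keeps link statistics.
nat_config_line() {
    printf 'ipfw nat %s config if %s log deny_in same_ports reset' "$1" "$2"
    shift 2
    if [ $# -gt 0 ]; then
        printf ' %s' "$@"
    fi
    printf '\n'
}

# lsnat_redirect PROTO PUBLIC_PORT BACKEND:PORT [BACKEND:PORT...]
# Builds one redirect_port word; several backends form an LSNAT server
# pool, the comma-separated form shown in the EXAMPLES section.
lsnat_redirect() {
    proto="$1"; pub_port="$2"; shift 2
    backends=$(printf '%s,' "$@")
    printf 'redirect_port %s %s %s\n' "$proto" "${backends%,}" "$pub_port"
}

# apply_nat: emit (or run) the complete configuration in rule order.
apply_nat() {
    # Let (de)aliased packets keep traversing the rule set, so the policy
    # rules below are evaluated on the translated packet.
    run_or_print "sysctl net.inet.ip.fw.one_pass=0"
    run_or_print "$(nat_config_line "$NAT_ID" "$EXT_IF" \
        "$(lsnat_redirect tcp 500 192.168.0.1:80 192.168.0.10:80)")"
    run_or_print "ipfw add 10 allow ip from any to any via lo0"
    # Inbound packets are de-aliased first, so later rules see internal addresses.
    run_or_print "ipfw add 100 nat $NAT_ID ip from any to any in via $EXT_IF"
    run_or_print "ipfw add 200 check-state"
    # Flows are admitted with skipto + keep-state rather than allow: the dynamic
    # rule inherits the skipto action, so replies in either direction also pass
    # through the outbound nat rule at 1000 instead of leaving untranslated.
    run_or_print "ipfw add 300 skipto 1000 tcp from any to 192.168.0.1,192.168.0.10 80 in via $EXT_IF setup keep-state"
    run_or_print "ipfw add 400 skipto 1000 ip from $LAN_NET to any out via $EXT_IF keep-state"
    # Anything else arriving on the external interface is dropped and logged.
    run_or_print "ipfw add 500 deny log ip from any to any in via $EXT_IF"
    run_or_print "ipfw add 1000 nat $NAT_ID ip from any to any out via $EXT_IF"
    run_or_print "ipfw add 1010 allow ip from any to any"
}

apply_nat
```

Two points in the script matter for correctness with one_pass=0. Outbound packets must be matched against the internal address before the nat rule rewrites their source, which is why the outbound nat rule sits at the end and is reached through skipto; and because a dynamic rule created by keep-state carries its parent rule's action, using skipto rather than allow for the stateful rules guarantees that reply packets also reach the outbound nat rule. The deny_in keyword and rule 500 overlap deliberately: the alias engine already discards unsolicited inbound packets that match no link or redirect, and the filter rule logs whatever reaches it after translation.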

