Solaris Resources at Kempston
Configuring Network Address Translation on Solaris 7 and 8
THIS IS A DRAFT PAGE - NOT YET FINISHED!
This page contains detailed step-by-step instructions to configure a Solaris 7 or Solaris 8 system to act as a dial-up gateway for a local network consisting of any combination of Solaris, Windows and Linux systems. This gives internet access to all systems on a local network as if each system had its own connection to the Internet.
These instructions assume that the Solaris system has already been configured for dial-up access as described in Configuring PPP on Solaris to connect to an ISP, that the physical local network exists, that TCP/IP networking is installed on each local machine and that each machine can ping every other machine on the local network. For the purpose of these instructions, it's assumed that each machine on the local network has been configured with a local network IP address from the private address range 192.168.1.1 to 192.168.1.254 and that the local network address of the Solaris system is 192.168.1.1. If you've used a different IP address range, simply substitute your own IP addresses for the addresses mentioned in this guide.
Network Address Translation (NAT)
A Solaris system on a local network has an IP address associated with its network interface card, perhaps 192.168.1.1, and all TCP/IP traffic between it and other machines on the local network is routed through this network interface. When the Solaris system is connected to the Internet through a dial-up PPP link, it has another IP address associated with its dial-up interface ipdptp0. This IP address may be a fixed static address but is more commonly a dynamic address assigned by the ISP when the dial-up connection is made.
It would be possible to assign a public IP address, probably from the ISP's address space, to each machine on a local network and arrange for the Solaris dial-up gateway to act as a router, forwarding packets from the local machines which arrive on its local network interface out through its dial-up network interface. But few ISPs are willing to allocate multiple IP addresses to dial-up customers and the private address ranges such as 192.168.1.1 to 192.168.1.254 are not routable on the Internet.
The solution is to run network address translation software on the Solaris system. In brief, the way this works is that the local machines are configured with a default route pointing at the Solaris system so that packets addressed to host machines on the Internet are sent first to the Solaris system. Solaris is configured as a router so that it receives incoming packets on its local network interface and sends them out on its dial-up interface. Before retransmitting the packets, the Solaris system performs network address translation, replacing the source address (of the sending machine on the local network) with its own dial-up interface address. The reverse happens with packets incoming from the Internet: the Solaris system receives these on its dial-up interface, checks from its tables which local machine the packet is destined for and replaces the destination address in the packet before retransmitting it on the local network.
The following instructions cover the installation and configuration of NAT software called ipfilter on the Solaris dial-up system and the configuration of DNS and a default route on the other machines on the local network. Specific instructions are provided for Solaris 7 and 8, Windows 95 and 98, and RedHat Linux 6.1. The general principle of setting a default route applies to other operating systems.
Installing and configuring NAT on Solaris
Please note that you must be logged in as root while implementing these instructions.
The ipfilter software is supplied in source form and you need to compile it. This isn't difficult! Before doing so, you need to have installed the g(un)zip program and a C compiler. All of these are freely downloadable from the Net and instructions for installing C and gzip are here.
The source of ipfilter is available from http://coombs.anu.edu.au/ipfilter/ip-filter.html. At the time of writing, the latest version is 3.3.12 and the source code is provided as a compressed tar archive in the file ip-fil3.3.12.tar.gz.
Make a directory at a convenient point in the file system to hold the source code and copy the source into this directory. For example:
# mkdir -p /opt/source/ipfilter
# cd /opt/source/ipfilter
# cp /tmp/ip-fil3.3.12.tar.gz .
Unzip and untar the source and then change to the directory created by tar:
# gunzip ip-fil*
# tar xvf ip-fil*
# cd ip_fil3.3.12
At this point, you may like to have a look at the README file which contains a short list of features.
Note that ipfilter cannot be compiled using the GNU "make" program. If you've installed this, make sure that the Solaris "make" program is found first:
# which make
/usr/ccs/bin/make
If the "which" command finds GNU make, you'll need to adjust your search path so that /usr/ccs/bin/make is found first.
Compile the ipfilter program:
# make solaris
A set of NAT rules has to be given to ipfilter to tell it how to translate IP addresses. A simple rule is:
map ipdptp0 192.168.1.0/24 -> 50.50.50.50/32
and this is interpreted as follows:
"map ipdptp0" tells ipfilter to examine the source address of all packets about to be sent through the PPP dial-up interface ipdptp0 and change the source address if it matches the next element in the rule. "192.168.1.0/24" is a standard way of denoting an IP address block. IP addresses consist of 32 bits and are written as four decimal numbers separated by dots. The "/24" denotes the number of bits which comprise the network part of the address and in this example is the 24 bits 192.168.1. So, 192.168.1.0/24 indicates that ipfilter should change the source address when it's in the range 192.168.1.1 to 192.168.1.254. The rest of this rule, "-> 50.50.50.50/32", tells ipfilter to replace the source address in these packets with 50.50.50.50, the "/32" indicating that this is a host address. Such a rule could be used to translate a local network of 192.168.1 so that all packets going out on the dial-up interface have the source address of the dial-up interface.
There's a small complication in that most ISPs allocate dynamic unpredictable IP addresses to dial-up clients. IPfilter copes with this by allowing us to specify "0" as the address of the dial-up interface and it replaces this with the actual IP address assigned to the interface. So, a more general rule can be written as:
map ipdptp0 192.168.1.0/24 -> 0/32
but it is necessary to run the command:
# ipf -y
to refresh the actual address whenever a dial-up connection is made.
This one simple NAT rule is sufficient for most outgoing TCP/IP connections from the local network but it doesn't map source port numbers. It isn't strictly necessary to provide port mapping rules and ipfilter will, by default, simply select the next available local port when translating an IP address. But it's better to specify the range of source ports to be used as in the rule:
map ipdptp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
which tells ipfilter to use source port numbers in the range 10,000 to 40,000.
Another rule is needed to cope with active FTP. FTP is unusual in that one of its modes of operation requires the server to open a data port on the client and there's no general way of allowing incoming connections to a local network when using NAT. To cope with this requirement, ipfilter contains an FTP proxy which opens a hole to allow the server to connect back to the client. The format of this proxy rule is:
map ipdptp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
NAT configuration rules are stored in the file /etc/opt/ipf/nat.conf and this file is created in the next step.
If you're interested in a more complete discussion of NAT rules, the standard guide is the IP Filter Based Firewalls HOWTO.
Use a text editor to create the file /etc/opt/ipf/nat.conf containing the following lines:
map ipdptp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ipdptp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ipdptp0 192.168.1.0/24 -> 0/32
As described earlier, these rules provide access on the private network 192.168.1.1 - 192.168.1.254 through the Solaris NAT system to any host on the Internet via the dial-up ipdptp0 interface.
The order of the rules is important and they must be specified exactly as shown above unless you're quite sure of the effect any differences will make. The first rule allows FTP access from all hosts on the local network to the Internet, the second rule maps high ports 10,000 to 40,000 for the local network and the third rule maps general TCP traffic to and from the local network and the Internet.
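To make the translation mechanism described in the NAT section and the rule ordering above concrete, here is an added Python simulation (not part of this page or of the ipfilter software) of how the three nat.conf rules rewrite outgoing packets and how the resulting state table reverses replies arriving on ipdptp0. It assumes that ipnat applies the first matching rule, that the portmap rule applies only to tcp/udp, and that 50.50.50.50 is the current dial-up address; the packet addresses used are constructed.

```python
import ipaddress
# Constructed copy of the three rules the page puts in /etc/opt/ipf/nat.conf.
NAT_CONF = """\
map ipdptp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ipdptp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ipdptp0 192.168.1.0/24 -> 0/32
"""

def parse_rules(text):
    """Parse 'map' lines into dicts; only the options used on the page are handled."""
    rules = []
    for f in (line.split() for line in text.splitlines() if line.startswith("map ")):
        r = {"src": ipaddress.ip_network(f[2]), "dst": f[4], "proxy": None, "portmap": None}
        if "proxy" in f:                  # proxy port ftp ftp/tcp  -> ("tcp", 21)
            i = f.index("proxy")
            r["proxy"] = (f[i + 3].split("/")[1], 21 if f[i + 2] == "ftp" else int(f[i + 2]))
        if "portmap" in f:                # portmap tcp/udp 10000:40000 -> (["tcp","udp"], range)
            i = f.index("portmap")
            lo, hi = map(int, f[i + 2].split(":"))
            r["portmap"] = (f[i + 1].split("/"), range(lo, hi + 1))
        rules.append(r)
    return rules

class Nat:
    """First-match outbound translation plus the state table consulted for replies."""
    def __init__(self, rules, iface_addr):
        self.rules, self.addr = rules, iface_addr  # addr is what 'ipf -y' refreshes
        self.used, self.table = 0, {}              # table: (proto, public port) -> (local ip, port)

    def outbound(self, pkt):
        """Translate a packet leaving ipdptp0; returns (rule index, new packet) or None."""
        for n, r in enumerate(self.rules):
            if ipaddress.ip_address(pkt["src"]) not in r["src"]:
                continue                           # source not in 192.168.1.0/24
            if r["proxy"] and (pkt["proto"], pkt["dport"]) != r["proxy"]:
                continue                           # proxy rule only for tcp to port 21
            if r["portmap"] and pkt["proto"] not in r["portmap"][0]:
                continue                           # portmap rule only for tcp/udp
            out = dict(pkt, src=self.addr if r["dst"] == "0/32" else r["dst"].split("/")[0])
            if pkt["proto"] in ("tcp", "udp"):     # pick a source port, remember the mapping
                rng = r["portmap"][1] if r["portmap"] else range(1024, 65536)
                out["sport"], self.used = rng[self.used % len(rng)], self.used + 1
                self.table[(pkt["proto"], out["sport"])] = (pkt["src"], pkt["sport"])
            return n, out
        return None                                # no rule matched: sent untranslated

    def inbound(self, pkt):
        """Reverse-translate a reply arriving on ipdptp0; None when no state exists."""
        hit = self.table.get((pkt["proto"], pkt["dport"]))
        return dict(pkt, dst=hit[0], dport=hit[1]) if hit else None
```

Feeding the same rules in reverse order shows why the order matters: a connection to port 21 is then caught by the general rule and never reaches the FTP proxy.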
When the nat.conf file has been created, stop and restart the ipf software:
# /etc/init.d/ipfboot stop
# /etc/init.d/ipfboot start
Issue the following command to switch on IP forwarding in the Solaris kernel:
# ndd -set /dev/tcp ip_forwarding 1
This tells Solaris to forward packets from one network to another and enables packets arriving on the local network interface to be forwarded out on the dial-up ipdptp0 interface and vice versa.
Finally, load the NAT rules from nat.conf and refresh the dial-up interface address in them:
# /sbin/ipnat -C -f /etc/opt/ipf/nat.conf
# /sbin/ipf -y
Further information about ipfilter is available from the following sources:
The IP Filter Based Firewalls HOWTO by Brendan Conoboy and Erik Fichtner
The Solaris IPNAT Howto by Rachel Polanskis
Has this guide been useful?
I hope these instructions prove useful. If you have any comments or suggestions for improvement, or have found any technical errors, please email me at mike@kempston.net
This page is copyright © mike@kempston.net 2000. Reproduction is forbidden without the author's permission. You are welcome to link to these pages if you wish but please point to the pages at www.kempston.net: Solaris Resources at Kempston
This page is maintained by the Kempston Webmaster
Last updated 8 August 2000