#
# 2002-03-01; Martin A. Brown
#   - first major revision; added comments
# 2002-08-14; Martin A. Brown
#   - cleaned up the file; added copious commenting and examples
#   - provided support for NAT only from specified networks (backwards
#     incompatibility added here; benefit is huge flexibility gain)
# 2003-02-10; Martin A. Brown
#   - example #6 added.  Thanks for identification and description of
#     this scenario, and the example in the format of the other
#     examples go to Shawn Balestracci
#
# -- field descriptions:
#  field 1   this field contains a network address.  Any packets from
#            this network will be translated according to fields two and
#            three, with the exception of any networks specified in fields
#            6 and higher
#  field 2   contains the NAT IP, the IP that only exists as a publicly
#            reachable IP for an internal host
#  field 3   contains the real IP of the machine, usually an internal IP
#  field 4   contains the priority for the NAT rule itself in the RPDB
#  field 5   contains the priority for the routing rule in the RPDB.  In
#            order for the internal networks to reach the real IP of the
#            server/host, this priority must be higher than the priority
#            for the NAT rule.  **lower numbers == higher priority**
#  field 6+  contains a whitespace separated list of networks which
#            should be able to reach the real IP (field 2) directly.
#            The entries into the rule policy database (RPDB) for these
#            networks will prevent packets from real-IP to dest-network
#            from being rewritten with the NAT IP as the source IP.
#            Networks specified here should be subnets of the network
#            specified in field 1.
#
# -- notes
#
#  - white space, lines beginning with a comment and blank lines are ignored
#  - field 5 should always be a lower number (higher priority) than field 4
#  - fields 5 and 6+ are optional
#  - fields 5 and 6+ must be used together, if used at all
#
# -- examples
#
#  - each example is commented with an English description of the network
#    address translation which will occur
#  - followed by a pseudo shellcode description of how to understand
#    exactly what the NAT will look like
#
# -- example #1; NAT a single IP from anywhere
#
# 0/0      10.10.0.14     172.31.254.1    1000
#
#   for packets from any address (0/0); do
#     if destination_address is 10.10.0.14 ; then
#       rewrite destination address from 10.10.0.14 to 172.31.254.1
#     fi
#   done
#
# -- example #2; NAT an entire network (from anywhere)
#
# 0/0      10.13.0.0/16   172.17.0.0/16   1000
#
#   for packets from any address (0/0); do
#     if destination_address is in 10.13.0.0/16 ; then
#       rewrite destination address from 10.13.x.x to 172.17.x.x
#     fi
#   done
#
# -- example #3; NAT an entire network, but only from a specified network
#
# 10.10.0.0/16   10.15.0.0/24   192.168.0.0/24   1000
#
#   if packet is from 10.10.0.0/16 ; then
#     if destination_address is in 10.15.0.0/24 ; then
#       rewrite destination address from 10.15.0.x to 192.168.0.x
#     fi
#   fi
#
# -- example #4; NAT an entire network, but only from a specified network;
#    make an exception for certain IP ranges
#
# 10.10.0.0/16   10.15.2.0/24   192.168.2.0/24   1000   990   10.10.38.0/24
#
#   if packet is from 10.10.0.0/16 and not from 10.10.38.0/24 ; then
#     if destination_address is in 10.15.2.0/24 ; then
#       rewrite destination address from 10.15.2.x to 192.168.2.x
#     fi
#   fi
#
# -- example #5; NAT a single IP from anywhere; don't NAT if from specified
#    IP ranges
#
# 0/0   10.74.1.8   192.168.73.15   1000   990   192.168.71.0/24   192.168.70.0/24
#
#   for packets from any address except 192.168.71.0/24 and 192.168.70.0/24; do
#     if destination_address is 10.74.1.8 ; then
#       rewrite destination address from 10.74.1.8 to 192.168.73.15
#     fi
#   done
#
# -- example #6; NAT to the same IP differently based on the source
#    network IP ranges
#
# 0/0               10.74.1.8       192.168.73.15   1000
# 192.168.71.0/24   192.168.71.15   192.168.73.15   400
# 192.168.70.0/24   192.168.71.15   192.168.73.15   400
#
#   N.B., the RPDB must traverse lines two and three first, hence the higher
#   priority.  If the source network is not 192.168.{71,70}.0/24 then
#   we'll meet the next entry, 1000.
#   N.B., the third entry in this example will cause an RTNETLINK: file
#   exists error, because there is already an entry in the local
#   routing table for 192.168.71.15 --NAT--> 192.168.73.15.  Known bug.
#
#   for packets from 192.168.71.0/24 or 192.168.70.0/24; do
#     if destination_address is 192.168.71.15 ; then
#       rewrite destination address from 192.168.71.15 to 192.168.73.15
#     fi
#   done
#
#   for packets from any address except 192.168.71.0/24 and 192.168.70.0/24; do
#     if destination_address is 10.74.1.8 ; then
#       rewrite destination address from 10.74.1.8 to 192.168.73.15
#     fi
#   done
#
# -- add your own configuration here
# -- end /etc/sysconfig/static-nat
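The field rules and notes above are easy to get wrong by hand (a field 5 without a field 6+, a routing-rule priority that is not actually higher than the NAT rule's, an exception network outside field 1, or the duplicate mapping from example #6). The following is an added validator for this file format, written for this page and not part of the original static-nat script; it assumes the file is IPv4 only and that "0/0" is the spelling used for "any address", as in the examples.

```python
import ipaddress


def _net(s):
    # The file writes "0/0" for "any address"; the ipaddress module wants the full form.
    return ipaddress.ip_network("0.0.0.0/0" if s == "0/0" else s, strict=False)


def parse_static_nat(text):
    """Parse static-nat lines into rule dicts, enforcing the notes in the file header.

    Returns (rules, warnings).  Hard errors raise ValueError: fewer than 4 fields,
    field 5 without a field 6+, field 5 not a lower number (higher priority) than
    field 4, an exception network not inside field 1, or NAT/real prefixes of
    different sizes.  A NAT->real pair mapped twice (the example #6 case that
    produces 'RTNETLINK: file exists') is returned as a warning, not an error.
    """
    rules, warnings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        f = line.split()
        if len(f) < 4:
            raise ValueError(f"line {lineno}: at least 4 fields are required")
        if len(f) == 5:
            raise ValueError(f"line {lineno}: field 5 needs one or more networks in field 6+")
        src, nat, real = _net(f[0]), _net(f[1]), _net(f[2])
        if nat.prefixlen != real.prefixlen:
            raise ValueError(f"line {lineno}: NAT {nat} and real {real} prefixes differ in size")
        nat_prio = int(f[3])
        route_prio = int(f[4]) if len(f) > 4 else None
        if route_prio is not None and route_prio >= nat_prio:
            raise ValueError(f"line {lineno}: field 5 ({route_prio}) must be lower than field 4 ({nat_prio})")
        exceptions = [_net(x) for x in f[5:]]
        for net in exceptions:
            if not net.subnet_of(src):
                raise ValueError(f"line {lineno}: exception {net} is not a subnet of {src}")
        if (nat, real) in seen:
            warnings.append(f"line {lineno}: {nat} -> {real} already mapped on line "
                            f"{seen[(nat, real)]}; expect 'RTNETLINK: file exists'")
        else:
            seen[(nat, real)] = lineno
        rules.append({"line": lineno, "from": src, "nat": nat, "real": real, "nat_prio": nat_prio,
                      "route_prio": route_prio, "exceptions": exceptions})
    return rules, warnings


def first_error(text):
    """Return the ValueError message for a fragment, or None if it validates."""
    try:
        parse_static_nat(text)
    except ValueError as e:
        return str(e)
    return None
```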