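# <!-- trick an XML parser sourcing us. Rest of file is CDATA --> <![CDATA[
# NAT configuration file
#
# -- This file is used to configure NAT routes and rules
# via the iproute2 package. A sysV init script (nat)
# uses this file to set up the routes/rules.
#
#
# Copyright (c)2002 SecurePipe, Inc. - http://www.securepipe.com/
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
#
# -- file created by Matt Callaway <matt@securepipe.com>
# 2002-03-01; Martin A. Brown <mabrown@securepipe.com>
# - first major revision; added comments
# 2002-08-14; Martin A. Brown <mabrown@securepipe.com>
# - cleaned up the file; added copious commenting and examples
# - provided support for NAT only from specified networks (backwards
# incompatibility added here; benefit is huge flexibility gain)
# 2003-02-10; Martin A. Brown <mabrown@securepipe.com>
# - example #6 added. Thanks for identification and description of
# this scenario, and the example in the format of the other
# examples go to Shawn Balestracci <shawnb@securepipe.com>
#
# -- line format:
#
# one NAT rule per line; fields are separated by white space:
#
# <source-network> <nat-ip> <real-ip> <nat-priority> [<route-priority> <exempt-network> ...]
#
# -- field descriptions:
# field 1 this field contains a network address. Any packets from
# this network will be translated according to fields two and
# three, with the exception of any networks specified in fields
# 6 and higher. 0/0 means packets from any source address.
# field 2 contains the NAT IP, the IP that only exists as a publicly
# reachable IP for an internal host
# field 3 contains the real IP of the machine, usually an internal IP
# field 4 contains the priority for the NAT rule itself in the RPDB
# field 5 contains the priority for the routing rule in the RPDB. In
# order for the internal networks to reach the real IP of the
# server/host, this priority must be higher than the priority
# for the NAT rule. **lower numbers == higher priority**
# field 6+ contains a whitespace separated list of networks which
# should be able to reach the real IP (field 3) directly.
# The entries into the rule policy database (RPDB) for these
# networks will prevent packets from real-IP to dest-network
# from being rewritten with the NAT IP as the source IP.
# Networks specified here should be subnets of the network
# specified in field 1.
#
# -- notes
#
# - leading/trailing white space, lines beginning with a comment (#) and
# blank lines are ignored
# - field 5 should always be a lower number (higher priority) than field 4
# - fields 5 and 6+ are optional
# - fields 5 and 6+ must be used together, if used at all
# - a source of 0/0 in field 1 makes the NAT IP reachable from every
# network that can route to it; where only specific networks need the
# translation, name them in field 1 instead (see examples #3 and #4)
#
# -- examples
#
# - each example is commented with an English description of the network
# address translation which will occur
# - followed by a pseudo shellcode description of how to understand
# exactly what the NAT will look like
#
# -- example #1; NAT a single IP from anywhere
#
# 0/0 10.10.0.14 172.31.254.1 1000
#
# for packets from any address (0/0); do
# if destination_address is 10.10.0.14 ; then
# rewrite destination address from 10.10.0.14 to 172.31.254.1
# fi
# done
#
# -- example #2; NAT an entire network (from anywhere)
#
# 0/0 10.13.0.0/16 172.17.0.0/16 1000
#
# for packets from any address (0/0); do
# if destination_address is in 10.13.0.0/16 ; then
# rewrite destination address from 10.13.x.x to 172.17.x.x
# fi
# done
#
# -- example #3; NAT an entire network, but only from a specified network
#
# 10.10.0.0/16 10.15.0.0/24 192.168.0.0/24 1000
#
# if packet is from 10.10.0.0/16 ; then
# if destination_address is in 10.15.0.0/24 ; then
# rewrite destination address from 10.15.0.x to 192.168.0.x
# fi
# fi
#
# -- example #4; NAT an entire network, but only from a specified network;
# make an exception for certain IP ranges
#
# 10.10.0.0/16 10.15.2.0/24 192.168.2.0/24 1000 990 10.10.38.0/24
#
# if packet is from 10.10.0.0/16 and not from 10.10.38.0/24 ; then
# if destination_address is in 10.15.2.0/24 ; then
# rewrite destination address from 10.15.2.x to 192.168.2.x
# fi
# fi
#
# -- example #5; NAT a single IP from anywhere; don't NAT if from specified
# IP ranges
#
# 0/0 10.74.1.8 192.168.73.15 1000 990 192.168.71.0/24 192.168.70.0/24
#
# for packets from any address except 192.168.71.0/24 and 192.168.70.0/24; do
# if destination_address is 10.74.1.8 ; then
# rewrite destination address from 10.74.1.8 to 192.168.73.15
# fi
# done
#
# -- example #6; NAT to the same IP differently based on the source
# network IP ranges
#
# 0/0 10.74.1.8 192.168.73.15 1000
# 192.168.71.0/24 192.168.71.15 192.168.73.15 400
# 192.168.70.0/24 192.168.71.15 192.168.73.15 400
#
# N.B., the RPDB must traverse lines two and three first, hence the higher
# priority (400 is consulted before 1000). If the source network is not
# 192.168.{71,70}.0/24 then we'll meet the next entry, 1000.
# N.B., the third entry in this example will cause an RTNETLINK: file
# exists error, because there is already an entry in the local
# routing table for 192.168.71.15 --NAT--> 192.168.73.15. Known bug.
#
# for packets from 192.168.71.0/24 or 192.168.70.0/24; do
# if destination_address is 192.168.71.15 ; then
# rewrite destination address from 192.168.71.15 to 192.168.73.15
# fi
# done
#
# for packets from any address except 192.168.71.0/24 and 192.168.70.0/24; do
# if destination_address is 10.74.1.8 ; then
# rewrite destination address from 10.74.1.8 to 192.168.73.15
# fi
# done
#
# -- add your own configuration here

# -- end /etc/sysconfig/static-nat
# ]]> <!-- the line above closes the XML CDATA from above -->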