Setting Up NAT on Solaris Using IP Filter

Source: Internet | Editor: 程序博客网 | Time: 2024/04/29 15:09

Introduction

So, you've got several computers on your home or business network, and you'd like to be able to access the Internet from all of them, probably via a cable (or DSL) modem. Basically you have three options:

  1. You connect all your machines and your cable modem to a hub, set them all up as DHCP clients (see this page for how to do this on Solaris), and go for it.
  2. You set up one of your machines to do NAT (Network Address Translation), hiding the rest behind a firewall using RFC 1918 compliant addresses on your network.
  3. You use one of those Netgear routers, or something similar (e.g., those from Linksys), as your firewall, and let it perform NAT for you.

The last option is very popular, and is better than nothing, but you can't beat having your own dedicated firewall machine. The first method, as well as being insecure, lacks a certain je ne sais quoi, so I'll show you how to set up NAT using Darren Reed's IP Filter. If you want to use the first or last methods, you're on your own!

Hardware

In my experiments, I could only get NAT to work reliably when I had two physical interfaces (i.e., using two virtual interfaces, say hme0 and hme0:1, didn't work). I used hme1 to connect directly to my cable modem, and hme0 as the connection to the rest of my network via a 100 baseT switch. hme1 is under DHCP control per these instructions, and hme0 was set up the conventional way, with the hostname in /etc/hostname.hme0, and the corresponding IP address in /etc/hosts.

Installing IP Filter

By far the best way to get IP Filter is to install Solaris 10, which comes with Solaris IP Filter (which is based on IP Filter). For previous versions of Solaris, the best way to get IP Filter is to compile a copy of the latest source code, which can be downloaded from the IP Filter home page. As an alternative, I have a compiled version of the package here. This is IP Filter version 3.3.11, compiled on a Sun SPARCstation 20, running Solaris 2.6. I've also used it on a SPARCstation 2 running Solaris 7, but it is provided here without any support (I currently use the Solaris 10 version of IP Filter on a Sun Netra T1 105). You should probably download a more recent binary from Marauding Pirates.

Configuring IP Filter on Solaris 10

Once you've successfully installed IP Filter, you need to configure it. First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). As root, run this command:

    routeadm

If the "Current Configuration" column of the "IPv4 forwarding" row says "disabled", then you must enable it. You do this by running the following command (again, as root):

    routeadm -u -e ipv4-forwarding

The -e ipv4-forwarding option causes IPv4 forwarding to be enabled, and the -u flag causes the change to be applied to the running system (in addition to changing the settings when the system is next rebooted).
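The check-then-enable step above, as an added example that is not from the original article: a small Bourne shell script that parses the table routeadm prints, runs routeadm -u -e ipv4-forwarding only when the "Current Configuration" column says disabled, and then re-reads the "Current System State" column to confirm the running system picked the change up. The function names and the sample routeadm output are constructed for this example, and the ROUTEADM variable is an addition so the parsing can be exercised away from a Solaris box.

```shell
#!/bin/sh
# Added example (not from the original article): enable IPv4 forwarding
# via routeadm only when it is reported disabled, and verify afterwards.
# ROUTEADM may be overridden so the parsers can be tested on captured output.

ROUTEADM=${ROUTEADM:-/usr/sbin/routeadm}

# Read a routeadm table on stdin and print the "Current Configuration"
# column of the "IPv4 forwarding" row. Returns 1 if the row is absent.
ipv4_forwarding_config() {
    awk '$1 == "IPv4" && $2 == "forwarding" { print $3; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# Same row, but print the "Current System State" column (the running kernel).
ipv4_forwarding_state() {
    awk '$1 == "IPv4" && $2 == "forwarding" { print $4; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# Enable forwarding if the persistent configuration has it disabled, then
# return 0 only if the running system now reports it enabled.
ensure_ipv4_forwarding() {
    cfg=`"$ROUTEADM" | ipv4_forwarding_config` || return 1
    if [ "$cfg" != enabled ]; then
        "$ROUTEADM" -u -e ipv4-forwarding || return 1
    fi
    state=`"$ROUTEADM" | ipv4_forwarding_state` || return 1
    [ "$state" = enabled ]
}

# Constructed sample of routeadm output on a freshly installed Solaris 10 box
# (layout approximated; the parsers only rely on the column order).
SAMPLE_ROUTEADM='              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled'

# Demonstration on the sample rather than on the live system.
printf '%s\n' "$SAMPLE_ROUTEADM" | ipv4_forwarding_config
```

On a real box you would call ensure_ipv4_forwarding as root with ROUTEADM left at its default; the separate "config" and "state" parsers exist because routeadm can report the two columns disagreeing until -u has been applied or the machine rebooted.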

When you're happy that IP forwarding is enabled, you need to set up your NAT rules. The file /etc/ipf/ipnat.conf contains the rules you want to use. This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "hme1" and the "->" to suit your needs (note also that I've specified hme1; put the name of your outbound interface here instead):

    map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map hme1 192.168.0.0/24 -> 0/32

The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!

The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.

Once you've set up your NAT rules, you need to enable packet filtering for the interface type you're using. This is done by uncommenting the appropriate line(s) in /etc/ipf/pfil.ap:

    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil

When you're happy with your configuration, start the IP filter services:

    svcadm restart network/pfil
    svcadm restart ipfilter

The interfaces that you enabled packet filtering on by editing /etc/ipf/pfil.ap must be replumbed before you can use them. Here's how to do it, assuming your machine is set up like mine:

    ifconfig hme1 unplumb
    ifconfig hme1 plumb dhcp start

Another, perhaps easier, way is to simply reboot your machine. Although it smells like a typical Windoze "admin" kind of way of doing this, it does have the advantage of testing that your modifications will survive a reboot.

Assuming all is well, your firewall should now correctly handle NAT, even after a reboot. Assuming this is the case, enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.

Configuring IP Filter for Previous Versions of Solaris

If you're using a version of Solaris prior to Solaris 10 (and, assuming you have Solaris 10-capable hardware, I don't know why you wouldn't use Solaris 10), here is the older version of these instructions. But really, you should upgrade to Solaris 10!

First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). As root, run this command:

    ndd -get /dev/ip ip_forwarding

If the result is "1", you're all set. Zero means that IP forwarding is not enabled. To enable it, delete the file /etc/notrouter, and possibly /etc/defaultrouter too. Create an empty /etc/gateways file, and IP forwarding will be enabled at the next reboot.

One caveat applies, though: if you're using NAT and DHCP on the same server (like I do), IP forwarding will not get enabled. So, I install this script as /etc/init.d/ip_forwarding, with a symbolic link to it from /etc/rc2.d/S69ip_forwarding. With this script in place, IP forwarding will be enabled even if you are using a DHCP client.
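An rc script of the kind described above, written for this page as an added example; it is not the author's script (the link to that did not survive). It turns ip_forwarding on with ndd at run level 2, i.e. after the DHCP client has run, using the author's install path of /etc/init.d/ip_forwarding with a link from /etc/rc2.d/S69ip_forwarding. It assumes /usr/sbin/ndd and the /dev/ip ip_forwarding tunable of Solaris 2.6 through 9; the NDD variable and the rc_main function name are additions so the script's logic can be exercised without a Solaris kernel.

```shell
#!/bin/sh
# /etc/init.d/ip_forwarding -- added example rc script, not the author's own.
# Forces IPv4 forwarding on at run level 2 so that a NAT box that is also a
# DHCP client still forwards after boot. Assumes /usr/sbin/ndd and the
# /dev/ip ip_forwarding tunable. NDD may be overridden for testing.

NDD=${NDD:-/usr/sbin/ndd}

# Set /dev/ip ip_forwarding to $1 (1 = on, 0 = off).
set_forwarding() {
    "$NDD" -set /dev/ip ip_forwarding "$1"
}

# Print the current value of ip_forwarding ("0" or "1").
get_forwarding() {
    "$NDD" -get /dev/ip ip_forwarding
}

# Dispatch on the usual rc verbs; returns 1 (after a usage message) otherwise.
rc_main() {
    case "$1" in
        start)
            set_forwarding 1
            ;;
        stop)
            set_forwarding 0
            ;;
        status)
            if [ "`get_forwarding`" = 1 ]; then
                echo "ip_forwarding: enabled"
            else
                echo "ip_forwarding: disabled"
            fi
            ;;
        *)
            echo "Usage: $0 { start | stop | status }" >&2
            return 1
            ;;
    esac
}

# Invoked by init with an argument; with none, only the functions are defined.
if [ $# -gt 0 ]; then
    rc_main "$@"
fi
```

The S69 prefix matters: it places the script after the network and DHCP client scripts in /etc/rc2.d, which is the whole point given the caveat above. Since ndd changes are not persistent, "start" must run on every boot; "status" gives you a quick check after a reboot without remembering the ndd syntax.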

When you're happy that IP Filter is running, and IP forwarding is enabled, you need to set up your NAT rules. The file /etc/opt/ipf/ipnat.conf contains the rules you want to use. This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "hme1" and the "->" to suit your needs (note also that I've specified hme1; put the name of your outbound interface here instead):

    map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map hme1 192.168.0.0/24 -> 0/32

The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!

The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.
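The ipnat.conf rules and the warning about their order appear twice on this page, once for Solaris 10 (/etc/ipf/ipnat.conf) and once for earlier releases (/etc/opt/ipf/ipnat.conf); this added example serves both sections and is not code from the original article. It generates the three map rules for a given outbound interface and internal subnet, refuses a subnet outside the RFC 1918 ranges the article assumes, and checks that an existing ipnat.conf keeps the FTP proxy rule before the portmap rule and the bare catch-all map last, since IP Filter takes the first map rule that matches. The function names and the sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): emit the article's three
# ipnat.conf map rules for an interface and subnet, and check that an
# existing ipnat.conf keeps them in the order the article says matters.

# Return 0 if the subnet (a.b.c.d/n) lies in an RFC 1918 private range.
is_rfc1918() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the three map rules for outbound interface $1 and subnet $2, specific
# rules first, because the first matching map rule is the one IP Filter uses.
gen_ipnat_rules() {
    iface=$1; net=$2
    if ! is_rfc1918 "$net"; then
        echo "gen_ipnat_rules: $net is not an RFC 1918 subnet" >&2
        return 1
    fi
    printf 'map %s %s -> 0/32 proxy port ftp ftp/tcp\n' "$iface" "$net"
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$iface" "$net"
    printf 'map %s %s -> 0/32\n' "$iface" "$net"
}

# Read an ipnat.conf on stdin; return 0 only if the first FTP proxy rule
# precedes the first portmap rule, which precedes the first plain map rule.
check_ipnat_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        !/^[ \t]*map / { next }             # only map rules are checked
        /proxy port ftp/ { if (!p) p = NR; next }
        /portmap/        { if (!m) m = NR; next }
                         { if (!c) c = NR }
        END { ok = (p && m && c && p < m && m < c); exit (ok ? 0 : 1) }
    '
}

# Constructed sample: the article's rules as they should appear.
GOOD_IPNAT='map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map hme1 192.168.0.0/24 -> 0/32'

# Constructed sample with the catch-all first: it would match every packet
# before the FTP proxy rule ever saw one.
BAD_IPNAT='map hme1 192.168.0.0/24 -> 0/32
map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto'

# Demonstration: generate the article's rules and confirm their order.
gen_ipnat_rules hme1 192.168.0.0/24 | check_ipnat_order && echo "ipnat rule order OK"
```

Running check_ipnat_order against the file before each ipfboot restart or svcadm restart catches the "I just moved a line" mistake the article warns about. Bear in mind that ipnat.conf only rewrites addresses and ports; which packets are allowed in or out of the NAT box at all is decided by the separate ipf.conf filter rules, which this article does not cover.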

Use /etc/init.d/ipfboot stop and /etc/init.d/ipfboot start to test your configuration, and when you're happy that all is working well, reboot. This will make sure that everything still works as expected, even after a reboot.

That's about it - enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.
