| Setting Up NAT on Solaris Using IP Filter |
Contents |
 |
Introduction
So, you've got several computers on your home or business network, and you'd like to be able to access the Internet from all of them, probably via a cable (or DSL) modem. Basically you have three options:
- You connect all your machines and your cable modem to a hub, set them all up as DHCP clients (see this page for how to do this on Solaris), and go for it.
- You set up one of your machines to do NAT (Network Address Translation), hiding the rest behind a firewall using RFC 1918 compliant addresses on your network.
- You use one of those Netgear routers, or someting similar (e.g., those from Linksys), as your firewall, and let it perform NAT for you.
The last option is very popular, and is better than nothing, but you can't beat having your own dedicated firewall machine. The first method, as well as being insecure, lacks a certain je ne sais quoi, so I'll show you how to set up NAT using Darren Reed's IP Filter. If you want to use the first or last methods, you're on your own!
Hardware
In my experiments, I could only get NAT to work reliably when I had two physical interfaces (i.e., using two virtual interfaces, say hme0 and hme0:1, didn't work). I used hme1 to connect directly to my cable modem, and hme0 as the connection to the rest of my network via a 100 baseT switch. hme1 is under DHCP control per these instructions, and hme0 was set up the conventional way, with the hostname in /etc/hostname.hme0, and the corresponding IP address in /etc/hosts.
Installing IP Filter
By far the best way to get IP Filter is install Solaris 10, which comes with Solaris IP Filter (which is based on IP Filter). For previous versions of Solaris, the best way to get IP Filter is to compile a copy of the latest source code, which can be downloaded from the IP Filter home page. As an alternative, I have a compiled version of the package here. This is IP Filter version 3.3.11, compiled on a Sun SPARCstation 20, running Solaris 2.6. I've also used it on a SPARCstation 2 running Solaris 7, but it is provided here without any support (I currently use the Solaris 10 version of IP Filter on a Sun Netra T1 105). You should probably download a more recent binary from Marauding Pirates.
Configuring IP Filter on Solaris 10
Once you've successfully installed IP Filter,
you need to configure it. First of all, you
need to make sure that your NAT box will forward
IP packets (it's possible this ability was disabled
for security reasons). As root, run this command:
routeadm
If the "Current Configuration" column of the "IPv4 forwarding"
row says "disabled", then you must enable it. You do this by
running the following command (again, as root):
routeadm -u -e ipv4-forwarding
The -e ipv4-forwarding option causes IPv4 forwarding
to be enabled, and the -u flag causes the change to
be applied to the running system (in addition to changing the
settings when the system is next rebooted).
When you're happy that IP forwarding is enabled, you need to set
up your NAT rules. The file /etc/ipf/ipnat.conf
contains the rules you want to use.
This is the ipnat.conf
file I use, bearing in mind that all of my machines have
an IP address in the 192.168.0.1 to 192.168.0.254 range;
you should change the addresses between "hme1" and the "->"
to suit your needs (note also that I've specified hme1;
put the name of your outbound interface here instead):
map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map hme1 192.168.0.0/24 -> 0/32
The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!
The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.
Once you've set up your NAT rules, you need to enable packet
filtering for the interface type you're using. This is
done by uncommenting the appropriate line(s) in /etc/ipf/pfil.ap:
#le -1 0 pfil
#qe -1 0 pfil
hme -1 0 pfil
When you're happy with your configuration, start the
IP filter services:
svcadm restart network/pfil
svcadm restart ipfilter
The interfaces that you enabled packet filtering on by editing
/etc/ipf/pfil.ap must be replumbed before you can use
them. Here's how to do it, assuming your machine is set up
like mine:
ifconfig hme1 unplumb
ifconfig hme1 plumb dhcp start
Another, perhaps easier, way is to simply reboot your machine.
Although it smells like a typical Windoze "admin" kind of way
of doing this, it does have the advantage of testing that your
modifications will survive a reboot.
Assuming all is well, your firewall should now correctly handle NAT, even after a reboot. Assuming this is the case, enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.
Configuring IP Filter for Previous Versions of Solaris
If you're using a version of Solaris prior to Solaris 10, and assuming you have Solaris 10-capable hardware, I don't know why you wouldn't use Solaris 10, here is the older version of these instructions. But really, you should upgrade to Solaris 10!
First of all, you need to make sure that your NAT box will forward
IP packets (it's possible this ability was disabled
for security reasons). As root, run this command:
ndd -get /dev/tcp ip_forwarding
If the result is "1", you're all set. Zero means
that IP forwarding is not enabled. To enable it,
delete the file /etc/notrouter, and
possibly /etc/defaultrouter too. Create
an empty /etc/gateways file, and IP forwarding
will be enabled at the next reboot.
One caveat applies, though: if you're using NAT and DHCP on the same server (like I do), IP forwarding will not get enabled. So, I install this script as /etc/init.d/ip_forwarding, with a symbolic link to it from /etc/rc2.d/S69ip_forwarding. With this script in place, IP forwarding will be enabled even if you are using a DHCP client.
When you're happy that IP Filter is running, and
IP forwarding is enabled, you need to set up your
NAT rules. The file /etc/opt/ipf/ipnat.conf
contains the rules you want to use.
This is the ipnat.conf
file I use, bearing in mind that all of my machines have
an IP address in the 192.168.0.1 to 192.168.0.254 range;
you should change the addresses between "hme1" and the "->"
to suit your needs (note also that I've specified hme1;
put the name of your outbound interface here instead):
map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map hme1 192.168.0.0/24 -> 0/32
The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!
The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.
Use /etc/init.d/ipfboot stop and /etc/init.d/ipfboot start to test your configuration, and when you're happy that all is working well, reboot. This will make sure that everything still works as expected, even after a reboot.
That's about it - enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.