Rite logo
Setting Up NAT on Solaris Using IP Filter
Contents

Introduction

So, you've got several computers on your home or business network, and you'd like to be able to access the Internet from all of them, probably via a cable (or DSL) modem. Basically you have three options:

  1. You connect all your machines and your cable modem to a hub, set them all up as DHCP clients (see this page for how to do this on Solaris), and go for it.
  2. You set up one of your machines to do NAT (Network Address Translation), hiding the rest behind a firewall using RFC 1918 compliant addresses on your network.
  3. You use one of those Netgear routers, or someting similar (e.g., those from Linksys), as your firewall, and let it perform NAT for you.

The last option is very popular, and is better than nothing, but you can't beat having your own dedicated firewall machine. The first method, as well as being insecure, lacks a certain je ne sais quoi, so I'll show you how to set up NAT using Darren Reed's IP Filter. If you want to use the first or last methods, you're on your own!

Hardware

In my experiments, I could only get NAT to work reliably when I had two physical interfaces (i.e., using two virtual interfaces, say hme0 and hme0:1, didn't work). I used hme1 to connect directly to my cable modem, and hme0 as the connection to the rest of my network via a 100 baseT switch. hme1 is under DHCP control per these instructions, and hme0 was set up the conventional way, with the hostname in /etc/hostname.hme0, and the corresponding IP address in /etc/hosts.

Installing IP Filter

By far the best way to get IP Filter is install Solaris 10, which comes with Solaris IP Filter (which is based on IP Filter). For previous versions of Solaris, the best way to get IP Filter is to compile a copy of the latest source code, which can be downloaded from the IP Filter home page. As an alternative, I have a compiled version of the package here. This is IP Filter version 3.3.11, compiled on a Sun SPARCstation 20, running Solaris 2.6. I've also used it on a SPARCstation 2 running Solaris 7, but it is provided here without any support (I currently use the Solaris 10 version of IP Filter on a Sun Netra T1 105). You should probably download a more recent binary from Marauding Pirates.

Configuring IP Filter on Solaris 10

Once you've successfully installed IP Filter, you need to configure it. First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). As root, run this command:

    routeadm

If the "Current Configuration" column of the "IPv4 forwarding" row says "disabled", then you must enable it. You do this by running the following command (again, as root):

    routeadm -u -e ipv4-forwarding

The -e ipv4-forwarding option causes IPv4 forwarding to be enabled, and the -u flag causes the change to be applied to the running system (in addition to changing the settings when the system is next rebooted).

When you're happy that IP forwarding is enabled, you need to set up your NAT rules. The file /etc/ipf/ipnat.conf contains the rules you want to use. This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "hme1" and the "->" to suit your needs (note also that I've specified hme1; put the name of your outbound interface here instead):

    map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map hme1 192.168.0.0/24 -> 0/32

The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!

The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.

Once you've set up your NAT rules, you need to enable packet filtering for the interface type you're using. This is done by uncommenting the appropriate line(s) in /etc/ipf/pfil.ap:

    #le     -1      0       pfil
    #qe     -1      0       pfil
    hme     -1      0       pfil

When you're happy with your configuration, start the IP filter services:

    svcadm restart network/pfil
    svcadm restart ipfilter

The interfaces that you enabled packet filtering on by editing /etc/ipf/pfil.ap must be replumbed before you can use them. Here's how to do it, assuming your machine is set up like mine:

    ifconfig hme1 unplumb
    ifconfig hme1 plumb dhcp start

Another, perhaps easier, way is to simply reboot your machine. Although it smells like a typical Windoze "admin" kind of way of doing this, it does have the advantage of testing that your modifications will survive a reboot.

Assuming all is well, your firewall should now correctly handle NAT, even after a reboot. Assuming this is the case, enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.

Configuring IP Filter for Previous Versions of Solaris

If you're using a version of Solaris prior to Solaris 10, and assuming you have Solaris 10-capable hardware, I don't know why you wouldn't use Solaris 10, here is the older version of these instructions. But really, you should upgrade to Solaris 10!

First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). As root, run this command:

    ndd -get /dev/tcp ip_forwarding

If the result is "1", you're all set. Zero means that IP forwarding is not enabled. To enable it, delete the file /etc/notrouter, and possibly /etc/defaultrouter too. Create an empty /etc/gateways file, and IP forwarding will be enabled at the next reboot.

One caveat applies, though: if you're using NAT and DHCP on the same server (like I do), IP forwarding will not get enabled. So, I install this script as /etc/init.d/ip_forwarding, with a symbolic link to it from /etc/rc2.d/S69ip_forwarding. With this script in place, IP forwarding will be enabled even if you are using a DHCP client.

When you're happy that IP Filter is running, and IP forwarding is enabled, you need to set up your NAT rules. The file /etc/opt/ipf/ipnat.conf contains the rules you want to use. This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "hme1" and the "->" to suit your needs (note also that I've specified hme1; put the name of your outbound interface here instead):

    map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map hme1 192.168.0.0/24 -> 0/32

The 0/32 stuff is some magic to tell IP Filter to use the address currently assigned to the interface - very useful in DHCP client environments!

The order of the rules is important; don't change them unless you know what you're doing, otherwise things will break! The first rule allows FTP access from all of your hosts. The second maps the source port numbers to a high range (10000 to 40000 by default), and the third rule maps all other TCP traffic.

Use /etc/init.d/ipfboot stop and /etc/init.d/ipfboot start to test your configuration, and when you're happy that all is working well, reboot. This will make sure that everything still works as expected, even after a reboot.

That's about it - enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.



Send any questions or comments to: rich.teer@rite-group.com
Copyright © 1997-2006 by Rich Teer

Valid HTML 4.01!