
Setting Up NAT on Solaris Using IP Filter

2008-09-06 07:05 (771 views)

Introduction

So, you've got several computers on your home or
business network, and you'd like to be able to
access the Internet from all of them, probably
via a cable (or DSL) modem. Basically you have
three options:

You connect all your machines and your cable modem
to a hub, set them all up as DHCP clients (see
this page
for how to do this on Solaris), and go for it.

You set up one of your machines to do NAT (Network
Address Translation), hiding the rest behind a firewall
using RFC 1918
compliant addresses on your network.

You use one of those Netgear routers, or something
similar (e.g., those from Linksys), as your firewall,
and let it perform NAT for you.



The last option is very popular, and is better than
nothing, but you can't beat having your own dedicated
firewall machine. The first method, as well as being
insecure, lacks a certain je ne sais quoi, so
I'll show you how to set up NAT using Darren Reed's
IP Filter.
If you want to use the first or last methods, you're on your own!


Hardware

In my experiments, I could only get NAT to work reliably
when I had two physical interfaces (i.e., using two
virtual interfaces, say hme0 and hme0:1, didn't work).
I used hme1 to connect directly to my cable modem, and
hme0 as the connection to the rest of my network via a
100 baseT switch. hme1 is under DHCP control per
these instructions, and hme0
was set up the conventional way, with the hostname in
/etc/hostname.hme0, and the corresponding IP address
in /etc/hosts.


Installing IP Filter

By far the best way to get IP Filter is to install Solaris 10,
which comes with Solaris IP Filter (which is based on IP Filter).
For previous versions of Solaris, the best way to get IP Filter
is to compile a copy of the latest source code, which can be downloaded
from the IP Filter home page.
As an alternative, I have a compiled version of the package
here. This is IP Filter version 3.3.11,
compiled on a Sun SPARCstation 20, running Solaris 2.6. I've also used
it on a SPARCstation 2 running Solaris 7, but it is provided here without
any support (I currently use the Solaris 10 version of IP Filter on a Sun Netra T1 105).
You should probably download a more recent binary from
Marauding Pirates.


Configuring IP Filter on Solaris 10

Once you've successfully installed IP Filter,
you need to configure it. First of all, you
need to make sure that your NAT box will forward
IP packets (it's possible this ability was disabled
for security reasons). As root, run this command:



routeadm



If the "Current Configuration" column of the "IPv4 forwarding"
row says "disabled", then you must enable it. You do this by
running the following command (again, as root):



routeadm -u -e ipv4-forwarding



The -e ipv4-forwarding option causes IPv4 forwarding
to be enabled, and the -u flag causes the change to
be applied to the running system (in addition to changing the
settings when the system is next rebooted).



When you're happy that IP forwarding is enabled, you need to set
up your NAT rules. The file /etc/ipf/ipnat.conf
contains the rules you want to use.
This is the ipnat.conf
file I use, bearing in mind that all of my machines have
an IP address in the 192.168.0.1 to 192.168.0.254 range;
you should change the addresses between "hme1" and the "->"
to suit your needs (note also that I've specified hme1;
put the name of your outbound interface here instead):




map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map hme1 192.168.0.0/24 -> 0/32







The 0/32 stuff is some magic to tell IP Filter
to use the address currently assigned to the interface - very
useful in DHCP client environments!



The order of the rules is important; don't change
them unless you know what you're doing, otherwise
things will break! The first rule allows FTP access
from all of your hosts. The second maps the source
port numbers to a high range (10000 to 40000 by default),
and the third rule maps all other TCP traffic.



Once you've set up your NAT rules, you need to enable packet
filtering for the interface type you're using. This is
done by uncommenting the appropriate line(s) in /etc/ipf/pfil.ap:



#le -1 0 pfil

#qe -1 0 pfil

hme -1 0 pfil
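As an added example (my own, not part of the original page), the POSIX shell checks below encode what this section says about ipnat.conf and pfil.ap before you restart the services: every map rule must name the same outbound interface, the rules must run proxy, then portmap, then the plain catch-all map, and the driver of that interface (hme for hme1) must have an uncommented line in pfil.ap. The sample file contents are constructed copies of the ones shown above, with hme1 assumed as the outbound interface.

```shell
#!/bin/sh
# Constructed samples mirroring the article's files (assumed outbound interface hme1).
SAMPLE_IPNAT_CONF='map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map hme1 192.168.0.0/24 -> 0/32'
SAMPLE_PFIL_AP='#le -1 0 pfil
#qe -1 0 pfil
hme -1 0 pfil'

# check_ipnat_rules: read ipnat.conf on stdin; print "ok" when every map rule
# uses one outbound interface and the rules run proxy -> portmap -> plain map,
# with the plain (catch-all) map last. Otherwise print the first problem, exit 1.
check_ipnat_rules() {
    awk '
    BEGIN { rank["proxy"] = 1; rank["portmap"] = 2; rank["plain"] = 3 }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    $1 != "map" { print "line " NR ": not a map rule"; bad = 1; exit }
    {
        n++
        if (iface == "") iface = $2
        else if ($2 != iface) {
            print "line " NR ": interface " $2 " differs from " iface; bad = 1; exit
        }
        if ($0 ~ / proxy /)        kind = "proxy"
        else if ($0 ~ / portmap /) kind = "portmap"
        else                       kind = "plain"
        if (rank[kind] < last) {
            print "line " NR ": " kind " rule must come before " lastkind; bad = 1; exit
        }
        last = rank[kind]; lastkind = kind
    }
    END {
        if (bad) exit 1
        if (n == 0)              { print "no map rules"; exit 1 }
        if (lastkind != "plain") { print "catch-all map rule must be last"; exit 1 }
        print "ok"
    }'
}

# check_pfil_ap IFACE: read pfil.ap on stdin; print "ok" when the driver of
# IFACE (hme1 -> hme) has an uncommented pfil line, else "missing".
check_pfil_ap() {
    drv=$(printf '%s' "$1" | sed 's/[0-9]*$//')
    if awk -v d="$drv" '$1 == d && $NF == "pfil" { found = 1 } END { exit !found }'
    then echo ok; else echo missing; fi
}

printf '%s\n' "$SAMPLE_IPNAT_CONF" | check_ipnat_rules
printf '%s\n' "$SAMPLE_PFIL_AP"    | check_pfil_ap hme1
```

On a real box, feed the functions with `check_ipnat_rules < /etc/ipf/ipnat.conf` and `check_pfil_ap hme1 < /etc/ipf/pfil.ap`.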





When you're happy with your configuration, start the
IP filter services:



svcadm restart network/pfil

svcadm restart ipfilter



The interfaces that you enabled packet filtering on by editing
/etc/ipf/pfil.ap must be replumbed before you can use
them. Here's how to do it, assuming your machine is set up
like mine:



ifconfig hme1 unplumb

ifconfig hme1 plumb dhcp start



Another, perhaps easier, way is to simply reboot your machine.
Although it smells like a typical Windoze "admin" kind of way
of doing this, it does have the advantage of testing that your
modifications will survive a reboot.



Assuming all is well, your firewall should now correctly handle NAT,
even after a reboot. Assuming this is the case, enjoy! If this page
has been useful to you, please consider buying a copy of my book,
Solaris Systems Programming.


Configuring IP Filter for Previous Versions of Solaris

If you're using a version of Solaris prior to Solaris 10 (and,
assuming you have Solaris 10-capable hardware, I don't know
why you wouldn't use Solaris 10), here is the older version
of these instructions. But really, you should upgrade to Solaris 10!



First of all, you need to make sure that your NAT box will forward
IP packets (it's possible this ability was disabled
for security reasons). As root, run this command:



ndd -get /dev/ip ip_forwarding



If the result is "1", you're all set. Zero means
that IP forwarding is not enabled. To enable it,
delete the file /etc/notrouter, and
possibly /etc/defaultrouter too. Create
an empty /etc/gateways file, and IP forwarding
will be enabled at the next reboot.



One caveat applies, though: if you're using NAT and
DHCP on the same server (like I do), IP forwarding will not
get enabled. So, I install this script
as /etc/init.d/ip_forwarding, with a symbolic
link to it from /etc/rc2.d/S69ip_forwarding.
With this script in place, IP forwarding will be enabled
even if you are using a DHCP client.
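The script the author links to is not reproduced on this page; what follows is my own version of such an /etc/init.d/ip_forwarding rc script (an added example, not the author's). It assumes ndd lives in /usr/sbin and that the ip_forwarding tunable is read and set through /dev/ip; the NDD variable is there so the functions can be exercised without touching a live kernel.

```shell
#!/bin/sh
# /etc/init.d/ip_forwarding: my own version of the rc script described above
# (an added example, not the author's). Linked from /etc/rc2.d/S69ip_forwarding
# it runs after the DHCP client has brought the interface up and turns
# forwarding back on. Assumes ndd is /usr/sbin/ndd and that the ip_forwarding
# tunable is reached through /dev/ip; NDD can be overridden for testing.
NDD=${NDD:-/usr/sbin/ndd}

# ip_forwarding_state: print the current value of ip_forwarding (0 or 1).
ip_forwarding_state() {
    "$NDD" -get /dev/ip ip_forwarding
}

# set_ip_forwarding 0|1: set the tunable, then read it back to confirm it took.
# Returns 1 if ndd fails or the value read back differs from what was asked for.
set_ip_forwarding() {
    "$NDD" -set /dev/ip ip_forwarding "$1" || return 1
    [ "$(ip_forwarding_state)" = "$1" ]
}

case "$1" in
    start) set_ip_forwarding 1 ;;
    stop)  set_ip_forwarding 0 ;;
    "")    ;;   # no argument: just define the functions (e.g. when sourced)
    *)     echo "usage: $0 start|stop" >&2; exit 1 ;;
esac
```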



When you're happy that IP Filter is running, and
IP forwarding is enabled, you need to set up your
NAT rules. The file /etc/opt/ipf/ipnat.conf
contains the rules you want to use.
This is the ipnat.conf
file I use, bearing in mind that all of my machines have
an IP address in the 192.168.0.1 to 192.168.0.254 range;
you should change the addresses between "hme1" and the "->"
to suit your needs (note also that I've specified hme1;
put the name of your outbound interface here instead):



map hme1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map hme1 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map hme1 192.168.0.0/24 -> 0/32






The 0/32 stuff is some magic to tell IP Filter
to use the address currently assigned to the interface - very
useful in DHCP client environments!



The order of the rules is important; don't change
them unless you know what you're doing, otherwise
things will break! The first rule allows FTP access
from all of your hosts. The second maps the source
port numbers to a high range (10000 to 40000 by default),
and the third rule maps all other TCP traffic.



Use /etc/init.d/ipfboot stop and
/etc/init.d/ipfboot start to test your
configuration, and when you're happy that all is
working well, reboot. This will make sure that everything
still works as expected, even after a reboot.