     ipmap      ::= mapit ifname ipmask "->" ipmask [ mapport ] .
     mapit      ::= "map" | "rdr" .
     ipmask     ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
     mapport    ::= "portmap" tcpudp portnumber ":" portnumber .
     tcpudp     ::= "tcp" | "udp" | "tcp/udp" .
     portnumber ::= number { numbers } .
     ifname     ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
     numbers    ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
For standard NAT functionality, a rule should start with map and then proceed to specify the interface on which outgoing packets will have their source address rewritten.
Packets which will be rewritten can only be selected by matching the original source address. A netmask must be specified with the IP address.
The address selected for replacing the original is chosen from an IP number/netmask pair. A netmask of all 1's (indicating a hostname) is valid. A netmask of 31 1's (255.255.255.254) is considered invalid, as there is no space left for allocating host IP numbers once the broadcast and network addresses are taken into account.
When remapping TCP and UDP packets, it is also possible to change the source port number. Either TCP or UDP or both can be selected by each rule, with a range of port numbers to remap into given as port-number:port-number.
map ppp0 10.0.0.0/8 -> 209.1.2.0/24
The obvious problem here is that we are trying to squeeze over 16,000,000 IP addresses into a 254-address space. To increase the scope for TCP and/or UDP, port remapping can be used:
map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
which falls only 527,566 `addresses' short of the space available in network 10. If we were to combine these rules, they would need to be specified as follows:
map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map ppp0 10.0.0.0/8 -> 209.1.2.0/24
so that all TCP/UDP packets are port mapped and only other protocols, such as ICMP, have just their IP number changed.
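As an added example (not part of the ipnat documentation or the IP Filter sources), the following Python parser reads map/rdr rules in the grammar above, rejects the 255.255.255.254 netmask the text calls invalid, and counts how many address/port translation slots a rule offers against the source space it covers. It assumes the ifname form "letters followed by digits" and that a /32 mask names one host while any wider mask loses its network and broadcast addresses.

```python
import ipaddress
import re

# Hypothetical parser for the ipnat "map"/"rdr" grammar; not IP Filter code.
RULE_RE = re.compile(
    r"^(map|rdr)\s+([A-Za-z]+\d*)\s+(.+?)\s*->\s*(.+?)"
    r"(?:\s+portmap\s+(tcp|udp|tcp/udp)\s+(\d+):(\d+))?\s*$"
)

def parse_ipmask(text):
    # Accept the "ip/bits", "ip/mask" and "ip netmask mask" forms.
    m = re.match(r"^(\S+)\s+netmask\s+(\S+)$", text)
    if m:
        text = f"{m.group(1)}/{m.group(2)}"
    net = ipaddress.IPv4Network(text, strict=False)
    if net.prefixlen == 31:
        raise ValueError("255.255.255.254 leaves no host addresses to allocate")
    return net

def host_slots(net):
    # A /32 names a single host; otherwise drop network and broadcast.
    return 1 if net.prefixlen == 32 else net.num_addresses - 2

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable NAT rule: {line!r}")
    kind, ifname, src, dst, proto, lo, hi = m.groups()
    rule = {"kind": kind, "ifname": ifname,
            "src": parse_ipmask(src), "dst": parse_ipmask(dst)}
    if proto:
        lo, hi = int(lo), int(hi)
        if not (0 < lo <= hi <= 65535):
            raise ValueError("portmap range must be ordered and within 1..65535")
        rule["portmap"] = (proto, lo, hi)
    return rule

def capacity(rule):
    # Distinct (address, port) mappings the rule can hand out at once.
    slots = host_slots(rule["dst"])
    if "portmap" in rule:
        _, lo, hi = rule["portmap"]
        slots *= hi - lo + 1
    return slots

def shortfall(rule):
    # Source hosts that cannot all be translated concurrently (0 if enough).
    return max(0, host_slots(rule["src"]) - capacity(rule))
```

The exact shortfall depends on how you count the source space (with or without its network and broadcast addresses), so the figure differs slightly from the one quoted in the text.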