Network Address Translation (NAT)
AbstractThis is a quick tutorial on how to set up an OpenBSD 3.0 system to run as a firewall, NAT proxy, time and DHCP server on a system connected to the Internet via broadband like DSL or cable. The reader is not expected to be a Unix expert (why would a Unix expert need this how-to?) -- if you don't understand something, or something looks intimidating, read on and come back to it. If something still doesn't make sense, let me know.
Caveat: There may be instances of hyperbole and irony (perhaps even syncopy) in this document. Brush up your critical reasoning.
I have a shell script that sets up everything mentioned
here. This is still experimental but if you try it, please
let me know how it goes. Save
this file to disk and run it by typing
"sh config30-fw.sh". (Doesn't handle PPPoE [the beast].)
There is a new section called Tips and Stuff where I put things I've found or written that are useful sysadmin tools.
Why OpenBSD? It's simple and secure. Your firewall machine
should not have lots of things installed on it; therefore
no exotic hardware, graphical desktops, X11 servers etc. --
put those on your desktop machine. A simpler system is more
robust and more secure; this machine only offers
SMTP (email), ssh, ping/traceroute and optionally HTTP
(web) to the outside world. And since it's running Unix,
you can log in to it -- securely -- using ssh from anywhere
on the Internet and make any changes you need to. (N.B.:
never use telnet to connect to a machine
over the Internet! Anyone can eavesdrop and grab
important information like passwords. Only use
ssh, which encrypts all communication so that
eavesdroppers don't get any information. And verify those key
fingerprints or you leave yourself open to a man-in-the-middle
attack.)
The utility and security of having this kind of machine: a firewall protects your data and systems from the Big, Bad Internet. When the bad guys are out to vandalise machines on the Internet, MS-Windows machines of various kinds are prime targets because they suck. Er, I mean, Windows is really hard to secure. (Not that an incompetently run Unix machine is any better, of course.) When you dialled in on the phone, your machine was on the 'net for brief periods; with DSL or cable it's vulnerable all the time.
This tutorial assumes that you have some familiarity with
using Unix: what filenames look like, how to copy and edit
files etc. There's a decent
Unix
tutorial on the web. The most important command to
remember is man (short for "manual") -- if I say
something like "read the documentation for foobar
it means you should type man foobar. One other
piece of Unix argot: if you hear someone write
select(2) it indicates that the manual for
select is in section 2, i.e. you would read the
manpage by typing man 2 select.
NAT allows you to connect lots of PCs up to one network connection. When any of the machines wants to make a connection to some server out there, the NAT box intercepts that request, and sends the request off as though it came from the NAT machine. When the reply arrives, it is sent off to the machine that made the connection. Neither the server nor the machines on the inside know that all this is going on.
Aside: NAT is also called PAT, for "Port Address
Translation." Also, read
this interesting
article by HRH Prince Philip, Duke of Edinburgh, on
setting up PAT and DHCP on Cisco routers. The whole
routergod.com site
features many celebrities offering helpful tips on various
network issues.
Even if you don't want plan on having more than one PC at
home, NAT is useful, because it allows the machine running
your firewall to be different from your main
workstation. You probably want to install fancy hardware and
software on your machine; but every additional package
installed on a firewall makes it more vulnerable.
Note: if you only have one machine on the "inside", you don't need an ethernet hub; use a crossover cable to connect the two machines directly. This also has the advantage that you can get a full-duplex connection between the machines (a hub only allows a half-duplex connection).
Note: you can buy little NAT/DHCP boxes from various manufacturers for about $150, but where's the fun in that? Besides, who knows how strong the security is on those things. With OpenBSD you know you're getting the best.
The machine itself: I prefer to build these machines up from individual components rather than buying a pre-made box. That way I can get name-brand supported components, and it works out slightly cheaper since I don't have to get exotic video cards, sound cards, CD-ROM drives etc. (Not to mention a Fisher-Price operating system that you will be required to pay for.)
Can you build a PC? Well, no one showed me how, but I've managed to put together about 10 or so systems, so it can't be that hard. If you've assembed anything with screwdrivers etc. you'll be fine. There are numerous sites on the web that walk you through building a PC. Go do a Google search and read those. I especially like the one at Acme Labs by Jef Poskanzer. There's also an excellent motherboard finder at Acme.
Caveat: specific recommendations will be outdated as soon as I write them! I like to use AMD CPUs because I believe Intel is evil and as far as possible I'd like to not buy their products. I'd get the current not-top-of-the-line CPU i.e. the one that costs about $50 and a compatible motherboard that costs in the range of $70. I stay away from integrated components because they're usually garbage. (For a server that I don't use directly I might get integrated video.) Spend about $30-50 on RAM, $30 on ethernet, $60 on an IDE disk, $30 for a case (with power supply). I usually find the best prices on components at Directron and CompuVest. These have both been non-sleazy (everything was as described in their catalog and shipping was prompt) in all my dealings with them -- but let me know if you find any evidence of sleaziness.
All these components add up to around $300 -- and that's brand-new stuff. If you have any old components lying around, they will be fine. You don't need a keyboard, mouse or monitor when the system is up and running -- all maintenance on it can be done over the network. (While you're installing the OS on the machine you will need to hook up a keyboard, monitor and CD-ROM drive to it, of course.)
While installing the system, I plug in a spare CD-ROM drive, keyboard and monitor. Change the BIOS settings so that the machine will boot without a keyboard etc. Boot off the OpenBSD 3.0 CD and install the system. All the hardware should be recognised without any problems. (The installation guide booklet that comes with the CDs is excellent.)
The easiest way to install OpenBSD is to buy the distribution on CDs. Although you can install it via the network, buying the CD will help make sure that the OpenBSD project will continue to improve and better the system. If you can afford an outlay of US$30, please buy the CDs from the OpenBSD ordering site.
When you're installing OpenBSD, the installer program will
ask you for disklabel information (partitions). On a Unix
system, a group of files organised together is called a
filesystem. The disk is partitioned into various pieces
each of which will hold one filesystem.
This is the filesystem breakup and partition sizes I'd use for a
12GB disk (if your disk is bigger, you can just increase the
size of /var (for web files) or /home (for
your personal files) -- the system will be more than happy with
these sizes for /, /tmp and /usr):
/dev/wd0a 100M /
/dev/wd0d 400M /tmp
/dev/wd0e 4GB /var
/dev/wd0g 2GB /usr
/dev/wd0h 5GB /home
(The convention is that a is always /,
b is swap and c is the whole disk.) Your web
files will live in /var, and your other files in
/home.
This is all overkill; /usr only needs about 600M
or so. Say pad it to 1GB. A 2GB disk would be plenty for
the system, but if the cheapest disk you can get is 13GB....
Note for Unix newcomers: the disk is named
/dev/wd0, and in this case it has 5 partitions
with names /dev/wd0a, /dev/wd0d,
/dev/wd0e, /dev/wd0g and
/dev/wd0h. And the different partitions don't
get different "drive letters" as in some primitive
operating systems; once the system is installed, it
looks to the user that there is just one bunch of files;
Unix will figure out the right thing to do. After the
system has been installed and you've booted off the hard
disk, log in and (this is important!) type
man afterboot; it will remind of some things
that you need to do to complete the installation -- pick
passwords, create user accounts, check network settings
etc. Also, man hier will introduce you to the
way the system is organised -- which files live where. In
fact, let me say that again:
After the first normal boot of the system, be
sure to read these manpages:
$ man afterboot
$ man hier
There! And make sure you keep reading the manpages -- OpenBSD manpages are a thing of beauty, complete, up-to-date and informative. And also read the OpenBSD FAQ on the web -- much of this information is also found there.
For my outside connection I have DSL and a static IP number (from Speakeasy -- I recommend them over PacBell etc. -- I'm so happy I switched). Other DSL options are PPPoE that PacBell likes to set people up with, or DHCP which is what you usually get over cable. A completely bogus DSL installation is the USB device they try to foist on customers with Windows. Danger, Will Robinson! They stink; they're unsupported on any free O/S, and even on Windows they work about half the time.
In *BSD the network cards are named according to the
driver used. For the D-Link cards, the driver is called
rl, so my two ethernet cards are rl0
and rl1. For the inside network I use the
"private" (non-routable) IP numbers 192.168.1.* which
will make the inward-facing network card
192.168.1.1. The OpenBSD initialization asks you for IP
numbers for the two cards. Enter the appropriate ones -
the IP number your ISP gave you for rl0, and
192.168.1.1 for rl1. For PPPoE, the outside
interface is tun0 and it will figure out its
own IP address. If you're supposed use DHCP on your DSL
or cable connection, type in dhcp.
It is important to remember which network will be the outside and which the inside. If the two cards are identical, the easiest way is to look at the MAC number. Every ethernet card ever made has a unique ID called its MAC number. This will be printed on the card, usually as a sticker. When the kernel boots up, it will print the MAC numbers of each card it finds:
rl0 at pci0 dev 9 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:50:ba:44:ab:1c
rl1 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 10 address 00:50:ba:44:9c:3e
So the card that has a MAC number ending ab1c is rl0;
the other is rl1. (If the two network cards you have are
different types, there's no problem, of course. The kernel
bootup messages will still be useful to tell you what names the
system is using for them.)
(There's some rule about where the cards are plugged in so which one gets number 0 and which no. 1, but I can never remember that.)
The beast! PPPoE is a pain in the ass but ISPs like it because it makes things simpler for them -- they don't have to maintain lists of IP numbers. Also, they can run a crappy service and keep dropping the connection and that's ok, you're expected to reconnect. It's the Micros**t philosophy of "make something really crappy and expect people to just re-start the whole system a couple of times a day." It's a pain in the ass for us because its MTU is 1492 instead of 1500 which used to require changes on every machine inside the network -- but now thanks to the "mssfixup" flag we don't have to any more.
The files you will need to change for PPPoE all live in
/etc/ppp/.
To set up the system, the files you will be editing
are:/etc/rc.conf, /etc/myname,
/etc/mygate, /etc/pf.conf,
/etc/nat.conf, /etc/*.conf,
/etc/hostname.interface,
/var/named/*.
Edit /etc/rc.conf. On my servers I run SMTP,
Apache, and ssh. In other words, from the outside it
handles email, web acess and secure shell for remote
logins. For convenience, on the inside I have a private
name server (DNS) and NTP server for accurate time. To get
sendmail, NTP, httpd, and NAT to work, these are the lines
to change:
sendmail_flags="-bd -q30m" # for normal use: "-bd -q30m"
named_flags="" # for normal use: ""
ntpdate_flags="put.server.here" # for normal use: NTP server; run before ntpd starts
httpd_flags="" # for normal use: "" (or "-DSSL" after reading ssl(8))
dhcpd_flags=-q # for normal use: "-q"
pf=YES # Packet filter / NAT
ntpd=YES # run ntpd if it exists
pf_rules=/etc/pf.conf # Packet filter rules file
nat_rules=/etc/nat.conf # NAT rules file
Make sure that /etc/sysctl.conf has this line in
it:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
Get the names of NTP servers close to where you are and put
that name in the ntpdate value. Here's a list
of public NTP servers.
OpenBSD 3.0 has a new packet filter -- 2.9 used ipf but
3.0 has a re-written from scratch one called pf. The
details are not important; pf config files are much
simpler.
I decided that my outside interface would be rl0,
and the inside one rl1. (If you're using PPPoE,
the outside interface will be tun0.) Firewall
rules (they tell
the gateway what kind of network traffic should be allowed
into the internal network) live in
/etc/pf.conf; NAT configuration is in
/etc/nat.conf.
Here's a sample /etc/pf.conf -- very little is
accessible from the outside, but machines on the inside can
go out with no restrictions. In your files you'd replace
rl0 and rl1 with the names of your
outward- and inward-facing ethernet cards,
respectively.
#####################################################################
#
# IP packet filtering rules (firewall)
# Shamim Mohamed 3/2002
# See pf.conf(5) for syntax and examples
# If you change this file, run
# pfctl -R /etc/pf.conf
# to update kernel tables (also run "pfctl -e" if pf was not running)
# Network interfaces
internal = "rl1"
external = "rl0"
# Services visible from the outside -- remove any you're not using
services = "{ ssh, http, https, smtp }"
# You shouldn't need to change anything below this line
#####################################################################
# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
255.255.255.255/32 }"
# All rules are "quick" so go strictly top to bottom
# Fix fragmented packets
scrub in all
# Don't bug loopback
#
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
# Don't bother the inside interface either
#
pass out quick on $internal from any to any
pass in quick on $internal from any to any
#####################################################################
#
# First, we deal with bogus packets.
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on $external inet proto icmp from any to any icmp-type redir
# Block any IP spoofing atempts. (Packets "from" non-routable
# addresses shouldn't be coming in from the outside).
#
block in quick on $external from $nonroutable to any
# Don't allow non-routable packets to leave our network
#
block out quick on $external from any to $nonroutable
#
#####################################################################
#####################################################################
#
# Now the normal filtering rules
#
# ICMP: allow incoming ping and traceroute only
#
pass in quick on $external inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }
block in log quick on $external inet proto icmp from any to any
# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state
# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN, but
# what the hell.
#
pass out quick on $external inet proto tcp from any to any flags S/SA keep state
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state
# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in quick on $external all
#
# End of file
#
#####################################################################
Read the pf documentation and understand these rules.
This is the NAT config /etc/nat.conf -- this
allows machines on the inside network to transparently make
connections to the outside world:
#####################################################################
#
# NAT rules
# Shamim Mohamed 3/2002
# See nat.conf(5) for syntax and examples
# replace rl0 with external interface name, 192.168.1.0/24 with internal
# network (if different) and 123.45.67.89 with your external address
# nat: packets going out through rl0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. State is created for such packets,
# and incoming packets will be redirected to the internal address.
nat on rl0 from 192.168.1.0/24 to any -> 123.45.67.89
# End of file
########################################################################
The system should already have setup
/etc/hostname.rl0 and /etc/hostname.rl1
(or whatever your network device names are) for you. Each
file will have the IP number and netmask. This is what these
files would look like:
bash-2.05$ cat /etc/hostname.rl1
inet 192.168.1.1 255.255.255.0 NONE
bash-2.05$ cat /etc/hostname.rl0
inet 123.45.67.89 255.255.255.0 NONE
(The bash-2.05$ is the prompt; cat types
a file out to the output.) If you're using DHCP, the outside
interface's hostname file will say dhcp.
Other important files are /etc/myname -- your
hostname -- and /etc/mygate -- your default gateway
to the outside world (your ISP told you what this should be
-- it's usually the same as your IP number except that the
last number is replaced with a 1 or 254.)
/etc/mygate; and
the file describing the outside interface,
/etc/hostname.rl0 in my example, will only have
one word in it: up. This tells the system to
bring up the interface at boot time, but to do nothing
else -- pppoe will do the rest.
The main file is /etc/ppp/ppp.conf and this is
what it should look like:
default:
set log Phase Chat LCP IPCP CCP tun command
set redial 15 0
set reconnect 15 10000
pppoe:
set device "!/usr/sbin/pppoe -i rl0"
disable acfcomp protocomp
deny acfcomp
set mtu 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname login
set authkey password
enable dns
enable mssfixup
Use your login name and password where indicated. The "set
device" line tells ppp which physical device to use to
talk to the outside world. You also have to tell the
system to start PPPoE at boot time. That can be done with
this little snippet of shell script:
echo -n "Trying to establish PPPoE DSL"; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i"
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Where adsl-status is a little shell-script that
tests to see whether the PPP link has come up
properly:
#!/bin/sh
IP=$(/sbin/ifconfig tun0 | awk '/netmask/{print $2}')
if [ -z "$IP" ]; then
echo "ADSL link is down."
exit 1
else
echo "ADSL is up, IP address $IP"
exit 0
fi
Now the question is: where should we put the little loop
that tries to get ppp going? The right place to put all
these is in /etc/rc.local. However this has the
drawback that the outside network hasn't been initialised
while the rest of the system is coming up, which causes
some scary-looking error messages from NAT to be printed
at boot time. So I do something a little un-kosher: I put
the ppp initialisation in /etc/netstart right at
the end:
...
echo -n ' ADSL... '; ; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i"
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Now remember that each time the PPP link goes up or down,
the IPF and NAT rules must be re-done. The files
/etc/ppp/ppp.linkup and /etc/ppp/linkdown are
scripts that get run by ppp. Here's /etc/ppp/ppp.linkup:
MYADDR:
! sh -c "/sbin/route del default"
! sh -c "/sbin/route add default HISADDR -mtu 1492"
! sh -c "/sbin/pfctl -F all -R /etc/pf.conf -N /etc/nat.conf -e"
! sh -c "/usr/local/sbin/ntpd -p /var/run/ntpd.pid"
And this is /etc/ppp/linkdown:
MYADDR:
! sh -c "/sbin/pfctl -F all -d"
Sendmail should have been setup automatically since you
edited /etc/rc.conf but I've occasionally had to
make one change in /etc/mail/sendmail.cf:
Djmy-domain-name.com
(If you don't own a domain, or plan on having it point to
your DSL machine, you don't need sendmail.)
You should have a normal user account that you're
going to use (never log in as root! Always use su
or sudo). Administrative email should be forwarded
to you; if your normal username is zippy edit
/etc/mail/aliases and make sure you make the
appropriate lines look like this:
# Well-known aliases -- these should be filled in!
root: zippy
manager: zippy
dumper: zippy
One thing you should consider is being an email handler for
friends. My DSL service goes down too often --
every few months. This is too unreliable for my tastes. What I do
is collaborate with friends to accept and queue email for
them, and they do the same for me. For my domain
foo.com the primary mail exchanger is
gateway.foo.com, the OpenBSD firewall/gateway. But
a secondary mail exchanger (which someone out there on the
network will use if my DSL is down) will be
gateway.bar.com, and email will wait on that site
until my machine is back on the network. I want to perform
the same service for my friend -- if gateway.bar.com
is down, I want people to be able to send my machine the
email destined for bar.com. This goes in the file
/etc/mail/relay-domains:
bar.com
fubar.org
Now the machine will accept email for bar.com and
fubar.org as well as for itself and then forward
the messages on. If the machine it's trying to forward to
is down, it will put them in the queue and keep re-trying
for a while.
You probably shouldn't be running the primary DNS server for your domain on your DSL box; DSL may not be reliable enough for that. Get someone else to do it for you for free, like www.zoneedit.com.
However, it is nice to have a local private DNS because lots of daemons (services that run in the background, like the web server) like to do reverse lookups of IP numbers, so we should have a DNS server for the private network. Also, this installation will give you a caching nameserver which should improve your browsing speed.
The files live in /var/named. Edit
named.boot and add these lines:
primary fake-domain.org fake-domain.db
primary 1.168.192.in-addr.arpa fake-domain.rev
; your static IP number, reversed
primary 89.67.45.123.in-addr.arpa dsl.rev
; remember to add your nameservers here!
forwarders 1.2.3.4 5.4.3.2
(Anything starting with a semicolon is a comment.)
Here fakedomain.org can be a real domain you have or a
fake; and instead of 89.67.45.123 use your static IP but
reversed i.e. you would use that line if your IP
number were 123.45.67.89. And change the IP numbers on the
forwarders line to the nameservers your ISP told
you to use.
Other files you need are
/var/named/namedb/fake-domain.db:
@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum
IN NS gateway.fake-domain.org.
gateway IN A 192.168.1.1
libelle IN A 192.168.1.2
discus IN A 192.168.1.4
ventus IN A 192.168.1.3
wander IN A 192.168.1.5
brad IN A 192.168.1.12
jack IN A 192.168.1.13
; your static IP number
dsl IN A 123.45.67.89
www IN CNAME dsl
mail IN CNAME dsl
In this network, there are six machines on the inside and
those are their names and IP Number assignments. The OpenBSD
gateway machine is named "gateway". Change these entries to
names of the machines on your private network. You can give
them any IP number that starts with 192.168.1. Of course if
you have three machines on your network, there will only by
three entries.)
This is /var/named/fake-domain.rev:
@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum
IN NS gateway.fake-domain.org.
1 IN PTR gateway.fake-domain.org.
2 IN PTR libelle.fake-domain.org
3 IN PTR ventus.fake-domain.org
4 IN PTR discus.fake-domain.org.
5 IN PTR wander.fake-domain.org.
12 IN PTR brad.fake-domain.org.
13 IN PTR jack.fake-domain.org.
(Those trailing dots are important.) And here's
/var/named/namedb/dsl.rev:
@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum
IN NS gateway.fake-domain.org.
IN PTR dsl.fake-domain.org.
dsl.rev doesn't
apply. However, more important: you don't know what your
ISP's DNS servers are! And they could change which
machines you're supposed to use each time you connect!
What you have to do is: connect "by hand" one time, and see which DNS
servers you got. After ppp.conf has been written, you can run
ppp -ddial pppoe and pray. If all goes well, ifconfig
tun0 should show you two lines:
