BSD Today: Setting up OpenBSD 2.7 as a cable NAT system
Jul 25, 2000, 21:05
(Other stories by Vlad Sedach)
[ Thanks to Jeremy C. Reed for this link. ]
"The first thing I did upon getting cable modem access in my apartment was to get an old Pentium 133 computer, put in two NICs, and fire up the OpenBSD 2.7 boot floppy. I did this for several reasons: first, because I heard that OpenBSD runs as a fast network node even with old hardware; and second, because I knew that it was probably the most secure operating system I can get in that price range. While some people may view OpenBSD security as overkill for a simple home cable modem setup, upon closer examination I found that OpenBSD's secure-upon-install feature did save my butt more than once; right now, the logfiles show that (literally) not an hour goes by without my system being scanned by someone on the internet."
"The first thing I did after that point [after installing OpenBSD] was to try to set up Network Address Translation for the rest of my LAN. Being familiar with doing that on a Linux box with a dial-up link, I looked for familiar tools. ipchains wasn't there, and neither were the Slackware config files. Once again I hit the OpenBSD FAQ. Upon reading it, I changed my /etc/rc.local file to start up the NAT and IP Filtering services on bootup (change the ipfilter= and ipnat= lines to YES). Because I used the GENERIC kernel that came with the installation, I also had to enable IP forwarding in the /etc/sysctl.conf file (change the net.inet.ip.forwarding= from a 0 to a 1). I then edited the /etc/ipf.rules file to pass in packets from both sides to see how it would work."
"Next, I had to edit the /etc/ipnat.rules file to set up the NAT rules (a simple syntax is map [outside interface] [internal network/netmask (in CIDR format - 255.255.255.0 corresponds to a 24)] -> [name of outside interface OR ip of outside interface/netmask] ). My /etc/ipnat.rules looks like the following:
map ep0 172.16.10.0/24 -> ep0/32 portmap tcp/udp 10000:20000
map ep0 172.16.10.0/24 -> ep0/32
For some reason, the two of those lines are necessary to get things working."
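The article's test /etc/ipf.rules passes packets in on both sides, which is fine for checking that NAT works but leaves the box open to exactly the scans its logs record. Below is a tighter /etc/ipf.rules in the IPFilter syntax used by OpenBSD 2.7, written here as an added example rather than taken from the article; it assumes ep0 is the cable side, that the second card is ep1 on the 172.16.10.0/24 LAN, and that the two ipnat map lines above are in place.

```ipf
# /etc/ipf.rules (added example; assumes ep0 = cable modem side, ep1 = LAN side)
# IPFilter evaluates all rules and the LAST match wins, unless a rule says "quick".

# Loopback is always allowed.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop and log packets arriving on the cable side that claim a private or
# loopback source address; nothing legitimate on the internet sends those.
block in log quick on ep0 from 10.0.0.0/8     to any
block in log quick on ep0 from 172.16.0.0/12  to any
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 127.0.0.0/8    to any

# Default deny for everything else coming in from the cable modem, logged so
# the scans still show up in /var/log/ipflog via ipmon.
block in log on ep0 all

# Let traffic leave toward the internet and keep state, so the replies to
# connections started from the firewall or the NATed LAN are let back in
# by the state table without needing any "pass in" rule on ep0.
pass out quick on ep0 proto tcp  from any to any flags S keep state
pass out quick on ep0 proto udp  from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state

# The LAN side is trusted: let the internal hosts talk to the firewall
# and through it.
pass in  quick on ep1 all
pass out quick on ep1 all
```

After editing, reload with `ipf -Fa -f /etc/ipf.rules` and check the active set with `ipfstat -io`; anything from the LAN that does not match the portmap range is still translated by the second, plain map rule, and its return traffic is admitted by the state entries the pass out rules create.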