Network address translation rules

The network address translation rules are used to alter either the source or the destination of a packet. This can be used to redirect requests and for masquerading.

Redirect

Redirect rules can alter the destination of connection attempts. These rules only apply to packets originating from the current zone. Redirect rules are sets of rules of the form <redirect> as given below.


\begin{grammar}
\par <address_opt> ::= ',' <ip_address> <address_opt>
\alt <empt...
...> <address_opt>
\par <redirect> ::= <proto_ip> <redir_dest> <port>
\end{grammar}
If a packet originating from the current zone matches <proto_ip>, its destination is changed to the destination specified by <redir_dest> <port>. If a range of IP addresses is specified for the new destination, the redirection is done to each IP in a round-robin fashion. This is often used to load balance servers.

Example

REDIRECT_SSH="tcp :22 10.0.0.1:22"
This redirects all SSH connections to the address 10.0.0.1.

Masquerading/SNAT

Masquerading is used when no public network is available. It changes the source IP and source port of every packet coming from this zone. The rules are sets of the form <snat> as given below.


\begin{grammar}
\par <snat> ::= ( <zone name> \vert <ip> ) <proto_port_ip>
\end{grammar}
The <zone name> specifies the destination zone of the packets. All packets originating from the current zone toward the specified zone are masqueraded: their source address is changed to the IP address of the specified zone, in a round-robin manner.

Example

SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

In this example, all packets sent from the current zone to zone EXT are masqueraded, and the source address of the packets is changed to the IP of zone EXT. The source ports are changed to lie within the range [32768 - 65535].
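The following is an added example, not code from this firewall tool, that models the two behaviours described in the Redirect and Masquerading sections: round-robin DNAT to a list of targets (pinned per connection, so one flow keeps its backend) and SNAT to a zone address with a fresh source port from [32768 - 65535], with the reverse mapping needed to translate replies back. The rule syntax is reduced to Python arguments, the packet representation and all addresses are constructed for the example, and the port range is a parameter only so that exhaustion of the range can be exercised on a small range.

```python
"""Toy model of redirect (DNAT, round robin) and masquerade (SNAT) semantics.

Added illustration; not the firewall tool's own code. Rule syntax is reduced to
Python arguments and packets are simple dataclasses (all values constructed).
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]          # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Flow:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Redirect:
    """DNAT rule: matching packets are sent to one of the targets, chosen round
    robin per connection (not per packet), so an established flow keeps
    talking to the backend it was first assigned to."""

    def __init__(self, proto: str, dport: int, targets: List[Tuple[str, int]]):
        self.proto, self.dport = proto, dport
        self._next_target = cycle(targets)
        self._conntrack: Dict[Flow, Tuple[str, int]] = {}

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and pkt.dport == self.dport

    def apply(self, pkt: Packet) -> Packet:
        if not self.matches(pkt):
            return pkt                                   # rule does not apply
        key = pkt.key()
        if key not in self._conntrack:                   # new connection: pick next backend
            self._conntrack[key] = next(self._next_target)
        new_dst, new_dport = self._conntrack[key]
        return Packet(pkt.proto, pkt.src, pkt.sport, new_dst, new_dport)


class Masquerade:
    """SNAT rule: rewrite the source of packets leaving the zone to one of the
    public addresses (round robin per connection) and a free source port in
    [lo, hi]; keep the mapping so replies can be translated back."""

    def __init__(self, public_ips: List[str], ports: Tuple[int, int] = (32768, 65535)):
        self.lo, self.hi = ports
        self._next_ip = cycle(public_ips)
        self._out: Dict[Flow, Tuple[str, int]] = {}        # original flow -> (public ip, port)
        self._in: Dict[Tuple[str, str, int], Flow] = {}    # (proto, public ip, port) -> original flow
        self._cursor: Dict[Tuple[str, str], int] = {}      # next port to try per (proto, ip)

    def _alloc_port(self, proto: str, ip: str) -> int:
        span = self.hi - self.lo + 1
        start = self._cursor.get((proto, ip), self.lo)
        for i in range(span):                              # scan the whole range once, wrapping
            port = self.lo + (start - self.lo + i) % span
            if (proto, ip, port) not in self._in:
                self._cursor[(proto, ip)] = self.lo + (port - self.lo + 1) % span
                return port
        raise RuntimeError(f"source port range exhausted on {ip}/{proto}")

    def apply(self, pkt: Packet) -> Packet:
        key = pkt.key()
        if key not in self._out:                           # first packet of the flow
            ip = next(self._next_ip)
            self._out[key] = (ip, self._alloc_port(pkt.proto, ip))
            self._in[(pkt.proto,) + self._out[key]] = key
        ip, port = self._out[key]
        return Packet(pkt.proto, ip, port, pkt.dst, pkt.dport)

    def reverse(self, reply: Packet) -> Packet:
        """Translate a reply addressed to (public ip, port) back to the inside host."""
        flow = self._in.get((reply.proto, reply.dst, reply.dport))
        if flow is None:
            return reply                                   # no NAT state for this reply
        _proto, src, sport, _dst, _dport = flow
        return Packet(reply.proto, reply.src, reply.sport, src, sport)


if __name__ == "__main__":
    ssh = Redirect("tcp", 22, [("10.0.0.1", 22), ("10.0.0.2", 22)])
    nat = Masquerade(["198.51.100.1"])
    client = Packet("tcp", "192.168.1.5", 40000, "203.0.113.9", 22)
    print(ssh.apply(client))
    print(nat.apply(client))
```

Two points the model makes explicit: the round-robin choice happens once per connection and is then looked up in the connection table, and every masqueraded flow consumes one (address, port) pair, so the number of concurrent flows per public address is bounded by the size of the port range.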

Anders Peter Fugmann 2004-02-26