NAT rules – for IP Filter

NAT, or Network Address Translation, is also referred to as IP aliasing and IP
masquerading.  NAT is a method for translating internal intranet (private) addresses to
external (public) Internet addresses.

In order for NAT to work, your box needs to be set
up as a gateway.  This allows your box to forward packets, which is what a gateway
does: it receives packets from other machines on your subnet and
forwards them on to their ultimate destination.  You can enable packet forwarding by
issuing the following command:

sysctl -w net.inet.ip.forwarding=1

You can tell FreeBSD to set your box up as a gateway by including the following line in


This line will ensure the command is executed during the system startup process.

Example NAT rules

I’m using ipfilter and I
recommend it as a great packet filter tool for creating a firewall.  Included with
this product is ipnat, which does the NAT for ipfilter.  Here’s how
I invoke ipnat:

ipnat -f /etc/ipnat.conf

I am also using DHCP.  In such circumstances, you can substitute
for the otherwise unknown IP address; ipfilter will determine the address
at run time.  Although this example is for dynamic IP addresses, I’m not sure, but I
strongly suspect that this will work for static addresses as well.  Here are the
contents of /etc/ipnat.conf:

map ed0 -> portmap tcp/udp 40000:65000
map ed0 ->

ed0 is the network interface which leads to the outside world.
represents the inside network.  If you are setting up a home network, I suggest you
use 192.168.0.* for your subnet.  In this case, the above examples will work for you.
If they don’t, then please add your comments.

Put these rules before any redirects (i.e. rdr).

Redirect rules for ipfilter

I also used this ipnat rule for a short while to redirect traffic from the
firewall to a computer on my internal LAN:

rdr tun0 port 80 -> port 80

Where tun0 is the public interface on my firewall and is a box on my internal LAN which is running a webserver.  The above
goes into /etc/ipnat.conf.

NOTE: Do your redirection after your mapping.  That is, put the rdr
after any map directives.
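The two rules the sections above give for /etc/ipnat.conf (map rules carry the portmap range, and every map must come before any rdr) are easy to get wrong when a file grows. The following script is an added example, not code from the original page or from the IPFilter project: a small lint, written in POSIX sh, that checks a candidate ipnat.conf for both points before it is loaded with ipnat -f. The interface names, addresses and port ranges in the sample files it writes are constructed for the example and are not a real deployment; it only understands the explicit "portmap PROTO LOW:HIGH" form used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): lint an ipnat.conf for
#   1. ordering: every "map" rule must precede any "rdr" rule;
#   2. format:   each "portmap" clause is "portmap PROTO LOW:HIGH", 1 <= LOW <= HIGH <= 65535.
# All interface names, addresses and ports below are constructed sample values.
set -f                                     # no globbing while we word-split config lines

# check_ipnat_order FILE -> exit status 0 if all map rules precede all rdr rules, else 1
check_ipnat_order() {
    file=$1
    seen_rdr=0
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                       # unquoted on purpose: split the line into words
        case "${1:-}" in
            ''|'#'*) continue ;;           # blank line or comment
            rdr) seen_rdr=1 ;;
            map) [ "$seen_rdr" -eq 1 ] && { echo "map after rdr: $line" >&2; status=1; } ;;
        esac
    done < "$file"
    return "$status"
}

# check_portmap_ranges FILE -> exit status 0 if every portmap clause is well-formed, else 1
check_portmap_ranges() {
    file=$1
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        while [ $# -gt 0 ] && [ "$1" != portmap ]; do shift; done
        [ $# -gt 0 ] || continue           # no portmap clause on this line
        proto=${2:-}; range=${3:-}
        case "$proto" in tcp|udp|tcp/udp) ;; *) proto= ;; esac
        low=${range%%:*}; high=${range#*:}
        if [ -z "$proto" ] || [ "$range" = "$low" ] ||
           ! [ "$low" -ge 1 ] 2>/dev/null || ! [ "$high" -le 65535 ] 2>/dev/null ||
           [ "$low" -gt "$high" ]; then
            echo "bad portmap clause: $line" >&2
            status=1
        fi
    done < "$file"
    return "$status"
}

# write_sample FILE good|bad -> writes a constructed sample config to FILE
write_sample() {
    if [ "$2" = good ]; then
        printf '%s\n' \
          '# constructed sample: map rules first, then the rdr' \
          'map ed0 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 40000:65000' \
          'map ed0 192.168.0.0/24 -> 203.0.113.1/32' \
          'rdr tun0 0.0.0.0/0 port 80 -> 192.168.0.10 port 80' > "$1"
    else
        printf '%s\n' \
          'rdr tun0 0.0.0.0/0 port 80 -> 192.168.0.10 port 80' \
          'map ed0 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 65000:40000' > "$1"
    fi
}

# Demo: lint one good and one bad constructed file.
good=$(mktemp "${TMPDIR:-/tmp}/ipnat.XXXXXX"); write_sample "$good" good
bad=$(mktemp "${TMPDIR:-/tmp}/ipnat.XXXXXX");  write_sample "$bad" bad
for f in "$good" "$bad"; do
    if check_ipnat_order "$f" && check_portmap_ranges "$f"; then
        echo "$f: ok"
    else
        echo "$f: problems found"
    fi
done
rm -f "$good" "$bad"
```

Run it as a plain sh script; the two check functions take a filename and return 0 or 1, so they can also be sourced and run against the real /etc/ipnat.conf before calling ipnat -f on it.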

8 thoughts on “NAT rules – for IP Filter”

  1. Hi,

    How do you go about in IPNAT/IPF with services like RealPlayer and DirectX that use a range of ports, not just 80 or 443?

    Do you think it is necessary to write an rdr line for each one of the ports? If yes, don’t you believe that 100 redirect lines is going to generate some overhead on the system?

    Thanks a lot,


  2. Followed instructions to the last letter, everything works fine for exactly 2 hours, then my connection on my client to the net disappears. I can see packets going out the modem but nothing coming back in. I do a DHCP release/renew and it starts working again... go figure, I can’t.

    1. Doesn’t sound like a NAT problem. Sounds more like a DHCP problem. I had similar problems a week or two ago, but I would have to renew the lease manually and the problem reoccurred after about 4 days.

    2. try configuring crontab with:

      0 0 * * * /usr/bin/killall dhclient && dhclient ed0

      where 0 0 * * * is once a day. every day
      and /usr/bin/killall dhclient – releases your ip and
      dhclient ed0 – renews your ip ( the "&&" ensures the first command is complete before the second starts)

      If there is an error in the syntax ..sorry..I am extremely tired.
      But you get the idea.

  3. It is really surprising that I tried every method written here. The redirector for port 80 works very much fine. While when I tried to map the one local IP to live IP, it never worked in my case. I can see the NAT connection on different port.
    But none of services other than HTTP works. Can anybody give me wild guess where I might be wrong.


    Zaheer Abbas

  4. After banging my head against a rock, and many many hours of debugging, I finally found some tiny thing on some backwater web page that talked about broadcast address.

    my internal nic was set as follows:
    inet netmask 0xffffff00 broadcast

    this did not work for the (now obvious) reason that nothing at was being broadcast!

    when i changed the broadcast address and netmask to:
    inet netmask 0xffff0000 broadcast

    suddenly the lights all came on and everything works!!

    Just thought I’d forward that if anyone else is stuck there, and to make all NAT docs more complete – I’d have liked to see that about 6 hours earlier!
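The mismatch in the comment above (a netmask that does not agree with the configured broadcast address on the inside interface) is cheap to check before blaming the NAT rules. The script below is an added example, not code from the original post: it computes the broadcast address implied by an address/netmask pair and compares it with the broadcast actually configured, accepting the netmask either as the hex form ifconfig prints (0xffffff00) or as a dotted quad. The addresses used in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): derive the broadcast address an
# address/netmask pair implies and compare it with the configured one.
# Sample addresses below are constructed, not taken from any real interface.

ip_to_int() {                       # dotted quad -> integer, e.g. 192.168.0.1 -> 3232235521
    oldifs=$IFS; IFS=.
    set -- $1                       # split the four octets on "."
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                       # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_to_int() {                     # 0xffffff00 (ifconfig style) or 255.255.255.0 -> integer
    case "$1" in
        0x*|0X*) echo $(( $1 )) ;;
        *)       ip_to_int "$1" ;;
    esac
}

broadcast_for() {                   # ADDR MASK -> broadcast address as dotted quad
    ip=$(ip_to_int "$1")
    m=$(mask_to_int "$2")
    int_to_ip $(( ip | (~m & 0xffffffff) ))   # host bits all set to 1
}

check_broadcast() {                 # ADDR MASK CONFIGURED_BROADCAST -> 0 if consistent, else 1
    want=$(broadcast_for "$1" "$2")
    [ "$want" = "$3" ] && return 0
    echo "broadcast $3 does not match $1 netmask $2 (expected $want)" >&2
    return 1
}

# Demo with constructed values: the same /24 address, once with a matching broadcast
# and once with the broadcast of a /16, the kind of mismatch the comment describes.
check_broadcast 192.168.0.1 0xffffff00 192.168.0.255   && echo "consistent"
check_broadcast 192.168.0.1 0xffffff00 192.168.255.255 || echo "mismatch detected"
```

Feed it the three values from your own ifconfig output for the inside interface; a non-zero exit means the interface will not see broadcasts for the subnet it is actually configured on.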

