diff options
author | Robert Göhler <github@ghlr.de> | 2023-10-12 21:07:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-12 21:07:31 +0200 |
commit | c2c8d3628661dadf42f86d884e6c7c3205f6b1d9 (patch) | |
tree | f1c7d83b38f16e195fba921fe6d59ae5a8863f2d /docs/configuration/nat/nat44.rst | |
parent | e0fa88b183d5851f2b1466cf032be23a9a25b50a (diff) | |
parent | 54525f31cee8bf9546d4a564cf12459a8c381cea (diff) | |
download | vyos-documentation-c2c8d3628661dadf42f86d884e6c7c3205f6b1d9.tar.gz vyos-documentation-c2c8d3628661dadf42f86d884e6c7c3205f6b1d9.zip |
Merge pull request #1112 from vyos/revert-1111-nat_interfaces_group
Revert "NAT: add interface-group documentation. "
Diffstat (limited to 'docs/configuration/nat/nat44.rst')
-rw-r--r-- | docs/configuration/nat/nat44.rst | 108 |
1 files changed, 43 insertions, 65 deletions
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 9c1d1423..c660f8f4 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -148,35 +148,23 @@ rule. * **outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that - this translation rule applies to. Interface groups, inverted - selection and wildcard, are also supported. + this translation rule applies to. - Examples: + Example: .. code-block:: none - set nat source rule 20 outbound-interface interface-name eth0 - set nat source rule 30 outbound-interface interface-name bond1* - set nat source rule 20 outbound-interface interface-name !vtun2 - set nat source rule 20 outbound-interface interface-group GROUP1 - set nat source rule 20 outbound-interface interface-group !GROUP2 - + set nat source rule 20 outbound-interface eth0 * **inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the - translation rule applies to. Interface groups, inverted - selection and wildcard, are also supported. + translation rule applies to. Example: .. code-block:: none - set nat destination rule 20 inbound-interface interface-name eth0 - set nat destination rule 30 inbound-interface interface-name bond1* - set nat destination rule 20 inbound-interface interface-name !vtun2 - set nat destination rule 20 inbound-interface interface-group GROUP1 - set nat destination rule 20 inbound-interface interface-group !GROUP2 - + set nat destination rule 20 inbound-interface eth1 * **protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. @@ -335,7 +323,7 @@ demonstrate the following configuration: .. code-block:: none - set nat source rule 100 outbound-interface interface-name 'eth0' + set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address 'masquerade' @@ -344,9 +332,7 @@ Which generates the following configuration: .. code-block:: none rule 100 { - outbound-interface { - interface-name eth0 - } + outbound-interface eth0 source { address 192.168.0.0/24 } @@ -438,19 +424,19 @@ Example: set nat destination rule 100 description 'Regular destination NAT from external' set nat destination rule 100 destination port '3389' - set nat destination rule 100 inbound-interface interface-name 'pppoe0' + set nat destination rule 100 inbound-interface 'pppoe0' set nat destination rule 100 protocol 'tcp' set nat destination rule 100 translation address '192.0.2.40' set nat destination rule 110 description 'NAT Reflection: INSIDE' set nat destination rule 110 destination port '3389' - set nat destination rule 110 inbound-interface interface-name 'eth0.10' + set nat destination rule 110 inbound-interface 'eth0.10' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.0.2.40' set nat source rule 110 description 'NAT Reflection: INSIDE' set nat source rule 110 destination address '192.0.2.0/24' - set nat source rule 110 outbound-interface interface-name 'eth0.10' + set nat source rule 110 outbound-interface 'eth0.10' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' @@ -466,9 +452,7 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface { - interface-name pppoe0 - } + inbound-interface pppoe0 protocol tcp translation { address 192.0.2.40 @@ -479,9 +463,7 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface { - interface-name eth0.10 - } + inbound-interface eth0.10 protocol tcp translation { address 192.0.2.40 @@ -494,9 +476,7 @@ Which results in a configuration of: destination { address 192.0.2.0/24 } - outbound-interface { - interface-name eth0.10 - } + outbound-interface eth0.10 protocol tcp source { address 192.0.2.0/24 @@ -535,7 +515,7 @@ Our configuration commands would be: set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' set nat destination rule 10 destination port '80' - set nat destination rule 10 inbound-interface interface-name 'eth0' + set nat destination rule 10 inbound-interface 'eth0' set nat destination rule 10 protocol 'tcp' set nat destination rule 10 translation address '192.168.0.100' @@ -550,9 +530,7 @@ Which would generate the following NAT destination configuration: destination { port 80 } - inbound-interface { - interface-name eth0 - } + inbound-interface eth0 protocol tcp translation { address 192.168.0.100 @@ -568,45 +546,43 @@ Which would generate the following NAT destination configuration: This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic. -Firewall rules for Destination NAT -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -It is important to note that when creating firewall rules, the DNAT +It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100. -So in our firewall ruleset, we want to allow traffic which previously matched -a destination nat rule. In order to avoid creating many rules, one for each -destination nat rule, we can accept all **'dnat'** connections with one simple -rule, using ``connection-status`` matcher: +So in our firewall policy, we want to allow traffic coming in on the +outside interface, destined for TCP port 80 and the IP address of +192.168.0.100. .. code-block:: none - set firewall ipv4 forward filter rule 10 action accept - set firewall ipv4 forward filter rule 10 connection-status nat destination - set firewall ipv4 forward filter rule 10 state new enable + set firewall name OUTSIDE-IN rule 20 action 'accept' + set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' + set firewall name OUTSIDE-IN rule 20 destination port '80' + set firewall name OUTSIDE-IN rule 20 protocol 'tcp' + set firewall name OUTSIDE-IN rule 20 state new 'enable' This would generate the following configuration: .. code-block:: none - ipv4 { - forward { - filter { - rule 10 { - action accept - connection-status { - nat destination - } - state { - new enable - } - } - } + rule 20 { + action accept + destination { + address 192.168.0.100 + port 80 + } + protocol tcp + state { + new enable } } +.. note:: + + If you have configured the `INSIDE-OUT` policy, you will need to add + additional rules to permit inbound NAT traffic. 1-to-1 NAT ---------- @@ -634,10 +610,10 @@ and one external interface: set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' set nat destination rule 2000 destination address '192.0.2.30' - set nat destination rule 2000 inbound-interface interface-name 'eth1' + set nat destination rule 2000 inbound-interface 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' - set nat source rule 2000 outbound-interface interface-name 'eth1' + set nat source rule 2000 outbound-interface 'eth1' set nat source rule 2000 source address '192.168.1.10' set nat source rule 2000 translation address '192.0.2.30' @@ -663,7 +639,7 @@ We will use source and destination address for hash generation. .. code-block:: none - set nat destination rule 10 inbound-interface inbound-interface eth0 + set nat destination rule 10 inbound-interface eth0 set nat destination rule 10 protocol tcp set nat destination rule 10 destination port 80 set nat destination rule 10 load-balance hash source-address @@ -679,7 +655,7 @@ We will generate the hash randomly. .. code-block:: none - set nat source rule 10 outbound-interface interface-name eth0 + set nat source rule 10 outbound-interface eth0 set nat source rule 10 source address 10.0.0.0/8 set nat source rule 10 load-balance hash random set nat source rule 10 load-balance backend 192.0.2.251 weight 33 @@ -733,10 +709,12 @@ NAT Configuration set nat source rule 110 description 'Internal to ASP' set nat source rule 110 destination address '172.27.1.0/24' + set nat source rule 110 outbound-interface 'any' set nat source rule 110 source address '192.168.43.0/24' set nat source rule 110 translation address '172.29.41.89' set nat source rule 120 description 'Internal to ASP' set nat source rule 120 destination address '10.125.0.0/16' + set nat source rule 120 outbound-interface 'any' set nat source rule 120 source address '192.168.43.0/24' set nat source rule 120 translation address '172.29.41.89' |