> I can't find in the documentation if the rdr statement redirects packets
> depending on source addresses or destination addresses. All examples are
> used with 0.0.0.0/0, without more explanation.
> And does it work for tcp, udp or both?
So, 0/0 is to use any existing external IP in the NAT box. You can
do either 0/0 or YourExternalIP/32. Hope your question has been
Below is taken from FAQ 6.3.2.
Links down there point to extensive
At times you may need to redirect incoming or outgoing traffic for a
certain protocol or port. A good example of this is if there were a
server residing inside the LAN running a web server. Incoming
connections to your valid Internet IP will find that unless your NAT
box is running a web server, no connection can be made. For this
purpose we use the NAT 'rdr' directive in the rules file to instruct
where to redirect (or route) a particular connection to.
For our example, let's say a web server resides on the LAN with IP
address of 192.168.1.80. The NAT rules file needs a new directive to
handle this. Add a line similar to the following one to your

    rdr pn0 184.108.40.206/32 port 80 -> 192.168.1.80 port 80

The reason for each part of the line is this:

rdr
    This is the command you are giving ipnat. It is telling ipnat
    this entry is an entry to redirect a connection.

pn0
    This is the network interface that is connected to the Internet.

184.108.40.206/32
    This means an incoming connection to this IP address (only on

port 80
    This is the port (80) that should be redirected. The number "80"
    didn't have to be used. You can use "port www" also to specify a
    redirection of port 80. If you would like to use a name instead of
    a number, the service name and corresponding port must exist in
    the file /etc/services.

192.168.1.80
    The IP address and netmask of the LAN machine which the packets
    are redirected to. The netmask is always "/32" (and therefore does
    not need to be specified) so the packets can be redirected to a
When the addition is complete, reload the NAT rules, and the
redirection will start immediately.
NAT versus Proxy
The difference between NAT and an application-based proxy is that the
proxy software acts as a middle-man between the Internet and the
machines connected on the LAN. This is fine; however, each application
you want to run on your machine and connect to the Internet through
the proxy server MUST be proxy-aware (be able to use a proxy server).
Not all applications are able to do this (especially games).
Furthermore, there simply are not proxy server applications for all
the Internet services out there. NAT transparently maps your internal
network so that it may connect to the Internet. The only security
advantage to using proxy software over NAT is that the proxy
software may have been made security aware, and can filter based on
content: it can keep your Windows machine from getting a macro virus,
it can protect against buffer overflows to your client software, and
more. Maintaining these filters is often a high-maintenance job.
6.3.4 Links and X-References
* /etc/ipnat.rules - NAT rules file
* /etc/rc.conf - need to edit to start up ipnat and ipf at boot
* /etc/sysctl.conf - need to edit to enable IP forwarding
* /usr/share/ipf/nat.1 - samples of ipnat.rules
NAT Internet Links:
* Man page showing correct ipnat.rules syntax
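As an added illustration (not part of the original message or of the OpenBSD FAQ it quotes), here is a small Python parser for the rdr rule format explained above: it checks the fields in the order the FAQ walks through them, accepts the 0/0 shorthand mentioned in the reply, resolves service names against a constructed stand-in for /etc/services, and rejects a redirect target that is not a single host. The trailing protocol keyword and the tcp-by-default behaviour when none is given are assumptions to confirm against ipnat(5) for your release.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
# Constructed stand-in for /etc/services: only names listed here resolve.
SERVICES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}
# rdr <if> <ext-addr>[/mask] port <p> -> <lan-host> port <p> [tcp|udp|tcp/udp]
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\S+)\s*->\s*(\S+)\s+port\s+(\S+)(?:\s+(tcp/udp|tcp|udp))?$")

@dataclass
class RdrRule:
    interface: str                   # interface connected to the Internet
    external: ipaddress.IPv4Network  # destination address the packet must carry
    ext_port: int                    # destination port being redirected
    internal: ipaddress.IPv4Network  # the single LAN host receiving the traffic
    int_port: int
    proto: str                       # tcp, udp or tcp/udp

def resolve_port(token: str) -> int:
    # A number, or a service name that must exist in /etc/services.
    if token.isdigit():
        return int(token)
    if token not in SERVICES:
        raise ValueError(f"unknown service {token!r}: add it to /etc/services")
    return SERVICES[token]

def to_network(token: str) -> ipaddress.IPv4Network:
    # ipnat accepts '0/0' as shorthand for any external address (0.0.0.0/0).
    token = "0.0.0.0/0" if token == "0/0" else token
    return ipaddress.ip_network(token, strict=False)  # bare host -> /32

def parse_rdr(line: str) -> RdrRule:
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an rdr rule: {line!r}")
    ifname, ext, eport, lan, lport, proto = m.groups()
    internal = to_network(lan)
    if internal.prefixlen != 32:  # the target must be one host
        raise ValueError(f"redirect target {lan} is not a single host (/32)")
    # No protocol given: assumed here to mean tcp; confirm against ipnat(5).
    return RdrRule(ifname, to_network(ext), resolve_port(eport),
                   internal, resolve_port(lport), proto or "tcp")

def rule_error(line: str) -> Optional[str]:
    try:
        parse_rdr(line)
        return None
    except ValueError as exc:
        return str(exc)
```

Run rule_error over each line of a candidate ipnat.rules file before reloading it; a None result means the rule has the shape the FAQ describes.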