User Guide
Chapter 4. Configuring Special Features 95
NAT swaps the local IP address with a global IP address: the IP address and port information that the PC uses
are remapped (changed) to the IP address that was assigned to the router and a new port number is assigned.
Note: The preceding section, Filters and Interfaces, describes how NAT “behaves” for each filtering phase.
Filter Actions
For an IP packet to be forwarded successfully, a filter at each implementation point (Input, Forward, and Output) must accept the IP packet. If no filter at a particular point matches the incoming IP packet, it is assumed that the packet is accepted.
Each IP filter can initiate one of the following three possible actions:
Accept
When the packet is accepted at a filter interface (Input, Forward, or Output), the router lets it proceed for
further processing.
Drop
With Drop, the packet is discarded.
Reject
With Reject, an ICMP REJECT (Internet Control Message Protocol) is sent to reject the packet.
IP Filter Commands
The following two commands are used respectively to define IP filters on the Ethernet interface and on the remote interface. For extensive information on the syntax of these two commands, refer to the Command Line Interface Reference chapter.
eth ip filter <command> <type> <action> <parameters> [<port#>]
remote ipfilter <command> <type> <action> <parameters> <remoteName>
Special Notes
IP filters of Input type are checked before the IP packet is redirected by ICMP. This could adversely affect local LANs that use ICMP redirect to dynamically learn IP routes. IP filters of Input type are checked before the IP packet is sent to the router itself as a host.
Example:
The following commands will stop any attempt by a host coming from the remote internet to send an IP packet to the telnet port. Hence, the router will not see the packet, and the packet will not be forwarded.
remote ipfilter insert input drop -p tcp -dp 23 internet
save
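Added example, not from the guide: a small Python model of the behaviour described under Filter Actions, applied to the telnet rule above, with a check that lists the points where unmatched packets fall through to the default accept. It assumes filters at a point are checked in order and the first match decides, which this page does not state; all class and function names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

POINTS = ("input", "forward", "output")  # the three filtering points named in the guide


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Filter:
    action: str                     # "accept", "drop" or "reject"
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in (None, pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


def evaluate(filters: dict, pkt: Packet):
    """Return (verdict, point) for a packet that is being forwarded."""
    for point in POINTS:
        for f in filters.get(point, []):
            if f.matches(pkt):          # assumption: first match decides
                if f.action != "accept":
                    return f.action, point
                break                   # accepted here, go to the next point
        # no filter matched at this point: the packet is assumed accepted
    return "accept", None


def default_accept_points(filters: dict):
    """Points with no catch-all filter, where unmatched packets are accepted."""
    return [p for p in POINTS
            if not any(f.proto is None and f.dst_port is None
                       for f in filters.get(p, []))]


# Constructed model of: remote ipfilter insert input drop -p tcp -dp 23 internet
INTERNET = {"input": [Filter("drop", proto="tcp", dst_port=23)]}

if __name__ == "__main__":
    for pkt in (Packet("tcp", 23), Packet("tcp", 80), Packet("udp", 23)):
        print(pkt, "->", evaluate(INTERNET, pkt))
    print("default accept at:", default_accept_points(INTERNET))
```

With only the telnet rule in place, every other packet is still accepted at all three points, so the rule blocks one port and does not make the interface default-deny.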










