HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box
# to the local ftp port and force them to connect
# through a proxy, you would use:
# rdr lan0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
nat-setup
Configuring NAT on your network.
================================
To start setting up NAT, we need to define which is your
"internal" interface and which is your "external" interface.
The "internal" interface is the network adapter connected to
the network with private IP addresses, which must be translated
before those hosts can communicate on the Internet. The "external"
interface is configured with a valid Internet address.
For example, your internal interface might have an IP address
of 10.1.1.1 and be connected to the Ethernet, while your
external interface might be a PPP connection with an IP number
of 204.51.62.176.
Thus your network might look like this:

              <Internal Network>
            [pc]         [pc]
             |            |
           +-+------------+-----+
                      |
                 [firewall]
                      |
                      |
                   Internet
              <External Network>
Writing the map-rule.
---------------------
When you're connected to the Internet, you will either have a
block of IP addresses assigned to you, maybe several different
blocks, or you use a single IP address, e.g. with dialup PPP.
If you have a block of addresses assigned, these can be used to
create either a 1:1 mapping (if you have only a few internal IP
addresses) or N:1 mappings, where groups of internal addresses
map to a single IP address. Unless you have enough Internet
addresses for a 1:1 mapping, you will want to do "portmapping"
for TCP and UDP port numbers.
For an N:1 situation, you might have:
# TCP and UDP flows: also rewrite the source port, drawn from 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
# every other protocol (e.g. ICMP): translate the address only
map ppp0 10.1.0.0/16 -> 209.23.1.5/32
where if you had 16 addresses available, you could do:
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28
Or if you wanted to allocate subnets to each IP#, you might do:
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
map ppp0 10.1.3.0/24 -> 209.23.1.4/32
*** NOTE: NAT rules are used on a first-match basis only!
Filtering with NAT.
-------------------
IP Filter translates addresses in a packet _BEFORE_
verifying the access list for inbound packets and translates
addresses _AFTER_ verifying the access control lists for
outbound packets.
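The following is an added example, not code from the IPFilter project or this guide: a small Python model of the "subnets to each IP#" map rules above and of the outbound order just described (access list first, then translation). It assumes a simplified rule grammar, sequential port allocation from the portmap range, and a blocked-network list standing in for the ipf access list; it exists only to make first-match selection and the filter/NAT ordering visible.

```python
import ipaddress
# Added example, not code from the IPFilter project: a toy model of the
# ipnat "map" rules on this page, showing first-match rule selection,
# portmap port allocation, why the rules without portmap are needed, and
# that outbound filtering sees the private address (filter runs before NAT).
RULES_TEXT = """
map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
map ppp0 10.1.1.0/24 -> 209.23.1.2/32
map ppp0 10.1.2.0/24 -> 209.23.1.3/32
"""

def parse_map_rules(text):
    """Parse 'map IF SRC -> DST [portmap tcp/udp LO:HI]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] != "map":
            continue
        portmap = None
        if len(w) > 5 and w[5] == "portmap":      # e.g. portmap tcp/udp 10000:40000
            lo, hi = (int(p) for p in w[7].split(":"))
            portmap = (w[6].split("/"), lo, hi)
        rules.append((w[1], ipaddress.ip_network(w[2]),
                      ipaddress.ip_network(w[4]), portmap))
    return rules

def nat_out(rules, iface, src_ip, proto, sport, used):
    """First matching rule wins (the page's NOTE); returns (ip, port) or None."""
    for idx, (r_if, r_src, r_dst, portmap) in enumerate(rules):
        if r_if != iface or ipaddress.ip_address(src_ip) not in r_src:
            continue
        new_ip = str(r_dst.network_address)
        if portmap:
            if proto not in portmap[0]:
                continue                              # portmap rules cover only tcp/udp
            port = used.get(idx, portmap[1])          # next free port in this rule's range
            if port > portmap[2]:
                return None                           # range exhausted
            used[idx] = port + 1
            return new_ip, port
        return new_ip, sport                          # no portmap: source port is kept
    return None                                       # no rule matched: not translated

def outbound(rules, blocked_nets, iface, src_ip, proto, sport, used):
    """Outbound order on this page: the access list runs first, then NAT."""
    if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in blocked_nets):
        return "blocked"                              # filter saw the private 10.x source
    return nat_out(rules, iface, src_ip, proto, sport, used)
```

Reordering the parsed rules so that a rule without portmap comes first makes TCP keep its original source port, which is the practical consequence of the first-match note above.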
For example (using the previous NAT rules), if you wanted to
prevent all hosts in the 10.1.2.0/24 subnet from using NAT, you
might use the following rule with ipf:
nat-setup 115