HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
address, specify 0/32, and IPFilter will use the currently assigned interface address as the target IP address.
Examples
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
address 20.20.20.1 and transmits the packets using the lan0 interface:
map lan0 192.168.1.0/24 -> 20.20.20.1/32
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
current IP address for the lan0 interface, then transmits them using lan0:
map lan0 192.168.1.0/24 -> 0/32
portmap keyword
You can use the portmap keyword to direct IPFilter to translate port numbers. When used with
the map keyword, IPFilter maps the source port number to a specific port number or range of port
numbers. You can use this feature to create a unique source IP address and source port number
pair. This provides unique port and IP address pairs after IP address translation when the same
source port number is used on multiple clients. It is also useful if there is another firewall or filtering
node the packet must pass through.
To use the portmap keyword with map rules, add the following options after the target_ip
address:
portmap [protocol] port_range|auto
where:
protocol is the upper-layer protocol. Valid values are:
tcp
udp
tcp/udp
The default is tcp.
port_range is the range of ports to use for the mapped ports.
auto directs IPFilter to automatically find an unused port to use as the mapped port.
In the following example, the source port numbers for the translated TCP and UDP packets are
translated to port numbers in the range 20000 - 30000.
map lan0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
Mapping to a block of addresses: map-block
IPFilter NAT can map an IP address to a specific block of IP addresses in two ways.
You can use the map-block keyword to statically map sessions from a host to a selected block
of IP addresses. Configure the following rule:
map-block lan0 192.168.1.0/24 -> 20.20.20.0/24
Any outgoing packet with an IP address beginning with 192.168.1 is mapped to an IP address
beginning with 20.20.20.
Alternately, you can configure IPFilter NAT to translate to a block of IP addresses using only the
map and portmap keywords. Configure the following rule:
map lan0 192.168.0.0/16 -> 20.20.20.0/24 portmap tcp/udp 20000:60000
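To make the address and port rewriting performed by the map, portmap, and map-block rules in this section concrete, the following Python model is added here; it is not part of this guide or of IPFilter itself. It parses the rule forms shown above and applies them to constructed outbound packets, showing why two clients that share a source port collide without portmap and why map-block keeps the host part of the address. The interface address 10.0.0.5 and the client addresses are assumed, and a map rule that targets a whole address block with portmap is deliberately not modelled because the guide does not state how the target address is chosen.

```python
import ipaddress
import re
from collections import Counter
from itertools import count
# Constructed model of the map / map-block forms shown on this page (rdr is not covered).
RULE_RE = re.compile(r"^(map|map-block)\s+(\S+)\s+(\S+)\s+->\s+(\S+)"
                     r"(?:\s+portmap\s+(tcp|udp|tcp/udp)\s+(\d+):(\d+))?$")

def parse_rule(text):
    """Parse one rule; a target of 0/32 is kept as None ('current interface address')."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    kw, ifname, src, dst, proto, lo, hi = m.groups()
    return {"kw": kw, "if": ifname, "src": ipaddress.ip_network(src),
            "dst": None if dst == "0/32" else ipaddress.ip_network(dst),
            "proto": proto or "tcp",                 # the page's default protocol
            "ports": (int(lo), int(hi)) if lo else None}

class OutboundNat:
    """Per-rule session table: (src_ip, src_port) -> (mapped_ip, mapped_port)."""
    def __init__(self, rule_text, iface_addr):
        self.rule = parse_rule(rule_text)
        self.iface_addr = ipaddress.ip_address(iface_addr)  # assumed current lan0 address
        self.next_port = count(self.rule["ports"][0]) if self.rule["ports"] else None
        self.sessions = {}

    def translate(self, src_ip, src_port):
        r, ip = self.rule, ipaddress.ip_address(src_ip)
        if ip not in r["src"]:
            return (src_ip, src_port)                 # rule does not match: untouched
        if (ip, src_port) in self.sessions:
            return self.sessions[(ip, src_port)]      # existing session keeps its mapping
        if r["kw"] == "map-block":
            # static: the host part survives, so 192.168.1.7 becomes 20.20.20.7
            new_ip = r["dst"].network_address + (int(ip) - int(r["src"].network_address))
            new_port = src_port
        else:
            if r["dst"] is not None and r["dst"].prefixlen != 32:
                raise ValueError("map to an address block is not modelled here")
            new_ip = self.iface_addr if r["dst"] is None else r["dst"].network_address
            new_port = src_port if self.next_port is None else next(self.next_port)
            if self.next_port is not None and new_port > r["ports"][1]:
                raise RuntimeError("portmap range exhausted")
        self.sessions[(ip, src_port)] = (str(new_ip), new_port)
        return self.sessions[(ip, src_port)]
    def colliding_pairs(self):
        """Mapped (ip, port) pairs shared by more than one session: replies become ambiguous."""
        return {pair for pair, n in Counter(self.sessions.values()).items() if n > 1}
```

Run it against the rules from this section: without portmap, 192.168.1.7 and 192.168.1.8 both using source port 1234 end up as the same (10.0.0.5, 1234) pair, while with portmap tcp/udp 20000:30000 they receive 20000 and 20001.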
Redirecting inbound packets: rdr
The rdr keyword redirects inbound packets and rewrites the destination address. To redirect
inbound packets, use the following syntax:
rdr interface_name destination_ip -> target_ip
46 Configuring and loading NAT rules