HP-UX IPFilter Version 16 Administrator's Guide

6 Configuring and Loading Network Address Translation (NAT) Rules
This chapter contains the following sections:
“NAT Rules Configuration File”
“Format”
“Rule Order and Processing”
“NAT Keywords”
“map and portmap: Mapping Outbound Packets”
“rdr: Redirecting Inbound Packets”
“bimap: Bidirectional Mapping”
“Loading NAT Rules”
NAT Rules Configuration File
IPFilter loads and evaluates NAT rules separately from filter rules. Do not configure NAT rules
in the same file with filter rules. The default name for the HP-UX IPFilter NAT rules file is
/etc/opt/ipf/ipnat.conf. To specify an alternate NAT rules file name, set the IPNAT_CONF
parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf.
To load NAT rules, use the ipnat utility. See “Loading NAT Rules” (page 63) for more
information.
NOTE: NAT rules are not supported with IPv6 addresses or interfaces.
Format
Entries in IPFilter rule files must meet the following requirements:
Each rule must be contained on one line. Line continuation characters are not supported.
IPFilter interprets all text to the right of a number symbol (#) as a comment.
Extra white space is allowed and encouraged to keep the rules readable.
Rule Order and Processing
Rules are processed in order from top to bottom of the rules file. By default, IPFilter uses the
first NAT rule that matches the packet it is evaluating.
NOTE: The selection algorithm that IPFilter uses for NAT rules (use the first matching rule) is
the opposite of the default selection algorithm it uses for filter rules (use the last matching rule).
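
The following check is an added example, not part of the HP guide or of IPFilter. It lints the text of a NAT rules file against the requirements above: no line continuation, no filter rules mixed in, and no IPv6 addresses. It assumes that NAT rules begin with map, rdr or bimap (the keywords named in this chapter's outline) and that filter rules begin with pass or block. The sample rules are constructed.

```python
import ipaddress

# Assumption: leading keywords taken from this chapter's outline.
NAT_KEYWORDS = {"map", "rdr", "bimap"}
# Assumption: leading keywords of filter rules, which belong in the filter rules file.
FILTER_KEYWORDS = {"pass", "block"}

def has_ipv6(tokens):
    """True if any token is an IPv6 address, with or without a /prefix."""
    for tok in tokens:
        try:
            if ipaddress.ip_interface(tok).version == 6:
                return True
        except ValueError:
            continue  # not an address (keyword, interface name, port, ...)
    return False

def lint_ipnat(text):
    """Return (line_number, message) findings for the text of a NAT rules file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # text right of '#' is a comment
        if not rule:
            continue
        tokens = rule.split()
        if rule.endswith("\\"):
            findings.append((n, "line continuation is not supported"))
        if tokens[0] in FILTER_KEYWORDS:
            findings.append((n, "filter rule in NAT rules file"))
        elif tokens[0] not in NAT_KEYWORDS:
            findings.append((n, "line does not start with map, rdr or bimap"))
        if has_ipv6(tokens):
            findings.append((n, "IPv6 address in NAT rule"))
    return findings

# Constructed sample input, not taken from the guide.
SAMPLE = """\
# outbound mapping for the internal network
map lan0 10.1.1.0/24 -> 192.0.2.1/32   # trailing comment
rdr lan0 192.0.2.1/32 port 80 \\
    -> 10.1.1.5 port 8080 tcp
pass in quick on lan0 from any to 10.1.1.5
map lan0 2001:db8::/64 -> 192.0.2.1/32
"""

if __name__ == "__main__":
    for line_no, msg in lint_ipnat(SAMPLE):
        print(f"line {line_no}: {msg}")
```
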
Using NAT Rules with Filter Rules
The order in which IPFilter evaluates NAT rules and filter rules depends on the direction of the packet.
Inbound Packets
When processing inbound packets, IPFilter evaluates rules in the following order:
1. NAT rules
2. Filter rules
If you want to use filter and NAT rules to process inbound packets, you must specify the translated
(target) IP address in the filter rules, because the filter rules evaluate the packet after the NAT
rules have been applied to it.