HP-UX IPFilter Version 16 Administrator's Guide

map and portmap: Mapping Outbound Packets
The map keyword rewrites or translates source addresses for outbound packets. When used with
the portmap keyword, map also translates UDP or TCP port numbers. When an outbound packet
matches the selectors in a map rule, IPFilter rewrites the source IP address with the specified
target IP address. IPFilter also creates an entry in its map table, and checks this map table for
both inbound and outbound packets. Checking the map table for inbound packets enables IPFilter
to correctly remap and reroute the corresponding inbound packets to the original IP address.
To map IP addresses, use the following syntax:
map interface_name source_ip -> target_ip
where:
interface_name is the name of the network interface used to transmit the packets. For example,
lan1.
source_ip is the source IP address. This can be a subnet address or 0/0 to match any address.
target_ip is the target IP address. IPFilter translates the source IP address to the target IP
address. This is usually the IP address assigned to the interface. If the interface has a dynamically
assigned address, specify 0/32, and IPFilter will use the currently assigned interface address as
the target IP address.
Examples
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
address 20.20.20.1 and transmits the packets using the lan0 interface:
map lan0 192.168.1.0/24 -> 20.20.20.1/32
The following NAT rule replaces IP source addresses from the 192.168.1.0/24 subnet with the
current IP address for the lan0 interface, then transmits them using lan0:
map lan0 192.168.1.0/24 -> 0/32
portmap Keyword
You can use the portmap keyword to direct IPFilter to translate port numbers. When used with
the map keyword, IPFilter maps the source port number to a specific port number or range of
port numbers. You can use this feature to create a unique source IP address and source port
number pair. This provides unique port and IP address pairs after IP address translation when
the same source port number is used on multiple clients. It is also useful if there is another firewall
or filtering node the packet must pass through.
To use the portmap keyword with map rules, add the following options after the target_ip
address:
portmap [protocol] port_range|auto
where:
protocol is the upper-layer protocol. Valid values are:
tcp
udp
tcp/udp
The default is tcp.
port_range is the range of ports to use for the mapped ports.
auto directs IPFilter to automatically find an unused port to use as the mapped port.
In the following example, the source port numbers for the translated TCP and UDP packets are
translated to port numbers in the range 20000 - 30000.
map lan0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
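The following example is added here to illustrate the map and portmap behaviour described above; it is not HP-UX IPFilter code. It parses rules in the syntax given in this section and simulates the map table for outbound packets and their replies. Assumptions: lan0's current address is 20.20.20.1 (constructed), auto draws from a 1024-65535 pool, and the table is keyed only on the translated address and port (a simplification of the real map table).

```python
import ipaddress
import re
IFACE_ADDR = {"lan0": "20.20.20.1"}  # constructed stand-in for the interface's current address (target 0/32)
RULE_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)"
                     r"(?:\s+portmap(?:\s+(tcp/udp|tcp|udp))?\s+(\S+))?$")

def parse_map_rule(line):
    """Parse 'map iface src -> target [portmap [proto] lo:hi|auto]' into a dict."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a map rule: " + line)
    iface, src, target, proto, ports = m.groups()
    src = "0.0.0.0/0" if src == "0/0" else src  # ipaddress needs the long form of 0/0
    rule = {"iface": iface, "src": ipaddress.ip_network(src, strict=False),
            "target": target, "portmap": None}
    if ports is not None:  # protocol defaults to tcp; 'auto' pool is this example's assumption
        lo, hi = (1024, 65535) if ports == "auto" else map(int, ports.split(":"))
        rule["portmap"] = {"protos": set((proto or "tcp").split("/")), "range": (lo, hi)}
    return rule

class Nat:
    def __init__(self, rules):
        self.rules = rules
        self.table = {}  # map table: (proto, mapped_ip, mapped_port) -> (orig_ip, orig_port)

    def outbound(self, iface, proto, src_ip, src_port):
        """Rewrite the source of an outbound packet per the first matching rule."""
        for r in self.rules:
            if r["iface"] != iface or ipaddress.ip_address(src_ip) not in r["src"]:
                continue
            new_ip = IFACE_ADDR[iface] if r["target"] == "0/32" else r["target"].split("/")[0]
            new_port, pm = src_port, r["portmap"]
            if pm and proto in pm["protos"]:  # take the lowest unused port in the range
                new_port = next(p for p in range(pm["range"][0], pm["range"][1] + 1)
                                if (proto, new_ip, p) not in self.table)
            self.table[(proto, new_ip, new_port)] = (src_ip, src_port)
            return new_ip, new_port
        return src_ip, src_port  # no rule matched: the packet leaves untranslated

    def inbound(self, proto, dst_ip, dst_port):
        """Consult the map table for a reply and restore the original address and port."""
        return self.table.get((proto, dst_ip, dst_port), (dst_ip, dst_port))

def demo(rule_text):
    # Two clients use the same source port 1025; returns both mappings and who gets a's reply.
    nat = Nat([parse_map_rule(rule_text)])
    a = nat.outbound("lan0", "tcp", "192.168.1.10", 1025)
    b = nat.outbound("lan0", "tcp", "192.168.1.11", 1025)
    return a, b, nat.inbound("tcp", *a)
```

Running demo with the portmap rule gives each client a distinct translated port and routes the reply to the right host; with the plain map rule from the first example, both clients collide on 20.20.20.1:1025 and the reply reaches the wrong client.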