Manualshelf

HP-UX IPFilter Version 17 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPFilter Software
61626364656667686970
6 Configuring and Loading Network Address Translation
(NAT) Rules
This chapter contains the following sections:
“NAT Rules Configuration File” (page 63)
“Format” (page 63)
“Rule Order and Processing” (page 63)
“NAT Keywords” (page 65)
“map and portmap: Mapping Outbound Packets” (page 66)
“rdr: Redirecting Inbound Packets” (page 68)
“Redirecting Packets to a Specific Port” (page 68)
“Using NAT Redirection with Filtering” (page 68)
“Using the rdr and round-robin Keywords for Load Balancing” (page 69)
“Sticky NAT Sessions” (page 69)
“Checking Connection Health with l4check” (page 69)
“bimap: Bidirectional Mapping” (page 71)
“Loading NAT Rules” (page 72)
6.1 NAT Rules Configuration File
IPFilter loads and evaluates NAT rules separately from filter rules. Do not configure NAT rules
in the same file with filter rules. The default name for the HP-UX IPFilter NAT rules file is /etc/
opt/ipf/ipnat.conf. To specify an alternate NAT rules file name, set the IPNAT_CONF
parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf.
To load NAT rules, use the ipnat utility. See “Loading NAT Rules” (page 72) for more
information. See also, “Rule Tags” (page 43).
NOTE: NAT rules are not supported with IPv6 addresses or interfaces.
6.1.1 Format
Entries in IPFilter rule files must meet the following requirements:
Each rule must be contained on one line. Line continuation characters are not supported.
IPFilter interprets all text to the right of a number symbol (#) as a comment.
Extra white space is allowed and encouraged to keep the rules readable.
6.1.2 Rule Order and Processing
Rules are processed in order from top to bottom of the rules file. By default, IPFilter uses the
first NAT rule that matches the packet it is evaluating.
NOTE: The selection algorithm that IPFilter uses for NAT rules (use the first matching rule) is
the opposite of the default selection algorithm it uses for filter rules (use the last matching rule).
6.1.2.1 Using NAT Rules with Filter Rules
The order that IPFilter evaluates NAT rules and filter rules depends on the direction of the packet.
6.1.2.1.1 Inbound Packets
When processing inbound packets, IPFilter evaluates rules in the following order:
1. NAT rules
6.1 NAT Rules Configuration File 63