IPNAT(4)
NAME
ipnat, ipnat.conf - IP NAT file format
DESCRIPTION
By default, HP-UX IPFilter reads Network Address Translation (NAT)
rules from the file at system startup time. You can specify an
alternate rule file for system startup time in the file. You can also
specify an alternate NAT rule file in the runstring.
GRAMMAR
The format for rules can be described using the following grammar in
Backus-Naur Form (BNF):
ipmap ::= mapblock | redir | map .
map ::= "map" ifname ipmask "->" ipmask [ mapport ] .
map ::= "map" ifname fromto "->" ipmask [ mapport ] .
bimap ::= "bimap" ifname ipmask "->" ipmask .
bimap ::= "bimap" ifname fromto "->" ipmask .
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport [ options ] .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
rdrport ::= "port" portnum .
fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
options ::= [ tcpudp ] [ rr ] .
object ::= addr [ port-comp | port-range ] .
addr ::= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp ::= "port" compare port-num .
port-range ::= "port" port-num range port-num .
rr ::= "round-robin" .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
portnumber ::= number { numbers } | "auto" .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
For standard NAT functionality, a rule should start with followed by
the name of the interface for which outgoing packets will have their
source address rewritten.
Packets that will be rewritten can only be selected by matching the
original source address. A netmask must be specified with the IP
address.
The address selected for replacing the original is chosen from an pair.
A netmask of all 1's indicates a hostname is valid. A netmask of 31
1's (255.255.255.254) is considered invalid as there is no space for
allocating host IP#'s after consideration for broadcast and network
addresses.
When remapping TCP and UDP packets, it is also possible to change the
source port number. Either TCP or UDP or both can be selected by each
rule, with a range of port numbers to map to specified as
COMMANDS
There are four keywords recognised by IP Filter's NAT code:
is used for mapping one address or network to another in an unregulated
round robin fashion;
is used for redirecting packets to one IP address and port pair to
another;
for setting up bidirectional NAT between an external IP address and an
internal IP address;
which sets up static IP address based translation, based on an
algorithm to squeeze the addresses to be translated into the
destination range.
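As an added illustration (not part of the man page and not HP-UX IPFilter's own parser), the following Python parses rule lines written against the grammar above and applies the checks this page names: a netmask is mandatory, a 31-bit mask is rejected, and an rdr rule needs a port on both sides of the arrow. The sample lines are constructed; only the ip/bits and ip/mask spellings of ipmask are handled, not the "netmask" form.

```python
import re

# Constructed ipnat.conf lines written against the BNF above (not the man page's own examples).
SAMPLE_RULES = """\
map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports 252
rdr ppp0 0.0.0.0/0 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
"""
RULE_RE = re.compile(
    r"^(?P<kw>map-block|map|bimap|rdr)\s+(?P<ifname>[A-Za-z]+\d+)\s+(?P<src>\S+)"
    r"(?:\s+port\s+(?P<dport>\d+(?:-\d+)?))?\s+->\s+(?P<dst>\S+)(?:\s+(?P<rest>.+))?$")
PROTOS = ("tcp", "udp", "tcp/udp")

def parse_ipmask(text):
    """ipmask ::= ip "/" bits | ip "/" mask  (the "netmask" spelling is not handled)."""
    ip, sep, mask = text.partition("/")
    if not sep:
        raise ValueError("a netmask is required: " + text)
    if mask.isdigit():
        bits = int(mask)
    else:  # dotted mask: must be a contiguous run of leading 1 bits
        value = int.from_bytes(bytes(int(o) for o in mask.split(".")), "big")
        bits = bin(value).count("1")
        if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
            raise ValueError("non-contiguous netmask: " + mask)
    if bits == 31 or bits > 32:  # /31 leaves no host space after network and broadcast
        raise ValueError("unusable netmask: " + mask)
    return ip, bits

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = {"kw": m["kw"], "ifname": m["ifname"], "src": parse_ipmask(m["src"])}
    rest = (m["rest"] or "").split()
    if rule["kw"] == "rdr":  # rdr: ipmask dport "->" ip ["," ip] rdrport [options]
        if not m["dport"] or rest[:1] != ["port"]:
            raise ValueError("rdr needs 'port' on both sides of '->'")
        rule.update(dport=m["dport"], dst=m["dst"].split(","), port=int(rest[1]),
                    proto=next((t for t in rest[2:] if t in PROTOS), None),
                    round_robin="round-robin" in rest[2:])
    else:
        rule["dst"] = parse_ipmask(m["dst"])
        if rest[:1] == ["portmap"]:  # mapport ::= "portmap" tcpudp lo ":" hi
            lo, hi = rest[2].split(":")
            rule["portmap"] = (rest[1], int(lo), int(hi))
        elif rest[:1] == ["ports"]:  # map-block: "ports" N | "auto"
            rule["ports"] = rest[1] if rest[1] == "auto" else int(rest[1])
    return rule

RULES = [parse_rule(l) for l in SAMPLE_RULES.splitlines()]
```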
MATCHING
For basic NAT and redirection of packets, the address subject to change
is used along with its protocol to check if a packet should be altered.
The packet matching part of the rule is to the left of the
Matching of packets has now been extended to allow more complex
comparisons. In place of the address which is to be translated, an IP
address and port number comparison can be made using the same
expressions supported in filter rules. A simple NAT rule could be
written as:
or as:
Only IP address and port numbers can be used to select packets for
mapping. This is available with NAT rules.
TRANSLATION
The descriptors to the right of the are the address and port
specification that will be written into the packet if it has already
successfully matched the prior constraints. The case of redirections
is the simplest; the new destination address is that specified in the
rule. For rules, the destination address and port number combination
will be one for which the tuple combining the new source and
destination is known to be unique. If the packet is either a TCP or
UDP packet, the destination and source ports come into the equation
too. If the tuple already exists, IP Filter will increment the port
number first, within the available range specified with and if there
exists no unique tuple, the source address will be incremented within
the specified netmask. If a unique tuple cannot be determined, then
the packet will not be translated. The behavior is more limited in how
it searches for a new, free and unique tuple, in that it will use an
algorithm to determine what the new source address should be, along
with the range of available ports - the IP address is never changed
and nor does the port number ever exceed its allotted range.
KERNEL PROXIES
IP Filter comes with a few simple proxies built into the code that are
loaded into the kernel to allow secondary channels to be opened without
forcing the packets through a user program.
TRANSPARENT PROXIES
True transparent proxying should be performed using the redirect rules
directing ports to localhost (127.0.0.1) with the proxy program doing a
lookup through /dev/ipnat to determine the real source and address of
the connection.
LOAD-BALANCING
Two options for use with are available to support primitive,
round-robin based load balancing. The first option allows for a to
specify a second destination, as follows:
This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
In scenarios where the load is being spread amongst a larger set of
servers, you can use:
In this case, a connection will be redirected to 203.1.2.3, then
203.1.2.4 and then 203.1.2.5 before going back to 203.1.2.3. In
accomplishing this, the rule is removed from the top of the list and
added to the end, automatically, as required. This will not affect the
display of rules using "ipnat -l", only the internal application order.
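A small model of the selection order just described, added here as an example (it is not IPFilter code): rules are (targets, round_robin) tuples that are assumed to match the same port, a two-address target alternates between its addresses, and a round-robin rule is moved to the end of the internal order after use while the caller's list, which is what ipnat -l would show, stays in place.

```python
# Added model of the rdr selection order described above (not IPFilter code).
# A rule is (targets, round_robin); every rule here is assumed to match the
# same destination port, so the first rule in the internal order always wins.
def redirect_targets(rules, connections):
    """Return the target address chosen for each successive connection."""
    order = list(rules)   # internal application order; the caller's list,
    alternate = {}        # which is what "ipnat -l" lists, is never reordered
    chosen = []
    for _ in range(connections):
        rule = order[0]
        targets, round_robin = rule
        if len(targets) == 2:   # "ip , ip" form: alternate between the two
            flip = alternate.get(rule, 0)
            chosen.append(targets[flip])
            alternate[rule] = 1 - flip
        else:
            chosen.append(targets[0])
        if round_robin:         # the rule used moves from the top to the end
            order.append(order.pop(0))
    return chosen

# Constructed rule sets mirroring the two forms discussed above.
PAIR_RULE = [(("203.1.2.3", "203.1.2.4"), True)]
THREE_RULES = [(("203.1.2.3",), True), (("203.1.2.4",), True), (("203.1.2.5",), True)]
```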
EXAMPLES
The examples in this section show the command and its variations.
To map internal IP addresses from the private network 10.0.0.0/8 to an
ISP-provided, 8-bit subnet 209.1.2.0/24 through the ppp0 interface, the
following could be used:
The problem is that over 16,000,000 IP addresses must be mapped into an
address space with 254 addresses. To increase the address space, port
remapping can be used:
This provides 527,566 combinations of IP addresses and port numbers,
but still less than the number of IP addresses in the 10.0.0.0/8
network. If we were to combine these rules, they would need to be
specified as follows:
This directs IPFilter to apply port mapping for all TCP and UDP and to
apply only IP address mapping for other protocols, such as ICMP.
In some instances, it is more appropriate to use the keyword you want
to guarantee simultaneous access to all within the given range.
However, in the above case, it would default to 1 port per IP address,
since we need to squeeze 24 bits of address space into 8. A good
example of how this is used might be:
which would result in each IP address being given a small range of
ports to use (252). The problem here is that the directive tells the
NAT code to use the next address/port pair available for an outgoing
connection, resulting in no easily discernible relation between
external addresses/ports and internal ones. This is overcome by using
as follows:
For example, this would result in 172.192.0.0/24 being mapped to
209.1.2.0/32 with each address, from 172.192.0.0 to 172.192.0.255,
having 252 ports of its own. In comparison to the above use of if for
some reason the user of 172.192.0.2 wanted 260 simultaneous connections
going out, they would be limited to 252 with but would just use the
next IP address with the keyword.
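To make the squeeze arithmetic concrete, an added example (it is not IPFilter's algorithm): it models the static address/port layout of a rule that splits a source block across a smaller destination block. It assumes that the automatic port range starts at port 1024, an assumption not stated on this page, which is what yields 252 ports per address for a /16 into a /24 and one port per address for a /8 into a /24.

```python
from ipaddress import IPv4Address, IPv4Network

PORT_BASE = 1024                  # assumption: the automatic range starts here
AUTO_PORTS = 65536 - PORT_BASE    # ports available for splitting per external address

def map_block_layout(src_cidr, dst_cidr, ports="auto"):
    """Return (internal addresses per external address, ports per internal
    address) for a static translation of src_cidr into dst_cidr."""
    src, dst = IPv4Network(src_cidr), IPv4Network(dst_cidr)
    per_external = max(1, src.num_addresses // dst.num_addresses)
    if ports == "auto":
        per_internal = max(1, AUTO_PORTS // per_external)   # never below 1 port
    else:
        per_internal = int(ports)
    if per_internal * per_external > 65536:
        raise ValueError("port allotment overflows the 16-bit port space")
    return per_external, per_internal

def map_block_translate(src_cidr, dst_cidr, ports, internal_ip):
    """Which external address and port range a given internal address gets.
    The layout (consecutive internal addresses share one external address,
    each taking the next slice of ports) is this model's assumption."""
    src, dst = IPv4Network(src_cidr), IPv4Network(dst_cidr)
    per_external, per_internal = map_block_layout(src_cidr, dst_cidr, ports)
    offset = int(IPv4Address(internal_ip)) - int(src.network_address)
    if not 0 <= offset < src.num_addresses:
        raise ValueError(internal_ip + " is outside " + src_cidr)
    external = IPv4Address(int(dst.network_address) + offset // per_external)
    low = PORT_BASE + (offset % per_external) * per_internal
    return str(external), low, low + per_internal - 1
```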
FILES
SEE ALSO
ipnat(7), hosts(4), ipf(4), services(4), ipf(1M)
AUTHOR
IPFilter was originally developed by Darren Reed. This HP-UX
enhanced version of IPFilter is based on the open source version
3.5 Alpha 5.