System Administration Guide: IP Services

Using Oracle Solaris IP Filter's NAT Feature

NAT sets up mapping rules that translate source and destination IP addresses into other Internet or intranet addresses. These rules modify the source and destination addresses of incoming or outgoing IP packets and send the packets on. You can also use NAT to redirect traffic from one port to another port. NAT maintains the integrity of the packet during any modification or redirection done on the packet.

Use the ipnat command to work with NAT rule lists. For more information on the ipnat command, see the ipnat(1M) man page.

You can create NAT rules either at the command line, using the ipnat command, or in a NAT configuration file. NAT configuration rules reside in the ipnat.conf file. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice and load the rules manually with the ipnat command, for example ipnat -CF -f /path/to/ipnat.conf, which flushes the current NAT rule list (-C) and the active translation table (-F) before loading the rules in the file.

Configuring NAT Rules

Use the following syntax to create NAT rules:

command interface-name parameters

  1. Each rule begins with one of the following commands:

    map

    Maps one IP address or network to another IP address or network in an unregulated round-robin process.

    rdr

    Redirects packets from one IP address and port pair to another IP address and port pair.

    bimap

    Establishes a bidirectional NAT between an external IP address and an internal IP address.

    map-block

    Establishes static IP address-based translation. This command is based on an algorithm that forces addresses to be translated into a destination range.

  2. Following the command, the next word is the interface name, such as hme0.

  3. Next, you can choose from a variety of parameters, which determine the NAT configuration. Some of the parameters include:

    ipmask

    Designates the source address and network mask that the rule matches, such as 192.168.1.0/24.

    dstipmask

    Designates the address and mask that matching source addresses are translated to. The notation 0/32 means the address currently configured on the interface.

    mapport

    Designates the optional portmap clause: the keyword portmap, followed by tcp, udp, or tcp/udp and a range of port numbers, for example portmap tcp/udp 10000:20000. Rewriting source ports into the range lets many internal hosts share one translated address.

The following example illustrates how to put the NAT rule syntax together to create a NAT rule. To rewrite a packet that goes out on the de0 device with a source address in 192.168.1.0/24 so that it externally shows a source address in 10.1.0.0/16, you would include the following rule in the NAT rule set:


map de0 192.168.1.0/24 -> 10.1.0.0/16
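
The following script is an added illustration and is not part of the Oracle guide. It writes a complete ipnat.conf that uses all four rule commands (map with and without a portmap clause, map-block, bimap, and rdr), checks that every non-comment line begins with a recognized command, and loads the file with ipnat -CF -f when the ipnat command is present. The interface name e1000g0, the internal networks, and the 198.51.100.0/24 external addresses are assumed for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Builds an ipnat.conf that
# exercises map, map-block, bimap and rdr, sanity-checks it, and loads it
# with ipnat when the command exists. The interface e1000g0 and every
# address below are assumed for illustration.

write_nat_rules() {
    # $1: path of the rules file to write (for boot-time loading this would be
    # /etc/ipf/ipnat.conf; here it is a path the caller chooses).
    cat > "$1" <<'EOF'
# Hide the internal LAN behind the address of e1000g0. 0/32 means "the
# address currently on the interface". The first rule rewrites TCP/UDP source
# ports into 10000-20000 so many hosts can share one address; the second rule
# catches protocols without ports (ICMP, GRE, ...).
map e1000g0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map e1000g0 192.168.1.0/24 -> 0/32

# map-block: deterministic translation of a /16 into a /24 of routable
# addresses; each external address is shared by a fixed block of internal ones.
map-block e1000g0 10.0.0.0/16 -> 198.51.100.0/24

# bimap: one internal server is reachable on one dedicated external address,
# inbound and outbound (a static 1:1 NAT).
bimap e1000g0 192.168.1.10/32 -> 198.51.100.10/32

# rdr: forward inbound TCP port 8080 on the firewall to the web server.
# rdr only rewrites the destination; an ipf rule must still permit the
# translated traffic.
rdr e1000g0 198.51.100.1/32 port 8080 -> 192.168.1.20 port 80 tcp
EOF
}

count_nat_rules() {
    # Print the number of rule lines in $1, ignoring blank and comment lines,
    # and fail if a line does not start with one of the four NAT commands.
    # This is a local check of the first word only; ipnat itself is the
    # authority on the full grammar.
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;
            'map '*|'map-block '*|'bimap '*|'rdr '*) n=$((n + 1)) ;;
            *) echo "unrecognised rule: $line" >&2; return 1 ;;
        esac
    done < "$1"
    echo "$n"
}

load_nat_rules() {
    # Flush the current rule list (-C) and active translation table (-F),
    # then load $1 and list the result. Run as root on the Solaris host;
    # when ipnat is absent (for example when preparing the file elsewhere)
    # report and return without loading.
    if command -v ipnat >/dev/null 2>&1; then
        ipnat -CF -f "$1" && ipnat -l
    else
        echo "ipnat not found; $1 written but not loaded" >&2
    fi
}

# Usage on the Solaris host (as root):
#   write_nat_rules /etc/ipf/ipnat.conf
#   count_nat_rules /etc/ipf/ipnat.conf && load_nat_rules /etc/ipf/ipnat.conf
```

The two map rules are deliberately ordered: the portmap rule handles TCP and UDP, and the plain map rule after it handles everything else, since a rule with a portmap clause does not match protocols that have no ports.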

For the complete grammar and syntax used to write NAT rules, see the ipnat(4) man page.