Securing the Network in Oracle® Solaris 11.3

Updated: April 2019

Managing NAT Rules for IP Filter

The following procedures manage, view, and modify NAT rules for IP Filter.

How to View Active NAT Rules in IP Filter

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  • View the active NAT rules.

    The following example shows the output from the active NAT rules set.

    # ipnat -l
    List of active MAP/Redirect filters:
    map net0 198.51.100.0/27 -> 192.0.2.0/27
    
    List of active sessions:

How to Deactivate NAT Rules in IP Filter

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  • Remove NAT rules from the kernel.
    # ipnat -FC

    The -C option removes all entries in the current NAT rule listing. The -F option removes all active entries in the current NAT translation table, which shows the currently active NAT mappings.

Example 16  Removing NAT Rules

The following example shows how to remove the entries in the current NAT rules.

# ipnat -l
List of active MAP/Redirect filters:
map net0 198.51.100.0/27 -> 192.0.2.0/27

List of active sessions:
# ipnat -C
1 entries flushed from NAT list
# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:

How to Append Rules to the NAT Packet Filtering Rules

Appending rules to an existing rule set can be useful when testing or troubleshooting. The IP Filter service remains enabled when the rules are added. However, when the service is refreshed, restarted, or enabled, the NAT rules are lost, unless they exist in a file that is a property of the IP Filter service.

Before You Begin

You must become an administrator who is assigned the IP Filter Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  • Use one of the following methods to append rules to the active rule set:
    • Append rules to the NAT rule set at the command line using the ipnat -f - command.

      # echo "map net0 198.51.100.0/27 -> 192.0.2.0/27" | ipnat -f -

      These appended rules are not part of IP Filter configuration when the service is refreshed, restarted, or enabled.

    • Perform the following commands:

      1. Create additional NAT rules in a file of your choice.

      2. Add the rules that you have created to the active NAT rules.

        # ipnat -f filename

        The rules in filename are added to the end of the NAT rules.

        If filename is the value of one of the IP Filter configuration file properties, then the rules are reloaded when the service is enabled, restarted, or refreshed. Otherwise, the appended rules provide a temporary rule set.

Example 17  Appending Rules to the NAT Rule Set

The following example shows how to add a rule to the NAT rule set from the command line.

# ipnat -l
List of active MAP/Redirect filters:

List of active sessions:
# echo "map net0 198.51.100.0/27 -> 192.0.2.0/27" | ipnat -f -
# ipnat -l
List of active MAP/Redirect filters:
map net0 198.51.100.0/27 -> 192.0.2.0/27

List of active sessions:
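As an added check for the persistence caveat in the procedure above (this script is not from the Oracle documentation), the following POSIX shell code parses the MAP/Redirect section of `ipnat -l` output and reports rules that are active but absent from the persistent rules file, so they would be lost on the next refresh, restart, or enable of the service; it runs on constructed sample data in place of live command output.

```shell
#!/bin/sh
# Added example, not Oracle's code: compare the MAP/Redirect section of
# `ipnat -l` output against the persistent NAT rules file and report rules
# that are active now but will not survive a refresh/restart of IP Filter.

# Print the rule lines between the MAP/Redirect header and the sessions header.
active_rules() {
    awk '
        /^List of active MAP\/Redirect filters:/ { in_rules = 1; next }
        /^List of active sessions:/             { in_rules = 0 }
        in_rules && NF                          { print }
    '
}

# Normalise rule-file text: strip comments, squeeze whitespace, drop blanks.
persistent_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' | grep -v '^$'
}

# transient_rules LISTING FILE_TEXT
# Prints each active rule that has no exact match in FILE_TEXT.
transient_rules() {
    printf '%s\n' "$1" | active_rules | while IFS= read -r rule; do
        if ! printf '%s\n' "$2" | persistent_rules | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Constructed sample data modelled on the listings in this section;
# the second map rule was appended with `ipnat -f -` and never saved.
SAMPLE_LISTING='List of active MAP/Redirect filters:
map net0 198.51.100.0/27 -> 192.0.2.0/27
map net0 203.0.113.0/27 -> 192.0.2.32/27

List of active sessions:'

SAMPLE_FILE='# persistent NAT rules file (constructed)
map net0 198.51.100.0/27 -> 192.0.2.0/27'

# On a live system, pass "$(ipnat -l)" and "$(cat /path/to/nat-rules-file)".
transient_rules "$SAMPLE_LISTING" "$SAMPLE_FILE"
```

The comparison is textual, so the file must hold rules in the same form that ipnat -l prints them.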