
Using Solaris IP Filter's NAT Feature

NAT sets up mapping rules that translate source and destination IP addresses into other Internet or intranet addresses. These rules modify the source and destination addresses of incoming or outgoing IP packets and send the packets on. You can also use NAT to redirect traffic from one port to another port. NAT maintains the integrity of the packet during any modification or redirection done on the packet.

Use the ipnat command to work with NAT rule lists. For more information on the ipnat command, see the ipnat(1M) man page.

You can create NAT rules either at the command line, using the ipnat command, or in a NAT configuration file. NAT configuration rules reside in the ipnat.conf file. If you want the NAT rules to be loaded at boot time, create a file called /etc/ipf/ipnat.conf in which to put NAT rules. If you do not want the NAT rules loaded at boot time, put the ipnat.conf file in a location of your choice, and manually load the NAT rules with the ipnat command.

Configuring NAT Rules

Use the following syntax to create NAT rules:

command interface-name parameters

  1. Each rule begins with one of the following commands:

    map

    Maps one IP address or network to another IP address or network in an unregulated round-robin process.

    rdr

    Redirects packets from one IP address and port pair to another IP address and port pair.

    bimap

    Establishes a bidirectional NAT between an external IP address and an internal IP address.

    map-block

    Establishes static IP address-based translation. This command is based on an algorithm that forces addresses to be translated into a destination range.

  2. Following the command, the next word is the interface name, such as hme0.

  3. Next, you can choose from a variety of parameters, which determine the NAT configuration. Some of the parameters include:

    ipmask

    Designates the network mask.

    dstipmask

    Designates the address that ipmask is translated to.

    mapport

    Designates tcp, udp, or tcp/udp protocols, along with a range of port numbers.

The following example illustrates how to put the NAT rule syntax together to create a NAT rule. To rewrite a packet that goes out on the de0 device with a source address in 192.168.1.0/24 and to externally show its source address as an address in 10.1.0.0/16, you would include the following rule in the NAT rule set:

map de0 192.168.1.0/24 -> 10.1.0.0/16

For the complete grammar and syntax used to write NAT rules, see the ipnat(4) man page.
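The following added example (not Sun's code and not part of this page) models what the map, rdr and bimap rule forms described above do to a packet, so a rule set can be reasoned about before it is loaded with ipnat. The rule set it parses starts from the page's own map rule; the bimap and rdr lines, the interface name de0 and all packet addresses are constructed. The model applies the first matching rule and picks map targets in turn from the target range; the kernel additionally keeps per-session state and port allocations that are not modelled here.

```python
"""Model of ipnat rule semantics for the map, rdr and bimap rule forms.

Added example, not Sun's code. It parses rules in ipnat.conf syntax and
applies them to constructed packets. Assumptions: the first matching rule
is applied, and a map rule hands out target addresses in turn (the page
calls this an unregulated round-robin). Session state and port allocation
done by the real kernel NAT are not modelled.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet is seen on (assumed name, e.g. de0)
    direction: str      # "out" for map/bimap, "in" for rdr and bimap replies
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    cmd: str            # map | rdr | bimap
    iface: str
    match: ipaddress.IPv4Network
    target: ipaddress.IPv4Network
    match_port: Optional[int] = None
    target_port: Optional[int] = None
    proto: Optional[str] = None
    uses: int = 0       # number of map translations so far, drives the round-robin


def _addr_port(parts):
    """Parse 'addr[/mask] [port N] [proto]' as written on either side of '->'."""
    net = ipaddress.ip_network(parts[0])            # a bare host becomes /32
    port = int(parts[2]) if len(parts) >= 3 and parts[1] == "port" else None
    proto = parts[-1] if parts[-1] in ("tcp", "udp", "tcp/udp") else None
    return net, port, proto


def parse_rule(line):
    """Parse one ipnat.conf line: command interface match -> target [options]."""
    tokens = line.split()
    cmd, iface = tokens[0], tokens[1]
    if cmd not in ("map", "rdr", "bimap"):
        raise ValueError(f"unsupported NAT command {cmd!r} (map-block is not modelled)")
    arrow = tokens.index("->")
    mnet, mport, _ = _addr_port(tokens[2:arrow])
    tnet, tport, proto = _addr_port(tokens[arrow + 1:])
    if cmd == "bimap" and (mnet.num_addresses != 1 or tnet.num_addresses != 1):
        raise ValueError("bimap pairs one external address with one internal address")
    return Rule(cmd, iface, mnet, tnet, mport, tport, proto)


def _pick(net, counter):
    """Round-robin choice from the target range, skipping network/broadcast."""
    n = net.num_addresses
    if n <= 2:
        return net[counter % n]
    return net[1 + counter % (n - 2)]


def apply_rules(rules, pkt):
    """Return the packet after NAT; the first matching rule is applied."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.iface != pkt.iface:
            continue
        if r.cmd in ("map", "bimap") and pkt.direction == "out" and src in r.match:
            new_src = r.target[0] if r.cmd == "bimap" else _pick(r.target, r.uses)
            r.uses += 1
            return replace(pkt, src=str(new_src))
        if r.cmd == "bimap" and pkt.direction == "in" and dst == r.target[0]:
            return replace(pkt, dst=str(r.match[0]))      # reverse the static map
        if (r.cmd == "rdr" and pkt.direction == "in" and dst in r.match
                and r.match_port in (None, pkt.dport)
                and r.proto in (None, "tcp/udp", pkt.proto)):
            return replace(pkt, dst=str(r.target[0]),
                           dport=r.target_port if r.target_port else pkt.dport)
    return pkt


# Constructed rule set. The map line is the page's own example; the bimap and
# rdr lines and their addresses are assumed for illustration. The bimap rule is
# listed first so that the /24 map rule does not capture its host.
RULES = """
bimap de0 192.168.1.20/32 -> 10.1.0.20/32
rdr de0 10.1.0.1/32 port 80 -> 192.168.1.10 port 8080 tcp
map de0 192.168.1.0/24 -> 10.1.0.0/16
"""


def demo():
    """Apply the constructed rule set to constructed packets; returns the results."""
    rules = [parse_rule(l) for l in RULES.splitlines() if l.strip()]
    out1 = apply_rules(rules, Packet("de0", "out", "192.168.1.5", "203.0.113.7", "tcp", 443))
    out2 = apply_rules(rules, Packet("de0", "out", "192.168.1.6", "203.0.113.7", "tcp", 443))
    web = apply_rules(rules, Packet("de0", "in", "203.0.113.7", "10.1.0.1", "tcp", 80))
    static_out = apply_rules(rules, Packet("de0", "out", "192.168.1.20", "203.0.113.7"))
    static_in = apply_rules(rules, Packet("de0", "in", "203.0.113.7", "10.1.0.20"))
    other_if = apply_rules(rules, Packet("hme0", "out", "192.168.1.5", "203.0.113.7"))
    return {
        "map_first": out1.src, "map_second": out2.src,
        "rdr": (web.dst, web.dport),
        "bimap_out": static_out.src, "bimap_in": static_in.dst,
        "untouched": other_if.src,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Rule order matters in this model just as the page's description implies: a host-specific bimap listed after a network-wide map would never be reached for outbound traffic, which is why the constructed set lists it first.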

Using Solaris IP Filter's Address Pools Feature

Address pools establish a single reference that is used to name a group of address/netmask pairs. Address pools provide processes to reduce the time needed to match IP addresses with rules. Address pools also make managing large groups of addresses easier.

Address pool configuration rules reside in the ippool.conf file. If you want the address pool rules to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put address pool rules. If you do not want the address pool rules loaded at boot time, put the ippool.conf file in a location of your choice, and manually load the address pools with the ippool command.

Configuring Address Pools

Use the following syntax to create an address pool:

table role = role-name type = storage-format number = reference-number

table

Defines the reference for the multiple addresses.

role

Specifies the role of the pool in Solaris IP Filter. At this time, the only role you can reference is ipf.

type

Specifies the storage format for the pool.

number

Specifies the reference number that is used by the filtering rule.

For example, to reference the group of addresses 10.1.1.1 and 10.1.1.2, and the network 192.168.1.0/24, as pool number 13, you would include the following rule in the address pool configuration file:

table role = ipf type = tree number = 13 
{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24 };

Then, to reference pool number 13 in a filtering rule, you would construct the rule similar to the following example:

pass in from pool/13 to any

Note that you must load the pool file before loading the rules file that contains a reference to the pool. If you do not, the pool is undefined, as shown in the following output:

# ipfstat -io
empty list for ipfilter(out)
block in from pool/13(!) to any

Even if you add the pool later, the addition of the pool does not update the kernel rule set. You also need to reload the rules file that references the pool.

For the complete grammar and syntax used to write packet filtering rules, see the ippool(4) man page.
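The following added example (not Sun's code and not part of this page) is a preflight check for the ordering problem described above: it parses the ippool.conf table syntax, lists every pool/N reference in a rules file whose pool the pool file does not define (the state ipfstat reports as pool/13(!)), and tests whether an address belongs to a pool. Pool 13 is the page's own example; pool 14 and the rules file are constructed, and pool 14 mixes IPv4 and IPv6 entries to cover the mixed pools that the IPv6 section of this page describes.

```python
"""Preflight check for address pools before loading them with ippool and ipf.

Added example, not Sun's code. It parses the 'table role = ... { ... };'
syntax from this page, reports filtering rules that reference a pool number
the pool file does not define, and answers membership queries against a
pool. Pools may hold IPv4 and IPv6 entries in the same table.
"""
import ipaddress
import re

TABLE_RE = re.compile(
    r"table\s+role\s*=\s*(?P<role>\w+)\s+type\s*=\s*(?P<type>\w+)"
    r"\s+number\s*=\s*(?P<number>\d+)\s*\{(?P<members>[^}]*)\}\s*;",
    re.S,
)
POOL_REF_RE = re.compile(r"\bpool/(\d+)\b")


def parse_pools(text):
    """Return {pool number: [networks]} from ippool.conf text."""
    pools = {}
    for m in TABLE_RE.finditer(text):
        if m.group("role") != "ipf":                 # the only role the page defines
            raise ValueError(f"unsupported role {m.group('role')!r}")
        members = [x.strip() for x in m.group("members").split(",") if x.strip()]
        pools[int(m.group("number"))] = [ipaddress.ip_network(x) for x in members]
    return pools


def undefined_pool_refs(pools, rules_text):
    """(line number, pool number) for every pool/N reference the pool file lacks."""
    missing = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        for num in POOL_REF_RE.findall(line):
            if int(num) not in pools:
                missing.append((lineno, int(num)))
    return missing


def address_in_pool(pools, number, addr):
    """True if addr falls in any member of pool `number` (IPv4 or IPv6)."""
    a = ipaddress.ip_address(addr)
    # 'in' is False across address families, so mixed pools are safe to query.
    return any(a in net for net in pools[number])


# Pool 13 is the page's own example. Pool 14 is constructed to show a mixed
# IPv4/IPv6 pool (documentation prefixes, not real hosts).
POOLS = """
table role = ipf type = tree number = 13
{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24 };
table role = ipf type = tree number = 14
{ 10.1.1.0/24, 2001:db8:1::/48 };
"""

# Constructed rules file; the last rule references a pool the pool file lacks.
RULES = """\
pass in from pool/13 to any
pass in from pool/14 to any
block in from pool/15 to any
"""


def demo():
    """Run the checks on the constructed files; returns the findings."""
    pools = parse_pools(POOLS)
    return {
        "undefined": undefined_pool_refs(pools, RULES),
        "v4_in_13": address_in_pool(pools, 13, "192.168.1.77"),
        "v4_not_in_13": address_in_pool(pools, 13, "10.1.1.3"),
        "v6_in_14": address_in_pool(pools, 14, "2001:db8:1::10"),
        "v6_not_in_13": address_in_pool(pools, 13, "2001:db8:1::10"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running this over the real /etc/ipf/ippool.conf and the rules file before calling ippool and ipf catches a dangling pool reference at edit time rather than after the rule is in the kernel with the pool/N(!) marker.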

Packet Filter Hooks

Beginning with the Solaris Express, Developer Edition 2/07 release, packet filter hooks replace the pfil module to enable Solaris IP Filter. In previous Solaris releases, configuration of the pfil module was required as an additional step to set up Solaris IP Filter. This extra configuration requirement increased the risk of errors that would cause Solaris IP Filter to work improperly. The insertion of the pfil STREAMS module between IP and the device driver also caused performance degradation. Lastly, the pfil module could not perform packet interception between zones.

The use of packet filter hooks streamlines the procedure to enable Solaris IP Filter. Through these hooks, Solaris IP Filter uses pre-routing (input) and post-routing (output) filter taps to control packet flow into and out of the Solaris system.

Packet filter hooks eliminate the need for the pfil module. Thus the following components that are associated with the module are also removed.

  • pfil driver

  • pfil daemon

  • svc:/network/pfil SMF service

For tasks associated with enabling Solaris IP Filter, see Chapter 26, Solaris IP Filter (Tasks).

IPv6 for Solaris IP Filter

Beginning with the Solaris 10 6/06 release, support for IPv6 is available with Solaris IP Filter. IPv6 packet filtering can filter based on the source/destination IPv6 address, pools containing IPv6 addresses, and IPv6 extension headers.

IPv6 is similar to IPv4 in many ways. However, header and packet size differ between the two versions of IP, which is an important consideration for IP Filter. IPv6 packets known as jumbograms contain a datagram longer than 65,535 bytes. Solaris IP Filter does not support IPv6 jumbograms. To learn more about other IPv6 features, see Major Features of IPv6.


Note - For more information on jumbograms, refer to the document IPv6 Jumbograms, RFC 2675 from the Internet Engineering Task Force (IETF). [http://www.ietf.org/rfc/rfc2675.txt]


IP Filter tasks associated with IPv6 do not differ substantially from IPv4. The most notable difference is the use of the -6 option with certain commands. Both the ipf command and the ipfstat command include the -6 option for use with IPv6 packet filtering. Use the -6 option with the ipf command to load and flush IPv6 packet filtering rules. To display IPv6 statistics, use the -6 option with the ipfstat command. The ipmon and ippool commands also support IPv6, although there is no associated option for IPv6 support. The ipmon command has been enhanced to accommodate the logging of IPv6 packets. The ippool command supports the pools with IPv6 addresses. You can create pools of only IPv4 or IPv6 addresses, or a pool containing both IPv4 and IPv6 addresses within the same pool.

You can use the ipf6.conf file to create packet filtering rule sets for IPv6. By default, the ipf6.conf configuration file is included in the /etc/ipf directory. As with the other filtering configuration files, the ipf6.conf file loads automatically during the boot process when it is stored in the /etc/ipf directory. You can also create and store an IPv6 configuration file in another location and load the file manually.


Note - Network Address Translation (NAT) does not support IPv6.


Once packet filtering rules for IPv6 have been set up, activate IPv6 packet filtering capabilities by plumbing the inet6 version of the interface.

For more information on IPv6, see Chapter 3, Planning an IPv6 Addressing Scheme (Overview). For tasks associated with Solaris IP Filter, see Chapter 26, Solaris IP Filter (Tasks).

Copyright 1994-2007 Sun Microsystems, Inc.