ipnat man page on HP-UX

IPNAT(4)							      IPNAT(4)

       ipnat, ipnat.conf - IP NAT file format

       By  default,  HP-UX  IPFilter  reads  Network Address Translation (NAT)
       rules from the file at system startup time.  You can specify an	alter‐
       nate rule file for system startup time in the file You can also specify
       an alternate NAT rule file in the runstring.

       The format for rules can be described using the	following  grammar  in
       Backus-Naur Form (BNF):

       ipmap ::= mapblock | redir | map .

       map ::= "map" ifname ipmask "->" ipmask [ mapport ] .
       map ::= "map" ifname fromto "->" ipmask [ mapport ] .
       bimap ::= "bimap" ifname ipmask "->" ipmask .
       bimap ::= "bimap" ifname fromto "->" ipmask .
       mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
       redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport [ options ] .

       dport ::= "port" portnum [ "-" portnum ] .
       ports ::= "ports" numports | "auto" .
       rdrport ::= "port" portnum .
       fromto ::= "from" object "to" object .
       ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
       mapport ::= "portmap" tcpudp portnumber ":" portnumber .
       options ::= [ tcpudp ] [ rr ] .

       object ::= addr [ port-comp | port-range ] .
       addr ::= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
       port-comp ::= "port" compare port-num .
       port-range ::= "port" port-num range port-num .

       rr ::= "round-robin" .
       tcpudp ::= "tcp" | "udp" | "tcp/udp" .
       portnumber ::= number { numbers } | "auto" .
       ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .

       numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
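       As an added illustration of the grammar above (not part of the man page
       or of IPFilter itself), the following Python linter parses the map,
       map-block, rdr and bimap rule forms and applies the netmask check the
       text describes: a netmask of 31 1's is rejected because no host
       addresses remain after the network and broadcast addresses are taken
       out.  The interface name lan0 and all addresses are constructed sample
       values.

```python
import ipaddress
import re

# Constructed sample ipnat.conf rules (not from the man page); the last
# line deliberately uses a /31 so the linter has something to reject.
SAMPLE_RULES = """
map lan0 10.0.0.0/8 -> 192.0.2.0/24 portmap tcp/udp 10000:20000
map-block lan0 10.1.0.0/16 -> 192.0.2.0/24 ports auto
rdr lan0 192.0.2.1/32 port 80 -> 10.0.0.5,10.0.0.6 port 8080 tcp round-robin
bimap lan0 10.0.0.9/32 -> 192.0.2.9/32
map lan0 203.0.113.0/31 -> 192.0.2.0/24
"""

def parse_ipmask(tok):
    """ip/bits or ip/mask -> IPv4Network; a /31 leaves no room for hosts."""
    net = ipaddress.IPv4Network(tok, strict=False)
    if net.prefixlen == 31:
        raise ValueError(f"netmask of 31 1's is invalid: {tok}")
    return net

def parse_rule(line):
    """Parse one rule into a dict following the BNF (map/bimap/map-block/rdr)."""
    toks = line.split()
    kw, ifname = toks[0], toks[1]
    if not re.fullmatch(r"[A-Za-z]+[0-9]+", ifname):   # ifname ::= letters numbers
        raise ValueError(f"bad interface name: {ifname}")
    arrow = toks.index("->")
    rule = {"kw": kw, "ifname": ifname, "src": parse_ipmask(toks[2])}
    if kw in ("map", "bimap", "map-block"):
        rule["dst"] = parse_ipmask(toks[arrow + 1])
        rest = toks[arrow + 2:]
        if rest[:1] == ["portmap"]:                    # portmap tcpudp lo:hi
            lo, hi = rest[2].split(":")
            rule["portmap"] = (rest[1], int(lo), int(hi))
        elif rest[:1] == ["ports"]:                    # ports numports | auto
            rule["ports"] = rest[1] if rest[1] == "auto" else int(rest[1])
    elif kw == "rdr":
        rule["dport"] = int(toks[4])                   # "port" portnum
        rule["to"] = [ipaddress.IPv4Address(a) for a in toks[arrow + 1].split(",")]
        rule["rdrport"] = int(toks[arrow + 3])
        rule["options"] = toks[arrow + 4:]             # [ tcpudp ] [ round-robin ]
    else:
        raise ValueError(f"unknown keyword: {kw}")
    return rule

def lint(text):
    """Parse every non-empty line; return (rules, [(line_no, error), ...])."""
    rules, errors = [], []
    for n, line in enumerate(text.strip().splitlines(), 1):
        try:
            rules.append(parse_rule(line))
        except (ValueError, IndexError) as e:
            errors.append((n, str(e)))
    return rules, errors
```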

       For  standard  NAT  functionality, a rule should start with followed by
       the name of the interface for which outgoing packets  will  have	 their
       source address rewritten.

       Packets	that  will  be	rewritten can only be selected by matching the
       original source address.	 A netmask  must  be  specified	 with  the  IP

       The address selected for replacing the original is chosen from an pair.
       A netmask of all 1's indicates a hostname is valid.  A  netmask	of  31
       1's  (  is  considered invalid as there is no space for
       allocating host IP#'s after consideration  for  broadcast  and  network

       When  remapping	TCP and UDP packets, it is also possible to change the
       source port number.  Either TCP or UDP or both can be selected by  each
       rule, with a range of port numbers to map to specified as

       There are four keywords recognised by IP Filter's NAT code:

       Is used for mapping one address or network to another in an unregulated
	      round robin fashion;

       Is used for redirecting packets to one IP address and port pair to

       for  setting up bidirectional NAT between an external IP address and an
	      IP address;

       which sets up static IP-address-based translation, based on an  algo‐
	      rithm to squeeze the addresses to be translated into the destination

       For basic NAT and redirection of packets, the address subject to change
       is used along with its protocol to check if a packet should be altered.
       The packet matching part of the rule is to the left of the

       Matching of packets has now been extended to allow more complex compar‐
       isons.	In  place  of  the  address  which  is to be translated, an IP
       address and port number comparison can be made using the	 same  expres‐
       sions  supported	 in  filter rules.  A simple NAT rule could be written
       or as:

       Only IP address and port numbers can be used to select packets for map‐
       ping.  This is available with NAT rules.

       The descriptors to the right of the are the address and port  specifi‐
       cation  that  will be written into the packet if it has already success‐
       fully matched the prior constraints.  The case of redirections  is  the
       simplest;  the  new destination address is that specified in the rule.
       For rules, the destination address and port number combination will be
       one  for  which the tuple combining the new source and destination is
       known to be unique.  If the packet is either a TCP or UDP packet,  the
       destination  and source ports come into the equation too.  If the tuple
       already exists, IP Filter will increment the port number first,  within
       the available range specified with and if there exists no unique tuple,
       the source address will be incremented within the  specified  netmask.
       If  a  unique  tuple cannot be determined, then the packet will not be
       translated.  The behavior is more limited in how it searches for a new,
       free  and unique tuple, in that it will use an algorithm to determine
       what the new source address should be, along with the range of  avail‐
       able  ports: the IP address is never changed, nor does the port number
       ever exceed its allotted range.
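       The tuple search described above, as an added model that is not  IPFil‐
       ter's  own code: a map translation is unique on (new source address, new
       source port, destination address, destination port), ports  within  the
       portmap  range  are  tried  first, then the next address in the rule's
       netmask, and when nothing is free the packet  is  not  translated.  The
       pool  192.0.2.0/30  and  the  two-port range 40000:40001 are constructed
       sample values chosen so the pool exhausts after four connections.

```python
import ipaddress

# Constructed parameters standing in for a rule such as
#   map lan0 10.0.0.0/8 -> 192.0.2.0/30 portmap tcp/udp 40000:40001
# (sample values, not from the man page): two usable external addresses,
# each with a two-port range, so at most four tuples per destination.
POOL = ipaddress.IPv4Network("192.0.2.0/30")
PORT_LO, PORT_HI = 40000, 40001


class MapTable:
    """Active map translations keyed by (new src, new sport, dst, dport)."""

    def __init__(self, pool=POOL, lo=PORT_LO, hi=PORT_HI):
        self.pool, self.lo, self.hi = pool, lo, hi
        self.active = set()

    def allocate(self, dst, dport):
        """Pick the next free tuple for a connection to dst:dport.

        Search order as the man page gives it for map rules: every port in
        the portmap range on the current source address is tried first, then
        the next address inside the rule's netmask.  Returns None when no
        unique tuple exists, i.e. the packet would not be translated.
        """
        dst = ipaddress.IPv4Address(dst)
        for addr in self.pool.hosts():
            for port in range(self.lo, self.hi + 1):
                tup = (addr, port, dst, dport)
                if tup not in self.active:
                    self.active.add(tup)
                    return str(addr), port
        return None

    def release(self, addr, port, dst, dport):
        """Free a tuple when its session ends so the address/port can be reused."""
        self.active.discard((ipaddress.IPv4Address(addr), port,
                             ipaddress.IPv4Address(dst), dport))
```

Because the destination is part of the tuple, the same external address and
port can still serve a connection to a different destination after the pool
is exhausted for the first one.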

       IP  Filter comes with a few simple proxies built into the code that are
       loaded into the kernel to allow secondary channels to be opened without
       forcing the packets through a user program.

       True  transparent proxying should be performed using the redirect rules
       directing ports to localhost ( with the proxy program doing a
       lookup  through	/dev/ipnat to determine the real source and address of
       the connection.

       Two options for use with are available  to  support  primitive,	round-
       robin based load balancing.  The first option allows for a to specify a
       second destination, as follows:
       This would send alternate connections to either or
       In  scenarios  where  the  load is being spread amongst a larger set of
       servers, you can use:
       In this case, a connection will be redirected to, then and then  before
       going  back  to  In accomplishing this, the rule is removed from the top
       of the list and added to the end, automatically, as required.  This will
       not  affect  the display of rules using "ipnat -l", only the internal
       application order.

       The examples in this section show with the command and its varia‐

       To  map internal IP addresses from the private network to an
       ISP-provided, 8-bit subnet through the ppp0 interface, the
       following could be used:

       The problem is that over 16,000,000 IP addresses must be mapped into an
       address space with 254 addresses.  To increase the address space,  port
       remapping can be used:

       This  provides  527,566	combinations of IP addresses and port numbers,
       but still less than the number of IP addresses in the  net‐
       work.   If we were to combine these rules, they would need to be speci‐
       fied as follows:

       This directs IPFilter to apply port mapping for all TCP and UDP and  to
       apply only IP address mapping for other protocols, such as ICMP.

       In some instances, it is more appropriate to use the keyword if you want
       to  guarantee  simultaneous access to all within the given range.  How‐
       ever, in the above case, it would default to 1 port per IP address, since
       we need to squeeze 24 bits of address space into 8.  A good example of
       how this is used might be:

       which would result in each IP address being given  a  small  range  of
       ports  to  use (252).  The problem here is that the directive tells the
       NAT code to use the next address/port pair available for  an  outgoing
       connection,  resulting in no easily discernible relation between exter‐
       nal addresses/ports and internal ones.  This is overcome by  using  as

       For example, this  would	 result	 in  being  mapped  to  with each address, from to hav‐
       ing 252 ports of its own.  In comparison to the above  use  of  if  for
       some reason the user of wanted 260 simultaneous connections
       going out, they would be limited to 252 with but	 would	just  use  the
       next IP address with the keyword.


       ipnat(7), hosts(4), ipf(4), services(4), ipf(1M)

       IPFilter	  was	originally   developed	 by  Darren  Reed.  This HP-UX
       enhanced	 version  of IPFilter  is based	 on the	 open  source  version
       3.5  Alpha 5.

