Friday, September 17, 2010

NAT on Solaris

Solaris is different from Linux (obviously), and so are most of the admin commands.
I was faced with a situation in which I had to implement port forwarding. Privileged ports like smb, cifs (138,139), which only root has access to, had to be opened up by a process run by an unprivileged user account.

Here are the steps.

1. Enable ip filtering or NATting.
svcadm enable ipfilter

2. Create or update the following files in the /etc/ipf folder (if the folder does not exist, create it):
ipf.conf, ipnat.conf, pfil.ap (ipmon.pid not required)

3. ipf.conf is loaded at startup. My entries are all commented out in this one.
-bash-3.00# cat /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
-bash-3.00# 

4. ipnat.conf is the main file, which has the relevant entries.
-bash-3.00# cat /etc/ipf/ipnat.conf
rdr e1000g0 0.0.0.0/0 port 445 -> 134.56.55.209 port 1445
rdr e1000g0 0.0.0.0/0 port 139 -> 134.56.55.209 port 1139

Here e1000g0 is the identifier of the NIC (Network Interface Card) and 134.56.55.209 is the IP address of the current machine.
If you don't know the NIC identifier, issue the command ifconfig to find out.

5. Here's how pfil.ap should look.
-bash-3.00# cat /etc/ipf/pfil.ap
# IP Filter pfil autopush setup
#
# See the autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major  minor lastminor modules
#iprb-1 0 pfil
#elxl-1 0 pfil
e1000g-1 0 pfil
#bge-1 0 pfil
#nf-1 0 pfil
#fa-1 0 pfil
#ci-1 0 pfil
#el-1 0 pfil
#ipdptp-1 0 pfil
#lane-1 0 pfil
#dnet-1 0 pfil
#pcelx-1 0 pfil
#spwr-1 0 pfil
#ce-1 0 pfil
-bash-3.00#
Note that only the NIC identifier's row is uncommented.

6. Once the above configuration is done, issue the following command to check whether the system has picked up the NAT rules.
ipnat -l -f /etc/ipf/ipnat.conf


7. Reboot the machine if needed and test drive the NATting.
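Before loading ipnat.conf it is worth checking that every rdr rule actually does what steps 4 and 6 intend: the redirect target is a port the unprivileged daemon can bind (1024 or above), the target address is this host and the interface is the one in pfil.ap. The following lint is an added example, not part of the original post or of IP Filter itself; it only understands the simple "rdr ifc net port N -> addr port M" form used above, and the sample rule set (the post's two rules plus two constructed bad ones) and the host address are assumptions.

```python
"""Lint the simple 'rdr' form of ipnat.conf used in the post (added example)."""
import ipaddress
import re

# Constructed sample: the post's two rules plus two deliberately questionable ones.
SAMPLE_IPNAT_CONF = """\
# redirect privileged ports to an unprivileged daemon on this host
rdr e1000g0 0.0.0.0/0 port 445 -> 134.56.55.209 port 1445
rdr e1000g0 0.0.0.0/0 port 139 -> 134.56.55.209 port 1139
rdr e1000g0 0.0.0.0/0 port 138 -> 134.56.55.209 port 138
rdr e1000g0 0.0.0.0/0 port 22 -> 10.9.8.7 port 2222
"""

# rdr <ifc> <src net> port <sport> -> <dst addr> port <dport> [tcp|udp|tcp/udp]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifc>\S+)\s+(?P<src>\S+)\s+port\s+(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\S+)\s+port\s+(?P<dport>\d+)(?:\s+(?P<proto>tcp/udp|tcp|udp))?$"
)

def parse_rdr_rules(text):
    """Return one dict per rdr rule; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RDR_RE.match(line)
        if not m:  # anything outside the simple form is rejected, not guessed at
            raise ValueError(f"line {lineno}: unsupported ipnat rule: {raw!r}")
        rule = m.groupdict()
        rule.update(lineno=lineno, sport=int(rule["sport"]), dport=int(rule["dport"]))
        rules.append(rule)
    return rules

def lint_rdr_rules(rules, local_addrs, expected_ifc):
    """Return (severity, message) findings for rules that defeat the post's goal."""
    local = {str(ipaddress.ip_address(a)) for a in local_addrs}
    findings = []
    for r in rules:
        where = f"line {r['lineno']} ({r['sport']} -> {r['dport']})"
        if r["ifc"] != expected_ifc:
            findings.append(("warn", f"{where}: interface {r['ifc']} is not {expected_ifc}"))
        if r["dport"] < 1024:  # the unprivileged daemon cannot bind a privileged port
            findings.append(("warn", f"{where}: target port {r['dport']} is privileged"))
        if str(ipaddress.ip_address(r["dst"])) not in local:
            findings.append(("warn", f"{where}: target {r['dst']} is not this host, traffic leaves the box"))
        if ipaddress.ip_network(r["src"], strict=False).prefixlen == 0:
            findings.append(("info", f"{where}: source {r['src']} matches every client; nothing here restricts who may connect"))
    return findings
```

Run against the post's own two rules it reports only the informational finding that 0.0.0.0/0 admits any client, which is where ipf.conf filter rules would come in if the service should be reachable from the LAN only.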


It could take some time to propagate through the company's network DNS servers. The propagation should not take more than 24 hours, however, for an internal LAN with about 25 DNS points.