ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajb_5.4.0.1/rzajbrzajb0fexample4.htm
2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Combine NAT and IP filtering" />
<meta name="abstract" content="In this scenario, your company combines network address translation (NAT) and IP filtering together. Your company wants to hide its personal computers and Web server behind a single, public, IP address and to allow other companies to access the Web server." />
<meta name="description" content="In this scenario, your company combines network address translation (NAT) and IP filtering together. Your company wants to hide its personal computers and Web server behind a single, public, IP address and to allow other companies to access the Web server." />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb0awhyip.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8a1verifyingsd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbactivaterules.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajb0f-example4" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Combine NAT and IP filtering</title>
</head>
<body id="rzajb0f-example4"><a name="rzajb0f-example4"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Combine NAT and IP filtering</h1>
<div><p>In this scenario, your company combines network address translation
(NAT) and IP filtering together. Your company wants to hide its personal computers
and Web server behind a single, public, IP address and to allow other companies
to access the Web server.</p>
<div class="section"><h4 class="sectiontitle">Situation</h4><p>Your business has a moderately sized internal
network that uses an iSeries™ server as its gateway. You want to transfer
all Web traffic from the gateway iSeries server to a dedicated Web server,
behind the gateway. The Web server runs on port 5000. You want to hide all
of your private personal computers and the Web server behind an address on
the gateway iSeries interface (AS02 in the following diagram). You also want
to allow other companies to access the Web server. What should you do?</p>
</div>
<div class="section"><br /><img src="rzajb501.gif" alt="This picture shows&#xA;Company A and Company B. Each company resides on opposite sides of an Internet&#xA;cloud. Company A has an iSeries with the public IP address 192.27.1.1. On&#xA;the token ring behind this server is a private network with the following&#xA;IP addresses: 10.1.1.251 through 10.1.1.254 and a Web server (10.1.1.250, port 5000)." /><br /></div>
<div class="section"><h4 class="sectiontitle">Solution</h4><p>You can use IP filtering and NAT together
to configure your personal computers and Web server.</p>
</div>
<div class="section"> <ul><li>Hide NAT to hide your personal computers behind a public address, 192.27.1.1,
so they can access the Internet.</li>
<li>Port-mapped NAT to hide your Web server address, 10.1.1.250, and port
number, 5000, behind a public address, 192.27.1.1, and port number, 80. Notice
that both NAT rules are hidden behind 192.27.1.1. This is acceptable as long
as the addresses you are hiding do not overlap. The port-mapped NAT rule will
only allow externally initiated traffic on port 80 to access your system.
If the externally initiated traffic does not match the exact address and
port number, NAT will not translate it and the packet will be discarded.</li>
<li>Rules that filter all inbound traffic destined for your private network
through to NAT and any outbound traffic out to the Internet.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Configuration</h4><div class="p">To configure the hide NAT packet rules
described in this scenario, use the <span class="uicontrol">Address Translation</span> wizard
in iSeries Navigator.
The wizard requires the following information: <ul><li>The set of addresses you want to hide: 10.1.1.251 through 10.1.1.254</li>
<li>The interface address behind which you want to hide the set of addresses:
192.27.1.1</li>
</ul>
</div>
</div>
<div class="section"><p>To use the <span class="uicontrol">Address Translation</span> wizard,
follow these steps:</p>
</div>
<div class="section"> <ol><li>In iSeries Navigator,
select <span class="menucascade"><span class="uicontrol"><var class="varname">your server</var></span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">IP policies</span></span>.</li>
<li>Right-click <span class="uicontrol">Packet Rules</span>, and select <span class="uicontrol">Rules
Editor</span>.</li>
<li>From the <span class="uicontrol">Welcome Packet Rules Configuration</span> dialog,
select <span class="uicontrol">Create a new packet rules file</span>, and click <span class="uicontrol">OK</span>.</li>
<li>From the <span class="uicontrol">Wizards</span> menu, select <span class="uicontrol">Address
Translation</span>, and follow the wizard's instructions to configure
the hide address translation packet rules.</li>
</ol>
</div>
<div class="section"><p>This packet rule will hide your four personal computers behind
a public address, so they can access the Internet. Your hide NAT packet rule
looks like the following example: </p>
<br /><img src="rzajb509.gif" alt="What your hide NAT packet rules look like" /><br /></div>
<div class="section"><p>To configure the port-mapped NAT, follow these steps:</p>
</div>
<div class="section"> <ol><li>Access the Packet Rules Editor from iSeries Navigator.</li>
<li>Create a defined address for the Web server address and port 5000: <ol type="a"><li>From the <span class="uicontrol">Insert</span> menu, select <span class="uicontrol">Address...</span>.</li>
<li>On the <span class="uicontrol">General</span> page, enter <kbd class="userinput">Web250</kbd> in
the <span class="uicontrol">Address name</span> field.</li>
<li>Select <span class="uicontrol">IP addresses</span> in the <span class="uicontrol">Defined address</span> drop-down
list. Then click <span class="uicontrol">Add</span> and enter the IP address of the
Web server <kbd class="userinput">10.1.1.250</kbd> in the edit field.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</li>
<li>Create a defined address to represent the public address 192.27.1.1:<div class="note"><span class="notetitle">Note:</span> Because
you already created a defined address to represent the public address 192.27.1.1
when you configured the hide NAT packet rules, you can omit this step for
this particular scenario and skip to Step 4. However, if you use these instructions
to configure the port-mapped NAT for your own network and you did not configure
the hide NAT packet rules, then continue with the instructions for this step.</div>
<ol type="a"><li>From the <span class="uicontrol">Insert</span> menu, select <span class="uicontrol">Address...</span>.</li>
<li>On the <span class="uicontrol">General</span> page, enter or select <kbd class="userinput">BEHIND1</kbd> in
the <span class="uicontrol">Address name</span> field.</li>
<li>Select <span class="uicontrol">IP addresses</span> in the <span class="uicontrol">Defined address</span> drop-down
list. Then click <span class="uicontrol">Add</span> and enter <kbd class="userinput">192.27.1.1</kbd> in
the <span class="uicontrol">IP addresses</span> edit field.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</li>
<li>Create the port-mapped NAT rule: <ol type="a"><li>From the <span class="uicontrol">Insert</span> menu, select <span class="uicontrol">Hide...</span>.</li>
<li>On the <span class="uicontrol">General</span> page, select <kbd class="userinput">Web250</kbd> from
the <span class="uicontrol">Hide address name</span> drop-down list.</li>
<li>Select <span class="uicontrol">BEHIND1</span> from the <span class="uicontrol">Behind address
name</span> drop-down list.</li>
<li>Select <span class="uicontrol">Allow inbound connections</span>, and enter <kbd class="userinput">5000</kbd> in
the <span class="uicontrol">Hide port</span> field.</li>
<li>Enter <kbd class="userinput">80</kbd> in the <span class="uicontrol">Behind port</span> field.</li>
<li>Enter <kbd class="userinput">16</kbd> and select <span class="uicontrol">seconds</span> in
the <span class="uicontrol">Timeout</span> fields.</li>
<li>Enter <kbd class="userinput">64</kbd> in the <span class="uicontrol">Maximum conversations</span> field.</li>
<li>Select <span class="uicontrol">OFF</span> from the <span class="uicontrol">Journaling</span> drop-down
list.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</li>
</ol>
</div>
<div class="section"><p>This port-mapped NAT will hide your Web server address and port
number behind a public address and port number. Notice that both NAT rules
are hidden behind one common IP address. This is acceptable as long as the
addresses you are hiding do not overlap. This port-mapped NAT rule will only
allow externally initiated traffic on port 80 to access your system.</p>
</div>
<div class="section"><p>The port-mapped NAT rule looks like the following example: </p>
<pre>ADDRESS Web250 IP = 10.1.1.250
ADDRESS BEHIND1 IP = 192.27.1.1
HIDE Web250:5000 BEHIND BEHIND1:80 TIMEOUT = 16 MAXCON = 64 JRN = OFF</pre>
</div>
<div class="section"><p>To create the filter rules described in this scenario, follow
these steps: </p>
<ol><li>Access the Packet Rules Editor from iSeries Navigator.</li>
<li>Create a filter rule to permit inbound traffic destined for your private
network. <ol type="a"><li>From the <span class="uicontrol">Welcome Packet Rules Configuration</span> dialog,
select <span class="uicontrol">Create a new packet rules file</span>, and click <span class="uicontrol">OK</span>.</li>
<li>From the <span class="uicontrol">Insert</span> menu, select <span class="uicontrol">Filter...</span>.</li>
<li>On the <span class="uicontrol">General</span> page, enter <kbd class="userinput">external_rules</kbd> in
the <span class="uicontrol">Set name</span> field. </li>
<li>Select <span class="uicontrol">PERMIT</span> from the <span class="uicontrol">Action</span> drop-down
list.</li>
<li>Select <span class="uicontrol">INBOUND</span> from the <span class="uicontrol">Direction</span> drop-down
list.</li>
<li>Select <kbd class="userinput">=</kbd> and <kbd class="userinput">*</kbd> from the <span class="uicontrol">Source
address name</span> drop-down lists.</li>
<li>Select <kbd class="userinput">=</kbd> and enter <kbd class="userinput">192.27.1.1</kbd> in
the <span class="uicontrol">Destination address name</span> fields.</li>
<li>Select <span class="uicontrol">OFF</span> from the <span class="uicontrol">Journaling</span> drop-down
list.</li>
<li>On the <span class="uicontrol">Services</span> page, select <span class="uicontrol">Service</span>.</li>
<li>Select <span class="uicontrol">TCP</span> from the <span class="uicontrol">Protocol</span> drop-down
list.</li>
<li>Select <kbd class="userinput">=</kbd> and <kbd class="userinput">*</kbd> from the <span class="uicontrol">Source
port</span> drop-down lists.</li>
<li>Select <kbd class="userinput">=</kbd> and <kbd class="userinput">*</kbd> from the <span class="uicontrol">Destination
port</span> drop-down lists.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</li>
<li>Create a filter rule to permit outbound traffic from your private network
to the Internet. <ol type="a"><li>From the <span class="uicontrol">Welcome Packet Rules Configuration</span> dialog,
select <span class="uicontrol">Open an existing packet rules file</span>, and click <span class="uicontrol">OK</span>.</li>
<li>From the <span class="uicontrol">Open file</span> dialog, select the <span class="uicontrol">external_rules</span> file,
and click <span class="uicontrol">Open</span>.</li>
<li>From the <span class="uicontrol">Insert</span> menu, select <span class="uicontrol">Filter...</span>.</li>
<li>On the <span class="uicontrol">General</span> page, select <span class="uicontrol">external_rules</span> from
the <span class="uicontrol">Set name</span> drop-down list.</li>
<li>Select <span class="uicontrol">PERMIT</span> from the <span class="uicontrol">Action</span> drop-down
list.</li>
<li>Select <span class="uicontrol">OUTBOUND</span> from the <span class="uicontrol">Direction</span> drop-down
list.</li>
<li>Select <kbd class="userinput">=</kbd> and enter <kbd class="userinput">192.27.1.1</kbd> in
the <span class="uicontrol">Source address name</span> fields.</li>
<li>Select <kbd class="userinput">=</kbd> and <kbd class="userinput">*</kbd> from the <span class="uicontrol">Destination
address name</span> drop-down lists.</li>
<li>Select <span class="uicontrol">OFF</span> from the <span class="uicontrol">Journaling</span> drop-down
list.</li>
<li>On the <span class="uicontrol">Services</span> page, select <span class="uicontrol">Service</span>.</li>
<li>Select <span class="uicontrol">TCP</span> from the <span class="uicontrol">Protocol</span> drop-down
list.</li>
<li>Select <kbd class="userinput">=</kbd> and <kbd class="userinput">*</kbd> from the <span class="uicontrol">Source
port</span> drop-down lists.</li>
<li>Select <kbd class="userinput">=</kbd> and <kbd class="userinput">*</kbd> from the <span class="uicontrol">Destination
port</span> drop-down lists.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</li>
<li>Define a filter interface for the filter set that you created: <ol type="a"><li>From the <span class="uicontrol">Insert</span> menu, select <span class="uicontrol">Filter
interface...</span>.</li>
<li>Select <span class="uicontrol">Line name</span> and select <span class="uicontrol">TRNLINE</span> from
the <span class="uicontrol">Line name</span> drop-down list.</li>
<li>On the <span class="uicontrol">Filter sets</span> page, select <span class="uicontrol">external_rules</span> from
the <span class="uicontrol">Filter set</span> drop-down list, and click <span class="uicontrol">Add</span>.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</li>
</ol>
</div>
<div class="section"><p>These filters, in conjunction with the HIDE statement, will permit
any inbound traffic destined for your private network through to NAT and any
outbound traffic out to the Internet. However, NAT will only allow externally
initiated traffic on port 80 to enter the server. NAT will not translate externally
initiated traffic that does not match the port-mapped NAT rule. The filter
rules look like the following example: </p>
<pre>FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 192.27.1.1
PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF</pre>
<pre>FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.27.1.1 DSTADDR = *
PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF</pre>
<p>This statement binds (associates) the 'external_rules' filter
set with the correct physical interface.</p>
<pre>FILTER_INTERFACE LINE = TRNLINE SET = external_rules</pre>
</div>
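<div class="section"><p>As an added illustration that is not part of the original IBM topic, the following Python script parses the port-mapped NAT and filter statements shown above and walks an externally initiated packet through them in the order this topic describes: the inbound filter is matched against the public address 192.27.1.1, then NAT translates only an exact match on port 80 and discards everything else. The sample packet values and the deny-by-default behaviour for traffic that no filter permits are assumptions.</p>

```python
import re

# Constructed copy of this scenario's port-mapped NAT and filter rules; the
# filter set is named external_rules, as in the wizard steps above.
RULES = """
ADDRESS Web250 IP = 10.1.1.250
ADDRESS BEHIND1 IP = 192.27.1.1
HIDE Web250:5000 BEHIND BEHIND1:80 TIMEOUT = 16 MAXCON = 64 JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 192.27.1.1 PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.27.1.1 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = * JRN = OFF
"""

KV = re.compile(r"(\w+)\s*=\s*(\S+)")          # KEYWORD = value pairs
FIELDS = (("SRCADDR", "src"), ("DSTADDR", "dst"),
          ("SRCPORT", "sport"), ("DSTPORT", "dport"))

def parse_rules(text):
    """Return (hides, filters): HIDE tuples and FILTER keyword dicts."""
    addresses, hides, filters = {}, [], []
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] == "ADDRESS":                # ADDRESS name IP = a.b.c.d
            addresses[words[1]] = dict(KV.findall(line))["IP"]
        elif words[0] == "HIDE":                 # HIDE name:port BEHIND name:port ...
            hide_name, hide_port = words[1].split(":")
            behind_name, behind_port = words[3].split(":")
            hides.append((addresses[hide_name], int(hide_port),
                          addresses[behind_name], int(behind_port)))
        elif words[0] == "FILTER":               # FILTER SET name KEY = value ...
            filters.append(dict(KV.findall(line)))
    return hides, filters

def matches(pattern, value):
    return pattern == "*" or pattern == str(value)

def process_inbound(pkt, hides, filters):
    """Externally initiated packet, in the order the topic describes: the
    filter set sees the public address, then NAT decides whether to translate."""
    permitted = any(
        f["DIRECTION"] == "INBOUND" and f["ACTION"] == "PERMIT"
        and f["PROTOCOL"] == pkt["proto"]
        and all(matches(f[key], pkt[field]) for key, field in FIELDS)
        for f in filters)
    if not permitted:   # assumption: traffic that no filter permits is denied
        return "denied by filter"
    for hide_ip, hide_port, behind_ip, behind_port in hides:
        if (pkt["dst"], pkt["dport"]) == (behind_ip, behind_port):
            return (hide_ip, hide_port)          # port-mapped NAT rewrites the destination
    return "discarded by NAT"                    # no exact address:port match, so not translated
```

Running it shows why the wide-open inbound TCP filter is still safe here: a connection to 192.27.1.1:5000 passes the filter but is discarded by NAT, and only 192.27.1.1:80 reaches 10.1.1.250:5000.
</div>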
<div class="section"><p>After you finish creating these filter rules, you should verify
them to ensure they will activate without errors. After that, you can activate
them.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajb0awhyip.htm" title="Use these scenarios to learn how you can use network address translation (NAT) and IP filtering to protect your network.">Scenarios: Packet rules</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzajbrzajb8a1verifyingsd.htm" title="Always verify your rules before you activate them. This helps ensure that the rules will be activated without problems.">Verify packet rules</a></div>
<div><a href="rzajbactivaterules.htm" title="Activating the packet rules that you create is the final step in configuring packet rules.">Activate packet rules</a></div>
</div>
</div>
</body>
</html>