The layout of this form closely follows that of the Firewall module.
When a packet comes in, the NAT rules are processed from top to bottom until the options of a rule match the packet; later rules are not consulted. The order of the rules is therefore extremely important. After a track has been chosen from the selection field Track, the NAT rules belonging to that track are listed in the element group below. In the overview the order of the rules can be changed, and single rules can be edited or deleted there as well.
NOTE: "Originated from Gibraltar" is a special track. It enables you to translate (mask) packets that are sent by a service running on Gibraltar itself. Take an HTTP proxy as an example: only a certain number of users, limited by authentication, are allowed to access web pages via the HTTP proxy. You also run your own web site in the DMZ, which is likewise accessible only to this limited group of users. Whenever these users access your own web site, their browser sends the request to the Gibraltar HTTP proxy. The proxy then asks the DNS server to resolve the name of your web site into an IP address, and that IP address is the external IP address of Gibraltar. Requests from outside are correctly forwarded by Gibraltar to the web server in the DMZ, but if the HTTP proxy now sends its request to the external IP address, the reply packets will not be delivered correctly. It is therefore necessary to translate the address of your own web site to the address of the web server in the DMZ whenever a request for it is sent from your own network. Only then will the packets find the right path. This track is needed only in exceptional cases.
• Active: Mark or unmark this checkbox to activate or deactivate the rule.
• Source: Shows the source IP address of the rule. If no IP address is set (ANY), the source IP address is irrelevant for this rule and all source IP addresses are accepted. If an exclamation mark is shown in front of the IP address, all source IP addresses except the listed one match the rule (negation).
• Destination: Shows the destination IP address or destination subnet of the rule. If no IP address is set (ANY), the destination IP address is irrelevant for this rule and all destination IP addresses are accepted. If an exclamation mark is shown in front of the IP address, all destination IP addresses except the listed one match the rule (negation).
• Service: Shows the service or the protocol for the rule. If no protocol is set (ANY), the field is ignored.
• Dest. port: Shows the destination port for this rule. This setting identifies the service the rule applies to; for example, destination port 80 matches all packets belonging to HTTP connections. Entries in this column are only allowed for the protocols TCP and UDP, because only these protocols use ports. If no destination port is set for the shown rule, ANY is displayed in the overview.
• Action: Specifies what happens to the packet if all the configured options match. If you are editing the NAT rules of an incoming track, DNAT and REDIRECT are available. If you are editing the NAT rules of an outgoing track, SNAT and MASQUERADE are available.
  • DNAT (Destination NAT): The destination address of a packet is translated to redirect the packet to another host. If you are running a web server in your internal network, all requests arrive at the external interface of Gibraltar and are redirected to the internal IP address of your web server. All further packets of this connection are modified as well.
  • REDIRECT: All packets are redirected to another local port on Gibraltar. Using this option you can reroute all public requests to a proxy server without changing the destination address of the packet.
  • SNAT (Source NAT): Using this option, the source address of a packet is translated. For example: a client from the internal network sends a request. It uses the IP address 192.168.0.36 and sends an HTTP request to 193.172.22.54. As the internal client uses a private IP address, the packet would be dropped when leaving the private network. For this reason Gibraltar translates the source IP address using SNAT. Gibraltar then accepts the reply and forwards it to the requesting client.
  • MASQUERADE: This option is used in association with dynamically assigned public IP addresses (e.g. dial-in connections). If the connection terminates, all connections belonging to it are deleted. This is necessary because another subscriber could be assigned the IP address you were using before, which could lead to misuse of those connections.
• --to: Shows the IP address to which the packet is translated.
ATTENTION: The translation of packets using NAT does no packet filtering. You have to configure separate filter rules for all translated packets, because packet filtering is done after translation for incoming packets and before translation for outgoing packets.
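As an added illustration of the first-match evaluation and of the ATTENTION note above (constructed example code, not part of Gibraltar): a small Python model of an incoming NAT track whose rule fields follow the columns described above. The addresses, the sample rules and the `incoming_path` helper are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:              # one row of the NAT overview; None stands for ANY
    active: bool
    source: str | None      # e.g. "192.168.0.0/24"; a leading "!" negates the match
    destination: str | None
    service: str | None     # "tcp", "udp", "icmp", ...
    dest_port: int | None   # only allowed for tcp and udp
    action: str             # DNAT, REDIRECT, SNAT or MASQUERADE
    to: str                 # the --to address (a port number for REDIRECT)

def _addr_matches(spec: str | None, addr: str) -> bool:
    if spec is None:                      # ANY: the address is irrelevant
        return True
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != negate               # "!" inverts the result

def rule_matches(rule: NatRule, pkt: dict) -> bool:
    if not (rule.active and _addr_matches(rule.source, pkt["src"])
            and _addr_matches(rule.destination, pkt["dst"])):
        return False
    if rule.service is not None and rule.service != pkt["proto"]:
        return False
    if rule.dest_port is not None:        # ports exist only for TCP and UDP
        return pkt["proto"] in ("tcp", "udp") and pkt.get("dport") == rule.dest_port
    return True

def apply_nat(rules: list, pkt: dict):
    for idx, rule in enumerate(rules):    # top to bottom; the first match wins
        if rule_matches(rule, pkt):
            out = dict(pkt)
            if rule.action == "REDIRECT":   # stays on Gibraltar, only the port changes
                out["dport"] = int(rule.to)
            else:                           # DNAT rewrites dst, SNAT/MASQUERADE rewrite src
                out["dst" if rule.action == "DNAT" else "src"] = rule.to
            return idx, out
    return None, dict(pkt)                # nothing matched: packet passes untranslated

def incoming_path(nat_rules, filter_allows, pkt):
    idx, translated = apply_nat(nat_rules, pkt)        # incoming track: NAT first ...
    return idx, translated, filter_allows(translated)  # ... then the filter sees the new dst
INCOMING = [  # constructed sample: 203.0.113.10 is Gibraltar's external address, 10.0.1.0/24 the DMZ
    NatRule(True, None, "203.0.113.10", "tcp", 80, "DNAT", "10.0.1.80"),
    NatRule(True, "!192.168.0.0/24", "203.0.113.10", "tcp", 22, "DNAT", "10.0.1.22"),
    NatRule(True, None, "203.0.113.10", "tcp", 80, "DNAT", "10.0.1.81"),  # shadowed by rule 0
]
```

Rule 2 can never be chosen because rule 0 already matches every port-80 packet, and a filter rule for the web server must name the translated address 10.0.1.80 rather than 203.0.113.10, since incoming packets are filtered after DNAT.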