shorewall_code/Shorewall-docs2/NAT.xml

115 lines
5.4 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NAT">
<!--$Id$-->
<articleinfo>
<title>One-to-one NAT</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-08-10</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>One-to-one NAT</title>
<important>
<para><emphasis role="bold">If all you want to do is forward ports to
servers behind your firewall, you do NOT want to use one-to-one NAT.
Port forwarding can be accomplished with simple entries in the <ulink
url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
</important>
<para>One-to-one NAT is a way to make systems behind a firewall and
configured with private IP addresses (those reserved for private use in
RFC 1918) appear to have public IP addresses. Before you try to use this
technique, I strongly recommend that you read the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
<para>The following figure represents a one-to-one NAT environment.</para>
<graphic fileref="images/staticnat.png" />
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following
<filename>/etc/shorewall/nat</filename> file would make the lower
left-hand system appear to have IP address 130.252.100.18 and the
right-hand one to have IP address 130.252.100.19. It should be stressed
that these entries in the <filename>/etc/shorewall/nat</filename> file do
not automatically enable traffic between the external network and the
internal host(s) — such traffic is still subject to your policies and
rules.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
130.252.100.18 eth0 10.1.1.2 no no
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
<para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
above example) is (are) not included in any specification in
<filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/proxyarp</filename>.</para>
<note>
<para>The <quote>ALL INTERFACES</quote> column is used to specify
whether access to the external IP from all firewall interfaces should
undergo NAT (Yes or yes) or if only access from the interface in the
INTERFACE column should undergo NAT. If you leave this column empty,
<quote>No</quote> is assumed (Shorewall 2.0.0 and later -- prior to
this, <quote>Yes</quote> was assumed). <emphasis role="bold">Specifying
<quote>Yes</quote> in this column will not allow systems on the lower
LAN to access each other using their public IP addresses.</emphasis> For
example, the lower left-hand system (10.1.1.2) cannot connect to
130.252.100.19 and expect to be connected to the lower right-hand
system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
</note>
<note>
<para>Shorewall will automatically add the external address to the
specified interface unless you specify <ulink
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
(or <quote>No</quote>) in <filename>/etc/shorewall/shorewall.conf</filename>;
If you do not set ADD_IP_ALIASES or if you set it to <quote>Yes</quote>
or <quote>yes</quote> then you must NOT configure your own alias(es).</para>
<para><important><para>Shorewall versions earlier than 1.4.6 can only
add external addresses to an interface that is configured with a single
subnetwork -- if your external interface has addresses in more than one
subnetwork, Shorewall 1.4.5 and earlier can only add addresses to the
first one.</para></important></para>
</note>
<note>
<para>The contents of the <quote>LOCAL</quote> column determine whether
packets originating on the firewall itself and destined for the EXTERNAL
address are redirected to the internal ADDRESS. If this column contains
<quote>yes</quote> or <quote>Yes</quote> (and the ALL INTERFACES COLUMN
also contains <quote>Yes</quote> or <quote>yes</quote>) then such
packets are redirected; otherwise, such packets are not redirected. This
feature requires kernel 2.4.19 or later and iptables 1.2.6a or later and
you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.</para>
</note>
</section>
</article>