From 612237f0d540ae91ec2e17559a6afed0ae5ada59 Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Wed, 17 Dec 2003 19:43:08 +0000 Subject: [PATCH] DocBook XML conversion git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@881 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/NAT.xml | 153 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 Shorewall-docs/NAT.xml diff --git a/Shorewall-docs/NAT.xml b/Shorewall-docs/NAT.xml new file mode 100644 index 000000000..c2ae72e5b --- /dev/null +++ b/Shorewall-docs/NAT.xml @@ -0,0 +1,153 @@ + + +
+ + One-to-one NAT + + + + Tom + + Eastep + + + + 2003-11-22 + + + 2001 + + 2002 + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + + + +
+ One-to-one NAT + + + If all you want to do is forward ports to + servers behind your firewall, you do NOT want to use one-to-one NAT. + Port forwarding can be accomplished with simple entries in the rules file. + + + One-to-one NAT is a way to make systems behind a firewall and + configured with private IP addresses (those reserved for private use in + RFC 1918) appear to have public IP addresses. Before you try to use this + technique, I strongly recommend that you read the Shorewall Setup Guide. + + The following figure represents a one-to-one NAT environment. + + + + One-to-one NAT can be used to make the systems with the 10.1.1.* + addresses appear to be on the upper (130.252.100.*) subnet. If we assume + that the interface to the upper subnet is eth0, then the following + /etc/shorewall/NAT file would make the lower left-hand system appear to + have IP address 130.252.100.18 and the right-hand one to have IP address + 130.252.100.19. + + + /etc/shorewall/NAT + + + + + EXTERNAL + + INTERFACE + + INTERNAL + + ALL INTERFACES + + LOCAL + + + + + + 130.252.100.18 + + eth0 + + 10.1.1.2 + + yes + + yes + + + + 130.252.100.19 + + eth0 + + 10.1.1.3 + + yes + + yes + + + +
+ + Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the + above example) is (are) not included in any specification in + /etc/shorewall/masq or /etc/shorewall/proxyarp. + + + The "ALL INTERFACES" column is used to specify whether + access to the external IP from all firewall interfaces should undergo + NAT (Yes or yes) or if only access from the interface in the INTERFACE + column should undergo NAT. If you leave this column empty, "Yes" + is assumed. The ALL INTERFACES column was added in version 1.1.6. + Specifying "Yes" in this column will not + allow systems on the lower LAN to access each other using their public + IP addresses. For example, the lower left-hand system + (10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected + to the lower right-hand system. See FAQ 2a. + + + + Shorewall will automatically add the external address to the + specified interface unless you specify ADD_IP_ALIASES="no" (or + "No") in /etc/shorewall/shorewall.conf; If you do not set + ADD_IP_ALIASES or if you set it to "Yes" or "yes" then + you must NOT configure your own alias(es). + + Shorewall versions earlier than 1.4.6 can only + add external addresses to an interface that is configured with a single + subnetwork -- if your external interface has addresses in more than one + subnetwork, Shorewall 1.4.5 and earlier can only add addresses to the + first one. + + + + The contents of the "LOCAL" column determine whether + packets originating on the firewall itself and destined for the EXTERNAL + address are redirected to the internal ADDRESS. If this column contains + "yes" or "Yes" (and the ALL INTERFACES COLUMN also + contains "Yes" or "yes") then such packets are + redirected; otherwise, such packets are not redirected. The LOCAL column + was added in version 1.1.8. + +
+
\ No newline at end of file
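Review bot: the legalnotice in the new NAT.xml says a copy of the license "is included in the section entitled "GNU Free Documentation License"", but the added file ends after the LOCAL column description with no such section and no link to one; either add the section or reword the sentence to point at where the GFDL text actually lives. Two smaller documentation points in the same hunk: the caution "the internal system(s) ... is (are) not included in any specification in /etc/shorewall/masq or /etc/shorewall/proxyarp" reads awkwardly and would be clearer as "none of the internal systems (10.1.1.2 and 10.1.1.3 in the example) may appear in /etc/shorewall/masq or /etc/shorewall/proxyarp"; and since the page opens by steering port-forwarding users to the rules file, it should say explicitly whether a NAT entry on its own permits traffic to the internal address or whether the rules and policies still govern it, so readers do not assume the NAT entry alone exposes the host.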