mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 19:01:19 +01:00
DocBook XML conversion
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@881 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e73ea20dde
commit
612237f0d5
153
Shorewall-docs/NAT.xml
Normal file
153
Shorewall-docs/NAT.xml
Normal file
@ -0,0 +1,153 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="NAT">
|
||||
<articleinfo>
|
||||
<title>One-to-one NAT</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-11-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled "<ulink
|
||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>One-to-one NAT</title>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">If all you want to do is forward ports to
|
||||
servers behind your firewall, you do NOT want to use one-to-one NAT.
|
||||
Port forwarding can be accomplished with simple entries in the <ulink
|
||||
url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<para>One-to-one NAT is a way to make systems behind a firewall and
|
||||
configured with private IP addresses (those reserved for private use in
|
||||
RFC 1918) appear to have public IP addresses. Before you try to use this
|
||||
technique, I strongly recommend that you read the <ulink
|
||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
|
||||
|
||||
<para>The following figure represents a one-to-one NAT environment.</para>
|
||||
|
||||
<graphic fileref="images/staticnat.png" />
|
||||
|
||||
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
|
||||
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
|
||||
that the interface to the upper subnet is eth0, then the following
|
||||
/etc/shorewall/NAT file would make the lower left-hand system appear to
|
||||
have IP address 130.252.100.18 and the right-hand one to have IP address
|
||||
130.252.100.19.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/NAT</title>
|
||||
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">EXTERNAL</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">INTERNAL</entry>
|
||||
|
||||
<entry align="center">ALL INTERFACES</entry>
|
||||
|
||||
<entry align="center">LOCAL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>130.252.100.18</entry>
|
||||
|
||||
<entry>eth0</entry>
|
||||
|
||||
<entry>10.1.1.2</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>130.252.100.19</entry>
|
||||
|
||||
<entry>eth0</entry>
|
||||
|
||||
<entry>10.1.1.3</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
|
||||
above example) is (are) not included in any specification in
|
||||
/etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
|
||||
|
||||
<note>
|
||||
<para>The "ALL INTERFACES" column is used to specify whether
|
||||
access to the external IP from all firewall interfaces should undergo
|
||||
NAT (Yes or yes) or if only access from the interface in the INTERFACE
|
||||
column should undergo NAT. If you leave this column empty, "Yes"
|
||||
is assumed. The ALL INTERFACES column was added in version 1.1.6.
|
||||
<emphasis role="bold">Specifying "Yes" in this column will not
|
||||
allow systems on the lower LAN to access each other using their public
|
||||
IP addresses.</emphasis> For example, the lower left-hand system
|
||||
(10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected
|
||||
to the lower right-hand system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <ulink
|
||||
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>="no" (or
|
||||
"No") in /etc/shorewall/shorewall.conf; If you do not set
|
||||
ADD_IP_ALIASES or if you set it to "Yes" or "yes" then
|
||||
you must NOT configure your own alias(es).</para>
|
||||
|
||||
<para><important><para>Shorewall versions earlier than 1.4.6 can only
|
||||
add external addresses to an interface that is configured with a single
|
||||
subnetwork -- if your external interface has addresses in more than one
|
||||
subnetwork, Shorewall 1.4.5 and earlier can only add addresses to the
|
||||
first one.</para></important></para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>The contents of the "LOCAL" column determine whether
|
||||
packets originating on the firewall itself and destined for the EXTERNAL
|
||||
address are redirected to the internal ADDRESS. If this column contains
|
||||
"yes" or "Yes" (and the ALL INTERFACES COLUMN also
|
||||
contains "Yes" or "yes") then such packets are
|
||||
redirected; otherwise, such packets are not redirected. The LOCAL column
|
||||
was added in version 1.1.8.</para>
|
||||
</note>
|
||||
</section>
|
||||
</article>
|
Loading…
Reference in New Issue
Block a user