Static NAT

IMPORTANT: If all you want to do is forward ports to servers behind your firewall, you do NOT want to use static NAT. Port forwarding can be accomplished with simple entries in the rules file.

Static NAT is a way to make systems behind a firewall and configured with private IP addresses (those reserved for private use in RFC1918) appear to have public IP addresses.

The following figure represents a static NAT environment.

Static NAT can be used to make the systems with the 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we assume that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT file would make the lower left-hand system appear to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.

EXTERNAL        INTERFACE  INTERNAL  ALL INTERFACES  LOCAL
130.252.100.18  eth0       10.1.1.2  yes             yes
130.252.100.19  eth0       10.1.1.3  yes             yes

Be sure that the internal systems (10.1.1.2 and 10.1.1.3 in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/proxyarp.
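As an added consistency check (not part of Shorewall or of this page), the script below parses a nat file in the column order shown above and reports every INTERNAL address that a masq SUBNET or proxyarp ADDRESS entry covers, including a CIDR block such as 10.1.1.0/24 that contains it. The sample file contents and the assumed column layouts of masq (INTERFACE SUBNET) and proxyarp (ADDRESS INTERFACE EXTERNAL) are constructed for the example.

```python
import ipaddress

# Constructed sample files (not real configuration); nat columns follow the
# page: EXTERNAL INTERFACE INTERNAL ALL-INTERFACES LOCAL.
NAT_SAMPLE = """\
#EXTERNAL        INTERFACE  INTERNAL  ALL INTERFACES  LOCAL
130.252.100.18  eth0       10.1.1.2  yes             yes
130.252.100.19  eth0       10.1.1.3  yes             yes
"""
# Assumed masq layout INTERFACE SUBNET; this SUBNET wrongly covers the whole LAN.
MASQ_SAMPLE = "#INTERFACE  SUBNET\neth0        10.1.1.0/24\n"
# Assumed proxyarp layout ADDRESS INTERFACE EXTERNAL.
PROXYARP_SAMPLE = "#ADDRESS  INTERFACE  EXTERNAL\n10.1.1.3  eth1       eth0\n"

def config_rows(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def nat_internal_addresses(nat_text):
    """INTERNAL column (third field) of every static NAT entry."""
    return [ipaddress.ip_address(row[2]) for row in config_rows(nat_text)]

def networks_in_column(text, column):
    """Parse one column as host addresses or CIDR blocks, skipping values
    that are not addresses (e.g. an interface name)."""
    networks = []
    for row in config_rows(text):
        if len(row) > column:
            try:
                networks.append(ipaddress.ip_network(row[column], strict=False))
            except ValueError:
                pass
    return networks

def find_conflicts(nat_text, masq_text, proxyarp_text):
    """Return (internal address, file, entry) for every static NAT INTERNAL
    address that a masq SUBNET or proxyarp ADDRESS entry covers."""
    covered = ([("masq", n) for n in networks_in_column(masq_text, 1)]
               + [("proxyarp", n) for n in networks_in_column(proxyarp_text, 0)])
    return [(str(addr), source, str(net))
            for addr in nat_internal_addresses(nat_text)
            for source, net in covered if addr in net]

if __name__ == "__main__":
    for addr, source, entry in find_conflicts(NAT_SAMPLE, MASQ_SAMPLE, PROXYARP_SAMPLE):
        print(f"{addr} is also covered by {source} entry {entry}")
```

Run against the real files by reading /etc/shorewall/nat, masq and proxyarp into the three arguments; an empty result means the NAT targets are not masqueraded or proxy-ARPed elsewhere.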

Note 1: The "ALL INTERFACES" column is used to specify whether access to the external IP from all firewall interfaces should undergo NAT (Yes or yes) or if only access from the interface in the INTERFACE column should undergo NAT. If you leave this column empty, "Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.

Note 2: Shorewall will automatically add the external address to the specified interface unless you specify ADD_IP_ALIASES="no" (or "No") in /etc/shorewall/shorewall.conf. If you do not set ADD_IP_ALIASES, or if you set it to "Yes" or "yes", then you must NOT configure your own alias(es).

Note 3: The contents of the "LOCAL" column determine whether packets originating on the firewall itself and destined for the EXTERNAL address are redirected to the INTERNAL address. If this column contains "yes" or "Yes" (and the ALL INTERFACES column also contains "Yes" or "yes") then such packets are redirected; otherwise, such packets are not redirected. The LOCAL column was added in version 1.1.8.

Last updated 3/27/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.