shorewall-nat 5 Configuration Files nat Shorewall one-to-one NAT file /etc/shorewall/nat Description This file is used to define one-to-one Network Address Translation (NAT). If all you want to do is simple port forwarding, do NOT use this file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in many cases, Proxy ARP (shorewall-proxyarp(5)) is a better solution that one-to-one NAT. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). EXTERNAL - {address|?COMMENT} External IP Address - this should NOT be the primary IP address of the interface named in the next column and must not be a DNS Name. If you put ?COMMENT in this column, the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries in the file. The comment will appear delimited by "/* ... */" in the output of "shorewall show nat" To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself. INTERFACE - interfacelist[:[digit]] Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in shorewall.conf(5), Shorewall will automatically add the EXTERNAL address to this interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface name with ":" and a digit to indicate that you want Shorewall to add the alias with this name (e.g., "eth0:0"). That allows you to see the alias with ifconfig. That is the only thing that this name is good for -- you cannot use it anywhere else in your Shorewall configuration. Each interface must match an entry in shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For example, ppp0 in this file will match a shorewall-interfaces(5) entry that defines ppp+. If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow the interface name with ":" and no digit (e.g., "eth0:"). INTERNAL - address Internal Address (must not be a DNS Name). ALL INTERFACES (allints) - [Yes|No] If Yes or yes, NAT will be effective from all hosts. If No or no (or left empty) then NAT will be effective only through the interface named in the INTERFACE column. LOCAL - [Yes|No] If Yes or yes, NAT will be effective from the firewall system RESTRICTIONS DNAT rules always preempt one-to-one NAT rules. This has subtile consequences when there are sub-zones on an interface. Consider the following: /etc/shorewall/zones: #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 loc ipv4 smc:net ipv4 /etc/shorewall/interfaces: #ZONE INTERFACE OPTIONS net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 loc eth1 tcpflags,nosmurfs,routefilter,logmartians /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS smc eth0:10.1.10.0/24 /etc/shorewall/nat: #EXTERNAL INTERFACE INTERNAL ALL LOCAL # INTERFACES 10.1.10.100 eth0 172.20.1.100 Note that the EXTERNAL address is in the smc zone. /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW ... DNAT net loc:172.20.1.4 tcp 80 For the one-to-one NAT to work correctly in this configuration, one of two approaches can be taken: Define a CONTINUE policy with smc as the SOURCE zone (preferred): #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST smc $FW CONTINUE loc net ACCEPT net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5). FILES /etc/shorewall/nat See ALSO http://www.shorewall.net/NAT.htm http://www.shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)