shorewall-nat
5
Configuration Files
nat
Shorewall one-to-one NAT file
/etc/shorewall/nat
Description
This file is used to define one-to-one Network Address Translation
(NAT).
If all you want to do is simple port forwarding, do NOT use this
file. See http://www.shorewall.net/FAQ.htm#faq1. Also,
in many cases, Proxy ARP (shorewall-proxyarp(5))
is a better solution that one-to-one NAT.
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).
EXTERNAL -
{address|?COMMENT}
External IP Address - this should NOT be the primary IP
address of the interface named in the next column and must not be a
DNS Name.
If you put ?COMMENT in this column, the rest of the line will
be attached as a comment to the Netfilter rule(s) generated by the
following entries in the file. The comment will appear delimited by
"/* ... */" in the output of "shorewall show nat"
To stop the comment from being attached to further rules,
simply include ?COMMENT on a line by itself.
INTERFACE -
interfacelist[:[digit]]
Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in
shorewall.conf(5),
Shorewall will automatically add the EXTERNAL address to this
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
name with ":" and a digit to indicate that you
want Shorewall to add the alias with this name (e.g., "eth0:0").
That allows you to see the alias with ifconfig. That is the only thing that this name is good for -- you
cannot use it anywhere else in your Shorewall configuration.
Each interface must match an entry in shorewall-interfaces(5).
Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5).
For example, ppp0 in this
file will match a shorewall-interfaces(5)
entry that defines ppp+.
If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no digit (e.g.,
"eth0:").
INTERNAL -
address
Internal Address (must not be a DNS Name).
ALL INTERFACES (allints) -
[Yes|No]
If Yes or yes, NAT will be effective from all hosts. If No or
no (or left empty) then NAT will be effective only through the
interface named in the INTERFACE
column.
LOCAL - [Yes|No]
If Yes or yes, NAT will be effective from the firewall
system
RESTRICTIONS
DNAT rules always preempt one-to-one NAT rules. This has subtile
consequences when there are sub-zones on an
interface. Consider the following:
/etc/shorewall/zones:
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
smc:net ipv4
/etc/shorewall/interfaces:
#ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth1 tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/hosts:
#ZONE HOST(S) OPTIONS
smc eth0:10.1.10.0/24
/etc/shorewall/nat:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
10.1.10.100 eth0 172.20.1.100
Note that the EXTERNAL address is in the smc zone.
/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
...
DNAT net loc:172.20.1.4 tcp 80
For the one-to-one NAT to work correctly in this configuration, one
of two approaches can be taken:
Define a CONTINUE policy with smc as the SOURCE zone (preferred):
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
smc $FW CONTINUE
loc net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5).
FILES
/etc/shorewall/nat
See ALSO
http://www.shorewall.net/NAT.htm
http://www.shorewall.net/configuration_file_basics.htm#Pairs
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)