291dc4df9d
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NAT">
  <!--$Id$-->

  <articleinfo>
    <title>One-to-one NAT</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-08-10</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>One-to-one NAT</title>

    <important>
      <para><emphasis role="bold">If all you want to do is forward ports to
      servers behind your firewall, you do NOT want to use one-to-one NAT.
      Port forwarding can be accomplished with simple entries in the <ulink
      url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
    </important>

    <para>One-to-one NAT is a way to make systems behind a firewall and
    configured with private IP addresses (those reserved for private use in
    RFC 1918) appear to have public IP addresses. Before you try to use this
    technique, I strongly recommend that you read the <ulink
    url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>

    <para>The following figure represents a one-to-one NAT environment.</para>

    <graphic fileref="images/staticnat.png" />

    <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
    addresses appear to be on the upper (130.252.100.*) subnet. If we assume
    that the interface to the upper subnet is eth0, then the following
    <filename>/etc/shorewall/nat</filename> file would make the lower
    left-hand system appear to have IP address 130.252.100.18 and the
    right-hand one to have IP address 130.252.100.19. It should be stressed
    that these entries in the <filename>/etc/shorewall/nat</filename> file do
    not automatically enable traffic between the external network and the
    internal host(s) — such traffic is still subject to your policies and
    rules.</para>

    <para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL        INTERFACE  INTERNAL   ALL INTERFACES  LOCAL
130.252.100.18   eth0       10.1.1.2   no              no
130.252.100.19   eth0       10.1.1.3   no              no</programlisting></para>

    <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
    above example) is (are) not included in any specification in
    <filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/proxyarp</filename>.</para>

    <note>
      <para>The <quote>ALL INTERFACES</quote> column is used to specify
      whether access to the external IP from all firewall interfaces should
      undergo NAT (Yes or yes) or if only access from the interface in the
      INTERFACE column should undergo NAT. If you leave this column empty,
      <quote>No</quote> is assumed (Shorewall 2.0.0 and later -- prior to
      this, <quote>Yes</quote> was assumed). <emphasis role="bold">Specifying
      <quote>Yes</quote> in this column will not allow systems on the lower
      LAN to access each other using their public IP addresses.</emphasis> For
      example, the lower left-hand system (10.1.1.2) cannot connect to
      130.252.100.19 and expect to be connected to the lower right-hand
      system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
    </note>

    <note>
      <para>Shorewall will automatically add the external address to the
      specified interface unless you specify <ulink
      url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
      (or <quote>No</quote>) in <filename>/etc/shorewall/shorewall.conf</filename>.
      If you do not set ADD_IP_ALIASES, or if you set it to <quote>Yes</quote>
      or <quote>yes</quote>, then you must NOT configure your own alias(es).</para>

      <important>
        <para>Shorewall versions earlier than 1.4.6 can only add external
        addresses to an interface that is configured with a single
        subnetwork -- if your external interface has addresses in more than
        one subnetwork, Shorewall 1.4.5 and earlier can only add addresses to
        the first one.</para>
      </important>
    </note>

    <note>
      <para>The contents of the <quote>LOCAL</quote> column determine whether
      packets originating on the firewall itself and destined for the EXTERNAL
      address are redirected to the internal ADDRESS. If this column contains
      <quote>yes</quote> or <quote>Yes</quote> (and the ALL INTERFACES column
      also contains <quote>Yes</quote> or <quote>yes</quote>) then such
      packets are redirected; otherwise, such packets are not redirected. This
      feature requires kernel 2.4.19 or later and iptables 1.2.6a or later, and
      you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.</para>
    </note>
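    <para>The following is an added example, not Shorewall's own code: a small
    Python checker for <filename>/etc/shorewall/nat</filename> entries that
    applies two caveats from this section (LOCAL only takes effect when ALL
    INTERFACES is also yes, and a NATed internal host must not also appear in
    <filename>/etc/shorewall/masq</filename>). It assumes a <quote>-</quote>
    marks an empty column, and the sample file contents are constructed for
    the example.</para>

```python
import ipaddress

# Constructed sample input (not from the article): its two entries, plus a
# third that sets LOCAL without ALL INTERFACES, and a masq table that
# covers the whole LAN. "-" marks an empty column.
NAT_FILE = """\
#EXTERNAL        INTERFACE  INTERNAL   ALL INTERFACES  LOCAL
130.252.100.18   eth0       10.1.1.2   no              no
130.252.100.19   eth0       10.1.1.3   no              no
130.252.100.20   eth0       10.1.1.4   -               yes
"""
MASQ_FILE = """\
#INTERFACE  SUBNET
eth0        10.1.1.0/24
"""

def fields_of(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_nat(text):
    """One dict per nat entry. Empty or missing ALL INTERFACES / LOCAL
    columns mean No (the Shorewall 2.0.0+ default); 'Yes'/'yes' mean yes."""
    entries = []
    for f in fields_of(text):
        ext, iface, internal, all_if, local = (f + ["-", "-"])[:5]
        entries.append({
            "external": ipaddress.ip_address(ext),
            "interface": iface,
            "internal": ipaddress.ip_address(internal),
            "all_interfaces": all_if.lower() == "yes",
            "local": local.lower() == "yes",
        })
    return entries

def check(nat_text, masq_text):
    """Return findings for the two caveats in the text: LOCAL=yes only takes
    effect with ALL INTERFACES=yes, and NATed hosts must not be in masq."""
    nets = [ipaddress.ip_network(f[1], strict=False) for f in fields_of(masq_text)]
    findings = []
    for e in parse_nat(nat_text):
        if e["local"] and not e["all_interfaces"]:
            findings.append(f"{e['external']}: LOCAL=yes has no effect "
                            "unless ALL INTERFACES is also yes")
        if any(e["internal"] in n for n in nets):
            findings.append(f"{e['internal']}: also covered by a masq entry; "
                            "remove it from /etc/shorewall/masq")
    return findings
```

Running check(NAT_FILE, MASQ_FILE) reports all three internal hosts as covered by the masq subnet and flags the third entry's LOCAL setting as ineffective.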
  </section>
</article>