shorewall_code/Shorewall-docs/NAT.htm


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<br>
<h1 style="text-align: center;">One-to-one NAT</h1>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use
one-to-one NAT. Port forwarding can be accomplished with simple entries
in the <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>One-to-one NAT is a way to make systems behind a firewall and
configured
with private IP addresses (those reserved for private use in RFC 1918)
appear to have public IP addresses. Before you try to use this
technique, I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a one-to-one NAT environment.</p>
<blockquote>
<p align="center"><img src="images/staticnat.png"
style="width: 456px; height: 397px;" alt="One-to-one NAT environment"></p>
</blockquote>
<p align="left">One-to-one NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the
following /etc/shorewall/NAT file would make the lower left-hand system
appear to have IP address 130.252.100.18 and the right-hand one to have
IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth0</td>
<td>10.1.1.2</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
<p>Be sure that the internal systems (10.1.1.2 and 10.1.1.3 in the
above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed.&nbsp;The ALL INTERFACES column was
added in version 1.1.6. <span style="font-weight: bold;">Specifying
"Yes" in this column will </span><span
style="text-decoration: underline; font-weight: bold;">not</span><span
style="font-weight: bold;"> allow systems on the lower LAN to access
each other using their public IP addresses.</span> For example, the
lower left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and
expect to be connected to the lower right-hand system. <a
href="FAQ.htm#faq2a">See FAQ 2a</a>.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf. If you do not set ADD_IP_ALIASES, or
if you set it to "Yes" or "yes", then you must NOT configure your own
alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
can only add external addresses to an interface that is configured with
a single subnetwork -- if your external interface has addresses in more
than one subnetwork, Shorewall 1.4.5 and earlier can only add addresses
to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the INTERNAL
address. If this column contains "yes" or "Yes" (and the ALL INTERFACES
column also contains "Yes" or "yes") then such packets are redirected;
otherwise, such packets are not redirected. The LOCAL column was added
in version 1.1.8.</p>
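<p>As an added illustration (not part of the Shorewall documentation or its code), the following Python parses nat entries in the column layout of the table above, shows the netfilter rules such an entry amounts to, and checks the INTERNAL addresses against a masq file as the text requires. The masq column layout (INTERFACE SUBNET ADDRESS) and the exact shape of the iptables rules are assumptions, not Shorewall's literal output; the sample files are constructed.</p>

```python
import ipaddress
# Constructed sample input: the two table entries above, in nat-file layout.
NAT_FILE = """\
#EXTERNAL        INTERFACE  INTERNAL  ALL_INTERFACES  LOCAL
130.252.100.18   eth0       10.1.1.2  yes             yes
130.252.100.19   eth0       10.1.1.3  yes             yes
"""
# Constructed sample masq file; its columns INTERFACE SUBNET ADDRESS are assumed here.
MASQ_FILE = "eth0   10.1.1.0/24\n"

def _columns(text):
    """Whitespace-separated columns of every non-empty, non-comment line."""
    return [c for c in (ln.split("#", 1)[0].split() for ln in text.splitlines()) if c]

def parse_nat(text):
    """One dict per nat entry; empty ALL INTERFACES means yes (Note 1), LOCAL defaults to no."""
    entries = []
    for cols in _columns(text):
        if len(cols) < 3:
            raise ValueError("nat entry needs EXTERNAL, INTERFACE and INTERNAL: %r" % cols)
        ext, iface, internal, all_if, local = (cols + ["-", "-"])[:5]  # '-' = empty column
        entries.append({"external": ipaddress.ip_address(ext), "interface": iface,
                        "internal": ipaddress.ip_address(internal),
                        "all_interfaces": all_if in ("-", "yes", "Yes"),
                        "local": local in ("yes", "Yes")})
    return entries

def iptables_rules(e):
    """Equivalent nat-table rules (illustrative shape, not Shorewall's literal output)."""
    match_in = "" if e["all_interfaces"] else f"-i {e['interface']} "
    rules = [f"iptables -t nat -A PREROUTING {match_in}-d {e['external']} -j DNAT --to-destination {e['internal']}",
             f"iptables -t nat -A POSTROUTING -o {e['interface']} -s {e['internal']} -j SNAT --to-source {e['external']}"]
    if e["local"] and e["all_interfaces"]:  # Note 3: LOCAL only takes effect with ALL INTERFACES
        rules.append(f"iptables -t nat -A OUTPUT -d {e['external']} -j DNAT --to-destination {e['internal']}")
    return rules

def masq_conflicts(entries, masq_text):
    """INTERNAL addresses that also fall inside a masq SUBNET, which the text above forbids."""
    nets = []
    for cols in _columns(masq_text):
        try:
            nets.append(ipaddress.ip_network(cols[1], strict=False))
        except (IndexError, ValueError):
            continue  # SUBNET column absent or given as an interface name
    return [str(e["internal"]) for e in entries if any(e["internal"] in n for n in nets)]

if __name__ == "__main__":
    entries = parse_nat(NAT_FILE)
    print("\n".join(r for e in entries for r in iptables_rules(e)))
    print("conflicts with masq:", masq_conflicts(entries, MASQ_FILE))
```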
<p><font size="2">Last updated 11/22/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright &copy; 2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>