DocBook XML conversion

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@881 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs/NAT.xml

@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<article id="NAT">
+  <articleinfo>
+    <title>One-to-one NAT</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate>2003-11-22</pubdate>
+
+    <copyright>
+      <year>2001</year>
+
+      <year>2002</year>
+
+      <year>2003</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled &#34;<ulink
+      url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>One-to-one NAT</title>
+
+    <important>
+      <para><emphasis role="bold">If all you want to do is forward ports to
+      servers behind your firewall, you do NOT want to use one-to-one NAT.
+      Port forwarding can be accomplished with simple entries in the <ulink
+      url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
+    </important>
+
+    <para>One-to-one NAT is a way to make systems behind a firewall and
+    configured with private IP addresses (those reserved for private use in
+    RFC 1918) appear to have public IP addresses. Before you try to use this
+    technique, I strongly recommend that you read the <ulink
+    url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
+
+    <para>The following figure represents a one-to-one NAT environment.</para>
+
+    <graphic fileref="images/staticnat.png" />
+
+    <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
+    addresses appear to be on the upper (130.252.100.*) subnet. If we assume
+    that the interface to the upper subnet is eth0, then the following
+    /etc/shorewall/NAT file would make the lower left-hand system appear to
+    have IP address 130.252.100.18 and the right-hand one to have IP address
+    130.252.100.19.</para>
+
+    <table>
+      <title>/etc/shorewall/NAT</title>
+
+      <tgroup cols="5">
+        <thead>
+          <row>
+            <entry align="center">EXTERNAL</entry>
+
+            <entry align="center">INTERFACE</entry>
+
+            <entry align="center">INTERNAL</entry>
+
+            <entry align="center">ALL INTERFACES</entry>
+
+            <entry align="center">LOCAL</entry>
+          </row>
+        </thead>
+
+        <tbody>
+          <row>
+            <entry>130.252.100.18</entry>
+
+            <entry>eth0</entry>
+
+            <entry>10.1.1.2</entry>
+
+            <entry>yes</entry>
+
+            <entry>yes</entry>
+          </row>
+
+          <row>
+            <entry>130.252.100.19</entry>
+
+            <entry>eth0</entry>
+
+            <entry>10.1.1.3</entry>
+
+            <entry>yes</entry>
+
+            <entry>yes</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+
+    <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
+    above example) is (are) not included in any specification in
+    /etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
+
+    <note>
+      <para>The &#34;ALL INTERFACES&#34; column is used to specify whether
+      access to the external IP from all firewall interfaces should undergo
+      NAT (Yes or yes) or if only access from the interface in the INTERFACE
+      column should undergo NAT. If you leave this column empty, &#34;Yes&#34;
+      is assumed. The ALL INTERFACES column was added in version 1.1.6.
+      <emphasis role="bold">Specifying &#34;Yes&#34; in this column will not
+      allow systems on the lower LAN to access each other using their public
+      IP addresses.</emphasis> For example, the lower left-hand system
+      (10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected
+      to the lower right-hand system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
+    </note>
+
+    <note>
+      <para>Shorewall will automatically add the external address to the
+      specified interface unless you specify <ulink
+      url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=&#34;no&#34; (or
+      &#34;No&#34;) in /etc/shorewall/shorewall.conf; If you do not set
+      ADD_IP_ALIASES or if you set it to &#34;Yes&#34; or &#34;yes&#34; then
+      you must NOT configure your own alias(es).</para>
+
+      <para><important><para>Shorewall versions earlier than 1.4.6 can only
+      add external addresses to an interface that is configured with a single
+      subnetwork -- if your external interface has addresses in more than one
+      subnetwork, Shorewall 1.4.5 and earlier can only add addresses to the
+      first one.</para></important></para>
+    </note>
+
+    <note>
+      <para>The contents of the &#34;LOCAL&#34; column determine whether
+      packets originating on the firewall itself and destined for the EXTERNAL
+      address are redirected to the internal ADDRESS. If this column contains
+      &#34;yes&#34; or &#34;Yes&#34; (and the ALL INTERFACES COLUMN also
+      contains &#34;Yes&#34; or &#34;yes&#34;) then such packets are
+      redirected; otherwise, such packets are not redirected. The LOCAL column
+      was added in version 1.1.8.</para>
+    </note>
+  </section>
+</article>