<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall NAT</title>
                            
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                
  <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
  <body>
                                
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
       <tbody>
        <tr>
         <td width="100%">                            
      <h1 align="center"><font color="#ffffff">Static Nat</font></h1>
         </td>
       </tr>
                
  </tbody>    
</table>
<br>
                <br>
                
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static NAT.
Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a
 href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>.</p>
<p>The following figure represents a static NAT environment.</p>
<blockquote>
  <p align="center"><img src="images/staticnat.png"
 width="435" height="397"></p>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
                
<table border="2" cellpadding="2" style="border-collapse: collapse;">
           <tbody>
          <tr>
             <td><b>EXTERNAL</b></td>
             <td><b>INTERFACE</b></td>
             <td><b>INTERNAL</b></td>
             <td><b>ALL INTERFACES</b></td>
             <td><b>LOCAL</b></td>
           </tr>
           <tr>
             <td>130.252.100.18</td>
             <td>eth0</td>
             <td>10.1.1.2</td>
             <td>yes</td>
             <td>yes</td>
           </tr>
           <tr>
             <td>130.252.100.19</td>
             <td>eth0</td>
             <td>10.1.1.3</td>
             <td>yes</td>
             <td>yes</td>
           </tr>
                        
  </tbody>            
</table>
                
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
                
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces
should undergo NAT (Yes or yes) or if only access from the interface in
the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
                
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
 href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf. If you do not set ADD_IP_ALIASES, or if
you set it to "Yes" or "yes", then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
external addresses to an interface that is configured with a single subnetwork;
if your external interface has addresses in more than one subnetwork,
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
                
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains "yes" or "Yes" (and the ALL INTERFACES column
also contains "Yes" or "yes") then such packets are redirected; otherwise,
such packets are not redirected. The LOCAL column was added in version
1.1.8.</p>
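<p>The following script is an added example, not Shorewall's own code: it parses a nat file laid out like the table above, resolves the column defaults from Notes 1 and 3 (an empty ALL INTERFACES column counts as Yes; LOCAL only takes effect when ALL INTERFACES is also yes), and flags any INTERNAL address that is also covered by an entry in masq or proxyarp. The file contents embedded in it are constructed for the demonstration.</p>

```python
"""Lint a Shorewall 1.4-era /etc/shorewall/nat file against masq and proxyarp.
Added example, not Shorewall's own code; sample file contents are constructed."""
import ipaddress
import re
# Constructed samples; the first two nat lines mirror the table in the text.
NAT_FILE = """\
#EXTERNAL        INTERFACE  INTERNAL   ALL INTERFACES  LOCAL
130.252.100.18   eth0       10.1.1.2   yes             yes
130.252.100.19   eth0       10.1.1.3
130.252.100.20   eth0       10.1.1.4   no              yes
"""
MASQ_FILE = "eth0  10.1.2.0/24\neth0  10.1.1.3\n"   # 10.1.1.3 is also masqueraded
PROXYARP_FILE = "10.1.1.4  eth1  eth0\n"            # 10.1.1.4 is also proxy-ARPed

def parse_nat(text):
    """One dict per nat entry, with the column defaults from the notes resolved."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError("nat entry needs EXTERNAL INTERFACE INTERNAL: %r" % line)
        all_if = (cols[3] if len(cols) > 3 else "Yes").lower() == "yes"  # empty means Yes
        local = len(cols) > 4 and cols[4].lower() == "yes"
        entries.append({"external": cols[0], "interface": cols[1], "internal": cols[2],
                        "all_interfaces": all_if,
                        # firewall-originated packets are redirected only when both say yes
                        "local": local and all_if})
    return entries

def networks_in(text):
    """Every address or subnet outside comments, as ip_network objects."""
    body = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
    found = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b", body)
    return [ipaddress.ip_network(n, strict=False) for n in found]

def check_nat(nat_text, masq_text, proxyarp_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    masq, parp = networks_in(masq_text), networks_in(proxyarp_text)
    for e in parse_nat(nat_text):
        host = ipaddress.ip_address(e["internal"])
        if any(host in net for net in masq):
            problems.append("%s also covered by masq" % e["internal"])
        if any(host in net for net in parp):
            problems.append("%s also covered by proxyarp" % e["internal"])
    return problems
```

<p>Because masq entries are usually whole subnets, the check tests subnet membership rather than exact string matches, so a host hidden inside a 10.1.1.0/24 masq line is still reported.</p>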
             
        
<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
  <br>
 <br>
</body>
</html>