<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NAT">
  <!--$Id$-->

  <articleinfo>
    <title>One-to-one NAT</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2003-11-22</pubdate>

    <copyright>
      <year>2001</year>

      <year>2002</year>

      <year>2003</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>One-to-one NAT</title>

    <important>
      <para><emphasis role="bold">If all you want to do is forward ports to
      servers behind your firewall, you do NOT want to use one-to-one NAT.
      Port forwarding can be accomplished with simple entries in the <ulink
      url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
    </important>

    <para>One-to-one NAT is a way to make systems behind a firewall and
    configured with private IP addresses (those reserved for private use in
    RFC 1918) appear to have public IP addresses. Before you try to use this
    technique, I strongly recommend that you read the <ulink
    url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>

    <para>The following figure represents a one-to-one NAT environment.</para>

    <graphic fileref="images/staticnat.png" />

    <para>One-to-one NAT can be used to make the systems with the 10.1.1.*
    addresses appear to be on the upper (130.252.100.*) subnet. If we assume
    that the interface to the upper subnet is eth0, then the following
    /etc/shorewall/nat file would make the lower left-hand system appear to
    have IP address 130.252.100.18 and the right-hand one to have IP address
    130.252.100.19. The translation applies in both directions: connections
    arriving for 130.252.100.18 are delivered to 10.1.1.2, and connections
    originated by 10.1.1.2 leave eth0 with source address
    130.252.100.18.</para>

    <table>
      <title>/etc/shorewall/nat</title>

      <tgroup cols="5">
        <thead>
          <row>
            <entry align="center">EXTERNAL</entry>

            <entry align="center">INTERFACE</entry>

            <entry align="center">INTERNAL</entry>

            <entry align="center">ALL INTERFACES</entry>

            <entry align="center">LOCAL</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>130.252.100.18</entry>

            <entry>eth0</entry>

            <entry>10.1.1.2</entry>

            <entry>yes</entry>

            <entry>yes</entry>
          </row>

          <row>
            <entry>130.252.100.19</entry>

            <entry>eth0</entry>

            <entry>10.1.1.3</entry>

            <entry>yes</entry>

            <entry>yes</entry>
          </row>
        </tbody>
      </tgroup>
    </table>

    <para>Be sure that the internal systems (10.1.1.2 and 10.1.1.3 in the
    above example) are not covered by any entry in /etc/shorewall/masq or
    /etc/shorewall/proxyarp; a host that is subject to one-to-one NAT must
    not also be masqueraded or proxy-ARPed.</para>

    <note>
      <para>The <quote>ALL INTERFACES</quote> column specifies whether access
      to the external IP address from all firewall interfaces should undergo
      NAT (Yes or yes), or only access from the interface named in the
      INTERFACE column. If you leave this column empty, <quote>Yes</quote> is
      assumed. The ALL INTERFACES column was added in version 1.1.6.
      <emphasis role="bold">Even with <quote>Yes</quote> in this column,
      systems on the lower LAN cannot reach each other through their public
      IP addresses.</emphasis> For example, the lower left-hand system
      (10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected
      to the lower right-hand system. <ulink url="FAQ.htm#faq2a">See FAQ
      2a</ulink>.</para>
    </note>

    <note>
      <para>Shorewall will automatically add the external address to the
      specified interface unless you specify <ulink
      url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
      (or <quote>No</quote>) in /etc/shorewall/shorewall.conf. If you do not
      set ADD_IP_ALIASES, or if you set it to <quote>Yes</quote> or
      <quote>yes</quote>, then you must NOT configure your own alias(es) for
      the external address.</para>

      <important>
        <para>Shorewall versions earlier than 1.4.6 can only add external
        addresses to an interface that is configured with a single
        subnetwork: if your external interface has addresses in more than one
        subnetwork, Shorewall 1.4.5 and earlier can only add addresses in the
        first one.</para>
      </important>
    </note>

    <note>
      <para>The contents of the <quote>LOCAL</quote> column determine whether
      packets originating on the firewall itself and destined for the
      EXTERNAL address are redirected to the INTERNAL address. If this column
      contains <quote>yes</quote> or <quote>Yes</quote> (and the ALL
      INTERFACES column also contains <quote>Yes</quote> or
      <quote>yes</quote>) then such packets are redirected; otherwise they
      are not. The LOCAL column was added in version 1.1.8.</para>
    </note>
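    <para>The following script is an added example; it is not part of this
    document and is not Shorewall code. It parses a nat file with the five
    columns described above, performs the checks the text asks for (an
    INTERNAL host that is also covered by an entry in masq, honouring the
    masq SUBNET column's <quote>!</quote> exclusion list, or listed in
    proxyarp; an INTERNAL address outside RFC 1918; an EXTERNAL address used
    by two entries), and renders a simplified iptables equivalent of each
    entry so that the effect of the ALL INTERFACES and LOCAL columns is
    visible. The function names parse_nat, check and iptables_rules, the
    treatment of <quote>-</quote> as an empty column, the sample file
    contents, and the exact iptables commands (Shorewall generates its own
    chains rather than these plain rules) are assumptions of this example.</para>

    <programlisting>
```python
"""Check /etc/shorewall/nat entries and show the netfilter rules they imply.
Added example, not Shorewall's own code; column formats and the iptables
rendering are assumptions described in the lead-in."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class NatEntry:
    external: str
    interface: str
    internal: str
    all_interfaces: bool  # ALL INTERFACES column: DNAT on every interface, not only INTERFACE
    local: bool           # LOCAL column: also redirect packets generated on the firewall

def _fields(line: str) -> list[str]:
    """Tokens of one config line; '#' starts a comment, blank lines give []."""
    return line.split("#", 1)[0].split()

def _flag(f: list[str], idx: int, default: bool) -> bool:
    """A Yes/yes column; missing or '-' (assumed to be a placeholder) means the default."""
    return default if idx >= len(f) or f[idx] == "-" else f[idx].lower() == "yes"

def parse_nat(text: str) -> list[NatEntry]:
    entries = []
    for f in map(_fields, text.splitlines()):
        if not f:
            continue
        external, interface, internal = f[:3]  # ValueError if a mandatory column is missing
        ipaddress.ip_address(external)  # reject typos in either address early
        ipaddress.ip_address(internal)
        entries.append(NatEntry(external, interface, internal, _flag(f, 3, True), _flag(f, 4, False)))
    return entries

def _in_any(host: ipaddress.IPv4Address, csv: str) -> bool:
    """Is host inside any subnet of a comma-separated list? Non-subnets (interface names) are skipped."""
    for item in csv.split(","):
        try:
            if host in ipaddress.ip_network(item, strict=False):
                return True
        except ValueError:
            pass
    return False

def masq_covers(masq_text: str, host: ipaddress.IPv4Address) -> bool:
    """True if some masq entry's SUBNET column (minus its '!exclusions') covers host."""
    for f in map(_fields, masq_text.splitlines()):
        if len(f) >= 2:
            included, _, excluded = f[1].partition("!")
            if _in_any(host, included) and not _in_any(host, excluded):
                return True
    return False

def proxyarp_lists(proxyarp_text: str, host: str) -> bool:
    """True if host is the ADDRESS column of some proxyarp entry."""
    return any(f and f[0] == host for f in map(_fields, proxyarp_text.splitlines()))

def check(entries: list[NatEntry], masq_text: str = "", proxyarp_text: str = "") -> list[str]:
    """The conflicts the text warns about, plus an EXTERNAL address used twice."""
    problems, seen = [], set()
    for e in entries:
        host = ipaddress.ip_address(e.internal)
        if not any(host in net for net in RFC1918):
            problems.append(f"{e.internal}: INTERNAL is not an RFC 1918 address")
        if masq_covers(masq_text, host):
            problems.append(f"{e.internal}: INTERNAL host is also masqueraded in masq")
        if proxyarp_lists(proxyarp_text, e.internal):
            problems.append(f"{e.internal}: INTERNAL host is also listed in proxyarp")
        if e.external in seen:
            problems.append(f"{e.external}: EXTERNAL address used by two entries")
        seen.add(e.external)
    return problems

def iptables_rules(e: NatEntry, add_ip_aliases: bool = True) -> list[str]:
    """Simplified equivalent of one entry; Shorewall's real output uses its own chains."""
    rules = []
    if add_ip_aliases:  # ADD_IP_ALIASES=yes: the external address goes onto the interface
        rules.append(f"ip addr add {e.external}/32 dev {e.interface}")
    in_if = "" if e.all_interfaces else f"-i {e.interface} "  # empty column defaults to yes
    rules.append(f"iptables -t nat -A PREROUTING {in_if}-d {e.external} -j DNAT --to-destination {e.internal}")
    if e.local and e.all_interfaces:  # LOCAL only takes effect together with ALL INTERFACES=yes
        rules.append(f"iptables -t nat -A OUTPUT -d {e.external} -j DNAT --to-destination {e.internal}")
    rules.append(f"iptables -t nat -A POSTROUTING -o {e.interface} -s {e.internal} -j SNAT --to-source {e.external}")
    return rules

# Constructed sample files matching the figure above (not taken from a real system).
NAT_FILE = """\
#EXTERNAL        INTERFACE  INTERNAL   ALL INTERFACES  LOCAL
130.252.100.18   eth0       10.1.1.2   yes             yes
130.252.100.19   eth0       10.1.1.3   yes             yes
"""
MASQ_BAD = "eth0  10.1.1.0/24\n"                   # also masquerades the two NATed hosts
MASQ_OK = "eth0  10.1.1.0/24!10.1.1.2,10.1.1.3\n"  # excludes them, as the text requires

if __name__ == "__main__":
    entries = parse_nat(NAT_FILE)
    print("\n".join(check(entries, MASQ_BAD)) or "no conflicts")
    print("\n".join(r for e in entries for r in iptables_rules(e)))
```
    </programlisting>

    <para>Against the real files, call check(parse_nat(open("/etc/shorewall/nat").read()),
    open("/etc/shorewall/masq").read(), open("/etc/shorewall/proxyarp").read());
    an empty list means no nat host is also masqueraded or proxy-ARPed. The
    rendering shows why the LOCAL column is tied to ALL INTERFACES: the
    OUTPUT-chain redirect is emitted only when both columns are yes, and
    with ALL INTERFACES set to no the PREROUTING DNAT is restricted to
    packets arriving on the INTERFACE named in the entry.</para>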
  </section>
</article>