<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-nat</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nat</refname>
<refpurpose>Shorewall one-to-one NAT file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/nat</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define one-to-one Network Address Translation
(NAT).</para>
<warning>
<para>If all you want to do is simple port forwarding, do NOT use this
file. See <ulink
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
in many cases, Proxy ARP (<ulink
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
or Proxy-NDP(<ulink
url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
is a better solution that one-to-one NAT.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">EXTERNAL</emphasis> -
{<emphasis>address</emphasis>|?COMMENT}</term>
<listitem>
<para>External IP Address - this should NOT be the primary IP
address of the interface named in the next column and must not be a
DNS Name.</para>
<para>If you put ?COMMENT in this column, the rest of the line will
be attached as a comment to the Netfilter rule(s) generated by the
following entries in the file. The comment will appear delimited by
"/* ... */" in the output of "shorewall show nat"</para>
<para>To stop the comment from being attached to further rules,
simply include ?COMMENT on a line by itself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interfacelist</emphasis>[<emphasis
role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
<listitem>
<para>Interfaces that have the <emphasis
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
Shorewall will automatically add the EXTERNAL address to this
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
name with ":" and a <emphasis>digit</emphasis> to indicate that you
want Shorewall to add the alias with this name (e.g., "eth0:0").
That allows you to see the alias with ifconfig. <emphasis
role="bold">That is the only thing that this name is good for -- you
cannot use it anywhere else in your Shorewall configuration.
</emphasis></para>
<para>Each interface must match an entry in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no digit (e.g.,
"eth0:").</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERNAL</emphasis> -
<emphasis>address</emphasis></term>
<listitem>
<para>Internal Address (must not be a DNS Name).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>If Yes or yes, NAT will be effective from all hosts. If No or
no (or left empty) then NAT will be effective only through the
interface named in the <emphasis role="bold">INTERFACE</emphasis>
column.</para>
<para>This column was formerly labelled ALL INTERFACES.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOCAL</emphasis> - [<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>If <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, NAT will be effective from the firewall
system</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>RESTRICTIONS</title>
<para>DNAT rules always preempt one-to-one NAT rules. This has subtile
consequences when there are sub-zones on an
<replaceable>interface</replaceable>. Consider the following:</para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
smc:net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth1 tcpflags,nosmurfs,routefilter,logmartians</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS
smc eth0:10.1.10.0/24</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
10.1.10.100 eth0 172.20.1.100
</programlisting>
<para>Note that the EXTERNAL address is in the <emphasis
role="bold">smc</emphasis> zone.</para>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
...
DNAT net loc:172.20.1.4 tcp 80</programlisting>
<para>For the one-to-one NAT to work correctly in this configuration, one
of two approaches can be taken:</para>
<orderedlist>
<listitem>
<para>Define a CONTINUE policy with <emphasis
role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<emphasis role="bold">smc $FW CONTINUE</emphasis>
loc net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
</programlisting>
</listitem>
<listitem>
<para>Set IMPLICIT_CONTINUE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</orderedlist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/nat</para>
<para>/etc/shorewall6/nat</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8)</para>
</refsect1>
</refentry>