shorewall-nat man page

nat — Shorewall one-to-one NAT file

Synopsis

/etc/shorewall/nat

Description

This file is used to define one-to-one Network Address Translation (NAT).

Warning

If all you want to do is simple port forwarding, do NOT use this file. See http://www.shorewall.net/FAQ.htm#faq1[1]. Also, in many cases, Proxy ARP (shorewall-proxyarp[2](5)) is a better solution that one-to-one NAT.

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).

EXTERNAL - {address|?COMMENT}

External IP Address - this should NOT be the primary IP address of the interface named in the next column and must not be a DNS Name.

If you put ?COMMENT in this column, the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries in the file. The comment will appear delimited by "/* ... */" in the output of "shorewall show nat"

To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself.

INTERFACE - interfacelist[:[digit]]

Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in shorewall.conf[3](5), Shorewall will automatically add the EXTERNAL address to this interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface name with ":" and a digit to indicate that you want Shorewall to add the alias with this name (e.g., "eth0:0"). That allows you to see the alias with ifconfig. That is the only thing that this name is good for -- you cannot use it anywhere else in your Shorewall configuration.

Each interface must match an entry in shorewall-interfaces[4](5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces[4](5). For example, ppp0 in this file will match a shorewall-interfaces[4](5) entry that defines ppp+.

If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow the interface name with ":" and no digit (e.g., "eth0:").

INTERNAL - address

Internal Address (must not be a DNS Name).

ALLINTS - [Yes|No]

If Yes or yes, NAT will be effective from all hosts. If No or no (or left empty) then NAT will be effective only through the interface named in the INTERFACE column.

This column was formerly labelled ALL INTERFACES.

LOCAL - [Yes|No]

If Yes or yes, NAT will be effective from the firewall system

Restrictions

DNAT rules always preempt one-to-one NAT rules. This has subtile consequences when there are sub-zones on an interface. Consider the following:

/etc/shorewall/zones:

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
smc:net ipv4

/etc/shorewall/interfaces:

#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1            tcpflags,nosmurfs,routefilter,logmartians

/etc/shorewall/hosts:

#ZONE   HOST(S)                                 OPTIONS
smc     eth0:10.1.10.0/24

/etc/shorewall/nat:

#EXTERNAL       INTERFACE       INTERNAL        ALLINTS         LOCAL
10.1.10.100     eth0            172.20.1.100

Note that the EXTERNAL address is in the smc zone.

/etc/shorewall/rules:

#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
...
DNAT            net             loc:172.20.1.4  tcp     80

For the one-to-one NAT to work correctly in this configuration, one of two approaches can be taken:

1. Define a CONTINUE policy with smc as the SOURCE zone (preferred):

#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
smc		$FW		CONTINUE
loc		net		ACCEPT
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info

2. Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5)[5].

Files

/etc/shorewall/nat

See Also

http://www.shorewall.net/NAT.htm[6]

http://www.shorewall.net/configuration_…[7]

shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

Notes

1.

http://www.shorewall.net/FAQ.htm#faq1

2.

shorewall-proxyarp

3.

shorewall.conf

4.

shorewall-interfaces

5.

shorewall.conf(5)

http://www.shorewall.netmanpages/shorewall.conf.html

6.

http://www.shorewall.net/NAT.htm

7.

http://www.shorewall.net/configuration_…

Referenced By

shorewall(8), shorewall6-stoppedrules(5), shorewall-accounting(5), shorewall-actions(5), shorewall.conf(5), shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5), shorewall-hosts(5), shorewall-init(8), shorewall-interfaces(5), shorewall-ipsets(5), shorewall-lite(8), shorewall-lite.conf(5), shorewall-lite-vardir(5), shorewall-maclist(5), shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5), shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-routes(5), shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5), shorewall-snat(5), shorewall-stoppedrules(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5).

11/04/2016 Configuration Files Configuration Files