1SHOREWALL-NAT(5)              Configuration Files             SHOREWALL-NAT(5)
2
3
4

NAME

6       nat - Shorewall one-to-one NAT file
7

SYNOPSIS

9       /etc/shorewall/nat
10

DESCRIPTION

12       This file is used to define one-to-one Network Address Translation
13       (NAT).
14
15           Warning
16           If all you want to do is simple port forwarding, do NOT use this
17           file. See http://www.shorewall.net/FAQ.htm#faq1[1]. Also, in many
18           cases, Proxy ARP (shorewall-proxyarp[2](5)) or
19           Proxy-NDP(shorewall6-proxyndp[3](5)) is a better solution that
20           one-to-one NAT.
21
22       The columns in the file are as follows (where the column name is
23       followed by a different name in parentheses, the different name is used
24       in the alternate specification syntax).
25
26       EXTERNAL - {address|?COMMENT}
27           External IP Address - this should NOT be the primary IP address of
28           the interface named in the next column and must not be a DNS Name.
29
30           If you put ?COMMENT in this column, the rest of the line will be
31           attached as a comment to the Netfilter rule(s) generated by the
32           following entries in the file. The comment will appear delimited by
33           "/* ... */" in the output of "shorewall show nat"
34
35           To stop the comment from being attached to further rules, simply
36           include ?COMMENT on a line by itself.
37
38       INTERFACE - interfacelist[:[digit]]
39           Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in
40           shorewall.conf[4](5), Shorewall will automatically add the EXTERNAL
41           address to this interface. Also if ADD_IP_ALIASES=Yes, you may
42           follow the interface name with ":" and a digit to indicate that you
43           want Shorewall to add the alias with this name (e.g., "eth0:0").
44           That allows you to see the alias with ifconfig.  That is the only
45           thing that this name is good for -- you cannot use it anywhere else
46           in your Shorewall configuration.
47
48           Each interface must match an entry in shorewall-interfaces[5](5).
49           Shorewall allows loose matches to wildcard entries in
50           shorewall-interfaces[5](5). For example, ppp0 in this file will
51           match a shorewall-interfaces[5](5) entry that defines ppp+.
52
53           If you want to override ADD_IP_ALIASES=Yes for a particular entry,
54           follow the interface name with ":" and no digit (e.g., "eth0:").
55
56       INTERNAL - address
57           Internal Address (must not be a DNS Name).
58
59       ALLINTS - [Yes|No]
60           If Yes or yes, NAT will be effective from all hosts. If No or no
61           (or left empty) then NAT will be effective only through the
62           interface named in the INTERFACE column.
63
64           This column was formerly labelled ALL INTERFACES.
65
66       LOCAL - [Yes|No]
67           If Yes or yes, NAT will be effective from the firewall system
68

RESTRICTIONS

70       DNAT rules always preempt one-to-one NAT rules. This has subtile
71       consequences when there are sub-zones on an interface. Consider the
72       following:
73
74       /etc/shorewall/zones:
75
76           #ZONE   TYPE    OPTIONS                 IN                      OUT
77           #                                       OPTIONS                 OPTIONS
78           fw      firewall
79           net     ipv4
80           loc     ipv4
81           smc:net ipv4
82
83       /etc/shorewall/interfaces:
84
85           #ZONE   INTERFACE       OPTIONS
86           net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
87           loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
88
89       /etc/shorewall/hosts:
90
91           #ZONE   HOST(S)                                 OPTIONS
92           smc     eth0:10.1.10.0/24
93
94       /etc/shorewall/nat:
95
96           #EXTERNAL       INTERFACE       INTERNAL        ALLINTS         LOCAL
97           10.1.10.100     eth0            172.20.1.100
98
99       Note that the EXTERNAL address is in the smc zone.
100
101       /etc/shorewall/rules:
102
103           #ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
104           ?SECTION ALL
105           ?SECTION ESTABLISHED
106           ?SECTION RELATED
107           ?SECTION INVALID
108           ?SECTION UNTRACKED
109           ?SECTION NEW
110           ...
111           DNAT            net             loc:172.20.1.4  tcp     80
112
113       For the one-to-one NAT to work correctly in this configuration, one of
114       two approaches can be taken:
115
116        1. Define a CONTINUE policy with smc as the SOURCE zone (preferred):
117
118               #SOURCE        DEST      POLICY         LOG LEVEL LIMIT:BURST
119               smc       $FW       CONTINUE
120               loc       net       ACCEPT
121               net       all       DROP      info
122               # THE FOLLOWING POLICY MUST BE LAST
123               all       all       REJECT         info
124
125        2. Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5)[4].
126

FILES

128       /etc/shorewall/nat
129
130       /etc/shorewall6/nat
131

SEE ALSO

133       http://www.shorewall.net/NAT.htm[6]
134
135       http://www.shorewall.net/configuration_file_basics.htm#Pairs[7]
136
137       shorewall(8)
138

NOTES

140        1. http://www.shorewall.net/FAQ.htm#faq1
141           http://www.shorewall.net/FAQ.htm#faq1
142
143        2. shorewall-proxyarp
144           http://www.shorewall.net/manpages/shorewall-proxyarp.html
145
146        3. shorewall6-proxyndp
147           http://www.shorewall.net/manpages6/shorewall6-proxyndp.html
148
149        4. shorewall.conf
150           http://www.shorewall.net/manpages/shorewall.conf.html
151
152        5. shorewall-interfaces
153           http://www.shorewall.net/manpages/shorewall-interfaces.html
154
155        6. http://www.shorewall.net/NAT.htm
156           http://www.shorewall.net/NAT.htm
157
158        7. http://www.shorewall.net/configuration_file_basics.htm#Pairs
159           http://www.shorewall.net/configuration_file_basics.htm#Pairs
160
161
162
163Configuration Files               08/05/2018                  SHOREWALL-NAT(5)
Impressum