1SHOREWALL-NAT(5) Configuration Files SHOREWALL-NAT(5)
2
3
4
6 nat - Shorewall one-to-one NAT file
7
9 /etc/shorewall/nat
10
12 This file is used to define one-to-one Network Address Translation
13 (NAT).
14
15 Warning
16 If all you want to do is simple port forwarding, do NOT use this
17 file. See http://www.shorewall.net/FAQ.htm#faq1[1]. Also, in many
18 cases, Proxy ARP (shorewall-proxyarp[2](5)) or
19 Proxy-NDP(shorewall6-proxyndp[3](5)) is a better solution that
20 one-to-one NAT.
21
22 The columns in the file are as follows (where the column name is
23 followed by a different name in parentheses, the different name is used
24 in the alternate specification syntax).
25
26 EXTERNAL - {address|?COMMENT}
27 External IP Address - this should NOT be the primary IP address of
28 the interface named in the next column and must not be a DNS Name.
29
30 If you put ?COMMENT in this column, the rest of the line will be
31 attached as a comment to the Netfilter rule(s) generated by the
32 following entries in the file. The comment will appear delimited by
33 "/* ... */" in the output of "shorewall show nat"
34
35 To stop the comment from being attached to further rules, simply
36 include ?COMMENT on a line by itself.
37
38 INTERFACE - interfacelist[:[digit]]
39 Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in
40 shorewall.conf[4](5), Shorewall will automatically add the EXTERNAL
41 address to this interface. Also if ADD_IP_ALIASES=Yes, you may
42 follow the interface name with ":" and a digit to indicate that you
43 want Shorewall to add the alias with this name (e.g., "eth0:0").
44 That allows you to see the alias with ifconfig. That is the only
45 thing that this name is good for -- you cannot use it anywhere else
46 in your Shorewall configuration.
47
48 Each interface must match an entry in shorewall-interfaces[5](5).
49 Shorewall allows loose matches to wildcard entries in
50 shorewall-interfaces[5](5). For example, ppp0 in this file will
51 match a shorewall-interfaces[5](5) entry that defines ppp+.
52
53 If you want to override ADD_IP_ALIASES=Yes for a particular entry,
54 follow the interface name with ":" and no digit (e.g., "eth0:").
55
56 INTERNAL - address
57 Internal Address (must not be a DNS Name).
58
59 ALLINTS - [Yes|No]
60 If Yes or yes, NAT will be effective from all hosts. If No or no
61 (or left empty) then NAT will be effective only through the
62 interface named in the INTERFACE column.
63
64 This column was formerly labelled ALL INTERFACES.
65
66 LOCAL - [Yes|No]
67 If Yes or yes, NAT will be effective from the firewall system
68
70 DNAT rules always preempt one-to-one NAT rules. This has subtile
71 consequences when there are sub-zones on an interface. Consider the
72 following:
73
74 /etc/shorewall/zones:
75
76 #ZONE TYPE OPTIONS IN OUT
77 # OPTIONS OPTIONS
78 fw firewall
79 net ipv4
80 loc ipv4
81 smc:net ipv4
82
83 /etc/shorewall/interfaces:
84
85 #ZONE INTERFACE OPTIONS
86 net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
87 loc eth1 tcpflags,nosmurfs,routefilter,logmartians
88
89 /etc/shorewall/hosts:
90
91 #ZONE HOST(S) OPTIONS
92 smc eth0:10.1.10.0/24
93
94 /etc/shorewall/nat:
95
96 #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
97 10.1.10.100 eth0 172.20.1.100
98
99 Note that the EXTERNAL address is in the smc zone.
100
101 /etc/shorewall/rules:
102
103 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
104 ?SECTION ALL
105 ?SECTION ESTABLISHED
106 ?SECTION RELATED
107 ?SECTION INVALID
108 ?SECTION UNTRACKED
109 ?SECTION NEW
110 ...
111 DNAT net loc:172.20.1.4 tcp 80
112
113 For the one-to-one NAT to work correctly in this configuration, one of
114 two approaches can be taken:
115
116 1. Define a CONTINUE policy with smc as the SOURCE zone (preferred):
117
118 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
119 smc $FW CONTINUE
120 loc net ACCEPT
121 net all DROP info
122 # THE FOLLOWING POLICY MUST BE LAST
123 all all REJECT info
124
125 2. Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5)[4].
126
128 /etc/shorewall/nat
129
130 /etc/shorewall6/nat
131
133 http://www.shorewall.net/NAT.htm[6]
134
135 http://www.shorewall.net/configuration_file_basics.htm#Pairs[7]
136
137 shorewall(8)
138
140 1. http://www.shorewall.net/FAQ.htm#faq1
141 http://www.shorewall.net/FAQ.htm#faq1
142
143 2. shorewall-proxyarp
144 http://www.shorewall.net/manpages/shorewall-proxyarp.html
145
146 3. shorewall6-proxyndp
147 http://www.shorewall.net/manpages6/shorewall6-proxyndp.html
148
149 4. shorewall.conf
150 http://www.shorewall.net/manpages/shorewall.conf.html
151
152 5. shorewall-interfaces
153 http://www.shorewall.net/manpages/shorewall-interfaces.html
154
155 6. http://www.shorewall.net/NAT.htm
156 http://www.shorewall.net/NAT.htm
157
158 7. http://www.shorewall.net/configuration_file_basics.htm#Pairs
159 http://www.shorewall.net/configuration_file_basics.htm#Pairs
160
161
162
163Configuration Files 08/05/2018 SHOREWALL-NAT(5)