'\" t
.\"     Title: shorewall-nat
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\"      Date: 09/24/2020
.\"    Manual: Configuration Files
.\"    Source: Configuration Files
.\"  Language: English
.\"
.TH "SHOREWALL\-NAT" "5" "09/24/2020" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nat \- Shorewall one\-to\-one NAT file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall/nat\fR\ 'u
\fB/etc/shorewall/nat\fR
.SH "DESCRIPTION"
.PP
This file is used to define one\-to\-one Network Address Translation (NAT)\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
If all you want to do is simple port forwarding, do NOT use this file\&. See \m[blue]\fBhttps://shorewall\&.org/FAQ\&.htm#faq1\fR\m[]\&\s-2\u[1]\d\s+2\&. Also, in many cases, Proxy ARP (\m[blue]\fBshorewall\-proxyarp\fR\m[]\&\s-2\u[2]\d\s+2(5)) or Proxy\-NDP (\m[blue]\fBshorewall6\-proxyndp\fR\m[]\&\s-2\u[3]\d\s+2(5)) is a better solution than one\-to\-one NAT\&.
.sp .5v
.RE
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBEXTERNAL\fR \- {\fIaddress\fR|?COMMENT}
.RS 4
External IP Address \- this should NOT be the primary IP address of the interface named in the next column and must not be a DNS Name\&.
.sp
If you put ?COMMENT in this column, the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries in the file\&. The comment will appear delimited by "/* \&.\&.\&. */" in the output of "shorewall show nat"\&.
.sp
To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself\&.
.RE
.PP
\fBINTERFACE\fR \- \fIinterfacelist\fR[\fB:\fR[\fIdigit\fR]]
.RS 4
Interfaces that have the \fBEXTERNAL\fR address\&. If ADD_IP_ALIASES=Yes in \m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5), Shorewall will automatically add the EXTERNAL address to this interface\&. Also if ADD_IP_ALIASES=Yes, you may follow the interface name with ":" and a \fIdigit\fR to indicate that you want Shorewall to add the alias with this name (e\&.g\&., "eth0:0")\&. That allows you to see the alias with ifconfig\&. \fBThat is the only thing that this name is good for \-\- you cannot use it anywhere else in your Shorewall configuration\&.\fR
.sp
Each interface must match an entry in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. Shorewall allows loose matches to wildcard entries in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. For example, ppp0 in this file will match a \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[5]\d\s+2(5) entry that defines ppp+\&.
.sp
If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow the interface name with ":" and no digit (e\&.g\&., "eth0:")\&.
.RE
.PP
\fBINTERNAL\fR \- \fIaddress\fR
.RS 4
Internal Address (must not be a DNS Name)\&.
.RE
.PP
\fBALLINTS\fR \- [\fBYes\fR|\fBNo\fR]
.RS 4
If Yes or yes, NAT will be effective from all hosts\&. If No or no (or left empty) then NAT will be effective only through the interface named in the \fBINTERFACE\fR column\&.
.sp
This column was formerly labelled ALL INTERFACES\&.
.RE
.PP
\fBLOCAL\fR \- [\fBYes\fR|\fBNo\fR]
.RS 4
If \fBYes\fR or \fByes\fR, NAT will be effective from the firewall system\&.
.RE
.SH "RESTRICTIONS"
.PP
DNAT rules always preempt one\-to\-one NAT rules\&. This has subtle consequences when there are sub\-zones on an \fIinterface\fR\&. Consider the following:
.PP
/etc/shorewall/zones:
.sp
.if n \{\
.RS 4
.\}
.nf
#ZONE   TYPE      OPTIONS        IN              OUT
#                                OPTIONS         OPTIONS
fw      firewall
net     ipv4
loc     ipv4
smc:net ipv4
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall/interfaces:
.sp
.if n \{\
.RS 4
.\}
.nf
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1        tcpflags,nosmurfs,routefilter,logmartians
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall/hosts:
.sp
.if n \{\
.RS 4
.\}
.nf
#ZONE   HOST(S)                 OPTIONS
smc     eth0:10\&.1\&.10\&.0/24
.fi
.if n \{\
.RE
.\}
.PP
/etc/shorewall/nat:
.sp
.if n \{\
.RS 4
.\}
.nf
#EXTERNAL       INTERFACE       INTERNAL        ALLINTS         LOCAL
10\&.1\&.10\&.100     eth0            172\&.20\&.1\&.100
.fi
.if n \{\
.RE
.\}
.PP
Note that the EXTERNAL address is in the \fBsmc\fR zone\&.
.PP
/etc/shorewall/rules:
.sp
.if n \{\
.RS 4
.\}
.nf
#ACTION SOURCE  DEST            PROTO   DPORT   SPORT   ORIGDEST        RATE    USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
\&.\&.\&.
DNAT    net     loc:172\&.20\&.1\&.4  tcp     80
.fi
.if n \{\
.RE
.\}
.PP
For the one\-to\-one NAT to work correctly in this configuration, one of two approaches can be taken:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
Define a CONTINUE policy with \fBsmc\fR as the SOURCE zone (preferred):
.sp
.if n \{\
.RS 4
.\}
.nf
#SOURCE DEST    POLICY          LOG LEVEL       LIMIT:BURST
\fBsmc     $FW     CONTINUE\fR
loc     net     ACCEPT
net     all     DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT          info
.fi
.if n \{\
.RE
.\}
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
Set IMPLICIT_CONTINUE=Yes in \m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[4]\d\s+2\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/nat
.PP
/etc/shorewall6/nat
.SH "SEE ALSO"
.PP
\m[blue]\fBhttps://shorewall\&.org/NAT\&.htm\fR\m[]\&\s-2\u[6]\d\s+2
.PP
\m[blue]\fBhttps://shorewall\&.org/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2
.PP
shorewall(8)
.SH "NOTES"
.IP " 1." 4
https://shorewall.org/FAQ.htm#faq1
.RS 4
\%https://shorewall.org/FAQ.htm#faq1
.RE
.IP " 2." 4
shorewall-proxyarp
.RS 4
\%https://shorewall.org/manpages/shorewall-proxyarp.html
.RE
.IP " 3." 4
shorewall6-proxyndp
.RS 4
\%https://shorewall.org/manpages/shorewall-proxyndp.html
.RE
.IP " 4." 4
shorewall.conf
.RS 4
\%https://shorewall.org/manpages/shorewall.conf.html
.RE
.IP " 5." 4
shorewall-interfaces
.RS 4
\%https://shorewall.org/manpages/shorewall-interfaces.html
.RE
.IP " 6." 4
https://shorewall.org/NAT.htm
.RS 4
\%https://shorewall.org/NAT.htm
.RE
.IP " 7." 4
https://shorewall.org/configuration_file_basics.htm#Pairs
.RS 4
\%https://shorewall.org/configuration_file_basics.htm#Pairs
.RE
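As an added example (not part of this man page and not Shorewall's own code), the following Python parser applies the column rules described above to a constructed nat file: ?COMMENT lines that attach to the entries after them until a bare ?COMMENT, the interface[:[digit]] alias syntax with "eth0:" as the per-entry override, the IP-address-not-DNS-name requirement for EXTERNAL and INTERNAL, and the Yes/No flags. It assumes a caller-supplied map of each interface's primary address (the page says EXTERNAL must not be that address), that "#" starts a trailing comment, and that "-" marks an empty column.

```python
import ipaddress

# Constructed sample (not the page's file); each line exercises one column rule.
SAMPLE_NAT = """\
#EXTERNAL     INTERFACE  INTERNAL      ALLINTS  LOCAL
?COMMENT web server
10.1.10.100   eth0       172.20.1.100
?COMMENT
10.1.10.101   eth0:1     172.20.1.101  Yes      yes
10.1.10.102   eth0:      172.20.1.102  -        No
"""

def _addr(value, column):
    """Accept an IP address; a DNS name is rejected, as the page requires for both columns."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"{column} must be an IP address, not a DNS name: {value!r}") from None

def _flag(value):  # Yes/yes enable; No/no, an empty column or the "-" placeholder disable
    if value in ("Yes", "yes", "No", "no", "-", None):
        return value in ("Yes", "yes")
    raise ValueError(f"expected Yes or No, got {value!r}")

def parse_nat(text, primary_addrs=None):
    """Parse shorewall-nat(5) text into dicts; primary_addrs maps interface -> its primary IP."""
    primary_addrs, entries, comment = primary_addrs or {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # drop blank lines and '#' comments
        if not fields:
            continue
        if fields[0] == "?COMMENT":                    # attaches to the entries that follow;
            comment = " ".join(fields[1:]) or None     # a bare ?COMMENT stops it
            continue
        if not 3 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: expected 3 to 5 columns, got {len(fields)}")
        ext, ifspec, internal, allints, local = fields + [None] * (5 - len(fields))
        name, sep, digit = ifspec.partition(":")       # INTERFACE is interface[:[digit]]
        if sep and digit and not digit.isdigit():
            raise ValueError(f"line {lineno}: alias suffix must be a digit: {ifspec!r}")
        external = _addr(ext, "EXTERNAL")
        if primary_addrs.get(name) == external:        # must NOT be the interface's primary IP
            raise ValueError(f"line {lineno}: {external} is the primary address of {name}")
        # alias: "eth0:1" = add that alias; "" = no alias for this entry; None = ADD_IP_ALIASES default
        alias = None if not sep else (f"{name}:{digit}" if digit else "")
        entries.append(dict(external=external, interface=name, alias=alias, comment=comment,
                            internal=_addr(internal, "INTERNAL"),
                            allints=_flag(allints), local=_flag(local)))
    return entries
```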