File: //usr/share/shorewall/configfiles/nat.annotated
#
# Shorewall -- /etc/shorewall/nat
#
# For information about entries in this file, type "man shorewall-nat"
#
# For additional information, see http://shorewall.net/NAT.htm
#
###############################################################################
# 
# This file is used to define one-to-one Network Address Translation (NAT).
# 
# Warning
# 
# If all you want to do is simple port forwarding, do NOT use this file. See
# http://www.shorewall.net/FAQ.htm#faq1. Also, in many cases, Proxy ARP
# (shorewall-proxyarp(5)) or Proxy-NDP (shorewall6-proxyndp(5)) is a better
# solution than one-to-one NAT.
# 
# The columns in the file are as follows (where the column name is followed by a
# different name in parentheses, the different name is used in the alternate
# specification syntax).
# 
# EXTERNAL - {address|?COMMENT}
# 
#     External IP Address - this should NOT be the primary IP address of the
#     interface named in the next column and must not be a DNS Name.
# 
#     If you put ?COMMENT in this column, the rest of the line will be attached
#     as a comment to the Netfilter rule(s) generated by the following entries in
#     the file. The comment will appear delimited by "/* ... */" in the output of
#     "shorewall show nat"
# 
#     To stop the comment from being attached to further rules, simply include
#     ?COMMENT on a line by itself.
# 
# INTERFACE - interfacelist[:[digit]]
# 
#     Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes in
#     shorewall.conf(5), Shorewall will automatically add the EXTERNAL address to
#     this interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
#     name with ":" and a digit to indicate that you want Shorewall to add the
#     alias with this name (e.g., "eth0:0"). That allows you to see the alias
#     with ifconfig. That is the only thing that this name is good for -- you
#     cannot use it anywhere else in your Shorewall configuration.
# 
#     Each interface must match an entry in shorewall-interfaces(5). Shorewall
#     allows loose matches to wildcard entries in shorewall-interfaces(5). For
#     example, ppp0 in this file will match a shorewall-interfaces(5) entry that
#     defines ppp+.
# 
#     If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow
#     the interface name with ":" and no digit (e.g., "eth0:").
# 
# INTERNAL - address
# 
#     Internal Address (must not be a DNS Name).
# 
# ALLINTS - [Yes|No]
# 
#     If Yes or yes, NAT will be effective from all hosts. If No or no (or left
#     empty) then NAT will be effective only through the interface named in the 
#     INTERFACE column.
# 
#     This column was formerly labelled ALL INTERFACES.
# 
# LOCAL - [Yes|No]
# 
#     If Yes or yes, NAT will be effective from the firewall system.
# 
# RESTRICTIONS
# 
# DNAT rules always preempt one-to-one NAT rules. This has subtle consequences
# when there are sub-zones on an interface. Consider the following:
# 
# /etc/shorewall/zones:
# 
# #ZONE   TYPE    OPTIONS                 IN                      OUT
# #                                       OPTIONS                 OPTIONS
# fw      firewall
# net     ipv4
# loc     ipv4
# smc:net ipv4
# 
# /etc/shorewall/interfaces:
# 
# #ZONE   INTERFACE       OPTIONS
# net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
# loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
# 
# /etc/shorewall/hosts:
# 
# #ZONE   HOST(S)                                 OPTIONS
# smc     eth0:10.1.10.0/24
# 
# /etc/shorewall/nat:
# 
# #EXTERNAL       INTERFACE       INTERNAL        ALLINTS         LOCAL
# 10.1.10.100     eth0            172.20.1.100
# 
# Note that the EXTERNAL address is in the smc zone.
# 
# /etc/shorewall/rules:
# 
# #ACTION         SOURCE          DEST            PROTO   DPORT   SPORT           ORIGDEST        RATE            USER    MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
# ?SECTION ALL
# ?SECTION ESTABLISHED
# ?SECTION RELATED
# ?SECTION INVALID
# ?SECTION UNTRACKED
# ?SECTION NEW
# ...
# DNAT            net             loc:172.20.1.4  tcp     80
# 
# For the one-to-one NAT to work correctly in this configuration, one of two
# approaches can be taken:
# 
#  1. Define a CONTINUE policy with smc as the SOURCE zone (preferred):
# 
#     #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
#     smc             $FW             CONTINUE
#     loc             net             ACCEPT
#     net             all             DROP            info
#     # THE FOLLOWING POLICY MUST BE LAST
#     all             all             REJECT          info
# 
#  2. Set IMPLICIT_CONTINUE=Yes in shorewall.conf(5).
# 
###############################################################################
#EXTERNAL	INTERFACE	INTERNAL	ALLINTS		LOCAL
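
The column rules documented above can be checked before a nat file is deployed. The following linter is an added example, not part of Shorewall or of the original file; the function names, the `declared` and `primary` parameters, the treatment of "-" as an empty-column placeholder, and the sample entries are assumptions made for illustration.

```python
import ipaddress
FLAG_VALUES = {"Yes", "yes", "No", "no", "-"}  # "-" as empty-column placeholder: assumption

def is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def iface_declared(name, declared):
    # Loose wildcard match from the INTERFACE notes: ppp0 matches a declared ppp+.
    return any(name == d or (d.endswith("+") and name.startswith(d[:-1])) for d in declared)

def lint_nat(text, declared, primary=None):
    # Returns (line number, message) pairs; primary maps interface -> primary IP.
    primary, findings = primary or {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols or cols[0] == "?COMMENT":
            continue
        if not 3 <= len(cols) <= 5:
            findings.append((lineno, "expected 3 to 5 columns"))
            continue
        external, iface_col, internal = cols[:3]
        for label, value in (("EXTERNAL", external), ("INTERNAL", internal)):
            if not is_address(value):
                findings.append((lineno, f"{label} must be an IP address, not a DNS name"))
        names, _, suffix = iface_col.partition(":")
        if suffix and not (len(suffix) == 1 and suffix.isdigit()):
            findings.append((lineno, "alias suffix must be ':' alone or ':' plus one digit"))
        for name in names.split(","):
            if not iface_declared(name, declared):
                findings.append((lineno, f"{name} has no shorewall-interfaces entry"))
            if primary.get(name) == external:
                findings.append((lineno, f"EXTERNAL is the primary address of {name}"))
        for label, value in zip(("ALLINTS", "LOCAL"), cols[3:]):
            if value not in FLAG_VALUES:
                findings.append((lineno, f"{label} must be Yes or No"))
    return findings

# Constructed sample entries (addresses reuse the ranges in the example above).
SAMPLE = """\
?COMMENT constructed sample
10.1.10.101      ppp0:0  172.20.1.101  Yes  No
nat.example.net  eth0:   172.20.1.102
10.1.10.5        eth2    172.20.1.103  maybe
10.1.10.1        eth0    172.20.1.104
"""
```

Calling `lint_nat(SAMPLE, {"eth0", "eth1", "ppp+"}, {"eth0": "10.1.10.1"})` reports the DNS name on line 3, the undeclared interface and bad ALLINTS value on line 4, and the primary-address conflict on line 5.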