Static NAT is a way to make systems behind a
firewall and configured with private IP addresses (those
reserved for private use in RFC1918) appear to have public IP
addresses.
The following figure represents a static NAT
environment.

Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we
assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear to have
IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.
ADDRESS |
INTERFACE |
EXTERNAL |
ALL INTERFACES |
LOCAL |
10.1.1.2 |
eth0 |
130.252.100.18 |
yes |
yes |
10.1.1.3 |
eth0 |
130.252.100.19 |
yes |
yes |
Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.
Note 1: The "ALL INTERFACES" column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed. The ALL INTERFACES column was
added in version 1.1.6.
Note 2: Shorewall will automatically add the external address to the
specified interface; you must NOT configure your own alias specifying that
address.
Note 3: The contents of the "LOCAL"
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains "yes" or "Yes" (and the ALL
INTERFACES COLUMN also contains "Yes" or "yes") then
such packets are redirected; otherwise, such packets are not redirected. The
LOCAL column was added in version 1.1.8.