1SHOREWALL-SNAT(5)             Configuration Files            SHOREWALL-SNAT(5)
2
3
4

NAME

6       snat - Shorewall SNAT/Masquerade definition file
7

SYNOPSIS

9       /etc/shorewall[6]/snat
10

DESCRIPTION

12       This file is used to define dynamic NAT (Masquerading) and to define
13       Source NAT (SNAT). It superseded shorewall-masq[1](5) in Shorewall
14       5.0.14.
15
16           Warning
17           The entries in this file are order-sensitive. The first entry that
18           matches a particular connection will be the one that is used.
19
20           Warning
21           If you have more than one ISP link, adding entries to this file
22           will not force connections to go out through a particular link. You
23           must use entries in shorewall-rtrules[2](5) or PREROUTING entries
24           in shorewall-mangle[3](5) to do that.
25
26       The columns in the file are as follows.
27
28       ACTION
29           Defines the type of rule to generate. Beginning with Shorewall
30           5.1.9, with the exception of NFLOG and ULOG, the action may be
31           followed by a colon (":") and a log level (see
32           shorewall-logging(5)[4]).
33
34           Choices for ACTION are:
35
36           action[+][(parameter,...)][:level]
37               where action is an action declared in shorewall-actions(5)[5]
38               with the nat option. See www.shorewall.net/Actions.html[6] for
39               further information.
40
41           CONTINUE[+]:level
42               Causes matching packets to be exempted from any following rules
43               in the file.
44
45           LOG:level
46               Added in Shorewall 5.1.9. Simply log the packet and continue
47               with the next rule.
48
49           MASQUERADE[+][([lowport[-highport]][random])][:level]
50               Causes matching outgoing packages to have their source IP
51               address set to the primary IP address of the interface
52               specified in the DEST column. if lowport-highport is given,
53               that port range will be used to assign a source port. If only
54               lowport is given, that port will be assigned, if possible. If
55               option random is used then port mapping will be randomized.
56               MASQUERADE should only be used when the DEST interface has a
57               dynamic IP address. Otherwise, SNAT should be used and should
58               specify the interface's static address.
59
60           NFLOG[(nflog-parameters)]
61               Added in Shorewall 5.1.9. Queues matching packets to a back end
62               logging daemon via a netlink socket then continues to the next
63               rule. See shorewall-logging(5)[4].
64
65               The nflog-parameters are a comma-separated list of up to 3
66               numbers:
67
68               ·   The first number specifies the netlink group (0-65535). If
69                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
70
71               ·   The second number specifies the maximum number of bytes to
72                   copy. If omitted, 0 (no limit) is assumed.
73
74               ·   The third number specifies the number of log messages that
75                   should be buffered in the kernel before they are sent to
76                   user space. The default is 1.
77
78               NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
79               the log level is not changed when this ACTION is used in an
80               action or macro body and the invocation of that action or macro
81               specifies a log level.
82
83           SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
84               If you specify an address here, matching packets will have
85               their source address set to that address. If ADD_SNAT_ALIASES
86               is set to Yes or yes in shorewall.conf[7](5) then Shorewall
87               will automatically add this address to the INTERFACE named in
88               the first column (IPv4 only).
89
90               You may also specify a range of up to 256 IP addresses if you
91               want the SNAT address to be assigned from that range in a
92               round-robin fashion by connection. The range is specified by
93               first.ip.in.range-last.ip.in.range. You may follow the port
94               range with :random in which case assignment of ports from the
95               list will be random.  random may also be specified by itself in
96               this column in which case random local port assignments are
97               made for the outgoing connections.
98
99               Example: 206.124.146.177-206.124.146.180
100
101               You may follow the port range (or :random) with :persistent.
102               This is only useful when an address range is specified and
103               causes a client to be given the same source/destination IP
104               pair.
105
106               You may also use the special value detect which causes
107               Shorewall to determine the IP addresses configured on the
108               interface named in the DEST column and substitute them in this
109               column.
110
111               Finally, you may also specify a comma-separated list of ranges
112               and/or addresses in this column.
113
114               DNS Names names are not allowed.
115
116               Normally, Netfilter will attempt to retain the source port
117               number. You may cause netfilter to remap the source port by
118               following an address or range (if any) by ":" and a port range
119               with the format lowport-highport. If this is done, you must
120               specify "tcp", "udp", "dccp" or "stcp" in the PROTO column.
121
122               Examples:
123
124                           192.0.2.4:5000-6000
125                           :4000-5000
126
127               You may also specify a single port number, which will be
128               assigned to the outgoing connection, if possible.
129
130           ULOG[(ulog-parameters)]
131               IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to
132               a back end logging daemon via a netlink socket then continues
133               to the next rule. See shorewall-logging(5)[4].
134
135               Similar to LOG:ULOG[(ulog-parameters)], except that the log
136               level is not changed when this ACTION is used in an action or
137               macro body and the invocation of that action or macro specifies
138               a log level.
139
140           Normally Masq/SNAT rules are evaluated after those for one-to-one
141           NAT (defined in shorewall-nat[8](5)). If you want the rule to be
142           applied before one-to-one NAT rules, follow the action name with
143           "+": This feature should only be required if you need to insert
144           rules in this file that preempt entries in shorewall-nat[8](5).
145
146       SOURCE (Optional) - [interface|address[,address...][exclusion]]
147           Set of hosts that you wish to masquerade. You can specify this as
148           an address (net or host) or as an interface. Unless you want to
149           perform SNAT in the INPUT chain (see DEST below), if you give the
150           name of an interface (deprecated), the interface must be up before
151           you start the firewall and the Shorewall rules compiler will warn
152           you of that fact. (Shorewall will use your main routing table to
153           determine the appropriate addresses to masquerade).
154
155           The preferred way to specify the SOURCE is to supply one or more
156           host or network addresses separated by comma. You may use ipset
157           names preceded by a plus sign (+) to specify a set of hosts.
158
159       DEST -
160       {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,dest-address]...[exclusion]]
161           Outgoing interfaces and destination networks. Multiple interfaces
162           may be listed when the ACTION is MASQUERADE, but this is usually
163           just your internet interface. If ADD_SNAT_ALIASES=Yes in
164           shorewall.conf[7](5), you may add ":" and a digit to indicate that
165           you want the alias added with that name (e.g., eth0:0). This will
166           allow the alias to be displayed with ifconfig.  That is the only
167           use for the alias name; it may not appear in any other place in
168           your Shorewall configuration.
169
170           Beginning with Shorewall 5.1.12, SNAT may be performed in the nat
171           table's INPUT chain by specifying $FW rather than one or more
172           interfaces.
173
174           Each interface must match an entry in shorewall-interfaces[9](5).
175           Shorewall allows loose matches to wildcard entries in
176           shorewall-interfaces[9](5). For example, ppp0 in this file will
177           match a shorewall-interfaces[9](5) entry that defines ppp+.
178
179           Where more that one internet provider share a single interface[10],
180           the provider is specified by including the provider name or number
181           in parentheses:
182
183                       eth0(Avvanta)
184
185           In that case, you will want to specify the interface's address for
186           that provider as the SNAT parameter.
187
188           The interface may be qualified by adding the character ":" followed
189           by a comma-separated list of destination host or subnet addresses
190           to indicate that you only want to change the source IP address for
191           packets being sent to those particular destinations. Exclusion is
192           allowed (see shorewall-exclusion[11](5)) as are ipset names
193           preceded by a plus sign '+';
194
195           If you wish to inhibit the action of ADD_SNAT_ALIASES for this
196           entry then include the ":" but omit the digit:
197
198                       eth0(Avvanta):
199                       eth2::192.0.2.32/27
200
201           Comments may be attached to Netfilter rules generated from entries
202           in this file through the use of ?COMMENT lines. These lines begin
203           with ?COMMENT; the remainder of the line is treated as a comment
204           which is attached to subsequent rules until another ?COMMENT line
205           is found or until the end of the file is reached. To stop adding
206           comments to rules, use a line containing only ?COMMENT.
207
208       PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
209           If you wish to restrict this entry to a particular protocol then
210           enter the protocol name (from protocols(5)) or number here. See
211           shorewall-rules(5)[12] for details.
212
213           Beginning with Shorewall 4.5.12, this column can accept a
214           comma-separated list of protocols.
215
216           Beginning with Shorewall 4.6.0, an ipset name can be specified in
217           this column. This is intended to be used with bitmap:port ipsets.
218
219       PORT (Optional) -
220       {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
221           If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
222           (132) or UDPLITE (136) then you may list one or more port numbers
223           (or names from services(5)) or port ranges separated by commas.
224
225           Port ranges are of the form lowport:highport.
226
227           Beginning with Shorewall 4.6.0, an ipset name can be specified in
228           this column. This is intended to be used with bitmap:port ipsets.
229
230       IPSEC (Optional) - [option[,option]...]
231           If you specify a value other than "-" in this column, you must be
232           running kernel 2.6 and your kernel and iptables must include policy
233           match support.
234
235           Comma-separated list of options from the following. Only packets
236           that will be encrypted via an SA that matches these options will
237           have their source address changed.
238
239           reqid=number
240               where number is specified using setkey(8) using the
241               'unique:number option for the SPD level.
242
243           spi=<number>
244               where number is the SPI of the SA used to encrypt/decrypt
245               packets.
246
247           proto=ah|esp|ipcomp
248               IPSEC Encapsulation Protocol
249
250           mss=number
251               sets the MSS field in TCP packets
252
253           mode=transport|tunnel
254               IPSEC mode
255
256           tunnel-src=address[/mask]
257               only available with mode=tunnel
258
259           tunnel-dst=address[/mask]
260               only available with mode=tunnel
261
262           strict
263               Means that packets must match all rules.
264
265           next
266               Separates rules; can only be used with strict
267
268           yes
269               When used by itself, causes all traffic that will be
270               encrypted/encapsulated to match the rule.
271
272       MARK - [!]value[/mask][:C]
273           Defines a test on the existing packet or connection mark. The rule
274           will match only if the test returns true.
275
276           If you don't want to define a test but need to specify anything in
277           the following columns, place a "-" in this field.
278
279           !
280               Inverts the test (not equal)
281
282           value
283               Value of the packet or connection mark.
284
285           mask
286               A mask to be applied to the mark before testing.
287
288           :C
289               Designates a connection mark. If omitted, the packet mark's
290               value is tested.
291
292       USER (Optional) -
293       [!][user-name-or-number][:group-name-or-number][+program-name]
294           This column was formerly labelled USER/GROUP.
295
296           Only locally-generated connections will match if this column is
297           non-empty.
298
299           When this column is non-empty, the rule matches only if the program
300           generating the output is running under the effective user and/or
301           group specified (or is NOT running under that id if "!" is given).
302
303           Examples:
304
305           joe
306               program must be run by joe
307
308           :kids
309               program must be run by a member of the 'kids' group
310
311           !:kids
312               program must not be run by a member of the 'kids' group
313
314           +upnpd
315               #program named upnpd
316
317                   Important
318                   The ability to specify a program name was removed from
319                   Netfilter in kernel version 2.6.14.
320
321       SWITCH - [!]switch-name[={0|1}]
322           Added in Shorewall 4.5.1 and allows enabling and disabling the rule
323           without requiring shorewall restart.
324
325           The rule is enabled if the value stored in
326           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
327           that file contains 0 (the default). If '!' is supplied, the test is
328           inverted such that the rule is enabled if the file contains 0.
329
330           Within the switch-name, '@0' and '@{0}' are replaced by the name of
331           the chain to which the rule is a added. The switch-name (after
332           '@...' expansion) must begin with a letter and be composed of
333           letters, decimal digits, underscores or hyphens. Switch names must
334           be 30 characters or less in length.
335
336           Switches are normally off. To turn a switch on:
337               echo 1 >
338                           /proc/net/nf_condition/switch-name
339           To turn it off again:
340               echo 0 >
341                           /proc/net/nf_condition/switch-name
342           Switch settings are retained over shorewall restart.
343
344           Beginning with Shorewall 4.5.10, when the switch-name is followed
345           by =0 or =1, then the switch is initialized to off or on
346           respectively by the start command. Other commands do not affect the
347           switch setting.
348
349       ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
350           (Optional) Added in Shorewall 4.5.6. This column may be included
351           and may contain one or more addresses (host or network) separated
352           by commas. Address ranges are not allowed. When this column is
353           supplied, rules are generated that require that the original
354           destination address matches one of the listed addresses. It is
355           useful for specifying that SNAT should occur only for connections
356           that were acted on by a DNAT when they entered the firewall.
357
358           This column was formerly labelled ORIGINAL DEST.
359
360       PROBABILITY - [probability]
361           Added in Shorewall 5.0.0. When non-empty, requires the Statistics
362           Match capability in your kernel and ip6tables and causes the rule
363           to match randomly but with the given probability. The probability
364           is a number 0 < probability <= 1 and may be expressed at up to 8
365           decimal points of precision.
366

EXAMPLES

368       IPv4 Example 1:
369           You have a simple masquerading setup where eth0 connects to a DSL
370           or cable modem and eth1 connects to your local network with subnet
371           192.168.0.0/24.
372
373           Your entry in the file will be:
374
375                       #ACTION    SOURCE              DEST
376                       MASQUERADE 192.168.0.0/24      eth0
377
378       IPv4 Example 2:
379           You add a router to your local network to connect subnet
380           192.168.1.0/24 which you also want to masquerade. You then add a
381           second entry for eth0 to this file:
382
383                       #ACTION    SOURCE              DEST
384                       MASQUERADE 192.168.0.0/24      eth0
385                       MASQUERADE 192.168.1.0/24      eth0
386
387       IPv4 Example 3:
388           You want all outgoing traffic from 192.168.1.0/24 through eth0 to
389           use source address 206.124.146.176 which is NOT the primary address
390           of eth0. You want 206.124.146.176 to be added to eth0 with name
391           eth0:0.
392
393                       #ACTION                 SOURCE          DEST
394                       SNAT(206.124.146.176)   192.168.1.0/24  eth0:0
395
396       IPv4 Example 4:
397           You want all outgoing SMTP traffic entering the firewall from
398           172.20.1.0/29 to be sent from eth0 with source IP address
399           206.124.146.177. You want all other outgoing traffic from
400           172.20.1.0/29 to be sent from eth0 with source IP address
401           206.124.146.176.
402
403                       #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
404                       eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
405                       eth0         172.20.1.0/29    206.124.146.176
406
407                       #ACTION                 SOURCE          DEST        PROTO     PORT
408                       SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
409                       SNAT(206.124.146.176)   172.20.1.0/29   eth0
410
411               Warning
412               The order of the above two rules is significant!
413
414       IPv4 Example 5:
415           Connections leaving on eth0 and destined to any host defined in the
416           ipset myset should have the source IP address changed to
417           206.124.146.177.
418
419                       #ACTION                 SOURCE          DEST
420                       SNAT(206.124.146.177)   -               eth0:+myset[dst]
421
422       IPv4 Example 6:
423           SNAT outgoing connections on eth0 from 192.168.1.0/24 in
424           round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
425           (Shorewall 4.5.9 and later).
426
427               /etc/shorewall/tcrules:
428
429                      #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
430                      1-3:CF    192.168.1.0/24 eth0 ; state=NEW
431
432               /etc/shorewall/snat:
433
434                      #ACTION                 SOURCE          DEST
435                      SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
436                      SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
437                      SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }
438
439       IPv6 Example 1:
440           You have a simple 'masquerading' setup where eth0 connects to a DSL
441           or cable modem and eth1 connects to your local network with subnet
442           2001:470:b:787::0/64
443
444           Your entry in the file will be:
445
446                       #ACTION      SOURCE                  DEST
447                       MASQUERADE   2001:470:b:787::0/64    eth0
448
449       IPv6 Example 2:
450           Your sit1 interface has two public IP addresses: 2001:470:a:227::1
451           and 2001:470:b:227::1. You want to use the iptables statistics
452           match to masquerade outgoing connections evenly between these two
453           addresses.
454
455               /etc/shorewall/snat:
456
457                      #ACTION                      SOURCE     DEST
458                      SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
459                      SNAT(2001:470:a:227::2)      ::/0       sit
460

FILES

462       /etc/shorewall/snat
463
464       /etc/shorewall6/snat
465

SEE ALSO

467       http://www.shorewall.net/configuration_file_basics.htm#Pairs[13]
468
469       shorewall(8)
470

NOTES

472        1. shorewall-masq
473           http://www.shorewall.net/manpages/shorewall-masq.html
474
475        2. shorewall-rtrules
476           http://www.shorewall.net/manpages/shorewall-rtrules.html
477
478        3. shorewall-mangle
479           http://www.shorewall.net/manpages/shorewall-mangle.html
480
481        4. shorewall-logging(5)
482           http://www.shorewall.netshorewall-logging.html
483
484        5. shorewall-actions(5)
485           http://www.shorewall.net/manpages/shorewall-actions.html
486
487        6. www.shorewall.net/Actions.html
488           http://www.shorewall.net/Actions.html
489
490        7. shorewall.conf
491           http://www.shorewall.net/manpages/shorewall.conf.html
492
493        8. shorewall-nat
494           http://www.shorewall.net/manpages/shorewall-nat.html
495
496        9. shorewall-interfaces
497           http://www.shorewall.net/manpages/shorewall-interfaces.html
498
499       10. more that one internet provider share a single interface
500           http://www.shorewall.net/4.4/MultiISP.html#Shared
501
502       11. shorewall-exclusion
503           http://www.shorewall.net/manpages/shorewall-exclusion.html
504
505       12. shorewall-rules(5)
506           http://www.shorewall.net/manpages/shorewall-rules.html
507
508       13. http://www.shorewall.net/configuration_file_basics.htm#Pairs
509           http://www.shorewall.net/configuration_file_basics.htm#Pairs
510
511
512
513Configuration Files               08/05/2018                 SHOREWALL-SNAT(5)
Impressum