SHOREWALL-SNAT(5)              Configuration Files             SHOREWALL-SNAT(5)

NAME
snat - Shorewall SNAT/Masquerade definition file

SYNOPSIS
/etc/shorewall[6]/snat

DESCRIPTION
This file is used to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT). It superseded shorewall-masq[1](5) in Shorewall
5.0.14.

Warning
The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.

Warning
If you have more than one ISP link, adding entries to this file
will not force connections to go out through a particular link. You
must use entries in shorewall-rtrules[2](5) or PREROUTING entries
in shorewall-mangle[3](5) to do that.

The columns in the file are as follows.

ACTION
Defines the type of rule to generate. Beginning with Shorewall
5.1.9, with the exception of NFLOG and ULOG, the action may be
followed by a colon (":") and a log level (see
shorewall-logging(5)[4]).

Choices for ACTION are:

action[+][(parameter,...)][:level]
where action is an action declared in shorewall-actions(5)[5]
with the nat option. See www.shorewall.net/Actions.html[6] for
further information.

CONTINUE[+]:level
Causes matching packets to be exempted from any following rules
in the file.

LOG:level
Added in Shorewall 5.1.9. Simply log the packet and continue
with the next rule.

MASQUERADE[+][([lowport[-highport]][random])][:level]
Causes matching outgoing packets to have their source IP
address set to the primary IP address of the interface
specified in the DEST column. If lowport-highport is given,
that port range will be used to assign a source port. If only
lowport is given, that port will be assigned, if possible. If
the random option is used, port mapping will be randomized.
MASQUERADE should only be used when the DEST interface has a
dynamic IP address. Otherwise, SNAT should be used and should
specify the interface's static address.

NFLOG[(nflog-parameters)]
Added in Shorewall 5.1.9. Queues matching packets to a back end
logging daemon via a netlink socket then continues to the next
rule. See shorewall-logging(5)[4].

The nflog-parameters are a comma-separated list of up to 3
numbers:

· The first number specifies the netlink group (0-65535). If
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

· The second number specifies the maximum number of bytes to
copy. If omitted, 0 (no limit) is assumed.

· The third number specifies the number of log messages that
should be buffered in the kernel before they are sent to
user space. The default is 1.

NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
the log level is not changed when this ACTION is used in an
action or macro body and the invocation of that action or macro
specifies a log level.

SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
If you specify an address here, matching packets will have
their source address set to that address. If ADD_SNAT_ALIASES
is set to Yes or yes in shorewall.conf[7](5) then Shorewall
will automatically add this address to the interface named in
the DEST column (IPv4 only).

You may also specify a range of up to 256 IP addresses if you
want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by
first.ip.in.range-last.ip.in.range. You may follow the port
range with :random in which case assignment of ports from the
list will be random. random may also be specified by itself in
this column in which case random local port assignments are
made for the outgoing connections.

Example: 206.124.146.177-206.124.146.180

You may follow the port range (or :random) with :persistent.
This is only useful when an address range is specified and
causes a client to be given the same source/destination IP
pair.

You may also use the special value detect which causes
Shorewall to determine the IP addresses configured on the
interface named in the DEST column and substitute them in this
column.

Finally, you may also specify a comma-separated list of ranges
and/or addresses in this column.

DNS names are not allowed.

Normally, Netfilter will attempt to retain the source port
number. You may cause Netfilter to remap the source port by
following an address or range (if any) with ":" and a port range
in the format lowport-highport. If this is done, you must
specify "tcp", "udp", "dccp" or "sctp" in the PROTO column.

Examples:

192.0.2.4:5000-6000
:4000-5000

You may also specify a single port number, which will be
assigned to the outgoing connection, if possible.

ULOG[(ulog-parameters)]
IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to
a back end logging daemon via a netlink socket then continues
to the next rule. See shorewall-logging(5)[4].

Similar to LOG:ULOG[(ulog-parameters)], except that the log
level is not changed when this ACTION is used in an action or
macro body and the invocation of that action or macro specifies
a log level.

Normally Masq/SNAT rules are evaluated after those for one-to-one
NAT (defined in shorewall-nat[8](5)). If you want the rule to be
applied before one-to-one NAT rules, follow the action name with
"+". This feature should only be required if you need to insert
rules in this file that preempt entries in shorewall-nat[8](5).

SOURCE (Optional) - [interface|address[,address...][exclusion]]
Set of hosts that you wish to masquerade. You can specify this as
an address (net or host) or as an interface. Unless you want to
perform SNAT in the INPUT chain (see DEST below), if you give the
name of an interface (deprecated), the interface must be up before
you start the firewall and the Shorewall rules compiler will warn
you of that fact. (Shorewall will use your main routing table to
determine the appropriate addresses to masquerade).

The preferred way to specify the SOURCE is to supply one or more
host or network addresses separated by commas. You may use ipset
names preceded by a plus sign (+) to specify a set of hosts.

DEST -
{interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,dest-address]...[exclusion]]
Outgoing interfaces and destination networks. Multiple interfaces
may be listed when the ACTION is MASQUERADE, but this is usually
just your internet interface. If ADD_SNAT_ALIASES=Yes in
shorewall.conf[7](5), you may add ":" and a digit to indicate that
you want the alias added with that name (e.g., eth0:0). This will
allow the alias to be displayed with ifconfig. That is the only
use for the alias name; it may not appear in any other place in
your Shorewall configuration.

Beginning with Shorewall 5.1.12, SNAT may be performed in the nat
table's INPUT chain by specifying $FW rather than one or more
interfaces.

Each interface must match an entry in shorewall-interfaces[9](5).
Shorewall allows loose matches to wildcard entries in
shorewall-interfaces[9](5). For example, ppp0 in this file will
match a shorewall-interfaces[9](5) entry that defines ppp+.

Where more than one internet provider shares a single interface[10],
the provider is specified by including the provider name or number
in parentheses:

eth0(Avvanta)

In that case, you will want to specify the interface's address for
that provider as the SNAT parameter.

The interface may be qualified by adding the character ":" followed
by a comma-separated list of destination host or subnet addresses
to indicate that you only want to change the source IP address for
packets being sent to those particular destinations. Exclusion is
allowed (see shorewall-exclusion[11](5)) as are ipset names
preceded by a plus sign '+'.

If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:

eth0(Avvanta):
eth2::192.0.2.32/27

Comments may be attached to Netfilter rules generated from entries
in this file through the use of ?COMMENT lines. These lines begin
with ?COMMENT; the remainder of the line is treated as a comment
which is attached to subsequent rules until another ?COMMENT line
is found or until the end of the file is reached. To stop adding
comments to rules, use a line containing only ?COMMENT.

PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
If you wish to restrict this entry to a particular protocol then
enter the protocol name (from protocols(5)) or number here. See
shorewall-rules(5)[12] for details.

Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.

Beginning with Shorewall 4.6.0, an ipset name can be specified in
this column. This is intended to be used with bitmap:port ipsets.

PORT (Optional) -
{-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
(132) or UDPLITE (136) then you may list one or more port numbers
(or names from services(5)) or port ranges separated by commas.

Port ranges are of the form lowport:highport.

Beginning with Shorewall 4.6.0, an ipset name can be specified in
this column. This is intended to be used with bitmap:port ipsets.

IPSEC (Optional) - [option[,option]...]
If you specify a value other than "-" in this column, you must be
running kernel 2.6 and your kernel and iptables must include policy
match support.

Comma-separated list of options from the following. Only packets
that will be encrypted via an SA that matches these options will
have their source address changed.

reqid=number
where number is specified using setkey(8) using the
'unique:number' option for the SPD level.

spi=number
where number is the SPI of the SA used to encrypt/decrypt
packets.

proto=ah|esp|ipcomp
IPSEC Encapsulation Protocol

mss=number
sets the MSS field in TCP packets

mode=transport|tunnel
IPSEC mode

tunnel-src=address[/mask]
only available with mode=tunnel

tunnel-dst=address[/mask]
only available with mode=tunnel

strict
Means that packets must match all rules.

next
Separates rules; can only be used with strict

yes
When used by itself, causes all traffic that will be
encrypted/encapsulated to match the rule.

MARK - [!]value[/mask][:C]
Defines a test on the existing packet or connection mark. The rule
will match only if the test returns true.

If you don't want to define a test but need to specify anything in
the following columns, place a "-" in this field.

!
Inverts the test (not equal)

value
Value of the packet or connection mark.

mask
A mask to be applied to the mark before testing.

:C
Designates a connection mark. If omitted, the packet mark's
value is tested.

USER (Optional) -
[!][user-name-or-number][:group-name-or-number][+program-name]
This column was formerly labelled USER/GROUP.

Only locally-generated connections will match if this column is
non-empty.

When this column is non-empty, the rule matches only if the program
generating the output is running under the effective user and/or
group specified (or is NOT running under that id if "!" is given).

Examples:

joe
program must be run by joe

:kids
program must be run by a member of the 'kids' group

!:kids
program must not be run by a member of the 'kids' group

+upnpd
program named upnpd

Important
The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.

SWITCH - [!]switch-name[={0|1}]
Added in Shorewall 4.5.1 and allows enabling and disabling the rule
without requiring shorewall restart.

The rule is enabled if the value stored in
/proc/net/nf_condition/switch-name is 1. The rule is disabled if
that file contains 0 (the default). If '!' is supplied, the test is
inverted such that the rule is enabled if the file contains 0.

Within the switch-name, '@0' and '@{0}' are replaced by the name of
the chain to which the rule is added. The switch-name (after
'@...' expansion) must begin with a letter and be composed of
letters, decimal digits, underscores or hyphens. Switch names must
be 30 characters or less in length.

Switches are normally off. To turn a switch on:

echo 1 > /proc/net/nf_condition/switch-name

To turn it off again:

echo 0 > /proc/net/nf_condition/switch-name

Switch settings are retained over shorewall restart.

Beginning with Shorewall 4.5.10, when the switch-name is followed
by =0 or =1, then the switch is initialized to off or on
respectively by the start command. Other commands do not affect the
switch setting.

ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
(Optional) Added in Shorewall 4.5.6. This column may be included
and may contain one or more addresses (host or network) separated
by commas. Address ranges are not allowed. When this column is
supplied, rules are generated that require that the original
destination address matches one of the listed addresses. It is
useful for specifying that SNAT should occur only for connections
that were acted on by a DNAT when they entered the firewall.

This column was formerly labelled ORIGINAL DEST.

PROBABILITY - [probability]
Added in Shorewall 5.0.0. When non-empty, requires the Statistics
Match capability in your kernel and iptables/ip6tables and causes
the rule to match randomly but with the given probability. The
probability is a number 0 < probability <= 1 and may be expressed
with up to 8 decimal places of precision.

EXAMPLES
IPv4 Example 1:
You have a simple masquerading setup where eth0 connects to a DSL
or cable modem and eth1 connects to your local network with subnet
192.168.0.0/24.

Your entry in the file will be:

#ACTION SOURCE DEST
MASQUERADE 192.168.0.0/24 eth0

IPv4 Example 2:
You add a router to your local network to connect subnet
192.168.1.0/24 which you also want to masquerade. You then add a
second entry for eth0 to this file:

#ACTION SOURCE DEST
MASQUERADE 192.168.0.0/24 eth0
MASQUERADE 192.168.1.0/24 eth0

IPv4 Example 3:
You want all outgoing traffic from 192.168.1.0/24 through eth0 to
use source address 206.124.146.176 which is NOT the primary address
of eth0. You want 206.124.146.176 to be added to eth0 with name
eth0:0.

#ACTION SOURCE DEST
SNAT(206.124.146.176) 192.168.1.0/24 eth0:0

IPv4 Example 4:
You want all outgoing SMTP traffic entering the firewall from
172.20.1.0/29 to be sent from eth0 with source IP address
206.124.146.177. You want all other outgoing traffic from
172.20.1.0/29 to be sent from eth0 with source IP address
206.124.146.176.

#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.177) 172.20.1.0/29 eth0 tcp smtp
SNAT(206.124.146.176) 172.20.1.0/29 eth0

Warning
The order of the above two rules is significant!
IPv4 Example 5:
Connections leaving on eth0 and destined to any host defined in the
ipset myset should have the source IP address changed to
206.124.146.177.

#ACTION SOURCE DEST
SNAT(206.124.146.177) - eth0:+myset[dst]

IPv4 Example 6:
SNAT outgoing connections on eth0 from 192.168.1.0/24 in
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
(Shorewall 4.5.9 and later).

/etc/shorewall/tcrules:

#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
1-3:CF 192.168.1.0/24 eth0 ; state=NEW

/etc/shorewall/snat:

#ACTION SOURCE DEST
SNAT(1.1.1.1) 192.168.1.0/24 eth0 { mark=1:C }
SNAT(1.1.1.3) 192.168.1.0/24 eth0 { mark=2:C }
SNAT(1.1.1.9) 192.168.1.0/24 eth0 { mark=3:C }

IPv6 Example 1:
You have a simple 'masquerading' setup where eth0 connects to a DSL
or cable modem and eth1 connects to your local network with subnet
2001:470:b:787::0/64.

Your entry in the file will be:

#ACTION SOURCE DEST
MASQUERADE 2001:470:b:787::0/64 eth0

IPv6 Example 2:
Your sit1 interface has two public IP addresses: 2001:470:a:227::1
and 2001:470:b:227::1. You want to use the iptables statistics
match to masquerade outgoing connections evenly between these two
addresses.

/etc/shorewall/snat:

#ACTION SOURCE DEST
SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
SNAT(2001:470:b:227::1) ::/0 sit1
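IPv6 Example 2 only works because the second entry has no PROBABILITY at all: it takes everything the first entry passed over. The added example below (not from the man page) generalizes that to N addresses, derives the per-entry probabilities, renders the snat lines, and simulates the ladder to confirm the shares come out even. The address list is the one from the example; the simulation and rendering are assumptions of this example, not Shorewall behaviour.

```python
import random

# The two addresses of IPv6 Example 2; everything below is added here.
ADDRESSES = ["2001:470:a:227::1", "2001:470:b:227::1"]

def probability_ladder(n):
    """PROBABILITY value for each of n consecutive entries so that each
    address gets 1/n of the connections. Entry i only sees the traffic that
    entries 0..i-1 let through, so it must take 1/(n-i) of what reaches it;
    the last entry takes everything that is left and needs no probability
    at all (None). Values are rounded to the 8 decimals the column allows."""
    return [round(1 / (n - i), 8) for i in range(n - 1)] + [None]

def snat_entries(addresses, source, iface):
    """Render one SNAT line per address in the snat file's ACTION SOURCE DEST
    columns, with the alternate-syntax { probability=... } where needed."""
    lines = []
    for addr, p in zip(addresses, probability_ladder(len(addresses))):
        opt = f" {{ probability={p} }}" if p is not None else ""
        lines.append(f"SNAT({addr})\t{source}\t{iface}{opt}")
    return lines

def simulate_shares(n, trials=100000, seed=1):
    """Walk each new connection down the ladder the way the statistic match
    would (first entry whose random draw succeeds wins; the last entry
    always wins) and count how many connections land on each entry."""
    rng = random.Random(seed)
    ladder = probability_ladder(n)
    hits = [0] * n
    for _ in range(trials):
        for i, p in enumerate(ladder):
            if p is None or rng.random() < p:
                hits[i] += 1
                break
    return hits
```

For two addresses the ladder is [0.5, None], which is exactly the example's 0.50 followed by an unconditional entry; for three it is [0.33333333, 0.5, None].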

FILES
/etc/shorewall/snat

/etc/shorewall6/snat

SEE ALSO
http://www.shorewall.net/configuration_file_basics.htm#Pairs[13]

shorewall(8)

NOTES
1. shorewall-masq
https://shorewall.org/manpages/shorewall-masq.html

2. shorewall-rtrules
https://shorewall.org/manpages/shorewall-rtrules.html

3. shorewall-mangle
https://shorewall.org/manpages/shorewall-mangle.html

4. shorewall-logging(5)
https://shorewall.org/shorewall-logging.html

5. shorewall-actions(5)
https://shorewall.org/manpages/shorewall-actions.html

6. www.shorewall.net/Actions.html
https://shorewall.org/Actions.html

7. shorewall.conf
https://shorewall.org/manpages/shorewall.conf.html

8. shorewall-nat
https://shorewall.org/manpages/shorewall-nat.html

9. shorewall-interfaces
https://shorewall.org/manpages/shorewall-interfaces.html

10. more than one internet provider shares a single interface
https://shorewall.org/4.4/MultiISP.html#Shared

11. shorewall-exclusion
https://shorewall.org/manpages/shorewall-exclusion.html

12. shorewall-rules(5)
https://shorewall.org/manpages/shorewall-rules.html

13. http://www.shorewall.net/configuration_file_basics.htm#Pairs
https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files                 01/15/2020                 SHOREWALL-SNAT(5)