SHOREWALL-SNAT(5)             Configuration Files            SHOREWALL-SNAT(5)


NAME

       snat - Shorewall SNAT/Masquerade definition file


SYNOPSIS

       /etc/shorewall[6]/snat


DESCRIPTION

       This file is used to define dynamic NAT (Masquerading) and to define
       Source NAT (SNAT). It superseded shorewall-masq[1](5) in Shorewall
       5.0.14.

           Warning
           The entries in this file are order-sensitive. The first entry that
           matches a particular connection will be the one that is used.

           Warning
           If you have more than one ISP link, adding entries to this file
           will not force connections to go out through a particular link. You
           must use entries in shorewall-rtrules[2](5) or PREROUTING entries
           in shorewall-mangle[3](5) to do that.

       Beginning with Shorewall 5.2.6, the snat file supports two different
       formats:

        1. The SPORT (source port) column is omitted. This is the default
           unless a "?FORMAT 2" compiler directive is included.

        2. The SPORT column immediately follows the DPORT column.

       The columns in the file are as follows.

       ACTION
           Defines the type of rule to generate. Beginning with Shorewall
           5.1.9, with the exception of NFLOG and ULOG, the action may be
           followed by a colon (":") and a log level (see
           shorewall-logging(5)[4]).

           Choices for ACTION are:

           action[+][(parameter,...)][:level]
               where action is an action declared in shorewall-actions(5)[5]
               with the nat option. See https://shorewall.org/Actions.html[6]
               for further information.

           CONTINUE[+]:level
               Causes matching packets to be exempted from any following rules
               in the file.

           LOG:level
               Added in Shorewall 5.1.9. Simply log the packet and continue
               with the next rule.

           MASQUERADE[+][([lowport[-highport]][random])][:level]
               Causes matching outgoing packets to have their source IP
               address set to the primary IP address of the interface
               specified in the DEST column. If lowport-highport is given,
               that port range will be used to assign a source port. If only
               lowport is given, that port will be assigned, if possible. If
               the random option is used, port mapping will be randomized.
               MASQUERADE should only be used when the DEST interface has a
               dynamic IP address. Otherwise, SNAT should be used and should
               specify the interface's static address.

           NFLOG[(nflog-parameters)]
               Added in Shorewall 5.1.9. Queues matching packets to a back end
               logging daemon via a netlink socket then continues to the next
               rule. See shorewall-logging(5)[4].

               The nflog-parameters are a comma-separated list of up to 3
               numbers:

               ·   The first number specifies the netlink group (0-65535). If
                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

               ·   The second number specifies the maximum number of bytes to
                   copy. If omitted, 0 (no limit) is assumed.

               ·   The third number specifies the number of log messages that
                   should be buffered in the kernel before they are sent to
                   user space. The default is 1.

               NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
               the log level is not changed when this ACTION is used in an
               action or macro body and the invocation of that action or macro
               specifies a log level.

           SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
               If you specify an address here, matching packets will have
               their source address set to that address. If ADD_SNAT_ALIASES
               is set to Yes or yes in shorewall.conf[7](5) then Shorewall
               will automatically add this address to the INTERFACE named in
               the first column (IPv4 only).

               You may also specify a range of up to 256 IP addresses if you
               want the SNAT address to be assigned from that range in a
               round-robin fashion by connection. The range is specified by
               first.ip.in.range-last.ip.in.range. You may follow the port
               range with :random in which case assignment of ports from the
               list will be random.  random may also be specified by itself in
               this column in which case random local port assignments are
               made for the outgoing connections.

               Example: 206.124.146.177-206.124.146.180

               You may follow the port range (or :random) with :persistent.
               This is only useful when an address range is specified and
               causes a client to be given the same source/destination IP
               pair.

               You may also use the special value detect which causes
               Shorewall to determine the IP addresses configured on the
               interface named in the DEST column and substitute them in this
               column.

               Finally, you may also specify a comma-separated list of ranges
               and/or addresses in this column.

               DNS names are not allowed.

               Normally, Netfilter will attempt to retain the source port
               number. You may cause Netfilter to remap the source port by
               following an address or range (if any) by ":" and a port range
               with the format lowport-highport. If this is done, you must
               specify "tcp", "udp", "dccp" or "sctp" in the PROTO column.

               Examples:

                           192.0.2.4:5000-6000
                           :4000-5000

               You may also specify a single port number, which will be
               assigned to the outgoing connection, if possible.

           ULOG[(ulog-parameters)]
               IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to
               a back end logging daemon via a netlink socket then continues
               to the next rule. See shorewall-logging(5)[4].

               Similar to LOG:ULOG[(ulog-parameters)], except that the log
               level is not changed when this ACTION is used in an action or
               macro body and the invocation of that action or macro specifies
               a log level.

           Normally Masq/SNAT rules are evaluated after those for one-to-one
           NAT (defined in shorewall-nat[8](5)). If you want the rule to be
           applied before one-to-one NAT rules, follow the action name with
           "+". This feature should only be required if you need to insert
           rules in this file that preempt entries in shorewall-nat[8](5).
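           The SNAT syntax above packs several optional parts into one column.
           The following parser is an added example, not Shorewall's own code:
           it handles the IPv4 form of the SNAT action (address or range list,
           port range, random, persistent, detect, "+" and a log level) and
           enforces the two constraints stated above, the 256-address limit on
           a range and the requirement that a port range comes with PROTO
           tcp, udp, dccp or sctp. The function and variable names are the
           example's own.

```python
import ipaddress
import re

# Added worked example, not Shorewall's own code: parse the IPv4 form of the
# ACTION column syntax
#   SNAT[+]([address-or-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
# and apply the constraints the man page states: a range holds at most 256
# addresses, and a port spec is only valid with PROTO tcp, udp, dccp or sctp.

PORT_PROTOS = {"tcp", "udp", "dccp", "sctp"}
MODIFIER_WORDS = {"random", "persistent"}
_ACTION_RE = re.compile(r"SNAT(\+?)\((.*)\)(?::([A-Za-z0-9]+))?")
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def expand_range(spec):
    """Expand 'a.b.c.d' or 'first.ip-last.ip' into a list of IPv4Address."""
    if "-" not in spec:
        return [ipaddress.IPv4Address(spec)]
    first, last = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
    count = int(last) - int(first) + 1
    if count < 1:
        raise ValueError(f"range {spec} runs backwards")
    if count > 256:
        raise ValueError(f"range {spec} has {count} addresses; the limit is 256")
    return [ipaddress.IPv4Address(int(first) + i) for i in range(count)]


def parse_snat_action(action, proto="-"):
    """Return a dict describing an SNAT ACTION entry; raise ValueError if invalid."""
    m = _ACTION_RE.fullmatch(action)
    if not m:
        raise ValueError(f"not an SNAT action: {action!r}")
    result = {"preempt_nat": m.group(1) == "+", "level": m.group(3),
              "detect": False, "addresses": [], "ports": None,
              "random": False, "persistent": False}
    body = m.group(2)
    if body == "detect":            # addresses are taken from the DEST interface
        result["detect"] = True
        return result
    parts = body.split(":")
    # The address list is optional: ":4000-5000" and a bare "random" are legal.
    addr_part = "" if parts[0] in MODIFIER_WORDS else parts.pop(0)
    for spec in filter(None, addr_part.split(",")):
        result["addresses"].extend(expand_range(spec))
    for mod in parts:
        pm = _PORT_RE.match(mod)
        if mod in MODIFIER_WORDS:
            result[mod] = True
        elif pm and result["ports"] is None:
            low, high = int(pm.group(1)), int(pm.group(2) or pm.group(1))
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad port range {mod!r}")
            result["ports"] = (low, high)
        else:
            raise ValueError(f"unexpected modifier {mod!r} in {action!r}")
    if result["ports"] is not None and proto.lower() not in PORT_PROTOS:
        raise ValueError("a port range requires PROTO tcp, udp, dccp or sctp")
    return result


if __name__ == "__main__":
    # Constructed inputs taken from the examples in this section.
    print(parse_snat_action("SNAT(206.124.146.177-206.124.146.180:persistent)"))
    print(parse_snat_action("SNAT(192.0.2.4:5000-6000)", proto="tcp"))
```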

       SOURCE (Optional) - [interface|address[,address...][exclusion]]
           Set of hosts that you wish to masquerade. You can specify this as
           an address (net or host) or as an interface. Unless you want to
           perform SNAT in the INPUT chain (see DEST below), if you give the
           name of an interface (deprecated), the interface must be up before
           you start the firewall and the Shorewall rules compiler will warn
           you of that fact. (Shorewall will use your main routing table to
           determine the appropriate addresses to masquerade).

           The preferred way to specify the SOURCE is to supply one or more
           host or network addresses separated by comma. You may use ipset
           names preceded by a plus sign (+) to specify a set of hosts.
166
       DEST -
       {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,dest-address]...[exclusion]]
           Outgoing interfaces and destination networks. Multiple interfaces
           may be listed when the ACTION is MASQUERADE, but this is usually
           just your internet interface. If ADD_SNAT_ALIASES=Yes in
           shorewall.conf[7](5), you may add ":" and a digit to indicate that
           you want the alias added with that name (e.g., eth0:0). This will
           allow the alias to be displayed with ifconfig.  That is the only
           use for the alias name; it may not appear in any other place in
           your Shorewall configuration.

           Beginning with Shorewall 5.1.12, SNAT may be performed in the nat
           table's INPUT chain by specifying $FW rather than one or more
           interfaces.

           Each interface must match an entry in shorewall-interfaces[9](5).
           Shorewall allows loose matches to wildcard entries in
           shorewall-interfaces[9](5). For example, ppp0 in this file will
           match a shorewall-interfaces[9](5) entry that defines ppp+.

           Where more than one internet provider shares a single interface[10],
           the provider is specified by including the provider name or number
           in parentheses:

                       eth0(Avvanta)

           In that case, you will want to specify the interface's address for
           that provider as the SNAT parameter.

           The interface may be qualified by adding the character ":" followed
           by a comma-separated list of destination host or subnet addresses
           to indicate that you only want to change the source IP address for
           packets being sent to those particular destinations. Exclusion is
           allowed (see shorewall-exclusion[11](5)) as are ipset names
           preceded by a plus sign '+'.

           If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:

                       eth0(Avvanta):
                       eth2::192.0.2.32/27

           Comments may be attached to Netfilter rules generated from entries
           in this file through the use of ?COMMENT lines. These lines begin
           with ?COMMENT; the remainder of the line is treated as a comment
           which is attached to subsequent rules until another ?COMMENT line
           is found or until the end of the file is reached. To stop adding
           comments to rules, use a line containing only ?COMMENT.

215
       PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
           If you wish to restrict this entry to a particular protocol then
           enter the protocol name (from protocols(5)) or number here. See
           shorewall-rules(5)[12] for details.

           Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.

           Beginning with Shorewall 4.6.0, an ipset name can be specified in
           this column. This is intended to be used with bitmap:port ipsets.

       {PORT|DPORT} (Optional) -
       {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
           This column was renamed to DPORT in Shorewall 5.2.6. Beginning
           with that release, both PORT and DPORT are accepted in the
           alternative input format.

           If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
           (132) or UDPLITE (136) then you may list one or more port numbers
           (or names from services(5)) or port ranges separated by commas.

           Port ranges are of the form lowport:highport.

           Beginning with Shorewall 4.6.0, an ipset name can be specified in
           this column. This is intended to be used with bitmap:port ipsets.

       SPORT {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
           FORMAT 2 only.

           If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
           (132) or UDPLITE (136) then you may list one or more port numbers
           (or names from services(5)) or port ranges separated by commas.

           Port ranges are of the form lowport:highport.

           An ipset name can be specified in this column. This is intended to
           be used with bitmap:port ipsets.

253
       IPSEC (Optional) - [option[,option]...]
           If you specify a value other than "-" in this column, you must be
           running kernel 2.6 and your kernel and iptables must include policy
           match support.

           Comma-separated list of options from the following. Only packets
           that will be encrypted via an SA that matches these options will
           have their source address changed.

           reqid=number
               where number is specified using setkey(8) using the
               'unique:number' option for the SPD level.

           spi=<number>
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           yes
               When used by itself, causes all traffic that will be
               encrypted/encapsulated to match the rule.

295
       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.
315
       USER (Optional) -
       [!][user-name-or-number][:group-name-or-number][+program-name]
           This column was formerly labelled USER/GROUP.

           Only locally-generated connections will match if this column is
           non-empty.

           When this column is non-empty, the rule matches only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

           +upnpd
               program named upnpd

                   Important
                   The ability to specify a program name was removed from
                   Netfilter in kernel version 2.6.14.
344
       SWITCH - [!]switch-name[={0|1}]
           Added in Shorewall 4.5.1; allows enabling and disabling the rule
           without requiring a shorewall restart.

           The rule is enabled if the value stored in
           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
           that file contains 0 (the default). If '!' is supplied, the test is
           inverted such that the rule is enabled if the file contains 0.

           Within the switch-name, '@0' and '@{0}' are replaced by the name of
           the chain to which the rule is added. The switch-name (after
           '@...' expansion) must begin with a letter and be composed of
           letters, decimal digits, underscores or hyphens. Switch names must
           be 30 characters or less in length.

           Switches are normally off. To turn a switch on:

               echo 1 > /proc/net/nf_condition/switch-name

           To turn it off again:

               echo 0 > /proc/net/nf_condition/switch-name

           Switch settings are retained over shorewall restart.

           Beginning with Shorewall 4.5.10, when the switch-name is followed
           by =0 or =1, then the switch is initialized to off or on
           respectively by the start command. Other commands do not affect the
           switch setting.
372
       ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
           (Optional) Added in Shorewall 4.5.6. This column may be included
           and may contain one or more addresses (host or network) separated
           by commas. Address ranges are not allowed. When this column is
           supplied, rules are generated that require that the original
           destination address matches one of the listed addresses. It is
           useful for specifying that SNAT should occur only for connections
           that were acted on by a DNAT when they entered the firewall.

           This column was formerly labelled ORIGINAL DEST.

       PROBABILITY - [probability]
           Added in Shorewall 5.0.0. When non-empty, requires the Statistics
           Match capability in your kernel and ip6tables and causes the rule
           to match randomly but with the given probability. The probability
           is a number 0 < probability <= 1 and may be expressed with up to 8
           decimal places of precision.


EXAMPLES

       IPv4 Example 1:
           You have a simple masquerading setup where eth0 connects to a DSL
           or cable modem and eth1 connects to your local network with subnet
           192.168.0.0/24.

           Your entry in the file will be:

                       #ACTION    SOURCE              DEST
                       MASQUERADE 192.168.0.0/24      eth0

       IPv4 Example 2:
           You add a router to your local network to connect subnet
           192.168.1.0/24 which you also want to masquerade. You then add a
           second entry for eth0 to this file:

                       #ACTION    SOURCE              DEST
                       MASQUERADE 192.168.0.0/24      eth0
                       MASQUERADE 192.168.1.0/24      eth0

       IPv4 Example 3:
           You want all outgoing traffic from 192.168.1.0/24 through eth0 to
           use source address 206.124.146.176 which is NOT the primary address
           of eth0. You want 206.124.146.176 to be added to eth0 with name
           eth0:0.

                       #ACTION                 SOURCE          DEST
                       SNAT(206.124.146.176)   192.168.1.0/24  eth0:0

       IPv4 Example 4:
           You want all outgoing SMTP traffic entering the firewall from
           172.20.1.0/29 to be sent from eth0 with source IP address
           206.124.146.177. You want all other outgoing traffic from
           172.20.1.0/29 to be sent from eth0 with source IP address
           206.124.146.176.

                       #ACTION                 SOURCE          DEST        PROTO     PORT
                       SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
                       SNAT(206.124.146.176)   172.20.1.0/29   eth0

               Warning
               The order of the above two rules is significant!
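           Because the first matching entry wins, swapping the two rules in
           Example 4 would silently send SMTP out from 206.124.146.176. The
           following lint is an added example, not part of Shorewall: given
           the ACTION, SOURCE, DEST, PROTO and DPORT columns of each entry,
           it reports any entry that an earlier entry on the same DEST
           interface fully covers and that can therefore never be used. It
           ignores the other columns and DEST qualifiers on the earlier rule,
           so it only reports a shadow when the earlier entry is unqualified;
           the function names and the sample rule list are the example's own.

```python
import ipaddress

# Added example, not part of Shorewall: a lint for the "first match wins"
# rule the man page warns about. A later entry is reported as shadowed when an
# earlier entry for the same DEST interface matches every packet the later
# one could match, so the later one is never used. Only the ACTION, SOURCE,
# DEST, PROTO and DPORT columns are considered; an earlier entry carrying a
# DEST qualifier (":digit" or ":dest-address") is never treated as covering.


def port_set(spec):
    """'smtp,80,1000:1010' -> set of ints and service names; None means any."""
    if spec in ("-", ""):
        return None
    ports = set()
    for tok in spec.split(","):
        if ":" in tok:                       # lowport:highport
            low, high = (int(x) for x in tok.split(":", 1))
            ports.update(range(low, high + 1))
        elif tok.isdigit():
            ports.add(int(tok))
        else:
            ports.add(tok.lower())           # name from services(5), kept opaque
    return ports


def source_covers(earlier, later):
    """True if the earlier SOURCE spec contains every host of the later one."""
    if earlier == "-":
        return True
    if later == "-":
        return False
    try:
        e_net = ipaddress.ip_network(earlier, strict=False)
        l_net = ipaddress.ip_network(later, strict=False)
    except ValueError:                       # interface, ipset or exclusion
        return earlier == later
    return e_net.version == l_net.version and l_net.subnet_of(e_net)


def covers(earlier, later):
    """True if the earlier rule matches everything the later rule matches."""
    _, e_src, e_dst, e_proto, e_dport = earlier
    _, l_src, l_dst, l_proto, l_dport = later
    if ":" in e_dst or e_dst != l_dst.split(":", 1)[0]:
        return False
    if not source_covers(e_src, l_src):
        return False
    if e_proto != "-" and e_proto.lower() != l_proto.lower():
        return False
    e_ports, l_ports = port_set(e_dport), port_set(l_dport)
    if e_ports is None:
        return True
    return l_ports is not None and l_ports <= e_ports


def find_shadowed(rules):
    """rules: list of (ACTION, SOURCE, DEST, PROTO, DPORT) tuples.

    Returns a list of (shadowed_index, shadowing_index) pairs."""
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                hits.append((j, i))
                break
    return hits


# Constructed sample: IPv4 Example 4 from the man page in the wrong order, so
# the generic rule swallows the SMTP-specific one.
WRONG_ORDER = [
    ("SNAT(206.124.146.176)", "172.20.1.0/29", "eth0", "-", "-"),
    ("SNAT(206.124.146.177)", "172.20.1.0/29", "eth0", "tcp", "smtp"),
]

if __name__ == "__main__":
    for shadowed, by in find_shadowed(WRONG_ORDER):
        print(f"rule {shadowed + 1} is shadowed by rule {by + 1}: {WRONG_ORDER[shadowed]}")
```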
437
438       IPv4 Example 5:
439           Connections leaving on eth0 and destined to any host defined in the
440           ipset myset should have the source IP address changed to
441           206.124.146.177.
442
443                       #ACTION                 SOURCE          DEST
444                       SNAT(206.124.146.177)   -               eth0:+myset[dst]
445
446       IPv4 Example 6:
447           SNAT outgoing connections on eth0 from 192.168.1.0/24 in
448           round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
449           (Shorewall 4.5.9 and later).
450
451               /etc/shorewall/tcrules:
452
453                      #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
454                      1-3:CF    192.168.1.0/24 eth0 ; state=NEW
455
456               /etc/shorewall/snat:
457
458                      #ACTION                 SOURCE          DEST
459                      SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
460                      SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
461                      SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }
462
463       IPv6 Example 1:
464           You have a simple 'masquerading' setup where eth0 connects to a DSL
465           or cable modem and eth1 connects to your local network with subnet
466           2001:470:b:787::0/64
467
468           Your entry in the file will be:
469
470                       #ACTION      SOURCE                  DEST
471                       MASQUERADE   2001:470:b:787::0/64    eth0
472
473       IPv6 Example 2:
474           Your sit1 interface has two public IP addresses: 2001:470:a:227::1
475           and 2001:470:b:227::1. You want to use the iptables statistics
476           match to masquerade outgoing connections evenly between these two
477           addresses.
478
479               /etc/shorewall/snat:
480
481                      #ACTION                      SOURCE     DEST
482                      SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
483                      SNAT(2001:470:a:227::2)      ::/0       sit
484

FILES

       /etc/shorewall/snat

       /etc/shorewall6/snat


SEE ALSO

       https://shorewall.org/configuration_file_basics.htm#Pairs[13]

       shorewall(8)


NOTES

        1. shorewall-masq
           https://shorewall.org/manpages/shorewall-masq.html

        2. shorewall-rtrules
           https://shorewall.org/manpages/shorewall-rtrules.html

        3. shorewall-mangle
           https://shorewall.org/manpages/shorewall-mangle.html

        4. shorewall-logging(5)
           https://shorewall.org/manpages/shorewall-logging.html

        5. shorewall-actions(5)
           https://shorewall.org/manpages/shorewall-actions.html

        6. https://shorewall.org/Actions.html
           https://shorewall.org/Actions.html

        7. shorewall.conf
           https://shorewall.org/manpages/shorewall.conf.html

        8. shorewall-nat
           https://shorewall.org/manpages/shorewall-nat.html

        9. shorewall-interfaces
           https://shorewall.org/manpages/shorewall-interfaces.html

       10. more than one internet provider shares a single interface
           https://shorewall.org/4.4/MultiISP.html#Shared

       11. shorewall-exclusion
           https://shorewall.org/manpages/shorewall-exclusion.html

       12. shorewall-rules(5)
           https://shorewall.org/manpages/shorewall-rules.html

       13. https://shorewall.org/configuration_file_basics.htm#Pairs
           https://shorewall.org/configuration_file_basics.htm#Pairs


Configuration Files               07/29/2020                 SHOREWALL-SNAT(5)