SHOREWALL-SNAT(5)             Configuration Files            SHOREWALL-SNAT(5)

NAME

       snat - Shorewall SNAT/Masquerade definition file

SYNOPSIS

       /etc/shorewall[6]/snat

DESCRIPTION

       This file is used to define dynamic NAT (Masquerading) and to define
       Source NAT (SNAT). It superseded shorewall-masq[1](5) in Shorewall
       5.0.14.

           Warning
           The entries in this file are order-sensitive. The first entry that
           matches a particular connection will be the one that is used.

           Warning
           If you have more than one ISP link, adding entries to this file
           will not force connections to go out through a particular link. You
           must use entries in shorewall-rtrules[2](5) or PREROUTING entries
           in shorewall-mangle[3](5) to do that.

       Beginning with Shorewall 5.2.6, the snat file supports two different
       formats:

        1. The SPORT (source port) column is omitted. This is the default
           unless a "?FORMAT 2" compiler directive is included.

        2. The SPORT column immediately follows the DPORT column.

       The columns in the file are as follows.

       ACTION
           Defines the type of rule to generate. Beginning with Shorewall
           5.1.9, with the exception of NFLOG and ULOG, the action may be
           followed by a colon (":") and a log level (see
           shorewall-logging(5)[4]).

           Choices for ACTION are:

           action[+][(parameter,...)][:level]
               where action is an action declared in shorewall-actions(5)[5]
               with the nat option. See https://shorewall.org/Actions.html[6]
               for further information.

           CONTINUE[+]:level
               Causes matching packets to be exempted from any following rules
               in the file.

           LOG:level
               Added in Shorewall 5.1.9. Simply log the packet and continue
               with the next rule.

           MASQUERADE[+][([lowport[-highport]][random])][:level]
               Causes matching outgoing packets to have their source IP
               address set to the primary IP address of the interface
               specified in the DEST column. If lowport-highport is given,
               that port range will be used to assign a source port. If only
               lowport is given, that port will be assigned, if possible. If
               the option random is used, then port mapping will be randomized.
               MASQUERADE should only be used when the DEST interface has a
               dynamic IP address. Otherwise, SNAT should be used and should
               specify the interface's static address.

           NFLOG[(nflog-parameters)]
               Added in Shorewall 5.1.9. Queues matching packets to a back end
               logging daemon via a netlink socket, then continues to the next
               rule. See shorewall-logging(5)[4].

               The nflog-parameters are a comma-separated list of up to 3
               numbers:

               •   The first number specifies the netlink group (0-65535). If
                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

               •   The second number specifies the maximum number of bytes to
                   copy. If omitted, 0 (no limit) is assumed.

               •   The third number specifies the number of log messages that
                   should be buffered in the kernel before they are sent to
                   user space. The default is 1.

               NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
               the log level is not changed when this ACTION is used in an
               action or macro body and the invocation of that action or macro
               specifies a log level.

           SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
               If you specify an address here, matching packets will have
               their source address set to that address. If ADD_SNAT_ALIASES
               is set to Yes or yes in shorewall.conf[7](5) then Shorewall
               will automatically add this address to the interface named in
               the DEST column (IPv4 only).

               You may also specify a range of up to 256 IP addresses if you
               want the SNAT address to be assigned from that range in a
               round-robin fashion by connection. The range is specified as
               first.ip.in.range-last.ip.in.range. You may follow the port
               range with :random, in which case assignment of ports from the
               list will be random. random may also be specified by itself in
               this column, in which case random local port assignments are
               made for the outgoing connections.

               Example: 206.124.146.177-206.124.146.180

               You may follow the port range (or :random) with :persistent.
               This is only useful when an address range is specified and
               causes a client to be given the same source/destination IP
               pair.

               You may also use the special value detect, which causes
               Shorewall to determine the IP addresses configured on the
               interface named in the DEST column and substitute them in this
               column.

               DNS names are not allowed.

               Normally, Netfilter will attempt to retain the source port
               number. You may cause Netfilter to remap the source port by
               following an address or range (if any) with ":" and a port range
               in the format lowport-highport. If this is done, you must
               specify "tcp", "udp", "dccp" or "sctp" in the PROTO column.

               Examples:

                           192.0.2.4:5000-6000
                           :4000-5000

               You may also specify a single port number, which will be
               assigned to the outgoing connection, if possible.

           ULOG[(ulog-parameters)]
               IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to
               a back end logging daemon via a netlink socket, then continues
               to the next rule. See shorewall-logging(5)[4].

               Similar to LOG:ULOG[(ulog-parameters)], except that the log
               level is not changed when this ACTION is used in an action or
               macro body and the invocation of that action or macro specifies
               a log level.

           Normally Masq/SNAT rules are evaluated after those for one-to-one
           NAT (defined in shorewall-nat[8](5)). If you want the rule to be
           applied before one-to-one NAT rules, follow the action name with
           "+". This feature should only be required if you need to insert
           rules in this file that preempt entries in shorewall-nat[8](5).

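The SNAT(...) parameter syntax above is compact enough to get wrong, so here is an added parser and checker for the ACTION column (example code written for this page, not part of the Shorewall project). It splits the parameter into address, port range and keywords, copes with IPv6 addresses that themselves contain ":", and reports the mistakes the text warns about: a port remap without "tcp", "udp", "dccp" or "sctp" in PROTO, an address range longer than 256 addresses, a DNS name where an address is required, and :persistent without an address range. Running MASQUERADE parameters through the same ":"-separated parser is an assumption; the sample actions at the bottom are constructed.

```python
"""Added example (not part of the shorewall-snat man page or of Shorewall):
parse and check the SNAT(...) / MASQUERADE(...) ACTION syntax."""
import ipaddress
import re

ACTION_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)(?P<plus>\+)?(?:\((?P<params>[^)]*)\))?(?::(?P<level>\S+))?$")
PORT_RE = re.compile(r"^\d{1,5}(?:-\d{1,5})?$")
# Protocols (names and numbers) for which a source-port remap is allowed.
PORT_PROTOS = {"tcp", "6", "udp", "17", "dccp", "33", "sctp", "132"}


def address_size(text):
    """Addresses named by 'text' (host: 1, first-last range: n); None when it
    is neither an IP address nor an IP range, e.g. a DNS name."""
    try:
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
            return int(hi) - int(lo) + 1 if lo.version == hi.version and hi >= lo else None
        ipaddress.ip_address(text)
        return 1
    except ValueError:
        return None


def parse_params(params):
    """'[address][:lowport[-highport]][:random][:persistent]' or 'detect' ->
    (address, (lowport, highport), flags). IPv6 addresses contain ':' too, so
    the longest leading run of ':'-separated tokens that forms a valid address
    is taken as the address; what remains must be a port spec or a keyword."""
    if params == "detect":
        return "detect", None, set()
    tokens = params.split(":")
    for cut in range(len(tokens), -1, -1):
        address, rest = ":".join(tokens[:cut]), tokens[cut:]
        if address and address_size(address) is None:
            continue
        ports, flags = None, set()
        for tok in rest:
            if tok in ("random", "persistent"):
                flags.add(tok)
            elif PORT_RE.match(tok) and ports is None:
                lo, _, hi = tok.partition("-")
                ports = (int(lo), int(hi or lo))
            else:
                break
        else:
            return address or None, ports, flags
    raise ValueError(f"bad parameter {params!r} (DNS names are not allowed)")


def check_action(action, proto="-"):
    """Return the list of problems with an ACTION column value, given the
    PROTO column of the same entry ('-' when the column is empty)."""
    m = ACTION_RE.match(action)
    if not m:
        return [f"unparseable ACTION {action!r}"]
    if m.group("name") not in ("SNAT", "MASQUERADE"):
        return []
    try:
        address, ports, flags = parse_params(m.group("params") or "")
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if m.group("name") == "MASQUERADE" and address:
        problems.append("MASQUERADE takes no address; use SNAT for a static address")
    if address not in (None, "detect") and address_size(address) > 256:
        problems.append("address range exceeds 256 addresses")
    if ports and not all(p in PORT_PROTOS for p in proto.lower().split(",")):
        problems.append("port remap requires PROTO tcp, udp, dccp or sctp")
    if "persistent" in flags and (address is None or "-" not in address):
        problems.append("persistent is only useful with an address range")
    return problems


# Constructed sample entries: (ACTION, PROTO) as they would appear in snat.
SAMPLE = [
    ("SNAT(206.124.146.177-206.124.146.180:persistent)", "-"),   # fine
    ("SNAT(192.0.2.4:5000-6000)", "-"),                          # remap needs PROTO
    ("SNAT(2001:470:a:227::1:random)", "udp"),                   # IPv6 + random
    ("SNAT(mail.example.com)", "-"),                             # DNS name
    ("MASQUERADE(1024-2000)", "tcp"),                            # port range only
]

if __name__ == "__main__":
    for action, proto in SAMPLE:
        print(f"{action:50} -> {check_action(action, proto) or 'ok'}")
```

check_action() returns an empty list for a clean entry, so it drops straight into a pre-commit hook or a config test; the 256-address limit, the PROTO requirement and the DNS-name prohibition are the page's own rules.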
       SOURCE (Optional) - [interface|address[,address...][exclusion]]
           Set of hosts that you wish to masquerade. You can specify this as
           an address (net or host) or as an interface. Unless you want to
           perform SNAT in the INPUT chain (see DEST below), if you give the
           name of an interface (deprecated), the interface must be up before
           you start the firewall, and the Shorewall rules compiler will warn
           you of that fact. (Shorewall will use your main routing table to
           determine the appropriate addresses to masquerade.)

           The preferred way to specify the SOURCE is to supply one or more
           host or network addresses separated by commas. You may use ipset
           names preceded by a plus sign (+) to specify a set of hosts.

       DEST -
       {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,dest-address]...[exclusion]]]
           Outgoing interfaces and destination networks. Multiple interfaces
           may be listed when the ACTION is MASQUERADE, but this is usually
           just your internet interface. If ADD_SNAT_ALIASES=Yes in
           shorewall.conf[7](5), you may add ":" and a digit to indicate that
           you want the alias added with that name (e.g., eth0:0). This will
           allow the alias to be displayed with ifconfig. That is the only
           use for the alias name; it may not appear in any other place in
           your Shorewall configuration.

           Beginning with Shorewall 5.1.12, SNAT may be performed in the nat
           table's INPUT chain by specifying $FW rather than one or more
           interfaces.

           Each interface must match an entry in shorewall-interfaces[9](5).
           Shorewall allows loose matches to wildcard entries in
           shorewall-interfaces[9](5). For example, ppp0 in this file will
           match a shorewall-interfaces[9](5) entry that defines ppp+.

           Where more than one internet provider shares a single interface[10],
           the provider is specified by including the provider name or number
           in parentheses:

                       eth0(Avvanta)

           In that case, you will want to specify the interface's address for
           that provider as the SNAT parameter.

           The interface may be qualified by adding the character ":" followed
           by a comma-separated list of destination host or subnet addresses
           to indicate that you only want to change the source IP address for
           packets being sent to those particular destinations. Exclusion is
           allowed (see shorewall-exclusion[11](5)), as are ipset names
           preceded by a plus sign (+).

           If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry, then include the ":" but omit the digit:

                       eth0(Avvanta):
                       eth2::192.0.2.32/27

           Comments may be attached to Netfilter rules generated from entries
           in this file through the use of ?COMMENT lines. These lines begin
           with ?COMMENT; the remainder of the line is treated as a comment
           which is attached to subsequent rules until another ?COMMENT line
           is found or until the end of the file is reached. To stop adding
           comments to rules, use a line containing only ?COMMENT.

       PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
           If you wish to restrict this entry to a particular protocol then
           enter the protocol name (from protocols(5)) or number here. See
           shorewall-rules(5)[12] for details.

           Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.

           Beginning with Shorewall 4.6.0, an ipset name can be specified in
           this column. This is intended to be used with bitmap:port ipsets.

       {PORT|DPORT} (Optional) -
       {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
           The column was renamed to DPORT in Shorewall 5.2.6. Beginning with
           that release, both PORT and DPORT are accepted in the alternative
           input format.

           If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
           (132) or UDPLITE (136) then you may list one or more port numbers
           (or names from services(5)) or port ranges separated by commas.

           Port ranges are of the form lowport:highport.

           Beginning with Shorewall 4.6.0, an ipset name can be specified in
           this column. This is intended to be used with bitmap:port ipsets.

       SPORT - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
           FORMAT 2 only.

           If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
           (132) or UDPLITE (136) then you may list one or more port numbers
           (or names from services(5)) or port ranges separated by commas.

           Port ranges are of the form lowport:highport.

           An ipset name can be specified in this column. This is intended to
           be used with bitmap:port ipsets.

       IPSEC (Optional) - [option[,option]...]
           If you specify a value other than "-" in this column, you must be
           running kernel 2.6 and your kernel and iptables must include policy
           match support.

           Comma-separated list of options from the following. Only packets
           that will be encrypted via an SA that matches these options will
           have their source address changed.

           reqid=number
               where number is specified using setkey(8) using the
               'unique:number' option for the SPD level.

           spi=number
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           yes
               When used by itself, causes all traffic that will be
               encrypted/encapsulated to match the rule.

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

       USER (Optional) -
       [!][user-name-or-number][:group-name-or-number][+program-name]
           This column was formerly labelled USER/GROUP.

           Only locally-generated connections will match if this column is
           non-empty.

           When this column is non-empty, the rule matches only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

           +upnpd
               program named upnpd

                   Important
                   The ability to specify a program name was removed from
                   Netfilter in kernel version 2.6.14.

       SWITCH - [!]switch-name[={0|1}]
           Added in Shorewall 4.5.1 and allows enabling and disabling the rule
           without requiring a shorewall restart.

           The rule is enabled if the value stored in
           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
           that file contains 0 (the default). If '!' is supplied, the test is
           inverted such that the rule is enabled if the file contains 0.

           Within the switch-name, '@0' and '@{0}' are replaced by the name of
           the chain to which the rule is added. The switch-name (after
           '@...' expansion) must begin with a letter and be composed of
           letters, decimal digits, underscores or hyphens. Switch names must
           be 30 characters or less in length.

           Switches are normally off. To turn a switch on:

               echo 1 > /proc/net/nf_condition/switch-name

           To turn it off again:

               echo 0 > /proc/net/nf_condition/switch-name

           Switch settings are retained over shorewall restart.

           Beginning with Shorewall 4.5.10, when the switch-name is followed
           by =0 or =1, then the switch is initialized to off or on
           respectively by the start command. Other commands do not affect the
           switch setting.

       ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
           (Optional) Added in Shorewall 4.5.6. This column may be included
           and may contain one or more addresses (host or network) separated
           by commas. Address ranges are not allowed. When this column is
           supplied, rules are generated that require that the original
           destination address matches one of the listed addresses. It is
           useful for specifying that SNAT should occur only for connections
           that were acted on by a DNAT when they entered the firewall.

           This column was formerly labelled ORIGINAL DEST.

       PROBABILITY - [probability]
           Added in Shorewall 5.0.0. When non-empty, requires the Statistics
           Match capability in your kernel and iptables/ip6tables and causes
           the rule to match randomly but with the given probability. The
           probability is a number 0 < probability <= 1 and may be expressed
           with up to 8 decimal places of precision.

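Because the file is first-match, a PROBABILITY only applies to the connections that earlier rules did not take, which is why the examples later on this page use 0.33, then 0.50, then nothing to split three addresses evenly. The following added example (written for this page, not Shorewall code) carries that arithmetic through: it computes the per-rule probabilities for an even split over N addresses, computes the effective share each rule really gets from the probabilities written in a file, and renders entries in the { probability=... } pair syntax. The addresses, network and interface in it are constructed sample values.

```python
"""Added example (not part of the shorewall-snat man page or of Shorewall):
PROBABILITY arithmetic under first-match rule evaluation."""
from fractions import Fraction


def even_split_probabilities(n):
    """Probability to write on each of n ordered rules so that every rule gets
    an effective 1/n share: rule i (0-based) needs 1/(n-i). None marks the
    last rule, which carries no probability and takes whatever is left."""
    if n < 1:
        raise ValueError("need at least one rule")
    return [Fraction(1, n - i) for i in range(n - 1)] + [None]


def effective_shares(probs):
    """Fraction of connections each rule actually handles, given the
    probabilities written on the rules in file order (None = unconditional).
    The shares sum to 1 only when some rule is unconditional; any remainder
    falls through to whatever follows in the file (or leaves without SNAT)."""
    remaining = Fraction(1)
    shares = []
    for p in probs:
        taken = remaining if p is None else remaining * Fraction(p)
        shares.append(taken)
        remaining -= taken
    return shares


def format_probability(p):
    """Render a probability with at most the 8 decimal places the column
    allows, dropping trailing zeros (1/2 -> '0.5', 1/3 -> '0.33333333')."""
    text = f"{float(p):.8f}".rstrip("0")
    return text + "0" if text.endswith(".") else text


def snat_entries(addresses, source, dest):
    """snat file lines that balance SNAT evenly across 'addresses', using the
    alternative { probability=... } pair syntax shown in the examples."""
    lines = ["#ACTION                 SOURCE          DEST"]
    for addr, p in zip(addresses, even_split_probabilities(len(addresses))):
        line = f"SNAT({addr})".ljust(24) + source.ljust(16) + dest
        if p is not None:
            line += f"  {{ probability={format_probability(p)} }}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # What the rounded 0.33 / 0.50 / (none) sequence really yields per rule.
    written = ["0.33", "0.50", None]
    for p, share in zip(written, effective_shares(written)):
        print(f"probability={str(p):5}  effective share={float(share):.4f}")
    print()
    for line in snat_entries(["1.1.1.1", "1.1.1.3", "1.1.1.9"], "192.168.1.0/24", "eth0"):
        print(line)
```

Two things the arithmetic makes visible: with 0.33 on the first rule, the first address carries 33% and the other two 33.5% each, so writing 1/3 to the full 8 places (0.33333333) is what gives a truly even split; and if every rule in a group carries a probability, the leftover share is not SNATed by that group at all, which is a mistake worth checking for before a connection leaves with an unexpected source address.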

EXAMPLES

       IPv4 Example 1:
           You have a simple masquerading setup where eth0 connects to a DSL
           or cable modem and eth1 connects to your local network with subnet
           192.168.0.0/24.

           Your entry in the file will be:

                       #ACTION    SOURCE              DEST
                       MASQUERADE 192.168.0.0/24      eth0

       IPv4 Example 2:
           You add a router to your local network to connect subnet
           192.168.1.0/24, which you also want to masquerade. You then add a
           second entry for eth0 to this file:

                       #ACTION    SOURCE              DEST
                       MASQUERADE 192.168.0.0/24      eth0
                       MASQUERADE 192.168.1.0/24      eth0

       IPv4 Example 3:
           You want all outgoing traffic from 192.168.1.0/24 through eth0 to
           use source address 206.124.146.176, which is NOT the primary address
           of eth0. You want 206.124.146.176 to be added to eth0 with name
           eth0:0.

                       #ACTION                 SOURCE          DEST
                       SNAT(206.124.146.176)   192.168.1.0/24  eth0:0

       IPv4 Example 4:
           You want all outgoing SMTP traffic entering the firewall from
           172.20.1.0/29 to be sent from eth0 with source IP address
           206.124.146.177. You want all other outgoing traffic from
           172.20.1.0/29 to be sent from eth0 with source IP address
           206.124.146.176.

           In the superseded shorewall-masq(5) format the entries were:

                       #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
                       eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
                       eth0         172.20.1.0/29    206.124.146.176

           In this file they become:

                       #ACTION                 SOURCE          DEST        PROTO     PORT
                       SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
                       SNAT(206.124.146.176)   172.20.1.0/29   eth0

               Warning
               The order of the above two rules is significant!

       IPv4 Example 5:
           Connections leaving on eth0 and destined to any host defined in the
           ipset myset should have the source IP address changed to
           206.124.146.177.

                       #ACTION                 SOURCE          DEST
                       SNAT(206.124.146.177)   -               eth0:+myset[dst]

       IPv4 Example 6:
           SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly to
           addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
           later).

               /etc/shorewall/snat:

                      #ACTION                 SOURCE          DEST
                      SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
                      SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
                      SNAT(1.1.1.9)           192.168.1.0/24  eth0

       IPv6 Example 1:
           You have a simple 'masquerading' setup where eth0 connects to a DSL
           or cable modem and eth1 connects to your local network with subnet
           2001:470:b:787::0/64.

           Your entry in the file will be:

                       #ACTION      SOURCE                  DEST
                       MASQUERADE   2001:470:b:787::0/64    eth0

       IPv6 Example 2:
           Your sit1 interface has two public IP addresses: 2001:470:a:227::1
           and 2001:470:b:227::1. You want to use the ip6tables statistics
           match to masquerade outgoing connections evenly between these two
           addresses.

               /etc/shorewall6/snat:

                      #ACTION                      SOURCE     DEST
                      SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
                      SNAT(2001:470:b:227::1)      ::/0       sit1


FILES

       /etc/shorewall/snat

       /etc/shorewall6/snat


SEE ALSO

       https://shorewall.org/configuration_file_basics.htm#Pairs[13]

       shorewall(8)


NOTES

        1. shorewall-masq
           https://shorewall.org/manpages/shorewall-masq.html

        2. shorewall-rtrules
           https://shorewall.org/manpages/shorewall-rtrules.html

        3. shorewall-mangle
           https://shorewall.org/manpages/shorewall-mangle.html

        4. shorewall-logging(5)
           https://shorewall.org/manpages/shorewall-logging.html

        5. shorewall-actions(5)
           https://shorewall.org/manpages/shorewall-actions.html

        6. https://shorewall.org/Actions.html
           https://shorewall.org/Actions.html

        7. shorewall.conf
           https://shorewall.org/manpages/shorewall.conf.html

        8. shorewall-nat
           https://shorewall.org/manpages/shorewall-nat.html

        9. shorewall-interfaces
           https://shorewall.org/manpages/shorewall-interfaces.html

       10. more than one internet provider shares a single interface
           https://shorewall.org/4.4/MultiISP.html#Shared

       11. shorewall-exclusion
           https://shorewall.org/manpages/shorewall-exclusion.html

       12. shorewall-rules(5)
           https://shorewall.org/manpages/shorewall-rules.html

       13. https://shorewall.org/configuration_file_basics.htm#Pairs
           https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files               09/24/2020                 SHOREWALL-SNAT(5)