SHOREWALL-MASQ(5)                [FIXME: manual]                SHOREWALL-MASQ(5)

NAME
   masq - Shorewall Masquerade/SNAT definition file

SYNOPSIS
   /etc/shorewall/masq

DESCRIPTION
   Use this file to define dynamic NAT (Masquerading) and to define Source
   NAT (SNAT).

   Warning
       The entries in this file are order-sensitive. The first entry that
       matches a particular connection will be the one that is used.

   Warning
       If you have more than one ISP link, adding entries to this file
       will not force connections to go out through a particular link. You
       must use entries in shorewall-route_rules[1](5) or PREROUTING
       entries in shorewall-tcrules[2](5) to do that.

   The columns in the file are as follows.

   INTERFACE:DEST -
   {[+]interfacelist[:[digit]][:[dest-address[,dest-address]...[exclusion]]|COMMENT}
       Outgoing interfacelist. This may be a comma-separated list of
       interface names. This is usually your internet interface. If
       ADD_SNAT_ALIASES=Yes in shorewall.conf[3](5), you may add ":" and a
       digit to indicate that you want the alias added with that name
       (e.g., eth0:0). This will allow the alias to be displayed with
       ifconfig. That is the only use for the alias name; it may not
       appear in any other place in your Shorewall configuration.

       Each interface must match an entry in shorewall-interfaces[4](5).
       Shorewall allows loose matches to wildcard entries in
       shorewall-interfaces[4](5). For example, ppp0 in this file will
       match a shorewall-interfaces[4](5) entry that defines ppp+.

       Where more than one internet provider shares a single interface[5],
       the provider is specified by including the provider name or number
       in parentheses:

           eth0(Avvanta)

       In that case, you will want to specify the interface's address for
       that provider in the ADDRESS column.

       The interface may be qualified by adding the character ":" followed
       by a comma-separated list of destination host or subnet addresses
       to indicate that you only want to change the source IP address for
       packets being sent to those particular destinations. Exclusion is
       allowed (see shorewall-exclusion[6](5)).

       If you wish to inhibit the action of ADD_SNAT_ALIASES for this
       entry, then include the ":" but omit the digit:

           eth0(Avvanta):
           eth2::192.0.2.32/27

       Normally Masq/SNAT rules are evaluated after those for one-to-one
       NAT (defined in shorewall-nat[7](5)). If you want the rule to be
       applied before one-to-one NAT rules, prefix the interface name with
       "+":

           +eth0
           +eth0:192.0.2.32/27
           +eth0:2

       This feature should only be required if you need to insert rules in
       this file that preempt entries in shorewall-nat[7](5).

       Comments may be attached to Netfilter rules generated from entries
       in this file through the use of COMMENT lines. These lines begin
       with the word COMMENT; the remainder of the line is treated as a
       comment which is attached to subsequent rules until another COMMENT
       line is found or until the end of the file is reached. To stop
       adding comments to rules, use a line with only the word COMMENT.
   SOURCE (Formerly called SUBNET) -
   {interface[:exclusion]|address[,address][exclusion]}
       Set of hosts that you wish to masquerade. You can specify this as
       an address (net or host) or as an interface (use of an interface is
       deprecated). If you give the name of an interface, the interface
       must be up before you start the firewall and the Shorewall rules
       compiler will warn you of that fact. (Shorewall will use your main
       routing table to determine the appropriate addresses to
       masquerade.)

       In order to exclude an address of the specified SOURCE, you may
       append an exclusion ("!" and a comma-separated list of IP addresses
       (host or net) that you wish to exclude; see
       shorewall-exclusion[6](5)). Note that a colon (":") must appear
       between an interface name and the exclusion:

           Example: eth1:!192.168.1.4,192.168.32.0/27

       In that example traffic from eth1 would be masqueraded unless it
       came from 192.168.1.4 or 192.168.32.0/27.

   ADDRESS (Optional) -
   [-|NONAT|[address-or-address-range[,address-or-address-range]...][:lowport-highport][:random][:persistent]|detect|random]
       If you specify an address here, SNAT will be used and this will be
       the source address. If ADD_SNAT_ALIASES is set to Yes or yes in
       shorewall.conf[3](5), then Shorewall will automatically add this
       address to the INTERFACE named in the first column.

       You may also specify a range of up to 256 IP addresses if you want
       the SNAT address to be assigned from that range in a round-robin
       fashion by connection. The range is specified by
       first.ip.in.range-last.ip.in.range. You may follow the port range
       with :random, in which case assignment of ports from the list will
       be random. random may also be specified by itself in this column,
       in which case random local port assignments are made for the
       outgoing connections.

           Example: 206.124.146.177-206.124.146.180

       You may follow the port range (or :random) with :persistent. This
       is only useful when an address range is specified and causes a
       client to be given the same source/destination IP pair. This
       feature replaces the SAME modifier, which was removed from Shorewall
       in version 4.4.0. Unlike random, persistent may not be used by
       itself.

       You may also use the special value "detect", which causes Shorewall
       to determine the IP addresses configured on the interface named in
       the INTERFACE column and substitute them in this column.

       Finally, you may also specify a comma-separated list of ranges
       and/or addresses in this column.

       This column may not contain DNS names.

       Normally, Netfilter will attempt to retain the source port number.
       You may cause Netfilter to remap the source port by following an
       address or range (if any) with ":" and a port range with the format
       lowport-highport. If this is done, you must specify "tcp" or "udp"
       in the PROTO column.

       Examples:

           192.0.2.4:5000-6000
           :4000-5000

       If you simply place NONAT in this column, no rewriting of the
       source IP address or port number will be performed. This is useful
       if you want particular traffic to be exempt from the entries that
       follow in the file.

       If you want to leave this column empty but you need to specify the
       next column, then place a hyphen ("-") here.
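       The ADDRESS column packs several constraints into one field: a range
       may cover at most 256 addresses, a port range requires tcp or udp in
       PROTO, persistent may not stand alone, and DNS names are not allowed.
       The validator below is an added example, not Shorewall's own code; it
       parses the ADDRESS syntax given above together with the PROTO value it
       depends on, and rejects each of those misuses before such an entry
       could reach the firewall. The acceptance of protocol numbers 6 and 17
       alongside the names tcp and udp is an assumption of this example.

```python
"""Illustrative parser/validator for the ADDRESS column of /etc/shorewall/masq.

Added example, not Shorewall's own code.  Syntax handled:
    -|NONAT|[addr-or-range[,addr-or-range]...][:lowport-highport][:random][:persistent]|detect|random
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_PORT_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")
_MAX_RANGE = 256          # a range may contain at most 256 addresses
_PORT_PROTOS = ("tcp", "udp", "6", "17")   # assumption: numeric forms accepted too

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]   # inclusive first/last


@dataclass
class AddressSpec:
    mode: str                                       # "empty", "nonat", "detect" or "snat"
    addresses: List[Range] = field(default_factory=list)
    ports: Optional[Tuple[int, int]] = None         # source-port remap (lowport, highport)
    random: bool = False
    persistent: bool = False


def _parse_range(item: str) -> Range:
    first, _, last = item.partition("-")
    lo = ipaddress.IPv4Address(first)         # raises ValueError on a DNS name
    hi = ipaddress.IPv4Address(last) if last else lo
    if hi < lo:
        raise ValueError("reversed range %r" % item)
    if int(hi) - int(lo) + 1 > _MAX_RANGE:
        raise ValueError("range %r exceeds %d addresses" % (item, _MAX_RANGE))
    return lo, hi


def parse_address(column: str, proto: str = "-") -> AddressSpec:
    text = column.strip()
    if text in ("", "-"):
        return AddressSpec("empty")                  # MASQUERADE with the interface address
    if text == "NONAT":
        return AddressSpec("nonat")                  # exempt from the entries that follow
    if text == "detect":
        return AddressSpec("detect")                 # use the interface's configured addresses
    if text == "random":
        return AddressSpec("snat", random=True)      # random local ports, address unchanged
    fields = text.split(":")
    spec = AddressSpec("snat")
    if fields[0]:
        spec.addresses = [_parse_range(item) for item in fields[0].split(",")]
    flags = fields[1:]
    m = _PORT_RANGE_RE.match(flags[0]) if flags else None
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if proto.lower() not in _PORT_PROTOS:
            raise ValueError("port remapping requires tcp or udp in PROTO")
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port range %r" % flags[0])
        spec.ports = (lo, hi)
        flags = flags[1:]
    for flag in flags:
        if flag == "random":
            spec.random = True
        elif flag == "persistent":
            spec.persistent = True
        else:
            raise ValueError("unknown ADDRESS modifier %r" % flag)
    if spec.persistent and not spec.addresses:
        raise ValueError("persistent may not be used by itself")
    return spec


def address_count(spec: AddressSpec) -> int:
    """Number of SNAT source addresses the entry will rotate through."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in spec.addresses)


def rejects(column: str, proto: str = "-") -> bool:
    """True if the column/PROTO combination is refused by parse_address()."""
    try:
        parse_address(column, proto)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_address("206.124.146.177-206.124.146.180"))
    print(parse_address("192.0.2.4:5000-6000", proto="tcp"))
    print("refused without tcp/udp:", rejects("192.0.2.4:5000-6000"))
```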
155
156 PROTO (Optional) - {-|[!]protocol-name|[!]protocol-number}
157 If you wish to restrict this entry to a particular protocol then
158 enter the protocol name (from protocols(5)) or number here.
159
160 PORT(S) (Optional) - [[!]port-name-or-number[,port-name-or-number]...]
161 If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
162 (132) or UDPLITE (136) then you may list one or more port numbers
163 (or names from services(5)) or port ranges separated by commas.
164
165 Port ranges are of the form lowport:highport.
166
167 IPSEC (Optional) - [option[,option]...]
168 If you specify a value other than "-" in this column, you must be
169 running kernel 2.6 and your kernel and iptables must include policy
170 match support.
171
172 Comma-separated list of options from the following. Only packets
173 that will be encrypted via an SA that matches these options will
174 have their source address changed.
175
176 reqid=number
177 where number is specified using setkey(8) using the
178 'unique:number option for the SPD level.
179
180 spi=<number>
181 where number is the SPI of the SA used to encrypt/decrypt
182 packets.
183
184 proto=ah|esp|ipcomp
185 IPSEC Encapsulation Protocol
186
187 mss=number
188 sets the MSS field in TCP packets
189
190 mode=transport|tunnel
191 IPSEC mode
192
193 tunnel-src=address[/mask]
194 only available with mode=tunnel
195
196 tunnel-dst=address[/mask]
197 only available with mode=tunnel
198
199 strict
200 Means that packets must match all rules.
201
202 next
203 Separates rules; can only be used with strict
204
205 yes
206 When used by itself, causes all traffic that will be
207 encrypted/encapsulated to match the rule.
208
209 MARK - [!]value[/mask][:C]
210 Defines a test on the existing packet or connection mark. The rule
211 will match only if the test returns true.
212
213 If you don't want to define a test but need to specify anything in
214 the following columns, place a "-" in this field.
215
216 !
217 Inverts the test (not equal)
218
219 value
220 Value of the packet or connection mark.
221
222 mask
223 A mask to be applied to the mark before testing.
224
225 :C
226 Designates a connection mark. If omitted, the packet mark's
227 value is tested.
228
229 USER/GROUP (Optional) -
230 [!][user-name-or-number][:group-name-or-number][+program-name]
231 Only locally-generated connections will match if this column is
232 non-empty.
233
234 When this column is non-empty, the rule matches only if the program
235 generating the output is running under the effective user and/or
236 group specified (or is NOT running under that id if "!" is given).
237
238 Examples:
239
240 joe
241 program must be run by joe
242
243 :kids
244 program must be run by a member of the 'kids' group
245
246 !:kids
247 program must not be run by a member of the 'kids' group
248
249 +upnpd
250 #program named upnpd
251
252 Important
253 The ability to specify a program name was removed from
254 Netfilter in kernel version 2.6.14.
255
EXAMPLE
   Example 1:
       You have a simple masquerading setup where eth0 connects to a DSL
       or cable modem and eth1 connects to your local network with subnet
       192.168.0.0/24.

       Your entry in the file will be:

           #INTERFACE   SOURCE
           eth0         192.168.0.0/24

   Example 2:
       You add a router to your local network to connect subnet
       192.168.1.0/24, which you also want to masquerade. You then add a
       second entry for eth0 to this file:

           #INTERFACE   SOURCE
           eth0         192.168.1.0/24

   Example 3:
       You have an IPSEC tunnel through ipsec0 and you want to masquerade
       packets coming from 192.168.1.0/24 but only if these packets are
       destined for hosts in 10.1.1.0/24:

           #INTERFACE           SOURCE
           ipsec0:10.1.1.0/24   192.168.1.0/24

   Example 4:
       You want all outgoing traffic from 192.168.1.0/24 through eth0 to
       use source address 206.124.146.176, which is NOT the primary address
       of eth0. You want 206.124.146.176 to be added to eth0 with name
       eth0:0.

           #INTERFACE   SOURCE           ADDRESS
           eth0:0       192.168.1.0/24   206.124.146.176

   Example 5:
       You want all outgoing SMTP traffic entering the firewall from
       172.20.1.0/29 to be sent from eth0 with source IP address
       206.124.146.177. You want all other outgoing traffic from
       172.20.1.0/29 to be sent from eth0 with source IP address
       206.124.146.176.

           #INTERFACE   SOURCE          ADDRESS           PROTO   PORT(S)
           eth0         172.20.1.0/29   206.124.146.177   tcp     smtp
           eth0         172.20.1.0/29   206.124.146.176

       Warning
           The order of the above two rules is significant!

FILES
   /etc/shorewall/masq

SEE ALSO
   shorewall(8), shorewall-accounting(5), shorewall-actions(5),
   shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
   shorewall-interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
   shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
   shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
   shorewall-route_rules(5), shorewall-routestopped(5),
   shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
   shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
   shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
    1. shorewall-route_rules
       http://www.shorewall.net/manpages/shorewall-route_rules.html

    2. shorewall-tcrules
       http://www.shorewall.net/manpages/shorewall-tcrules.html

    3. shorewall.conf
       http://www.shorewall.net/manpages/shorewall.conf.html

    4. shorewall-interfaces
       http://www.shorewall.net/manpages/shorewall-interfaces.html

    5. more than one internet provider shares a single interface
       http://www.shorewall.net/4.4/MultiISP.html#Shared

    6. shorewall-exclusion
       http://www.shorewall.net/manpages/shorewall-exclusion.html

    7. shorewall-nat
       http://www.shorewall.net/manpages/shorewall-nat.html

[FIXME: source]                    09/16/2011                  SHOREWALL-MASQ(5)