SHOREWALL-SNAT(5)              Configuration Files             SHOREWALL-SNAT(5)

NAME
   snat - Shorewall SNAT/Masquerade definition file

SYNOPSIS
   /etc/shorewall[6]/snat

DESCRIPTION
   This file is used to define dynamic NAT (Masquerading) and to define
   Source NAT (SNAT). It superseded shorewall-masq[1](5) in Shorewall
   5.0.14.

   Warning
       The entries in this file are order-sensitive. The first entry that
       matches a particular connection will be the one that is used.

   Warning
       If you have more than one ISP link, adding entries to this file
       will not force connections to go out through a particular link. You
       must use entries in shorewall-rtrules[2](5) or PREROUTING entries
       in shorewall-mangle[3](5) to do that.

   Beginning with Shorewall 5.2.6, the snat file supports two different
   formats:

    1. The SPORT (source port) column is omitted. This is the default
       unless a "?FORMAT 2" compiler directive is included.

    2. The SPORT column immediately follows the DPORT column.

   The columns in the file are as follows.

   ACTION
       Defines the type of rule to generate. Beginning with Shorewall
       5.1.9, with the exception of NFLOG and ULOG, the action may be
       followed by a colon (":") and a log level (see
       shorewall-logging(5)[4]).

       Choices for ACTION are:

       action[+][(parameter,...)][:level]
           where action is an action declared in shorewall-actions(5)[5]
           with the nat option. See https://shorewall.org/Actions.html[6]
           for further information.

       CONTINUE[+]:level
           Causes matching packets to be exempted from any following rules
           in the file.

       LOG:level
           Added in Shorewall 5.1.9. Simply log the packet and continue
           with the next rule.

       MASQUERADE[+][([lowport[-highport]][random])][:level]
           Causes matching outgoing packets to have their source IP
           address set to the primary IP address of the interface
           specified in the DEST column. If lowport-highport is given,
           that port range will be used to assign a source port. If only
           lowport is given, that port will be assigned, if possible. If
           the option random is used, port mapping will be randomized.
           MASQUERADE should only be used when the DEST interface has a
           dynamic IP address. Otherwise, SNAT should be used and should
           specify the interface's static address.

       NFLOG[(nflog-parameters)]
           Added in Shorewall 5.1.9. Queues matching packets to a back end
           logging daemon via a netlink socket, then continues to the next
           rule. See shorewall-logging(5)[4].

           The nflog-parameters are a comma-separated list of up to 3
           numbers:

           ·  The first number specifies the netlink group (0-65535). If
              omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

           ·  The second number specifies the maximum number of bytes to
              copy. If omitted, 0 (no limit) is assumed.

           ·  The third number specifies the number of log messages that
              should be buffered in the kernel before they are sent to
              user space. The default is 1.

           NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
           the log level is not changed when this ACTION is used in an
           action or macro body and the invocation of that action or macro
           specifies a log level.

       SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
           If you specify an address here, matching packets will have
           their source address set to that address. If ADD_SNAT_ALIASES
           is set to Yes or yes in shorewall.conf[7](5) then Shorewall
           will automatically add this address to the INTERFACE named in
           the first column (IPv4 only).

           You may also specify a range of up to 256 IP addresses if you
           want the SNAT address to be assigned from that range in a
           round-robin fashion by connection. The range is specified by
           first.ip.in.range-last.ip.in.range. You may follow the port
           range with :random, in which case assignment of ports from the
           list will be random. random may also be specified by itself in
           this column, in which case random local port assignments are
           made for the outgoing connections.

           Example: 206.124.146.177-206.124.146.180

           You may follow the port range (or :random) with :persistent.
           This is only useful when an address range is specified and
           causes a client to be given the same source/destination IP
           pair.

           You may also use the special value detect, which causes
           Shorewall to determine the IP addresses configured on the
           interface named in the DEST column and substitute them in this
           column.

           Finally, you may also specify a comma-separated list of ranges
           and/or addresses in this column.

           DNS names are not allowed.

           Normally, Netfilter will attempt to retain the source port
           number. You may cause Netfilter to remap the source port by
           following an address or range (if any) by ":" and a port range
           with the format lowport-highport. If this is done, you must
           specify "tcp", "udp", "dccp" or "sctp" in the PROTO column.

           Examples:

               192.0.2.4:5000-6000
               :4000-5000

           You may also specify a single port number, which will be
           assigned to the outgoing connection, if possible.

       ULOG[(ulog-parameters)]
           IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to
           a back end logging daemon via a netlink socket, then continues
           to the next rule. See shorewall-logging(5)[4].

           Similar to LOG:ULOG[(ulog-parameters)], except that the log
           level is not changed when this ACTION is used in an action or
           macro body and the invocation of that action or macro specifies
           a log level.

       Normally Masq/SNAT rules are evaluated after those for one-to-one
       NAT (defined in shorewall-nat[8](5)). If you want the rule to be
       applied before one-to-one NAT rules, follow the action name with
       "+". This feature should only be required if you need to insert
       rules in this file that preempt entries in shorewall-nat[8](5).

   SOURCE (Optional) - [interface|address[,address...][exclusion]]
       Set of hosts that you wish to masquerade. You can specify this as
       an address (net or host) or as an interface. Unless you want to
       perform SNAT in the INPUT chain (see DEST below), if you give the
       name of an interface (deprecated), the interface must be up before
       you start the firewall, and the Shorewall rules compiler will warn
       you of that fact. (Shorewall will use your main routing table to
       determine the appropriate addresses to masquerade.)

       The preferred way to specify the SOURCE is to supply one or more
       host or network addresses separated by commas. You may use ipset
       names preceded by a plus sign (+) to specify a set of hosts.

   DEST - {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,dest-address]...[exclusion]]
       Outgoing interfaces and destination networks. Multiple interfaces
       may be listed when the ACTION is MASQUERADE, but this is usually
       just your internet interface. If ADD_SNAT_ALIASES=Yes in
       shorewall.conf[7](5), you may add ":" and a digit to indicate that
       you want the alias added with that name (e.g., eth0:0). This will
       allow the alias to be displayed with ifconfig. That is the only
       use for the alias name; it may not appear in any other place in
       your Shorewall configuration.

       Beginning with Shorewall 5.1.12, SNAT may be performed in the nat
       table's INPUT chain by specifying $FW rather than one or more
       interfaces.

       Each interface must match an entry in shorewall-interfaces[9](5).
       Shorewall allows loose matches to wildcard entries in
       shorewall-interfaces[9](5). For example, ppp0 in this file will
       match a shorewall-interfaces[9](5) entry that defines ppp+.

       Where more than one internet provider shares a single
       interface[10], the provider is specified by including the provider
       name or number in parentheses:

           eth0(Avvanta)

       In that case, you will want to specify the interface's address for
       that provider as the SNAT parameter.

       The interface may be qualified by adding the character ":" followed
       by a comma-separated list of destination host or subnet addresses
       to indicate that you only want to change the source IP address for
       packets being sent to those particular destinations. Exclusion is
       allowed (see shorewall-exclusion[11](5)), as are ipset names
       preceded by a plus sign (+).

       If you wish to inhibit the action of ADD_SNAT_ALIASES for this
       entry, include the ":" but omit the digit:

           eth0(Avvanta):
           eth2::192.0.2.32/27

       Comments may be attached to Netfilter rules generated from entries
       in this file through the use of ?COMMENT lines. These lines begin
       with ?COMMENT; the remainder of the line is treated as a comment
       which is attached to subsequent rules until another ?COMMENT line
       is found or until the end of the file is reached. To stop adding
       comments to rules, use a line containing only ?COMMENT.

   PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
       If you wish to restrict this entry to a particular protocol then
       enter the protocol name (from protocols(5)) or number here. See
       shorewall-rules(5)[12] for details.

       Beginning with Shorewall 4.5.12, this column can accept a
       comma-separated list of protocols.

       Beginning with Shorewall 4.6.0, an ipset name can be specified in
       this column. This is intended to be used with bitmap:port ipsets.

   {PORT|DPORT} (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
       The column was renamed to DPORT in Shorewall 5.2.6. Beginning with
       that release, both PORT and DPORT are accepted in the alternative
       input format.

       If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
       (132) or UDPLITE (136) then you may list one or more port numbers
       (or names from services(5)) or port ranges separated by commas.

       Port ranges are of the form lowport:highport.

       Beginning with Shorewall 4.6.0, an ipset name can be specified in
       this column. This is intended to be used with bitmap:port ipsets.

   SPORT - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
       FORMAT 2 only.

       If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
       (132) or UDPLITE (136) then you may list one or more port numbers
       (or names from services(5)) or port ranges separated by commas.

       Port ranges are of the form lowport:highport.

       An ipset name can be specified in this column. This is intended to
       be used with bitmap:port ipsets.

   IPSEC (Optional) - [option[,option]...]
       If you specify a value other than "-" in this column, you must be
       running kernel 2.6 and your kernel and iptables must include policy
       match support.

       Comma-separated list of options from the following. Only packets
       that will be encrypted via an SA that matches these options will
       have their source address changed.

       reqid=number
           where number is specified using setkey(8) using the
           'unique:number' option for the SPD level.

       spi=<number>
           where number is the SPI of the SA used to encrypt/decrypt
           packets.

       proto=ah|esp|ipcomp
           IPSEC Encapsulation Protocol

       mss=number
           sets the MSS field in TCP packets

       mode=transport|tunnel
           IPSEC mode

       tunnel-src=address[/mask]
           only available with mode=tunnel

       tunnel-dst=address[/mask]
           only available with mode=tunnel

       strict
           Means that packets must match all rules.

       next
           Separates rules; can only be used with strict

       yes
           When used by itself, causes all traffic that will be
           encrypted/encapsulated to match the rule.

   MARK - [!]value[/mask][:C]
       Defines a test on the existing packet or connection mark. The rule
       will match only if the test returns true.

       If you don't want to define a test but need to specify anything in
       the following columns, place a "-" in this field.

       !
           Inverts the test (not equal)

       value
           Value of the packet or connection mark.

       mask
           A mask to be applied to the mark before testing.

       :C
           Designates a connection mark. If omitted, the packet mark's
           value is tested.

   USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]
       This column was formerly labelled USER/GROUP.

       Only locally-generated connections will match if this column is
       non-empty.

       When this column is non-empty, the rule matches only if the program
       generating the output is running under the effective user and/or
       group specified (or is NOT running under that id if "!" is given).

       Examples:

       joe
           program must be run by joe

       :kids
           program must be run by a member of the 'kids' group

       !:kids
           program must not be run by a member of the 'kids' group

       +upnpd
           program named upnpd

       Important
           The ability to specify a program name was removed from
           Netfilter in kernel version 2.6.14.

   SWITCH - [!]switch-name[={0|1}]
       Added in Shorewall 4.5.1 and allows enabling and disabling the rule
       without requiring a shorewall restart.

       The rule is enabled if the value stored in
       /proc/net/nf_condition/switch-name is 1. The rule is disabled if
       that file contains 0 (the default). If '!' is supplied, the test is
       inverted such that the rule is enabled if the file contains 0.

       Within the switch-name, '@0' and '@{0}' are replaced by the name of
       the chain to which the rule is added. The switch-name (after
       '@...' expansion) must begin with a letter and be composed of
       letters, decimal digits, underscores or hyphens. Switch names must
       be 30 characters or less in length.

       Switches are normally off. To turn a switch on:

           echo 1 > /proc/net/nf_condition/switch-name

       To turn it off again:

           echo 0 > /proc/net/nf_condition/switch-name

       Switch settings are retained over shorewall restart.

       Beginning with Shorewall 4.5.10, when the switch-name is followed
       by =0 or =1, the switch is initialized to off or on respectively by
       the start command. Other commands do not affect the switch setting.

   ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
       (Optional) Added in Shorewall 4.5.6. This column may be included
       and may contain one or more addresses (host or network) separated
       by commas. Address ranges are not allowed. When this column is
       supplied, rules are generated that require that the original
       destination address matches one of the listed addresses. It is
       useful for specifying that SNAT should occur only for connections
       that were acted on by a DNAT when they entered the firewall.

       This column was formerly labelled ORIGINAL DEST.

   PROBABILITY - [probability]
       Added in Shorewall 5.0.0. When non-empty, requires the Statistics
       Match capability in your kernel and ip6tables and causes the rule
       to match randomly but with the given probability. The probability
       is a number 0 < probability <= 1 and may be expressed at up to 8
       decimal points of precision.

EXAMPLES
   IPv4 Example 1:
       You have a simple masquerading setup where eth0 connects to a DSL
       or cable modem and eth1 connects to your local network with subnet
       192.168.0.0/24.

       Your entry in the file will be:

           #ACTION      SOURCE          DEST
           MASQUERADE   192.168.0.0/24  eth0

   IPv4 Example 2:
       You add a router to your local network to connect subnet
       192.168.1.0/24 which you also want to masquerade. You then add a
       second entry for eth0 to this file:

           #ACTION      SOURCE          DEST
           MASQUERADE   192.168.0.0/24  eth0
           MASQUERADE   192.168.1.0/24  eth0

   IPv4 Example 3:
       You want all outgoing traffic from 192.168.1.0/24 through eth0 to
       use source address 206.124.146.176 which is NOT the primary address
       of eth0. You want 206.124.146.176 to be added to eth0 with name
       eth0:0.

           #ACTION                SOURCE          DEST
           SNAT(206.124.146.176)  192.168.1.0/24  eth0:0

   IPv4 Example 4:
       You want all outgoing SMTP traffic entering the firewall from
       172.20.1.0/29 to be sent from eth0 with source IP address
       206.124.146.177. You want all other outgoing traffic from
       172.20.1.0/29 to be sent from eth0 with source IP address
       206.124.146.176.

       In the superseded shorewall-masq[1](5) format:

           #INTERFACE  SOURCE         ADDRESS          PROTO  DPORT
           eth0        172.20.1.0/29  206.124.146.177  tcp    smtp
           eth0        172.20.1.0/29  206.124.146.176

       In this file:

           #ACTION                SOURCE         DEST  PROTO  PORT
           SNAT(206.124.146.177)  172.20.1.0/29  eth0  tcp    smtp
           SNAT(206.124.146.176)  172.20.1.0/29  eth0

       Warning
           The order of the above two rules is significant!
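       The order-sensitivity warning at the top of this page and the warning
       above describe the same hazard: an entry placed below a broader one
       can never match. The following checker, an added example and not code
       from shorewall-snat(5) or the Shorewall project, flags such shadowed
       entries in a FORMAT 1 snat file. It assumes the FORMAT 1 column order,
       compares SOURCE as an IP network and every other column textually
       ('-' meaning any), and treats exclusions, ranges, address lists and
       ipset names as not comparable rather than modelling them.

```python
"""Shadowed-entry check for a Shorewall snat file (FORMAT 1 column order).
Added example, not code from shorewall-snat(5) or Shorewall itself. The first
matching entry wins, so a later entry whose criteria are a subset of an earlier
entry's can never fire. SOURCE is compared as an IP network, other columns
textually ('-' = any); exclusions, ranges, lists and ipsets are not modelled.
"""
import ipaddress
import re

# FORMAT 1 (no SPORT). A trailing '{ key=value }' option block is kept as a
# pseudo-column so entries differing only there (IPv4 Example 6) pass.
COLUMNS = ("action", "source", "dest", "proto", "dport", "ipsec", "mark",
           "user", "switch", "origdest", "probability", "opts")
NON_TERMINAL = {"LOG", "NFLOG", "ULOG"}  # these continue to the next rule

def parse_snat(text):
    """One dict per entry; blank, comment and ?directive lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        opts = re.search(r"\{(.*)\}", raw)
        line = re.sub(r"\{.*\}", "", raw).split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        rule = dict(zip(COLUMNS, line.split() + ["-"] * len(COLUMNS)))
        rule.update(opts=opts.group(1).strip() if opts else "-", line=lineno)
        rules.append(rule)
    return rules

def _source_covers(broad, narrow):
    """True if every host matched by `narrow` is also matched by `broad`."""
    if broad == "-":
        return True
    try:
        b = ipaddress.ip_network(broad, strict=False)
        n = ipaddress.ip_network(narrow, strict=False)
    except ValueError:
        return False  # '-', ipset, exclusion or list: not comparable
    return b.version == n.version and n.subnet_of(b)

def shadowed_rules(rules):
    """Return (shadowed_line, by_line) pairs for entries that can never match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if re.match(r"\w*", earlier["action"]).group().upper() in NON_TERMINAL:
                continue  # a logging entry does not consume the packet
            textual = all(earlier[c] == "-" or earlier[c].lower() == later[c].lower()
                          for c in COLUMNS[2:])
            if textual and _source_covers(earlier["source"], later["source"]):
                found.append((later["line"], earlier["line"]))
                break
    return found

# Constructed sample: IPv4 Example 4's two entries in the wrong order, so the
# SMTP-specific entry on line 3 can never be reached.
SAMPLE = """\
#ACTION                SOURCE         DEST  PROTO  DPORT
SNAT(206.124.146.176)  172.20.1.0/29  eth0
SNAT(206.124.146.177)  172.20.1.0/29  eth0  tcp    smtp
"""

if __name__ == "__main__":
    for shadowed, by in shadowed_rules(parse_snat(SAMPLE)):
        print(f"entry on line {shadowed} is shadowed by line {by}")  # 3, 2
```

       Run against the two entries of Example 4 in the order shown on this
       page, the checker reports nothing; swapped, it reports the SMTP entry.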

   IPv4 Example 5:
       Connections leaving on eth0 and destined to any host defined in the
       ipset myset should have the source IP address changed to
       206.124.146.177.

           #ACTION                SOURCE  DEST
           SNAT(206.124.146.177)  -       eth0:+myset[dst]

   IPv4 Example 6:
       SNAT outgoing connections on eth0 from 192.168.1.0/24 in
       round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
       (Shorewall 4.5.9 and later).

       /etc/shorewall/tcrules:

           #ACTION  SOURCE          DEST  PROTO  DPORT  SPORT  USER  TEST
           1-3:CF   192.168.1.0/24  eth0  ;      state=NEW

       /etc/shorewall/snat:

           #ACTION        SOURCE          DEST
           SNAT(1.1.1.1)  192.168.1.0/24  eth0 { mark=1:C }
           SNAT(1.1.1.3)  192.168.1.0/24  eth0 { mark=2:C }
           SNAT(1.1.1.9)  192.168.1.0/24  eth0 { mark=3:C }

   IPv6 Example 1:
       You have a simple 'masquerading' setup where eth0 connects to a DSL
       or cable modem and eth1 connects to your local network with subnet
       2001:470:b:787::0/64.

       Your entry in the file will be:

           #ACTION      SOURCE               DEST
           MASQUERADE   2001:470:b:787::0/64  eth0

   IPv6 Example 2:
       Your sit1 interface has two public IP addresses: 2001:470:a:227::1
       and 2001:470:b:227::1. You want to use the iptables statistics
       match to masquerade outgoing connections evenly between these two
       addresses.

       /etc/shorewall/snat:

           #ACTION                  SOURCE  DEST
           SNAT(2001:470:a:227::1)  ::/0    sit1 { probability=0.50 }
           SNAT(2001:470:b:227::1)  ::/0    sit1
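       The even split above works only because the first matching entry
       wins: the second entry sees the half of the traffic the first did
       not take. The following added example (not code from
       shorewall-snat(5) or the Shorewall project) computes the effective
       share each PROBABILITY entry receives and derives the values needed
       to split traffic evenly over any number of addresses; it assumes the
       column's 0 < probability <= 1 range and an empty column ('-')
       meaning the entry always matches.

```python
"""Effective traffic share of PROBABILITY-matched snat entries.

Added example, not code from shorewall-snat(5) or Shorewall itself. Because
the first matching entry wins, an entry with PROBABILITY p only sees traffic
not already taken by the entries above it, so its effective share is
p * (1 - p_1) * ... * (1 - p_{i-1}). IPv6 Example 2 relies on this: 0.50 on
the first entry and no probability (1.0) on the second splits traffic evenly.
"""


def effective_shares(probabilities):
    """Fraction of connections each entry handles, in listed order.

    A '-' (empty PROBABILITY column) counts as probability 1.0.
    """
    shares, remaining = [], 1.0
    for value in probabilities:
        p = 1.0 if value == "-" else float(value)
        if not 0.0 < p <= 1.0:
            raise ValueError(f"PROBABILITY must satisfy 0 < p <= 1, got {value}")
        shares.append(remaining * p)
        remaining *= 1.0 - p
    return shares


def even_split(n):
    """PROBABILITY values that spread traffic evenly over n entries.

    Entry i (0-based) must take 1/(n-i) of what is left; the last entry takes
    all that remains and so needs no probability. Values are written with at
    most the 8 decimal places the column accepts.
    """
    values = [f"{1.0 / (n - i):.8f}".rstrip("0").rstrip(".") for i in range(n - 1)]
    return values + ["-"]


if __name__ == "__main__":
    print(effective_shares(["0.50", "-"]))  # [0.5, 0.5] (IPv6 Example 2)
    print(even_split(3))                    # ['0.33333333', '0.5', '-']
```

       Note that giving every entry the same probability (for example 0.50
       and 0.50) does not split evenly: the second entry then handles only
       a quarter of the connections and the rest match no entry at all.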

FILES
   /etc/shorewall/snat

   /etc/shorewall6/snat

SEE ALSO
   https://shorewall.org/configuration_file_basics.htm#Pairs[13]

   shorewall(8)

NOTES
    1. shorewall-masq
       https://shorewall.org/manpages/shorewall-masq.html

    2. shorewall-rtrules
       https://shorewall.org/manpages/shorewall-rtrules.html

    3. shorewall-mangle
       https://shorewall.org/manpages/shorewall-mangle.html

    4. shorewall-logging(5)
       https://shorewall.org/manpages/shorewall-logging.html

    5. shorewall-actions(5)
       https://shorewall.org/manpages/shorewall-actions.html

    6. https://shorewall.org/Actions.html
       https://shorewall.org/Actions.html

    7. shorewall.conf
       https://shorewall.org/manpages/shorewall.conf.html

    8. shorewall-nat
       https://shorewall.org/manpages/shorewall-nat.html

    9. shorewall-interfaces
       https://shorewall.org/manpages/shorewall-interfaces.html

   10. more than one internet provider shares a single interface
       https://shorewall.org/4.4/MultiISP.html#Shared

   11. shorewall-exclusion
       https://shorewall.org/manpages/shorewall-exclusion.html

   12. shorewall-rules(5)
       https://shorewall.org/manpages/shorewall-rules.html

   13. https://shorewall.org/configuration_file_basics.htm#Pairs
       https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files                07/29/2020                  SHOREWALL-SNAT(5)