SHOREWALL-SNAT(5)              Configuration Files              SHOREWALL-SNAT(5)

NAME
   snat - Shorewall SNAT/Masquerade definition file

SYNOPSIS
   /etc/shorewall[6]/snat

DESCRIPTION
   This file is used to define dynamic NAT (Masquerading) and to define
   Source NAT (SNAT). It superseded shorewall-masq[1](5) in Shorewall
   5.0.14.

   Warning
       The entries in this file are order-sensitive. The first entry that
       matches a particular connection will be the one that is used.

   Warning
       If you have more than one ISP link, adding entries to this file
       will not force connections to go out through a particular link. You
       must use entries in shorewall-rtrules[2](5) or PREROUTING entries
       in shorewall-mangle[3](5) to do that.

   Beginning with Shorewall 5.2.6, the snat file supports two different
   formats:

   1. The SPORT (source port) column is omitted. This is the default
      unless a "?FORMAT 2" compiler directive is included.

   2. The SPORT column immediately follows the DPORT column.

   The columns in the file are as follows.
   ACTION
       Defines the type of rule to generate. Beginning with Shorewall
       5.1.9, with the exception of NFLOG and ULOG, the action may be
       followed by a colon (":") and a log level (see
       shorewall-logging(5)[4]).

       Choices for ACTION are:

       action[+][(parameter,...)][:level]
           where action is an action declared in shorewall-actions(5)[5]
           with the nat option. See https://shorewall.org/Actions.html[6]
           for further information.

       CONTINUE[+]:level
           Causes matching packets to be exempted from any following rules
           in the file.

       LOG:level
           Added in Shorewall 5.1.9. Simply log the packet and continue
           with the next rule.

       MASQUERADE[+][([lowport[-highport]][random])][:level]
           Causes matching outgoing packets to have their source IP
           address set to the primary IP address of the interface
           specified in the DEST column. If lowport-highport is given,
           that port range will be used to assign a source port. If only
           lowport is given, that port will be assigned, if possible. If
           the random option is used, then port mapping will be
           randomized. MASQUERADE should only be used when the DEST
           interface has a dynamic IP address. Otherwise, SNAT should be
           used and should specify the interface's static address.

       NFLOG[(nflog-parameters)]
           Added in Shorewall 5.1.9. Queues matching packets to a back end
           logging daemon via a netlink socket then continues to the next
           rule. See shorewall-logging(5)[4].

           The nflog-parameters are a comma-separated list of up to 3
           numbers:

           • The first number specifies the netlink group (0-65535). If
             omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

           • The second number specifies the maximum number of bytes to
             copy. If omitted, 0 (no limit) is assumed.

           • The third number specifies the number of log messages that
             should be buffered in the kernel before they are sent to
             user space. The default is 1.

           NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
           the log level is not changed when this ACTION is used in an
           action or macro body and the invocation of that action or macro
           specifies a log level.

       SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
           If you specify an address here, matching packets will have
           their source address set to that address. If ADD_SNAT_ALIASES
           is set to Yes or yes in shorewall.conf[7](5) then Shorewall
           will automatically add this address to the interface named in
           the DEST column (IPv4 only).

           You may also specify a range of up to 256 IP addresses if you
           want the SNAT address to be assigned from that range in a
           round-robin fashion by connection. The range is specified by
           first.ip.in.range-last.ip.in.range. You may follow the port
           range with :random, in which case assignment of ports from the
           list will be random. random may also be specified by itself in
           this column, in which case random local port assignments are
           made for the outgoing connections.

           Example: 206.124.146.177-206.124.146.180

           You may follow the port range (or :random) with :persistent.
           This is only useful when an address range is specified and
           causes a client to be given the same source/destination IP
           pair.

           You may also use the special value detect, which causes
           Shorewall to determine the IP addresses configured on the
           interface named in the DEST column and substitute them in this
           column.

           DNS names are not allowed.

           Normally, Netfilter will attempt to retain the source port
           number. You may cause Netfilter to remap the source port by
           following an address or range (if any) by ":" and a port range
           with the format lowport-highport. If this is done, you must
           specify "tcp", "udp", "dccp" or "sctp" in the PROTO column.

           Examples:

               192.0.2.4:5000-6000
               :4000-5000

           You may also specify a single port number, which will be
           assigned to the outgoing connection, if possible.

       ULOG[(ulog-parameters)]
           IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to
           a back end logging daemon via a netlink socket then continues
           to the next rule. See shorewall-logging(5)[4].

           Similar to LOG:ULOG[(ulog-parameters)], except that the log
           level is not changed when this ACTION is used in an action or
           macro body and the invocation of that action or macro specifies
           a log level.

       Normally Masq/SNAT rules are evaluated after those for one-to-one
       NAT (defined in shorewall-nat[8](5)). If you want the rule to be
       applied before one-to-one NAT rules, follow the action name with
       "+". This feature should only be required if you need to insert
       rules in this file that preempt entries in shorewall-nat[8](5).
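       The following parser is an added illustration of the SNAT parameter
       syntax described above; it is not part of this man page or of the
       Shorewall compiler, and the function names are my own. It applies
       the stated checks: a range of at most 256 addresses, optional
       :lowport[-highport], :random and :persistent, the detect keyword,
       the "+" preemption flag, and the rule that port remapping must be
       paired with a tcp, udp, dccp or sctp PROTO.

```python
import re
from ipaddress import ip_address

# Constructed example parser for the ACTION syntax
#   SNAT[+]([address-or-address-range][:lowport[-highport]][:random][:persistent]|detect)[:level]
# It only applies the rules stated in shorewall-snat(5); it is not Shorewall code.
PORT_PROTOS = {"tcp", "udp", "dccp", "sctp"}   # protocols that permit port remapping
SNAT_RE = re.compile(r"SNAT(\+?)\((.*)\)(?::(\S+))?")

def _parse_ports(spec):
    """'5000-6000' -> (5000, 6000); a single port '4000' -> (4000, 4000)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi

def parse_snat(field, proto="-"):
    """Parse one ACTION field; proto is the same entry's PROTO column value."""
    m = SNAT_RE.fullmatch(field)
    if not m:
        raise ValueError(f"not a SNAT action: {field!r}")
    plus, params, level = m.groups()
    out = {"preempt_nat": plus == "+", "level": level, "address": None,
           "range": 0, "ports": None, "random": False, "persistent": False,
           "detect": False}
    if params == "detect":            # addresses are taken from the DEST interface
        out["detect"] = True
        return out
    addr, *flags = params.split(":")
    if addr:                          # single address or first-last range
        first, _, last = addr.partition("-")
        lo, hi = ip_address(first), ip_address(last or first)
        out["range"] = int(hi) - int(lo) + 1
        if not 1 <= out["range"] <= 256:
            raise ValueError("SNAT range must cover 1..256 addresses")
        out["address"] = addr
    for flag in flags:
        if flag == "random":
            out["random"] = True
        elif flag == "persistent":
            out["persistent"] = True
        else:                         # lowport or lowport-highport
            out["ports"] = _parse_ports(flag)
    if out["ports"] and proto.lower() not in PORT_PROTOS:
        raise ValueError("port remapping requires PROTO tcp, udp, dccp or sctp")
    return out
```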
   SOURCE (Optional) - [interface|address[,address...][exclusion]]
       Set of hosts that you wish to masquerade. You can specify this as
       an address (net or host) or as an interface. Unless you want to
       perform SNAT in the INPUT chain (see DEST below), if you give the
       name of an interface (deprecated), the interface must be up before
       you start the firewall and the Shorewall rules compiler will warn
       you of that fact. (Shorewall will use your main routing table to
       determine the appropriate addresses to masquerade.)

       The preferred way to specify the SOURCE is to supply one or more
       host or network addresses separated by commas. You may use ipset
       names preceded by a plus sign (+) to specify a set of hosts.

   DEST - {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,dest-address]...[exclusion]]
       Outgoing interfaces and destination networks. Multiple interfaces
       may be listed when the ACTION is MASQUERADE, but this is usually
       just your internet interface. If ADD_SNAT_ALIASES=Yes in
       shorewall.conf[7](5), you may add ":" and a digit to indicate that
       you want the alias added with that name (e.g., eth0:0). This will
       allow the alias to be displayed with ifconfig. That is the only
       use for the alias name; it may not appear in any other place in
       your Shorewall configuration.

       Beginning with Shorewall 5.1.12, SNAT may be performed in the nat
       table's INPUT chain by specifying $FW rather than one or more
       interfaces.

       Each interface must match an entry in shorewall-interfaces[9](5).
       Shorewall allows loose matches to wildcard entries in
       shorewall-interfaces[9](5). For example, ppp0 in this file will
       match a shorewall-interfaces[9](5) entry that defines ppp+.

       Where more than one internet provider shares a single
       interface[10], the provider is specified by including the provider
       name or number in parentheses:

           eth0(Avvanta)

       In that case, you will want to specify the interface's address for
       that provider as the SNAT parameter.

       The interface may be qualified by adding the character ":" followed
       by a comma-separated list of destination host or subnet addresses
       to indicate that you only want to change the source IP address for
       packets being sent to those particular destinations. Exclusion is
       allowed (see shorewall-exclusion[11](5)), as are ipset names
       preceded by a plus sign (+).

       If you wish to inhibit the action of ADD_SNAT_ALIASES for this
       entry then include the ":" but omit the digit:

           eth0(Avvanta):
           eth2::192.0.2.32/27

       Comments may be attached to Netfilter rules generated from entries
       in this file through the use of ?COMMENT lines. These lines begin
       with ?COMMENT; the remainder of the line is treated as a comment
       which is attached to subsequent rules until another ?COMMENT line
       is found or until the end of the file is reached. To stop adding
       comments to rules, use a line containing only ?COMMENT.
   PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
       If you wish to restrict this entry to a particular protocol then
       enter the protocol name (from protocols(5)) or number here. See
       shorewall-rules(5)[12] for details.

       Beginning with Shorewall 4.5.12, this column can accept a
       comma-separated list of protocols.

       Beginning with Shorewall 4.6.0, an ipset name can be specified in
       this column. This is intended to be used with bitmap:port ipsets.

   {PORT|DPORT} (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
       The column was renamed to DPORT in Shorewall 5.2.6. Beginning with
       that release, both PORT and DPORT are accepted in the alternative
       input format.

       If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
       (132) or UDPLITE (136) then you may list one or more port numbers
       (or names from services(5)) or port ranges separated by commas.

       Port ranges are of the form lowport:highport.

       Beginning with Shorewall 4.6.0, an ipset name can be specified in
       this column. This is intended to be used with bitmap:port ipsets.

   SPORT - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
       FORMAT 2 only.

       If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP
       (132) or UDPLITE (136) then you may list one or more port numbers
       (or names from services(5)) or port ranges separated by commas.

       Port ranges are of the form lowport:highport.

       An ipset name can be specified in this column. This is intended to
       be used with bitmap:port ipsets.

   IPSEC (Optional) - [option[,option]...]
       If you specify a value other than "-" in this column, you must be
       running kernel 2.6 and your kernel and iptables must include policy
       match support.

       Comma-separated list of options from the following. Only packets
       that will be encrypted via an SA that matches these options will
       have their source address changed.

       reqid=number
           where number is specified using setkey(8) using the
           'unique:number' option for the SPD level.

       spi=<number>
           where number is the SPI of the SA used to encrypt/decrypt
           packets.

       proto=ah|esp|ipcomp
           IPSEC Encapsulation Protocol

       mss=number
           sets the MSS field in TCP packets

       mode=transport|tunnel
           IPSEC mode

       tunnel-src=address[/mask]
           only available with mode=tunnel

       tunnel-dst=address[/mask]
           only available with mode=tunnel

       strict
           Means that packets must match all rules.

       next
           Separates rules; can only be used with strict

       yes
           When used by itself, causes all traffic that will be
           encrypted/encapsulated to match the rule.

   MARK - [!]value[/mask][:C]
       Defines a test on the existing packet or connection mark. The rule
       will match only if the test returns true.

       If you don't want to define a test but need to specify anything in
       the following columns, place a "-" in this field.

       !
           Inverts the test (not equal)

       value
           Value of the packet or connection mark.

       mask
           A mask to be applied to the mark before testing.

       :C
           Designates a connection mark. If omitted, the packet mark's
           value is tested.

   USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]
       This column was formerly labelled USER/GROUP.

       Only locally-generated connections will match if this column is
       non-empty.

       When this column is non-empty, the rule matches only if the program
       generating the output is running under the effective user and/or
       group specified (or is NOT running under that id if "!" is given).

       Examples:

       joe
           program must be run by joe

       :kids
           program must be run by a member of the 'kids' group

       !:kids
           program must not be run by a member of the 'kids' group

       +upnpd
           program named upnpd

       Important
           The ability to specify a program name was removed from
           Netfilter in kernel version 2.6.14.

   SWITCH - [!]switch-name[={0|1}]
       Added in Shorewall 4.5.1 and allows enabling and disabling the rule
       without requiring a shorewall restart.

       The rule is enabled if the value stored in
       /proc/net/nf_condition/switch-name is 1. The rule is disabled if
       that file contains 0 (the default). If '!' is supplied, the test is
       inverted such that the rule is enabled if the file contains 0.

       Within the switch-name, '@0' and '@{0}' are replaced by the name of
       the chain to which the rule is added. The switch-name (after
       '@...' expansion) must begin with a letter and be composed of
       letters, decimal digits, underscores or hyphens. Switch names must
       be 30 characters or less in length.

       Switches are normally off. To turn a switch on:

           echo 1 > /proc/net/nf_condition/switch-name

       To turn it off again:

           echo 0 > /proc/net/nf_condition/switch-name

       Switch settings are retained over shorewall restart.

       Beginning with Shorewall 4.5.10, when the switch-name is followed
       by =0 or =1, the switch is initialized to off or on respectively
       by the start command. Other commands do not affect the switch
       setting.

   ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
       (Optional) Added in Shorewall 4.5.6. This column may be included
       and may contain one or more addresses (host or network) separated
       by commas. Address ranges are not allowed. When this column is
       supplied, rules are generated that require that the original
       destination address matches one of the listed addresses. It is
       useful for specifying that SNAT should occur only for connections
       that were acted on by a DNAT when they entered the firewall.

       This column was formerly labelled ORIGINAL DEST.

   PROBABILITY - [probability]
       Added in Shorewall 5.0.0. When non-empty, requires the Statistics
       Match capability in your kernel and iptables (or ip6tables) and
       causes the rule to match randomly but with the given probability.
       The probability is a number 0 < probability <= 1 and may be
       expressed at up to 8 decimal points of precision.
EXAMPLES
   IPv4 Example 1:
       You have a simple masquerading setup where eth0 connects to a DSL
       or cable modem and eth1 connects to your local network with subnet
       192.168.0.0/24.

       Your entry in the file will be:

           #ACTION        SOURCE           DEST
           MASQUERADE     192.168.0.0/24   eth0

   IPv4 Example 2:
       You add a router to your local network to connect subnet
       192.168.1.0/24 which you also want to masquerade. You then add a
       second entry for eth0 to this file:

           #ACTION        SOURCE           DEST
           MASQUERADE     192.168.0.0/24   eth0
           MASQUERADE     192.168.1.0/24   eth0

   IPv4 Example 3:
       You want all outgoing traffic from 192.168.1.0/24 through eth0 to
       use source address 206.124.146.176 which is NOT the primary address
       of eth0. You want 206.124.146.176 to be added to eth0 with name
       eth0:0.

           #ACTION                  SOURCE           DEST
           SNAT(206.124.146.176)    192.168.1.0/24   eth0:0

   IPv4 Example 4:
       You want all outgoing SMTP traffic entering the firewall from
       172.20.1.0/29 to be sent from eth0 with source IP address
       206.124.146.177. You want all other outgoing traffic from
       172.20.1.0/29 to be sent from eth0 with source IP address
       206.124.146.176.

       In the superseded shorewall-masq[1](5) format this was written as:

           #INTERFACE   SOURCE          ADDRESS           PROTO   DPORT
           eth0         172.20.1.0/29   206.124.146.177   tcp     smtp
           eth0         172.20.1.0/29   206.124.146.176

       In this file the entries are:

           #ACTION                  SOURCE          DEST   PROTO   PORT
           SNAT(206.124.146.177)    172.20.1.0/29   eth0   tcp     smtp
           SNAT(206.124.146.176)    172.20.1.0/29   eth0

       Warning
           The order of the above two rules is significant!

   IPv4 Example 5:
       Connections leaving on eth0 and destined to any host defined in the
       ipset myset should have the source IP address changed to
       206.124.146.177.

           #ACTION                  SOURCE   DEST
           SNAT(206.124.146.177)    -        eth0:+myset[dst]

   IPv4 Example 6:
       SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly to
       addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
       later).

       /etc/shorewall/snat:

           #ACTION          SOURCE           DEST
           SNAT(1.1.1.1)    192.168.1.0/24   eth0   { probability=0.33 }
           SNAT(1.1.1.3)    192.168.1.0/24   eth0   { probability=0.50 }
           SNAT(1.1.1.9)    192.168.1.0/24   eth0

   IPv6 Example 1:
       You have a simple 'masquerading' setup where eth0 connects to a DSL
       or cable modem and eth1 connects to your local network with subnet
       2001:470:b:787::0/64.

       Your entry in the file will be:

           #ACTION        SOURCE                DEST
           MASQUERADE     2001:470:b:787::0/64  eth0

   IPv6 Example 2:
       Your sit1 interface has two public IP addresses: 2001:470:a:227::1
       and 2001:470:b:227::1. You want to use the iptables statistics
       match to masquerade outgoing connections evenly between these two
       addresses.

       /etc/shorewall/snat:

           #ACTION                  SOURCE   DEST
           SNAT(2001:470:a:227::1)  ::/0     sit1   { probability=0.50 }
           SNAT(2001:470:b:227::1)  ::/0     sit1
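       Because the file is order-sensitive, each PROBABILITY rule only sees
       the connections that earlier rules did not take, which is why IPv4
       Example 6 uses 0.33 then 0.50 and IPv6 Example 2 uses a single 0.50.
       The following added worked example (my own code, not part of this
       man page or of Shorewall) computes the resulting share per address,
       derives the values needed for an even split over any number of
       addresses, and shows the share that would leave the firewall
       un-translated if the final catch-all rule were omitted.

```python
from fractions import Fraction

# Constructed model of first-match-wins evaluation of PROBABILITY rules.
# Input: one entry per rule in file order; None means the rule has no
# PROBABILITY and therefore takes everything that reaches it.

def effective_shares(probabilities):
    """Fraction of connections each rule ends up translating."""
    remaining = Fraction(1)          # traffic not yet claimed by an earlier rule
    shares = []
    for p in probabilities:
        p = Fraction(1) if p is None else Fraction(str(p))
        if not 0 < p <= 1:
            raise ValueError("PROBABILITY must satisfy 0 < probability <= 1")
        shares.append(remaining * p)
        remaining -= remaining * p
    return shares

def equal_split_probabilities(n):
    """PROBABILITY values that spread connections evenly over n addresses:
    rule i of n (1-based) gets 1/(n-i+1); the last rule carries no value."""
    return [Fraction(1, n - i) for i in range(n - 1)] + [None]

def unmatched_share(probabilities):
    """Connections that no rule claims, e.g. when the catch-all is missing.
    Those packets leave with their original (possibly private) source."""
    return Fraction(1) - sum(effective_shares(probabilities))
```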
476
478 /etc/shorewall/snat
479
480 /etc/shorewall6/snat
481
483 https://shorewall.org/configuration_file_basics.htm#Pairs[13]
484
485 shorewall(8)
486
488 1. shorewall-masq
489 https://shorewall.org/manpages/shorewall-masq.html
490
491 2. shorewall-rtrules
492 https://shorewall.org/manpages/shorewall-rtrules.html
493
494 3. shorewall-mangle
495 https://shorewall.org/manpages/shorewall-mangle.html
496
497 4. shorewall-logging(5)
498 https://shorewall.org/manpages/shorewall-logging.html
499
500 5. shorewall-actions(5)
501 https://shorewall.org/manpages/shorewall-actions.html
502
503 6. https://shorewall.org/Actions.html
504 https://shorewall.org/Actions.html
505
506 7. shorewall.conf
507 https://shorewall.org/manpages/shorewall.conf.html
508
509 8. shorewall-nat
510 https://shorewall.org/manpages/shorewall-nat.html
511
512 9. shorewall-interfaces
513 https://shorewall.org/manpages/shorewall-interfaces.html
514
515 10. more that one internet provider share a single interface
516 https://shorewall.org/4.4/MultiISP.html#Shared
517
518 11. shorewall-exclusion
519 https://shorewall.org/manpages/shorewall-exclusion.html
520
521 12. shorewall-rules(5)
522 https://shorewall.org/manpages/shorewall-rules.html
523
524 13. https://shorewall.org/configuration_file_basics.htm#Pairs
525 https://shorewall.org/configuration_file_basics.htm#Pairs
526
527
528
529Configuration Files 09/24/2020 SHOREWALL-SNAT(5)