shorewall-masq(5)                                            shorewall-masq(5)

NAME

       masq - Shorewall Masquerade/SNAT definition file

SYNOPSIS

       /etc/shorewall/masq

DESCRIPTION

       Use this file to define dynamic NAT (Masquerading) and to define Source
       NAT (SNAT).

              Warning

              The entries in this file are order-sensitive. The first entry
              that matches a particular connection will be the one that is
              used.

              Warning

              If you have more than one ISP, adding entries to this file will
              *not* force connections to go out through a particular ISP. You
              must use PREROUTING entries in shorewall-tcrules(5)
              ⟨shorewall-tcrules.tcml⟩ to do that.

       The columns in the file are as follows.

       INTERFACE — [+]interface[:[digit]][:[address[,address]...[exclusion]]
              Outgoing interface. This is usually your internet interface. If
              ADD_SNAT_ALIASES=Yes in shorewall.conf(5) ⟨shorewall.conf.html⟩,
              you may add ":" and a digit to indicate that you want the alias
              added with that name (e.g., eth0:0). This will allow the alias
              to be displayed with ifconfig. That is the only use for the
              alias name; it may not appear in any other place in your
              Shorewall configuration.

              The interface may be qualified by adding the character ":"
              followed by a comma-separated list of destination host or subnet
              addresses to indicate that you only want to change the source IP
              address for packets being sent to those particular destinations.
              Exclusion is allowed (see shorewall-exclusion(5)
              ⟨shorewall-exclusion.html⟩).

              If you wish to inhibit the action of ADD_SNAT_ALIASES for this
              entry then include the ":" but omit the digit:

                      eth0:
                      eth2::192.0.2.32/27

              Normally Masq/SNAT rules are evaluated after those for one-to-one
              NAT (defined in shorewall-nat(5) ⟨shorewall-nat.html⟩). If you
              want the rule to be applied before one-to-one NAT rules, prefix
              the interface name with "+":

                      +eth0
                      +eth0:192.0.2.32/27
                      +eth0:2

              This feature should only be required if you need to insert rules
              in this file that preempt entries in shorewall-nat(5)
              ⟨shorewall-nat.html⟩.

       SOURCE (Formerly called SUBNET) — {interface[[:]exclusion]|address[,address][exclusion]}
              Set of hosts that you wish to masquerade. You can specify this
              as an address (net or host) or as an interface. If you give the
              name of an interface, the interface must be up before you start
              the firewall (Shorewall will use your main routing table to
              determine the appropriate addresses to masquerade).

              In order to exclude an address of the specified SOURCE, you may
              append an exclusion ("!" and a comma-separated list of IP
              addresses (host or net) that you wish to exclude (see
              shorewall-exclusion(5) ⟨shorewall-exclusion.html⟩)). Note that
              with Shorewall-perl, a colon (":") must appear between an
              interface name and the exclusion.

              Example (shorewall-shell): eth1!192.168.1.4,192.168.32.0/27

              Example (shorewall-perl): eth1:!192.168.1.4,192.168.32.0/27

              In that example traffic from eth1 would be masqueraded unless it
              came from 192.168.1.4 or 192.168.32.0/27.

       ADDRESS (Optional) — [-|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect|random]
              If you specify an address here, SNAT will be used and this will
              be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
              in shorewall.conf(5) ⟨shorewall.conf.html⟩ then Shorewall will
              automatically add this address to the INTERFACE named in the
              first column.

              You may also specify a range of up to 256 IP addresses if you
              want the SNAT address to be assigned from that range in a
              round-robin fashion by connection. The range is specified by
              first.ip.in.range-last.ip.in.range. Beginning with Shorewall
              4.0.6, you may follow the port range with :random in which case
              assignment of ports from the list will be random. random may
              also be specified by itself in this column in which case random
              local port assignments are made for the outgoing connections.

              Example: 206.124.146.177-206.124.146.180

              You may also use the special value "detect" which causes
              Shorewall to determine the IP addresses configured on the
              interface named in the INTERFACE column and substitute them in
              this column.

              Finally, you may also specify a comma-separated list of ranges
              and/or addresses in this column.

              This column may not contain DNS Names.

              Normally, Netfilter will attempt to retain the source port
              number. You may cause Netfilter to remap the source port by
              following an address or range (if any) by ":" and a port range
              with the format lowport-highport. If this is done, you must
              specify "tcp" or "udp" in the PROTO column.

              Examples:

                      192.0.2.4:5000-6000
                      :4000-5000

              You can invoke the SAME target rather than the SNAT target by
              prefixing the column contents with SAME:.

              SAME works like SNAT with the exception that the same local IP
              address is assigned to each connection from a local address to a
              given remote address.

              If the nodst: option is included, then the same source address
              is used for a given internal system regardless of which remote
              system is involved.

              Warning

              Support for the SAME target is scheduled for removal from the
              Linux kernel in 2008.

              If you want to leave this column empty but you need to specify
              the next column then place a hyphen ("-") here.

       PROTO (Optional) — {-|protocol-name|protocol-number}
              If you wish to restrict this entry to a particular protocol then
              enter the protocol name (from protocols(5)) or number here.

       PORT(S) (Optional) — [port-name-or-number[,port-name-or-number]...]
              If the PROTO column specifies TCP (protocol 6) or UDP (protocol
              17) then you may list one or more port numbers (or names from
              services(5)) separated by commas or you may list a single port
              range (lowport:highport).

              Where a comma-separated list is given, your kernel and iptables
              must have multiport match support and a maximum of 15 ports may
              be listed.

       IPSEC (Optional) — [option[,option]...]
              If you specify a value other than "-" in this column, you must
              be running kernel 2.6 and your kernel and iptables must include
              policy match support.

              Comma-separated list of options from the following. Only packets
              that will be encrypted via an SA that matches these options will
              have their source address changed.

              reqid=number
                     where number is specified using setkey(8) using the
                     'unique:number' option for the SPD level.

              spi=<number>
                     where number is the SPI of the SA used to encrypt/decrypt
                     packets.

              proto=ah|esp|ipcomp
                     IPSEC Encapsulation Protocol

              mss=number
                     sets the MSS field in TCP packets

              mode=transport|tunnel
                     IPSEC mode

              tunnel-src=address[/mask]
                     only available with mode=tunnel

              tunnel-dst=address[/mask]
                     only available with mode=tunnel

              strict Means that packets must match all rules.

              next   Separates rules; can only be used with strict

       MARK — [!]value[/mask][:C]
              Defines a test on the existing packet or connection mark. The
              rule will match only if the test returns true.

              If you don't want to define a test but need to specify anything
              in the following columns, place a "-" in this field.

              !      Inverts the test (not equal)

              value  Value of the packet or connection mark.

              mask   A mask to be applied to the mark before testing.

              :C     Designates a connection mark. If omitted, the packet
                     mark's value is tested. This option is only supported by
                     Shorewall-perl.


EXAMPLES

       Example 1:
              You have a simple masquerading setup where eth0 connects to a
              DSL or cable modem and eth1 connects to your local network with
              subnet 192.168.0.0/24.

              Your entry in the file can be either:

                      #INTERFACE   SOURCE
                      eth0         eth1

              or

                      #INTERFACE   SOURCE
                      eth0         192.168.0.0/24

       Example 2:
              You add a router to your local network to connect subnet
              192.168.1.0/24 which you also want to masquerade. You then add a
              second entry for eth0 to this file:

                      #INTERFACE   SOURCE
                      eth0         192.168.1.0/24

       Example 3:
              You have an IPSEC tunnel through ipsec0 and you want to
              masquerade packets coming from 192.168.1.0/24 but only if these
              packets are destined for hosts in 10.1.1.0/24:

                      #INTERFACE              SOURCE
                      ipsec0:10.1.1.0/24      192.168.1.0/24

       Example 4:
              You want all outgoing traffic from 192.168.1.0/24 through eth0
              to use source address 206.124.146.176 which is NOT the primary
              address of eth0. You want 206.124.146.176 to be added to eth0
              with name eth0:0.

                      #INTERFACE              SOURCE          ADDRESS
                      eth0:0                  192.168.1.0/24  206.124.146.176

       Example 5:
              You want all outgoing SMTP traffic entering the firewall on eth1
              to be sent from eth0 with source IP address 206.124.146.177.
              You want all other outgoing traffic from eth1 to be sent from
              eth0 with source IP address 206.124.146.176.

                      #INTERFACE   SOURCE  ADDRESS         PROTO   PORT(S)
                      eth0         eth1    206.124.146.177 tcp     smtp
                      eth0         eth1    206.124.146.176

              Warning

              The order of the above two rules is significant!

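The following script is an added illustration, not part of Shorewall or this manual page. It parses the INTERFACE, SOURCE, ADDRESS, PROTO and PORT(S) columns described above and then selects the first entry matching a given connection, which is how the order-sensitivity warning and Example 5 play out in practice. The routing-table lookup for an interface SOURCE and the services(5) lookup are replaced by constructed dictionaries (ROUTES, SERVICES), and the sample file content is constructed, not taken from a real system.

```python
import ipaddress

# Constructed sample masq file: Example 5 plus a destination-qualified entry
# that also carries a SOURCE exclusion.  Not copied from a real system.
MASQ_FILE = """\
#INTERFACE        SOURCE                      ADDRESS          PROTO  PORT(S)
eth0              eth1                        206.124.146.177  tcp    smtp
eth0:10.1.1.0/24  192.168.1.0/24!192.168.1.4  206.124.146.178
eth0              eth1                        206.124.146.176
"""
ROUTES = {"eth1": "192.168.1.0/24"}   # stand-in for the main routing table
SERVICES = {"smtp": 25}               # stand-in for services(5)

def nets(spec):
    # comma-separated hosts/networks -> list of ip_network objects ("" -> [])
    return [ipaddress.ip_network(s) for s in spec.split(",") if s]

def parse_entry(line):
    cols = line.split() + ["-"] * 4          # pad missing optional columns
    iface, src, addr, proto, ports = cols[:5]
    parts = iface.lstrip("+").split(":")     # "+" only affects rule ordering
    # "eth0:0" names an alias; "eth0:net,net" and "eth0::net" list destinations
    dests = nets(parts[-1]) if len(parts) > 1 and not parts[-1].isdigit() else []
    src_spec, _, excl = src.partition("!")   # "!" introduces the exclusion list
    src_spec = src_spec.rstrip(":")          # accept the shorewall-perl "eth1:!" form
    sources = nets(ROUTES.get(src_spec, src_spec))
    port_set = {SERVICES.get(p) or int(p) for p in ports.split(",") if ports != "-"}
    return dict(iface=parts[0], dests=dests, sources=sources, excluded=nets(excl),
                address=addr, proto=proto, ports=port_set)

def parse_masq(text):
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    return [parse_entry(l) for l in lines if l]

def snat_address(entries, src, dst, proto="-", dport=None):
    """ADDRESS of the first entry matching the connection, or None (no SNAT).
    Entries are tried in file order because the first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if not any(src in n for n in e["sources"]) or any(src in n for n in e["excluded"]):
            continue
        if e["dests"] and not any(dst in n for n in e["dests"]):
            continue
        if e["proto"] != "-" and e["proto"] != proto:
            continue
        if e["ports"] and dport not in e["ports"]:
            continue
        return e["address"]
    return None

ENTRIES = parse_masq(MASQ_FILE)
```

Swapping the two eth1 entries makes SMTP traffic use 206.124.146.176, which is the mistake the warning above is about.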

FILES

       /etc/shorewall/masq

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
       shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

                                  19 May 2008                shorewall-masq(5)