1shorewall-masq(5) shorewall-masq(5)
2
6 masq - Shorewall Masquerade/SNAT definition file
7
9 /etc/shorewall/masq
10
12 Use this file to define dynamic NAT (Masquerading) and to define Source
13 NAT (SNAT).
14 Warning
15 The entries in this file are order-sensitive. The first entry
17 that matches a particular connection will be the one that is
18 used.
19 Warning
20 If you have more than one ISP, adding entries to this file will
22 *not* force connections to go out through a particular ISP. You
23 must use PREROUTING entries in shorewall-tcrules
24 ⟨shorewall-tcrules.tcml⟩ (5) to do that.
25 The columns in the file are as follows.
27 INTERFACE — [+]interface[:[digit]][:[address[,address]...[exclusion]]
29 Outgoing interface. This is usually your internet interface. If
30 ADD_SNAT_ALIASES=Yes in shorewall.conf ⟨shorewall.conf.html⟩
31 (5), you may add ":" and a digit to indicate that you want the
32 alias added with that name (e.g., eth0:0). This will allow the
33 alias to be displayed with ifconfig. That is the only use for
34 the alias name; it may not appear in any other place in your
35 Shorewall configuration.
36 The interface may be qualified by adding the character ":" fol‐
38 lowed by a comma-separated list of destination host or subnet
39 addresses to indicate that you only want to change the source IP
40 address for packets being sent to those particular destinations.
41 Exclusion is allowed (see shorewall-exclusion
42 ⟨shorewall-exclusion.html⟩ (5)).
43 If you wish to inhibit the action of ADD_SNAT_ALIASES for this
45 entry then include the ":" but omit the digit:
46 eth0:
48 eth2::192.0.2.32/27
49 Normally Masq/SNAT rules are evaluated after those for one-to-
51 one NAT (defined in shorewall-nat ⟨shorewall-nat.html⟩ (5)). If
52 you want the rule to be applied before one-to-one NAT rules,
53 prefix the interface name with "+":
54 +eth0
56 +eth0:192.0.2.32/27
57 +eth0:2
58 This feature should only be required if you need to insert rules
60 in this file that preempt entries in shorewall-nat
61 ⟨shorewall-nat.html⟩ (5).
62 SOURCE (Formerly called SUBNET) — {interface[[:]exclusion]|address[,ad‐
64 dress][exclusion]}
65 Set of hosts that you wish to masquerade. You can specify this
66 as an address (net or host) or as an interface. If you give the
67 name of an interface, the interface must be up before you start
68 the firewall (Shorewall will use your main routing table to de‐
69 termine the appropriate addresses to masquerade).
70 In order to exclude a address of the specified SOURCE, you may
72 append an exclusion ("!" and a comma-separated list of IP ad‐
73 dresses (host or net) that you wish to exclude (see shorewall-
74 exclusion ⟨shorewall-exclusion.html⟩ (5))). Note that with
75 Shorewall-perl, a colon (":") must appear between an interface
76 name and the exclusion;
77 Example (shorewall-shell): eth1!192.168.1.4,192.168.32.0/27
79 Example (shorewall-perl): eth1:!192.168.1.4,192.168.32.0/27
81 In that example traffic from eth1 would be masqueraded unless it
83 came from 192.168.1.4 or 196.168.32.0/27
84 ADDRESS (Optional) — [-|[SAME:[nodst:]][address-or-address-range[,ad‐
86 dress-or-address-range]...][:lowport-highport][:random]|detect|random]
87 If you specify an address here, SNAT will be used and this will
88 be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
89 in shorewall.conf ⟨shorewall.conf.html⟩ (5) then Shorewall will
90 automatically add this address to the INTERFACE named in the
91 first column.
92 You may also specify a range of up to 256 IP addresses if you
94 want the SNAT address to be assigned from that range in a round-
95 robin fashion by connection. The range is specified by
96 first.ip.in.range-last.ip.in.range. Beginning with Shorewall
97 4.0.6, you may follow the port range with :random in which case
98 assignment of ports from the list will be random. random may al‐
99 so be specified by itself in this column in which case random
100 local port assignments are made for the outgoing connections.
101 Example: 206.124.146.177-206.124.146.180
103 You may also use the special value "detect" which causes Shore‐
105 wall to determine the IP addresses configured on the interface
106 named in the INTERFACES column and substitute them in this col‐
107 umn.
108 Finally, you may also specify a comma-separated list of ranges
110 and/or addresses in this column.
111 This column may not contain DNS Names.
113 Normally, Netfilter will attempt to retain the source port num‐
115 ber. You may cause netfilter to remap the source port by follow‐
116 ing an address or range (if any) by ":" and a port range with
117 the format lowport-highport. If this is done, you must specify
118 "tcp" or "udp" in the PROTO column.
119 Examples:
121 192.0.2.4:5000-6000
123 :4000-5000
124 You can invoke the SAME target rather than the SNAT target by
126 prefixing the column contents with SAME:.
127 SAME works like SNAT with the exception that the same local IP
129 address is assigned to each connection from a local address to a
130 given remote address.
131 If the nodst: option is included, then the same source address
133 is used for a given internal system regardless of which remote
134 system is involved.
135 Warning
136 Support for the SAME target is scheduled for removal from the
138 Linux kernel in 2008.
139 If you want to leave this column empty but you need to specify the next
141 column then place a hyphen ("-") here.
142 PROTO (Optional) — {-|protocol-name|protocol-number}
144 If you wish to restrict this entry to a particular protocol then
145 enter the protocol name (from protocols(5)) or number here.
146 PORT(S) (Optional) — [port-name-or-number[,port-name-or-number]...]
148 If the PROTO column specifies TCP (protocol 6) or UDP (protocol
149 17) then you may list one or more port numbers (or names from
150 services(5)) separated by commas or you may list a single port
151 range (lowport:highport).
152 Where a comma-separated list is given, your kernel and iptables
154 must have multiport match support and a maximum of 15 ports may
155 be listed.
156 IPSEC (Optional) — [option[,option]...]
158 If you specify a value other than "-" in this column, you must
159 be running kernel 2.6 and your kernel and iptables must include
160 policy match support.
161 Comma-separated list of options from the following. Only packets
163 that will be encrypted via an SA that matches these options will
164 have their source address changed.
165 reqid=number
167 where number is specified using setkey(8) using the
168 'unique:number option for the SPD level.
169 spi=<number>
171 where number is the SPI of the SA used to encrypt/decrypt
172 packets.
173 proto=ah|esp|ipcomp
175 IPSEC Encapsulation Protocol
176 mss=number
178 sets the MSS field in TCP packets
179 mode=transport|tunnel
181 IPSEC mode
182 tunnel-src=address[/mask]
184 only available with mode=tunnel
185 tunnel-dst=address[/mask]
187 only available with mode=tunnel
188 strict Means that packets must match all rules.
190 next Separates rules; can only be used with strict
192 MARK — [!]value[/mask][:C]
194 Defines a test on the existing packet or connection mark. The
195 rule will match only if the test returns true.
196 If you don't want to define a test but need to specify anything
198 in the following columns, place a "-" in this field.
199 ! Inverts the test (not equal)
201 value Value of the packet or connection mark.
203 mask A mask to be applied to the mark before testing.
205 :C Designates a connection mark. If omitted, the packet
207 mark's value is tested. This option is only supported by
208 Shorewall-perl.
209
211 Example 1:
212 You have a simple masquerading setup where eth0 connects to a
213 DSL or cable modem and eth1 connects to your local network with
214 subnet 192.168.0.0/24.
215 Your entry in the file can be either:
217 #INTERFACE SOURCE
219 eth0 eth1
220 or
222 #INTERFACE SOURCE
224 eth0 192.168.0.0/24
225 Example 2:
227 You add a router to your local network to connect subnet
228 192.168.1.0/24 which you also want to masquerade. You then add a
229 second entry for eth0 to this file:
230 #INTERFACE SOURCE
232 eth0 192.168.1.0/24
233 Example 3:
235 You have an IPSEC tunnel through ipsec0 and you want to masquer‐
236 ade packets coming from 192.168.1.0/24 but only if these packets
237 are destined for hosts in 10.1.1.0/24:
238 #INTERFACE SOURCE
240 ipsec0:10.1.1.0/24 196.168.1.0/24
241 Example 4:
243 You want all outgoing traffic from 192.168.1.0/24 through eth0
244 to use source address 206.124.146.176 which is NOT the primary
245 address of eth0. You want 206.124.146.176 to be added to eth0
246 with name eth0:0.
247 #INTERFACE SOURCE ADDRESS
249 eth0:0 192.168.1.0/24 206.124.146.176
250 Example 5:
252 You want all outgoing SMTP traffic entering the firewall on eth1
253 to be sent from eth0 with source IP address 206.124.146.177.
254 You want all other outgoing traffic from eth1 to be sent from
255 eth0 with source IP address 206.124.146.176.
256 #INTERFACE SOURCE ADDRESS PROTO PORT(S)
258 eth0 eth1 206.124.146.177 tcp smtp
259 eth0 eth1 206.124.146.176
260 Warning
261 The order of the above two rules is significant!
263
265 /etc/shorewall/masq
266
268 shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
269 blacklist(5), shorewall-exclusion(5), shorewall-hosts(5), shorewall-in‐
270 terfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-
271 nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
272 shorewall-providers(5), shorewall-proxyarp(5), shorewall-
273 route_routes(5), shorewall-routestopped(5), shorewall-rules(5), shore‐
274 wall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shore‐
275 wall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-
276 zones(5)
277 19 May 2008 shorewall-masq(5)