shorewall-masq.5

sharewall is very good

.\"     Title: shorewall-masq
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
.\"      Date: 03/19/2009
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-MASQ" "5" "03/19/2009" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" toupper - uppercase a string (locale-aware)
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de toupper
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
\\$*
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH-xref - format a cross-reference to an SH section
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de SH-xref
.ie n \{\
.\}
.toupper \\$*
.el \{\
\\$*
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH - level-one heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SH
.\" put an extra blank line of space above the head in non-TTY output
.if t \{\
.sp 1
.\}
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[an-margin]u
.ti 0
.HTML-TAG ".NH \\n[an-level]"
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
\." make the size of the head bigger
.ps +3
.ft B
.ne (2v + 1u)
.ie n \{\
.\" if n (TTY output), use uppercase
.toupper \\$*
.\}
.el \{\
.nr an-break-flag 0
.\" if not n (not TTY), use normal case (not uppercase)
\\$1
.in \\n[an-margin]u
.ti 0
.\" if not n (not TTY), put a border/line under subheading
.sp -.6
\l'\n(.lu'
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SS - level-two heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SS
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[IN]u
.ti \\n[SN]u
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.ps \\n[PS-SS]u
\." make the size of the head bigger
.ps +2
.ft B
.ne (2v + 1u)
.if \\n[.$] \&\\$*
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BB/BE - put background/screen (filled box) around block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BB
.if t \{\
.sp -.5
.br
.in +2n
.ll -2n
.gcolor red
.di BX
.\}
..
.de EB
.if t \{\
.if "\\$2"adjust-for-leading-newline" \{\
.sp -1
.\}
.br
.di
.in
.ll
.gcolor
.nr BW \\n(.lu-\\n(.i
.nr BH \\n(dn+.5v
.ne \\n(BHu+.5v
.ie "\\$2"adjust-for-leading-newline" \{\
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.el \{\
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.in 0
.sp -.5v
.nf
.BX
.in
.sp .5v
.fi
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BM/EM - put colored marker in margin next to block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BM
.if t \{\
.br
.ll -2n
.gcolor red
.di BX
.\}
..
.de EM
.if t \{\
.br
.di
.ll
.gcolor
.nr BH \\n(dn
.ne \\n(BHu
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
.in 0
.nf
.BX
.in
.fi
.\}
..
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "Name"
masq \- Shorewall Masquerade/SNAT definition file
.SH "Synopsis"
.fam C
.HP \w'\fB/etc/shorewall/masq\fR\ 'u
\fB/etc/shorewall/masq\fR
.fam
.SH "Description"
.PP
Use this file to define dynamic NAT (Masquerading) and to define Source NAT (SNAT)\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
The entries in this file are order\-sensitive\&. The first entry that matches a particular connection will be the one that is used\&.
.sp .5v
.EM yellow
.RE
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
If you have more than one ISP, adding entries to this file will *not* force connections to go out through a particular ISP\&. You must use PREROUTING entries in
\m[blue]\fBshorewall\-tcrules\fR\m[]\&\s-2\u[1]\d\s+2(5) to do that\&.
.sp .5v
.EM yellow
.RE
.PP
The columns in the file are as follows\&.
.PP
\fBINTERFACE\fR \- [\fB+\fR]\fIinterfacelist\fR[\fB:\fR[\fIdigit\fR]][\fB:\fR[\fIaddress\fR[\fB,\fR\fIaddress\fR]\&.\&.\&.[\fIexclusion\fR]]
.RS 4
Outgoing
\fIinterfacelist\fR\&. Prior to Shorewall 4\&.1\&.4, this must be a single interface name; in 4\&.1\&.4 and later, this may be a comma\-separated list of interface names\&. This is usually your internet interface\&. If ADD_SNAT_ALIASES=Yes in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), you may add ":" and a
\fIdigit\fR
to indicate that you want the alias added with that name (e\&.g\&., eth0:0)\&. This will allow the alias to be displayed with ifconfig\&.
\fBThat is the only use for the alias name; it may not appear in any other place in your Shorewall configuratio\fRn\&.
.sp
Each interface must match an entry in
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. Prior to Shorewall 4\&.1\&.4, this must be an exact match\&. Shorewall\-perl 4\&.1\&.4 and later allow loose matches to wildcard entries in
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. For example,
\FCppp0\F[]
in this file will match a
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5) entry that defines
\FCppp+\F[]\&.
.sp
The interface may be qualified by adding the character ":" followed by a comma\-separated list of destination host or subnet addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations\&. Exclusion is allowed (see
\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[4]\d\s+2(5))\&.
.sp
If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then include the ":" but omit the digit:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        eth0:
        eth2::192\&.0\&.2\&.32/27
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
Normally Masq/SNAT rules are evaluated after those for one\-to\-one NAT (defined in
\m[blue]\fBshorewall\-nat\fR\m[]\&\s-2\u[5]\d\s+2(5))\&. If you want the rule to be applied before one\-to\-one NAT rules, prefix the interface name with "+":
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        +eth0
        +eth0:192\&.0\&.2\&.32/27
        +eth0:2
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
This feature should only be required if you need to insert rules in this file that preempt entries in
\m[blue]\fBshorewall\-nat\fR\m[]\&\s-2\u[5]\d\s+2(5)\&.
.RE
.PP
\fBSOURCE\fR (Formerly called SUBNET) \- {\fIinterface\fR[[:]\fIexclusion\fR]|\fIaddress\fR[\fB,\fR\fIaddress\fR][\fIexclusion\fR]}
.RS 4
Set of hosts that you wish to masquerade\&. You can specify this as an
\fIaddress\fR
(net or host) or as an
\fIinterface\fR\&. If you give the name of an interface, the interface must be up before you start the firewall (Shorewall will use your main routing table to determine the appropriate addresses to masquerade)\&.
.sp
In order to exclude a address of the specified SOURCE, you may append an
\fIexclusion\fR
("!" and a comma\-separated list of IP addresses (host or net) that you wish to exclude (see
\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[4]\d\s+2(5)))\&. Note that with Shorewall\-perl, a colon (":") must appear between an
\fIinterface\fR
name and the
\fIexclusion\fR;
.sp
Example (shorewall\-shell): eth1!192\&.168\&.1\&.4,192\&.168\&.32\&.0/27
.sp
Example (shorewall\-perl): eth1:!192\&.168\&.1\&.4,192\&.168\&.32\&.0/27
.sp
In that example traffic from eth1 would be masqueraded unless it came from 192\&.168\&.1\&.4 or 196\&.168\&.32\&.0/27
.RE
.PP
\fBADDRESS\fR (Optional) \- [\fB\-\fR|\fBNONAT\fR|[\fBSAME:\fR[\fBnodst:\fR]][\fIaddress\-or\-address\-range\fR[,\fIaddress\-or\-address\-range\fR]\&.\&.\&.][:\fIlowport\fR\fB\-\fR\fIhighport\fR][\fB:random\fR]|\fBdetect\fR|\fBrandom\fR]
.RS 4
If you specify an address here, SNAT will be used and this will be the source address\&. If ADD_SNAT_ALIASES is set to Yes or yes in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) then Shorewall will automatically add this address to the INTERFACE named in the first column\&.
.sp
You may also specify a range of up to 256 IP addresses if you want the SNAT address to be assigned from that range in a round\-robin fashion by connection\&. The range is specified by
\fIfirst\&.ip\&.in\&.range\fR\-\fIlast\&.ip\&.in\&.range\fR\&. Beginning with Shorewall 4\&.0\&.6, you may follow the port range with\fB :random\fR
in which case assignment of ports from the list will be random\&.
\fBrandom\fR
may also be specified by itself in this column in which case random local port assignments are made for the outgoing connections\&.
.sp
Example: 206\&.124\&.146\&.177\-206\&.124\&.146\&.180
.sp
You may also use the special value "detect" which causes Shorewall to determine the IP addresses configured on the interface named in the INTERFACES column and substitute them in this column\&.
.sp
Finally, you may also specify a comma\-separated list of ranges and/or addresses in this column\&.
.sp
This column may not contain DNS Names\&.
.sp
Normally, Netfilter will attempt to retain the source port number\&. You may cause netfilter to remap the source port by following an address or range (if any) by ":" and a port range with the format
\fIlowport\fR\-\fIhighport\fR\&. If this is done, you must specify "tcp" or "udp" in the PROTO column\&.
.sp
Examples:
.sp