Provided by: shorewall-common_4.0.6-1_all

NAME

       masq - Shorewall Masquerade/SNAT definition file

SYNOPSIS

       /etc/shorewall/masq

DESCRIPTION

       Use this file to define dynamic NAT (Masquerading) and to define Source
       NAT (SNAT).
              Warning

              The entries in this file are order-sensitive.  The  first  entry
              that  matches  a  particular  connection will be the one that is
              used.
              Warning

              If you have more than one ISP, adding entries to this file  will
              *not*  force connections to go out through a particular ISP. You
              must    use    PREROUTING    entries    in     shorewall-tcrules
               〈shorewall-tcrules.html〉 (5) to do that.

       The columns in the file are as follows.

       INTERFACE — [+]interface[:[digit]][:[address[,address]...[exclusion]]]
              Outgoing  interface. This is usually your internet interface. If
              ADD_SNAT_ALIASES=Yes  in  shorewall.conf   〈shorewall.conf.html〉
              (5),  you  may add ":" and a digit to indicate that you want the
              alias added with that name (e.g., eth0:0). This will  allow  the
              alias  to  be  displayed with ifconfig. That is the only use for
              the alias name; it may not appear in any  other  place  in  your
              Shorewall configuration.

              The  interface  may  be  qualified  by  adding the character ":"
              followed by a comma-separated list of destination host or subnet
              addresses to indicate that you only want to change the source IP
              address for packets being sent to those particular destinations.
              Exclusion      is      allowed      (see     shorewall-exclusion
              〈shorewall-exclusion.html〉 (5)).

              If you wish to inhibit the action of ADD_SNAT_ALIASES  for  this
              entry then include the ":" but omit the digit:

                      eth0:
                      eth2::192.0.2.32/27

              Normally  Masq/SNAT  rules are evaluated after those for one-to-
              one NAT (defined in shorewall-nat 〈shorewall-nat.html〉 (5)).  If
              you  want  the  rule  to be applied before one-to-one NAT rules,
              prefix the interface name with "+":

                      +eth0
                      +eth0:192.0.2.32/27
                      +eth0:2

              This feature should only be required if you need to insert rules
              in   this   file   that   preempt   entries   in   shorewall-nat
              〈shorewall-nat.html〉 (5).

       SOURCE (Formerly called SUBNET) —
       {interface[[:]exclusion]|address[,address][exclusion]}
              Set of hosts that you wish to masquerade. You can  specify  this
              as  an address (net or host) or as an interface. If you give the
              name of an interface, the interface must be up before you  start
              the  firewall  (Shorewall  will  use  your main routing table to
              determine the appropriate addresses to masquerade).

               In order to exclude an address of the specified SOURCE, you  may
               append  an  exclusion  ("!"  and  a  comma-separated  list of IP
               addresses (host or net) that you wish to exclude (see shorewall-
               exclusion  〈shorewall-exclusion.html〉  (5))).   Note  that  with
               Shorewall-perl, a colon (":") must appear between  an  interface
               name and the exclusion.

              Example (shorewall-shell): eth1!192.168.1.4,192.168.32.0/27

              Example (shorewall-perl): eth1:!192.168.1.4,192.168.32.0/27

               In that example traffic from eth1 would be masqueraded unless it
               came from 192.168.1.4 or 192.168.32.0/27.

       ADDRESS (Optional) —
       [-|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect|random]
              If you specify an address here, SNAT will be used and this  will
              be  the source address. If ADD_SNAT_ALIASES is set to Yes or yes
              in shorewall.conf 〈shorewall.conf.html〉 (5) then Shorewall  will
              automatically  add  this  address  to the INTERFACE named in the
              first column.

              You may also specify a range of up to 256 IP  addresses  if  you
              want the SNAT address to be assigned from that range in a round-
              robin  fashion  by  connection.  The  range  is   specified   by
              first.ip.in.range-last.ip.in.range.   Beginning  with  Shorewall
              4.0.6, you may follow the port range with :random in which  case
              assignment  of  ports  from  the list will be random. random may
              also be specified by itself in this column in which case  random
              local port assignments are made for the outgoing connections.

              Example: 206.124.146.177-206.124.146.180

              You  may  also  use  the  special  value  "detect"  which causes
              Shorewall to  determine  the  IP  addresses  configured  on  the
               interface  named in the INTERFACE column and substitute them  in
              this column.

              Finally, you may also specify a comma-separated list  of  ranges
              and/or addresses in this column.

              This column may not contain DNS Names.

              Normally,  Netfilter  will  attempt  to  retain  the source port
              number. You may cause netfilter to  remap  the  source  port  by
              following  an  address or range (if any) by ":" and a port range
              with the format lowport-highport. If  this  is  done,  you  must
              specify "tcp" or "udp" in the PROTO column.

              Examples:

                      192.0.2.4:5000-6000
                      :4000-5000

              You  can  invoke  the SAME target rather than the SNAT target by
              prefixing the column contents with SAME:.

              SAME works like SNAT with the exception that the same  local  IP
              address is assigned to each connection from a local address to a
              given remote address.

              If the nodst: option is included, then the same  source  address
              is  used  for a given internal system regardless of which remote
              system is involved.
              Warning

              Support for the SAME target is scheduled for  removal  from  the
              Linux kernel in 2008.

               If you want to leave this column empty but you need  to  specify
               the next column then place a hyphen ("-") here.

       PROTO (Optional) — {-|protocol-name|protocol-number}
              If you wish to restrict this entry to a particular protocol then
              enter the protocol name (from protocols(5)) or number here.

       PORT(S) (Optional) — [port-name-or-number[,port-name-or-number]...]
              If  the PROTO column specifies TCP (protocol 6) or UDP (protocol
              17) then you may list one or more port numbers  (or  names  from
              services(5))  separated  by commas or you may list a single port
              range (lowport:highport).

              Where a comma-separated list is given, your kernel and  iptables
              must  have multiport match support and a maximum of 15 ports may
              be listed.

       IPSEC (Optional) — [option[,option]...]
              If you specify a value other than "-" in this column,  you  must
              be  running kernel 2.6 and your kernel and iptables must include
              policy match support.

              Comma-separated list of options from the following. Only packets
              that will be encrypted via an SA that matches these options will
              have their source address changed.

               reqid=number
                      where number is specified using setkey(8) with  the
                      'unique:number' option for the SPD level.

               spi=number
                      where number is the SPI of the SA used to encrypt/decrypt
                      packets.

              proto=ah|esp|ipcomp
                     IPSEC Encapsulation Protocol

              mss=number
                     sets the MSS field in TCP packets

              mode=transport|tunnel
                     IPSEC mode

              tunnel-src=address[/mask]
                     only available with mode=tunnel

              tunnel-dst=address[/mask]
                     only available with mode=tunnel

              strict Means that packets must match all rules.

              next   Separates rules; can only be used with strict

       MARK — [!]value[/mask][:C]
              Defines a test on the existing packet or  connection  mark.  The
              rule will match only if the test returns true.

              If  you don’t want to define a test but need to specify anything
              in the following columns, place a "-" in this field.

              !      Inverts the test (not equal)

              value  Value of the packet or connection mark.

              mask   A mask to be applied to the mark before testing.

              :C     Designates a connection  mark.  If  omitted,  the  packet
                     mark’s  value is tested. This option is only supported by
                     Shorewall-perl.

EXAMPLES

       Example 1:
              You have a simple masquerading setup where eth0  connects  to  a
              DSL  or cable modem and eth1 connects to your local network with
              subnet 192.168.0.0/24.

              Your entry in the file can be either:

                      #INTERFACE   SOURCE
                      eth0         eth1

              or

                      #INTERFACE   SOURCE
                       eth0         192.168.0.0/24

       Example 2:
              You add a  router  to  your  local  network  to  connect  subnet
              192.168.1.0/24 which you also want to masquerade. You then add a
              second entry for eth0 to this file:

                      #INTERFACE   SOURCE
                      eth0         192.168.1.0/24

       Example 3:
              You have  an  IPSEC  tunnel  through  ipsec0  and  you  want  to
              masquerade  packets coming from 192.168.1.0/24 but only if these
              packets are destined for hosts in 10.1.1.0/24:

                      #INTERFACE              SOURCE
                       ipsec0:10.1.1.0/24      192.168.1.0/24

       Example 4:
              You want all outgoing traffic from 192.168.1.0/24  through  eth0
              to  use  source address 206.124.146.176 which is NOT the primary
              address of eth0. You want 206.124.146.176 to be  added  to  eth0
              with name eth0:0.

                      #INTERFACE              SOURCE          ADDRESS
                      eth0:0                  192.168.1.0/24  206.124.146.176

       Example 5:
              You want all outgoing SMTP traffic entering the firewall on eth1
              to be sent from eth0 with  source  IP  address  206.124.146.177.
              You  want  all  other outgoing traffic from eth1 to be sent from
              eth0 with source IP address 206.124.146.176.

                      #INTERFACE   SOURCE  ADDRESS         PROTO   PORT(S)
                      eth0         eth1    206.124.146.177 tcp     smtp
                      eth0         eth1    206.124.146.176
              Warning

              The order of the above two rules is significant!
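               The following Python is an added illustration and is  not  part
               of  Shorewall  or  of  this  man  page. It parses entries in the
               column format described above (Shorewall-perl form, with  the
               colon  before  a  SOURCE  exclusion;  the IPSEC and MARK columns
               are ignored), enforces two  of  the  stated  constraints  (a  port
               range  in  ADDRESS  requires  tcp  or  udp in PROTO; at most 15
               ports in a comma-separated list), and simulates the  first-match
               evaluation  the  warnings  describe.  The SERVICES table, the Conn
               record and the sample entries are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

SERVICES = {"smtp": 25, "http": 80, "https": 443}   # constructed stand-in for services(5)
PORT_REMAP = re.compile(r":\d+-\d+(?::random)?$")    # ADDRESS ending in :lowport-highport[:random]

@dataclass
class MasqRule:
    interface: str                                   # outgoing interface, "+" stripped
    before_nat: bool = False                         # "+" prefix: evaluated before one-to-one NAT
    alias: Optional[str] = None                      # ":digit" alias; "" inhibits ADD_SNAT_ALIASES
    dest_nets: list = field(default_factory=list)    # destination qualifier on INTERFACE
    source_iface: Optional[str] = None               # SOURCE given as an interface name
    source_nets: list = field(default_factory=list)  # SOURCE given as addresses
    source_excl: list = field(default_factory=list)  # "!a,b" exclusion on SOURCE
    address: Optional[str] = None                    # ADDRESS column text, None for "-"
    proto: Optional[str] = None                      # PROTO column, lower-cased
    ports: set = field(default_factory=set)          # PORT(S) expanded to integers

@dataclass
class Conn:                                          # constructed connection description
    out_iface: str
    in_iface: str
    src: str
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None

def _nets(text):
    return [ipaddress.ip_network(a, strict=False) for a in text.split(",") if a]

def _ports(text):
    if ":" in text:                                  # a single range lowport:highport
        lo, hi = (int(p) for p in text.split(":"))
        return set(range(lo, hi + 1))
    names = text.split(",")
    if len(names) > 15:                              # multiport match limit stated on the page
        raise ValueError("at most 15 ports may be listed")
    return {SERVICES[p] if p in SERVICES else int(p) for p in names}

def parse_line(line):
    """Parse one masq entry; returns None for blank and comment lines."""
    cols = line.split()
    if not cols or cols[0].startswith("#"):
        return None
    cols += ["-"] * (5 - len(cols))                  # pad the optional columns
    iface_col, src_col, addr_col, proto_col, port_col = cols[:5]
    rule = MasqRule(interface="", before_nat=iface_col.startswith("+"))
    parts = iface_col.lstrip("+").split(":")
    rule.interface = parts[0]
    if len(parts) == 3:                              # iface:[digit]:dest,dest
        rule.alias, rule.dest_nets = parts[1], _nets(parts[2])
    elif len(parts) == 2 and (parts[1] == "" or parts[1].isdigit()):
        rule.alias = parts[1]                        # iface:digit, or bare "iface:" to inhibit
    elif len(parts) == 2:
        rule.dest_nets = _nets(parts[1])             # iface:dest,dest
    base, _, excl = src_col.partition("!")
    base = base.rstrip(":")                          # Shorewall-perl "eth1:!..." form
    rule.source_excl = _nets(excl)
    if base[:1].isdigit():
        rule.source_nets = _nets(base)
    else:
        rule.source_iface = base
    rule.address = None if addr_col == "-" else addr_col
    rule.proto = None if proto_col == "-" else proto_col.lower()
    if rule.address and PORT_REMAP.search(rule.address) and rule.proto not in ("tcp", "udp"):
        raise ValueError("a port range in ADDRESS requires tcp or udp in PROTO")
    if port_col != "-":
        rule.ports = _ports(port_col)
    return rule

def parse_masq(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def matches(rule, c):
    src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
    return (rule.interface == c.out_iface
            and (not rule.dest_nets or any(dst in n for n in rule.dest_nets))
            and (rule.source_iface is None or rule.source_iface == c.in_iface)
            and (not rule.source_nets or any(src in n for n in rule.source_nets))
            and not any(src in n for n in rule.source_excl)
            and (rule.proto is None or rule.proto == c.proto)
            and (not rule.ports or c.dport in rule.ports))

def first_match(rules, conn):
    """Entries are order-sensitive: the first one that matches is used."""
    return next((r for r in rules if matches(r, conn)), None)

# Constructed sample: Example 5 from the page plus two entries exercising other columns.
SAMPLE = """\
#INTERFACE            SOURCE                               ADDRESS          PROTO  PORT(S)
eth0                  eth1                                 206.124.146.177  tcp    smtp
eth0                  eth1                                 206.124.146.176
ipsec0:10.1.1.0/24    192.168.1.0/24
eth2                  eth3:!192.168.1.4,192.168.32.0/27
"""
```

               Calling first_match(parse_masq(SAMPLE), conn) with an  outgoing
               SMTP  connection  from  eth1  returns  the 206.124.146.177 entry;
               reversing the first two entries makes the general  entry  match
               first and the SMTP-specific one is never reached.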

FILES

       /etc/shorewall/masq

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
       blacklist(5),  shorewall-exclusion(5),  shorewall-hosts(5),  shorewall-
       interfaces(5),  shorewall-ipsec(5),  shorewall-maclist(5),   shorewall-
       nat(5),  shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5),        shorewall-proxyarp(5),        shorewall-
       route_routes(5),     shorewall-routestopped(5),     shorewall-rules(5),
       shorewall.conf(5),   shorewall-tcclasses(5),    shorewall-tcdevices(5),
       shorewall-tcrules(5),      shorewall-tos(5),      shorewall-tunnels(5),
       shorewall-zones(5)

                               23 November 2007              shorewall-masq(5)