Provided by: shorewall-common_4.0.12-1_all bug


       masq - Shorewall Masquerade/SNAT definition file




       Use this file to define dynamic NAT (Masquerading) and to define Source
       NAT (SNAT).

              The entries in this file are order-sensitive.  The  first  entry
              that  matches  a  particular  connection will be the one that is

              If you have more than one ISP, adding entries to this file  will
              *not*  force connections to go out through a particular ISP. You
              must    use    PREROUTING    entries    in     shorewall-tcrules
              〈shorewall-tcrules.tcml〉 (5) to do that.

       The columns in the file are as follows.

       INTERFACE — [+]interface[:[digit]][:[address[,address]...[exclusion]]
              Outgoing  interface. This is usually your internet interface. If
              ADD_SNAT_ALIASES=Yes  in  shorewall.conf   〈shorewall.conf.html〉
              (5),  you  may add ":" and a digit to indicate that you want the
              alias added with that name (e.g., eth0:0). This will  allow  the
              alias  to  be  displayed with ifconfig. That is the only use for
              the alias name; it may not appear in any  other  place  in  your
              Shorewall configuration.

              The  interface  may  be  qualified  by  adding the character ":"
              followed by a comma-separated list of destination host or subnet
              addresses to indicate that you only want to change the source IP
              address for packets being sent to those particular destinations.
              Exclusion      is      allowed      (see     shorewall-exclusion
              〈shorewall-exclusion.html〉 (5)).

              If you wish to inhibit the action of ADD_SNAT_ALIASES  for  this
              entry then include the ":" but omit the digit:


              Normally  Masq/SNAT  rules are evaluated after those for one-to-
              one NAT (defined in shorewall-nat 〈shorewall-nat.html〉 (5)).  If
              you  want  the  rule  to be applied before one-to-one NAT rules,
              prefix the interface name with "+":


              This feature should only be required if you need to insert rules
              in   this   file   that   preempt   entries   in   shorewall-nat
              〈shorewall-nat.html〉 (5).

       SOURCE          (Formerly          called           SUBNET)           —
              Set of hosts that you wish to masquerade. You can  specify  this
              as  an address (net or host) or as an interface. If you give the
              name of an interface, the interface must be up before you  start
              the  firewall  (Shorewall  will  use  your main routing table to
              determine the appropriate addresses to masquerade).

              In order to exclude a address of the specified SOURCE,  you  may
              append  an  exclusion  ("!"  and  a  comma-separated  list of IP
              addresses (host or net) that you wish to exclude (see shorewall-
              exclusion  〈shorewall-exclusion.html〉  (5))).   Note  that  with
              Shorewall-perl, a colon (":") must appear between  an  interface
              name and the exclusion;

              Example (shorewall-shell): eth1!,

              Example (shorewall-perl): eth1:!,

              In that example traffic from eth1 would be masqueraded unless it
              came from or

       ADDRESS     (Optional)     —     [-|[SAME:[nodst:]][address-or-address-
              If you specify an address here, SNAT will be used and this  will
              be  the source address. If ADD_SNAT_ALIASES is set to Yes or yes
              in shorewall.conf 〈shorewall.conf.html〉 (5) then Shorewall  will
              automatically  add  this  address  to the INTERFACE named in the
              first column.

              You may also specify a range of up to 256 IP  addresses  if  you
              want the SNAT address to be assigned from that range in a round-
              robin  fashion  by  connection.  The  range  is   specified   by
       Beginning  with  Shorewall
              4.0.6, you may follow the port range with :random in which  case
              assignment  of  ports  from  the list will be random. random may
              also be specified by itself in this column in which case  random
              local port assignments are made for the outgoing connections.


              You  may  also  use  the  special  value  "detect"  which causes
              Shorewall to  determine  the  IP  addresses  configured  on  the
              interface  named in the INTERFACES column and substitute them in
              this column.

              Finally, you may also specify a comma-separated list  of  ranges
              and/or addresses in this column.

              This column may not contain DNS Names.

              Normally,  Netfilter  will  attempt  to  retain  the source port
              number. You may cause netfilter to  remap  the  source  port  by
              following  an  address or range (if any) by ":" and a port range
              with the format lowport-highport. If  this  is  done,  you  must
              specify "tcp" or "udp" in the PROTO column.



              You  can  invoke  the SAME target rather than the SNAT target by
              prefixing the column contents with SAME:.

              SAME works like SNAT with the exception that the same  local  IP
              address is assigned to each connection from a local address to a
              given remote address.

              If the nodst: option is included, then the same  source  address
              is  used  for a given internal system regardless of which remote
              system is involved.

              Support for the SAME target is scheduled for  removal  from  the
              Linux kernel in 2008.

       If you want to leave this column empty but you need to specify the next
       column then place a hyphen ("-") here.

       PROTO (Optional) — {-|protocol-name|protocol-number}
              If you wish to restrict this entry to a particular protocol then
              enter the protocol name (from protocols(5)) or number here.

       PORT(S) (Optional) — [port-name-or-number[,port-name-or-number]...]
              If  the PROTO column specifies TCP (protocol 6) or UDP (protocol
              17) then you may list one or more port numbers  (or  names  from
              services(5))  separated  by commas or you may list a single port
              range (lowport:highport).

              Where a comma-separated list is given, your kernel and  iptables
              must  have multiport match support and a maximum of 15 ports may
              be listed.

       IPSEC (Optional) — [option[,option]...]
              If you specify a value other than "-" in this column,  you  must
              be  running kernel 2.6 and your kernel and iptables must include
              policy match support.

              Comma-separated list of options from the following. Only packets
              that will be encrypted via an SA that matches these options will
              have their source address changed.

                     where number  is  specified  using  setkey(8)  using  the
                     ’unique:number option for the SPD level.

                     where number is the SPI of the SA used to encrypt/decrypt

                     IPSEC Encapsulation Protocol

                     sets the MSS field in TCP packets

                     IPSEC mode

                     only available with mode=tunnel

                     only available with mode=tunnel

              strict Means that packets must match all rules.

              next   Separates rules; can only be used with strict

       MARK — [!]value[/mask][:C]
              Defines a test on the existing packet or  connection  mark.  The
              rule will match only if the test returns true.

              If  you don’t want to define a test but need to specify anything
              in the following columns, place a "-" in this field.

              !      Inverts the test (not equal)

              value  Value of the packet or connection mark.

              mask   A mask to be applied to the mark before testing.

              :C     Designates a connection  mark.  If  omitted,  the  packet
                     mark’s  value is tested. This option is only supported by


       Example 1:
              You have a simple masquerading setup where eth0  connects  to  a
              DSL  or cable modem and eth1 connects to your local network with

              Your entry in the file can be either:

                      #INTERFACE   SOURCE
                      eth0         eth1


                      #INTERFACE   SOURCE

       Example 2:
              You add a  router  to  your  local  network  to  connect  subnet
     which you also want to masquerade. You then add a
              second entry for eth0 to this file:

                      #INTERFACE   SOURCE

       Example 3:
              You have  an  IPSEC  tunnel  through  ipsec0  and  you  want  to
              masquerade  packets coming from but only if these
              packets are destined for hosts in

                      #INTERFACE              SOURCE

       Example 4:
              You want all outgoing traffic from  through  eth0
              to  use  source address which is NOT the primary
              address of eth0. You want to be  added  to  eth0
              with name eth0:0.

                      #INTERFACE              SOURCE          ADDRESS

       Example 5:
              You want all outgoing SMTP traffic entering the firewall on eth1
              to be sent from eth0 with  source  IP  address
              You  want  all  other outgoing traffic from eth1 to be sent from
              eth0 with source IP address

                      #INTERFACE   SOURCE  ADDRESS         PROTO   PORT(S)
                      eth0         eth1 tcp     smtp
                      eth0         eth1

              The order of the above two rules is significant!




       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-
       blacklist(5),  shorewall-exclusion(5),  shorewall-hosts(5),  shorewall-
       interfaces(5),  shorewall-ipsec(5),  shorewall-maclist(5),   shorewall-
       nat(5),  shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5),        shorewall-proxyarp(5),        shorewall-
       route_routes(5),     shorewall-routestopped(5),     shorewall-rules(5),
       shorewall.conf(5),   shorewall-tcclasses(5),    shorewall-tcdevices(5),
       shorewall-tcrules(5),      shorewall-tos(5),      shorewall-tunnels(5),

                                 24 June 2008                shorewall-masq(5)