Provided by: sanewall-doc_1.0.2+ds-2_all

NAME

       sanewall-masquerade - set up masquerading (NAT) on an interface

SYNOPSIS

       masquerade real-interface [rule-params]

       masquerade [reverse] [rule-params]

DESCRIPTION

       The masquerade helper command sets up masquerading on the output of a real network
       interface (as opposed to a Sanewall interface definition).

       If a real-interface is specified, the command should be used before any interface or
       router definitions. Multiple values can be given separated by whitespace, so long as they
       are enclosed in quotes.

       If used within an interface definition, the definition's real-interface will be used.

       If used within a router definition, the definition's outface(s) will be used if specified.
       If the reverse option is given, then the definition's inface(s) will be used if specified.

       Unlike most commands, masquerade does not inherit its parent definition's rule-params; it
       only honours its own. The inface and outface parameters should not be used (iptables does
       not support inface in the POSTROUTING chain, and outface will be overwritten by Sanewall
       using the rules above).

           Note
           Masquerading always applies to the output of the chosen network interfaces.

           SANEWALL_NAT will be turned on automatically (see control variables:
           sanewall-variables(5)) and Sanewall will enable packet-forwarding in the kernel.
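
       Because masquerade honours only its own rule-params and forwarding is switched on
       automatically, it is worth checking how tightly the resulting NAT rules are scoped. The
       following is an added example, not part of Sanewall or its documentation: a shell check
       over iptables-save -t nat output that lists MASQUERADE rules with no source match or no
       output interface. The function names and the sample ruleset are constructed, and it
       assumes the match conditions sit on the same rule as the MASQUERADE target.

```shell
#!/bin/sh
# Added example (not Sanewall code): audit MASQUERADE rules for missing scoping.
# Input : text in iptables-save format on stdin (e.g. iptables-save -t nat).
# Output: one line per finding, "<reason>: <rule>".

audit_masquerade() {
    awk '
        # Look at every appended rule, whichever chain it lives in.
        $1 == "-A" {
            masq = 0; has_src = 0; has_out = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
                if ($i == "-s" || $i == "--source") has_src = 1
                if ($i == "-o" || $i == "--out-interface") has_out = 1
            }
            if (!masq) next                       # SNAT, DNAT, etc. are ignored
            if (!has_src) print "no-source-match: " $0
            if (!has_out) print "no-out-interface: " $0
        }
    '
}

# Constructed sample in iptables-save format (not captured from a real host).
# The first rule corresponds to a masquerade limited by src and dst.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 ! -d 192.0.2.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j SNAT --to-source 198.51.100.10
COMMIT
EOF
}

# Run against the sample; on a live host pipe iptables-save -t nat instead.
sample_ruleset | audit_masquerade
```

       A rule reported as no-source-match translates traffic from any source that is forwarded
       out of that interface, so pair it with src/dst rule-params as in the first entry under
       EXAMPLES.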

MASQUERADING AND SNAT

       Masquerading is a special form of Source NAT (SNAT) that changes the source of requests
       when they go out and replaces their original source when they come in. This way a Linux
       host can become an Internet router for a LAN of clients having unroutable IP addresses.
       Masquerading takes care to re-map IP addresses and ports as required.

       Masquerading is expensive compared to SNAT because it checks the IP address of the
       outgoing interface every time for every packet. If your host has a static IP address you
       should generally prefer SNAT.

EXAMPLES

           # Before any interface or router
           masquerade eth0 src 192.0.2.0/24 dst not 192.0.2.0/24

           # In an interface definition to masquerade the output of its real-interface
           masquerade

           # In a router definition to masquerade the output of its outface
           masquerade

           # In a router definition to masquerade the output of its inface
           masquerade reverse

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           interface definition: sanewall-interface(5)
           router definition: sanewall-router(5)
           optional rule parameters: sanewall-rule-params(5)
           nat, snat, dnat, redirect config helpers: sanewall-nat(5)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>