Provided by: sanewall-doc_1.0.2+ds-2_all 
NAME
sanewall-nat, sanewall-snat, sanewall-dnat, sanewall-redirect - set up NAT and port
redirections
SYNOPSIS
snat [to] target [rule-params]
dnat [to] target [rule-params]
redirect [to] portrange [rule-params]
nat {to-source | to-destination | redirect-to} target [rule-params]
nat redirect-to portrange [rule-params]
DESCRIPTION
Note
The rule-params are used only to determine the traffic that will be matched for NAT in
these commands.
snat
The snat helper sets up a Source NAT rule for routed traffic by calling nat to-source. For
example:
snat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
dnat
The dnat helper sets up a Destination NAT rule for routed traffic by calling nat
to-destination. For example:
dnat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
redirect
The redirect helper redirects matching traffic to portrange on the local host by calling
nat redirect-to. For example:
redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
nat
The nat helper takes one of the following sub-commands:
to-source target
Defines a Source NAT (created in table NAT, chain POSTROUTING).
target is the source address to be set in packets matching rule-params.
If no rules are given, all forwarded traffic will be matched. inface should not be
used in SNAT since the information is not available at the time the decision is made.
target accepts any --to-source values that iptables(8) accepts. Run iptables -j SNAT
--help to for more information. Multiple targets may be specified by separating with
spaces and enclosing with quotes.
to-destination target
Defines a Destination NAT (created in table NAT, chain POSTROUTING).
target is the destination address to be set in packets matching rule-params.
If no rules are given, all forwarded traffic will be matched. outface should not be
used in DNAT since the information is not available at the time the decision is made.
target accepts any --to-destination values that iptables(8) accepts. Run iptables -j
DNAT --help to for more information. Multiple targets may be specified by separating
with spaces and enclosing with quotes.
redirect-to portrange
Redirect matching traffic to the local machine (created in table NAT, chain
PREROUTING).
portrange is the port range (from-to) or single port that packets matching rule-params
will be redirected to.
If no rules are given, all forwarded traffic will be matched. outface should not be
used in REDIRECT since the information is not available at the time the decision is
made.
EXAMPLES
# Send to 192.0.2.1
# - all traffic arriving at or passing through the firewall
nat to-destination 192.0.2.1
# Send to 192.0.2.1
# - all traffic arriving at or passing through the firewall
# - which WAS going to 203.0.113.1
nat to-destination 192.0.2.1 dst 203.0.113.1
# Send to 192.0.2.1
# - TCP traffic arriving at or passing through the firewall
# - which WAS going to 203.0.113.1
nat to-destination 192.0.2.1 proto tcp dst 203.0.113.1
# Send to 192.0.2.1
# - TCP traffic arriving at or passing through the firewall
# - which WAS going to 203.0.113.1, port 25
nat to-destination 192.0.2.1 proto tcp dport 25 dst 203.0.113.1
# Other examples
nat to-source 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
nat to-destination 192.0.2.2 outface eth0 src 198.51.100.2 dst 203.0.113.2
nat redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
SEE ALSO
Sanewall program: sanewall(1)
Sanewall configuration: sanewall.conf(5)
interface definition: sanewall-interface(5)
router definition: sanewall-router(5)
optional rule parameters: sanewall-rule-params(5)
masquerade helper: sanewall-masquerade(5)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>