Provided by: sanewall-doc_1.0.2+ds-2_all

NAME

       sanewall-nat, sanewall-snat, sanewall-dnat, sanewall-redirect - set up NAT and port
       redirections

SYNOPSIS

       snat [to] target [rule-params]

       dnat [to] target [rule-params]

       redirect [to] portrange [rule-params]

       nat {to-source | to-destination | redirect-to} target [rule-params]

       nat redirect-to portrange [rule-params]

DESCRIPTION

           Note
           The rule-params are used only to determine the traffic that will be matched for NAT in
           these commands.

   snat
       The snat helper sets up a Source NAT rule for routed traffic by calling nat to-source. For
       example:

           snat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1

   dnat
       The dnat helper sets up a Destination NAT rule for routed traffic by calling nat
       to-destination. For example:

           dnat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1

   redirect
       The redirect helper redirects matching traffic to portrange on the local host by calling
       nat redirect-to. For example:

           redirect to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80

   nat
       The nat helper takes one of the following sub-commands:

       to-source target
           Defines a Source NAT (created in table NAT, chain POSTROUTING).

           target is the source address to be set in packets matching rule-params.

           If no rules are given, all forwarded traffic will be matched.  inface should not be
           used in SNAT since the information is not available at the time the decision is made.

           target accepts any --to-source values that iptables(8) accepts. Run iptables -j SNAT
           --help for more information. Multiple targets may be specified by separating them
           with spaces and enclosing them in quotes.

       to-destination target
           Defines a Destination NAT (created in table NAT, chain POSTROUTING).

           target is the destination address to be set in packets matching rule-params.

           If no rules are given, all forwarded traffic will be matched.  outface should not be
           used in DNAT since the information is not available at the time the decision is made.

           target accepts any --to-destination values that iptables(8) accepts. Run iptables -j
           DNAT --help for more information. Multiple targets may be specified by separating
           them with spaces and enclosing them in quotes.

       redirect-to portrange
           Redirect matching traffic to the local machine (created in table NAT, chain
           PREROUTING).

           portrange is the port range (from-to) or single port that packets matching rule-params
           will be redirected to.

           If no rules are given, all forwarded traffic will be matched.  outface should not be
           used in REDIRECT since the information is not available at the time the decision is
           made.

EXAMPLES

           # Send to 192.0.2.1
           #  - all traffic arriving at or passing through the firewall
           nat to-destination 192.0.2.1

           # Send to 192.0.2.1
           #  - all traffic arriving at or passing through the firewall
           #  - which WAS going to 203.0.113.1
           nat to-destination 192.0.2.1 dst 203.0.113.1

           # Send to 192.0.2.1
           #  - TCP traffic arriving at or passing through the firewall
           #  - which WAS going to 203.0.113.1
           nat to-destination 192.0.2.1 proto tcp dst 203.0.113.1

           # Send to 192.0.2.1
           #  - TCP traffic arriving at or passing through the firewall
           #  - which WAS going to 203.0.113.1, port 25
           nat to-destination 192.0.2.1 proto tcp dport 25 dst 203.0.113.1

           # Other examples
           nat to-source 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
           nat to-destination 192.0.2.2 outface eth0 src 198.51.100.2 dst 203.0.113.2
           nat redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
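
       The following is an added example, not part of Sanewall or its documentation: a small
       Python check that applies the inface/outface restrictions and the match-all default
       described under DESCRIPTION to NAT lines before they are loaded. The function names
       and the sample configuration are constructed for illustration.

```python
import shlex

# Interface parameter the DESCRIPTION says not to use with each nat sub-command.
FORBIDDEN = {"to-source": "inface", "to-destination": "outface", "redirect-to": "outface"}
# Helper commands and the nat sub-command each one calls.
HELPERS = {"snat": "to-source", "dnat": "to-destination", "redirect": "redirect-to"}

def lint_nat_line(line):
    """Return a list of warnings for one NAT configuration line."""
    tokens = shlex.split(line, comments=True)  # keeps quoted multi-target values whole
    if not tokens:
        return []
    cmd, rest = tokens[0], tokens[1:]
    if cmd == "nat":
        if not rest or rest[0] not in FORBIDDEN:
            return ["nat: expected to-source, to-destination or redirect-to"]
        sub, rest = rest[0], rest[1:]
    elif cmd in HELPERS:
        sub = HELPERS[cmd]
        if rest and rest[0] == "to":  # optional "to" keyword from the SYNOPSIS
            rest = rest[1:]
    else:
        return []  # not a NAT command, out of scope for this check
    if not rest:
        return [f"{cmd}: missing target"]
    params = rest[1:]  # everything after the target is rule-params
    bad, warnings = FORBIDDEN[sub], []
    if bad in params:
        warnings.append(f"{sub}: {bad} is not available when the NAT decision is made")
    if not params:
        warnings.append(f"{sub}: no rule-params, all forwarded traffic will be matched")
    return warnings

def lint_config(text):
    """Map 1-based line numbers to warnings, omitting clean lines."""
    checked = ((n, lint_nat_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: w for n, w in checked if w}

# Constructed sample configuration for demonstration.
SAMPLE = """\
nat to-destination 192.0.2.1
snat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
dnat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
nat redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
"""

if __name__ == "__main__":
    for n, ws in lint_config(SAMPLE).items():
        print(f"line {n}: " + "; ".join(ws))
```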

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           interface definition: sanewall-interface(5)
           router definition: sanewall-router(5)
           optional rule parameters: sanewall-rule-params(5)
           masquerade helper: sanewall-masquerade(5)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>