Provided by: sanewall-doc_1.0.2+ds-2_all 

NAME
sanewall-nat, sanewall-snat, sanewall-dnat, sanewall-redirect - set up NAT and port redirections
SYNOPSIS
snat [to] target [rule-params]
dnat [to] target [rule-params]
redirect [to] portrange [rule-params]
nat {to-source | to-destination | redirect-to} target [rule-params]
nat redirect-to portrange [rule-params]
DESCRIPTION
Note
The rule-params are used only to determine the traffic that will be matched for NAT in these
commands.
snat
The snat helper sets up a Source NAT rule for routed traffic by calling nat to-source. For example:
snat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
dnat
The dnat helper sets up a Destination NAT rule for routed traffic by calling nat to-destination. For
example:
dnat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
redirect
The redirect helper redirects matching traffic to portrange on the local host by calling nat redirect-to.
For example:
redirect to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
nat
The nat helper takes one of the following sub-commands:
to-source target
Defines a Source NAT (created in table NAT, chain POSTROUTING).
target is the source address to be set in packets matching rule-params.
If no rule-params are given, all forwarded traffic will be matched. inface should not be used in SNAT
since the information is not available at the time the decision is made.
target accepts any --to-source values that iptables(8) accepts. Run iptables -j SNAT --help for
more information. Multiple targets may be specified by separating them with spaces and enclosing the
list in quotes.
to-destination target
Defines a Destination NAT (created in table NAT, chain POSTROUTING).
target is the destination address to be set in packets matching rule-params.
If no rule-params are given, all forwarded traffic will be matched. outface should not be used in DNAT
since the information is not available at the time the decision is made.
target accepts any --to-destination values that iptables(8) accepts. Run iptables -j DNAT --help
for more information. Multiple targets may be specified by separating them with spaces and enclosing
the list in quotes.
redirect-to portrange
Redirect matching traffic to the local machine (created in table NAT, chain PREROUTING).
portrange is the port range (from-to) or single port that packets matching rule-params will be
redirected to.
If no rule-params are given, all forwarded traffic will be matched. outface should not be used in REDIRECT
since the information is not available at the time the decision is made.
EXAMPLES
# Send to 192.0.2.1
# - all traffic arriving at or passing through the firewall
nat to-destination 192.0.2.1
# Send to 192.0.2.1
# - all traffic arriving at or passing through the firewall
# - which WAS going to 203.0.113.1
nat to-destination 192.0.2.1 dst 203.0.113.1
# Send to 192.0.2.1
# - TCP traffic arriving at or passing through the firewall
# - which WAS going to 203.0.113.1
nat to-destination 192.0.2.1 proto tcp dst 203.0.113.1
# Send to 192.0.2.1
# - TCP traffic arriving at or passing through the firewall
# - which WAS going to 203.0.113.1, port 25
nat to-destination 192.0.2.1 proto tcp dport 25 dst 203.0.113.1
# Other examples
nat to-source 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
nat to-destination 192.0.2.2 outface eth0 src 198.51.100.2 dst 203.0.113.2
nat redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
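# Checking rules against the restrictions above
The interface restrictions (no inface in SNAT, no outface in DNAT or REDIRECT) and the match-everything default can be checked before a configuration is loaded. This script is an added example, not part of Sanewall; the function names nat_kind and lint_nat_line and the sample rules are assumptions for illustration, and it splits on whitespace only, so quoted multi-target lists are not parsed.

```shell
#!/bin/sh
# Added example: lint sanewall NAT helper lines against this page's constraints.

# nat_kind LINE: print the nat sub-command a helper line resolves to
# (snat -> to-source, dnat -> to-destination, redirect -> redirect-to).
nat_kind() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    case "${1-}" in
        snat)     echo to-source ;;
        dnat)     echo to-destination ;;
        redirect) echo redirect-to ;;
        nat) case "${2-}" in
                 to-source|to-destination|redirect-to) echo "$2" ;;
             esac ;;
    esac
}

# lint_nat_line LINE: print one finding per line, nothing if the rule is clean.
lint_nat_line() {
    line=$1
    kind=$(nat_kind "$line")
    [ -n "$kind" ] || return 0         # not a NAT helper line
    set -f; set -- $line; set +f
    # Drop the helper name plus either the sub-command or the optional "to".
    if [ "$1" = nat ]; then shift 2
    else shift; if [ "${1-}" = to ]; then shift; fi
    fi
    if [ $# -gt 0 ]; then shift; fi    # drop target / portrange
    if [ $# -eq 0 ]; then
        echo "WARN $kind: no rule-params, all forwarded traffic is matched"
    fi
    for word in "$@"; do
        case "$kind:$word" in
            to-source:inface|to-destination:outface|redirect-to:outface)
                echo "ERROR $kind: $word is not available when the decision is made" ;;
        esac
    done
    return 0
}

# Constructed sample rules using documentation addresses, not a real config.
sample='snat to 192.0.2.1 outface eth0 src 198.51.100.1
snat to 192.0.2.1 inface eth1 src 198.51.100.1
nat to-destination 192.0.2.2
nat redirect-to 8080 outface eth0 proto tcp dport 80'
printf '%s\n' "$sample" | while IFS= read -r l; do
    out=$(lint_nat_line "$l")
    if [ -n "$out" ]; then printf '%s\n  %s\n' "$l" "$out"; fi
done
```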
SEE ALSO
Sanewall program: sanewall(1)
Sanewall configuration: sanewall.conf(5)
interface definition: sanewall-interface(5)
router definition: sanewall-router(5)
optional rule parameters: sanewall-rule-params(5)
masquerade helper: sanewall-masquerade(5)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>
Sanewall 1.0.2 Built 01 Jun 2013 NAT, SNAT, DNAT, RED(5)