Provided by: sanewall-doc_1.0.2+ds-2_all
NAME
sanewall-nat, sanewall-snat, sanewall-dnat, sanewall-redirect - set up NAT and port redirections
SYNOPSIS
       snat [to] target [rule-params]
       dnat [to] target [rule-params]
       redirect [to] portrange [rule-params]
       nat {to-source | to-destination | redirect-to} target [rule-params]
       nat redirect-to portrange [rule-params]
DESCRIPTION
       Note
           The rule-params are used only to determine the traffic that will be matched for NAT in these commands.

   snat
       The snat helper sets up a Source NAT rule for routed traffic by calling nat to-source. For example:

           snat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1

   dnat
       The dnat helper sets up a Destination NAT rule for routed traffic by calling nat to-destination. For example:

           dnat to 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1

   redirect
       The redirect helper redirects matching traffic to portrange on the local host by calling nat redirect-to. For example:

           redirect to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80

   nat
       The nat helper takes one of the following sub-commands:

       to-source target
           Defines a Source NAT (created in table NAT, chain POSTROUTING). target is the source address to be set in packets matching rule-params. If no rules are given, all forwarded traffic will be matched.

           inface should not be used in SNAT since the information is not available at the time the decision is made.

           target accepts any --to-source values that iptables(8) accepts. Run iptables -j SNAT --help for more information. Multiple targets may be specified by separating them with spaces and enclosing the list in quotes.

       to-destination target
           Defines a Destination NAT (created in table NAT, chain PREROUTING). target is the destination address to be set in packets matching rule-params. If no rules are given, all forwarded traffic will be matched.

           outface should not be used in DNAT since the information is not available at the time the decision is made.

           target accepts any --to-destination values that iptables(8) accepts. Run iptables -j DNAT --help for more information. Multiple targets may be specified by separating them with spaces and enclosing the list in quotes.

       redirect-to portrange
           Redirects matching traffic to the local machine (created in table NAT, chain PREROUTING). portrange is the port range (from-to) or single port that packets matching rule-params will be redirected to. If no rules are given, all forwarded traffic will be matched.

           outface should not be used in REDIRECT since the information is not available at the time the decision is made.
EXAMPLES
       # Send to 192.0.2.1
       # - all traffic arriving at or passing through the firewall
       nat to-destination 192.0.2.1

       # Send to 192.0.2.1
       # - all traffic arriving at or passing through the firewall
       # - which WAS going to 203.0.113.1
       nat to-destination 192.0.2.1 dst 203.0.113.1

       # Send to 192.0.2.1
       # - TCP traffic arriving at or passing through the firewall
       # - which WAS going to 203.0.113.1
       nat to-destination 192.0.2.1 proto tcp dst 203.0.113.1

       # Send to 192.0.2.1
       # - TCP traffic arriving at or passing through the firewall
       # - which WAS going to 203.0.113.1, port 25
       nat to-destination 192.0.2.1 proto tcp dport 25 dst 203.0.113.1

       # Other examples
       nat to-source 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
       nat to-destination 192.0.2.2 outface eth0 src 198.51.100.2 dst 203.0.113.2
       nat redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
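       The following is an added illustration, not part of this manual page and not sanewall's own code: a POSIX shell function that renders a nat helper line, in the form used in the EXAMPLES above, as the iptables(8) command it corresponds to. It prints the command instead of applying it, so it can be used to check a rule before loading it. The chain and target for each sub-command follow the DESCRIPTION (to-source in POSTROUTING as SNAT, to-destination in PREROUTING as DNAT, redirect-to in PREROUTING as REDIRECT), and the function rejects the rule-param the description says cannot be used with each sub-command (inface with to-source, outface with the other two). The rule-params it understands (inface, outface, src, dst, proto, sport, dport) are a chosen subset of sanewall-rule-params(5); the exact rules sanewall itself generates are not shown on this page and may differ.

```shell
#!/bin/sh
# Added example (not sanewall's own code): print the iptables(8) command a
# sanewall "nat" helper line corresponds to, without applying anything.
#
# Usage: nat_to_iptables <to-source|to-destination|redirect-to> [to] <target> [rule-params...]
# One command is printed per target; several targets may be given as one
# quoted, space-separated word, as the manual page describes.
nat_to_iptables() {
    sub="$1"; shift
    if [ "$1" = "to" ]; then shift; fi     # the optional "to" keyword
    targets="$1"; shift

    # Chain and iptables target per sub-command, plus the rule-param that
    # is not available at the point where that chain makes its decision.
    case "$sub" in
        to-source)      chain=POSTROUTING; jump=SNAT;     opt=--to-source;      forbid=inface ;;
        to-destination) chain=PREROUTING;  jump=DNAT;     opt=--to-destination; forbid=outface ;;
        redirect-to)    chain=PREROUTING;  jump=REDIRECT; opt=--to-ports;       forbid=outface ;;
        *) echo "nat: unknown sub-command '$sub'" >&2; return 1 ;;
    esac

    # Rule-params are collected by kind so that "-p" always precedes
    # "--sport"/"--dport", which iptables requires regardless of input order.
    iface=""; addr=""; proto=""; ports=""
    while [ $# -gt 0 ]; do
        key="$1"; val="$2"
        if [ -z "$val" ]; then
            echo "nat: rule-param '$key' needs a value" >&2; return 1
        fi
        if [ "$key" = "$forbid" ]; then
            echo "nat: $forbid cannot be used with $sub" >&2; return 1
        fi
        case "$key" in
            inface)  iface="$iface -i $val" ;;
            outface) iface="$iface -o $val" ;;
            src)     addr="$addr -s $val" ;;
            dst)     addr="$addr -d $val" ;;
            proto)   proto=" -p $val" ;;
            sport)   ports="$ports --sport $val" ;;
            dport)   ports="$ports --dport $val" ;;
            *) echo "nat: unknown rule-param '$key'" >&2; return 1 ;;
        esac
        shift 2
    done
    if [ -n "$ports" ] && [ -z "$proto" ]; then
        echo "nat: sport/dport require proto" >&2; return 1
    fi

    for t in $targets; do
        echo "iptables -t nat -A $chain$iface$addr$proto$ports -j $jump $opt $t"
    done
}

# Rendering the three "Other examples" from this manual page:
nat_to_iptables to-source 192.0.2.1 outface eth0 src 198.51.100.1 dst 203.0.113.1
nat_to_iptables to-destination 192.0.2.2 outface eth0 src 198.51.100.2 dst 203.0.113.2
nat_to_iptables redirect-to 8080 inface eth0 src 198.51.100.0/24 proto tcp dport 80
```

       Note that the page's own dnat example uses outface, which this function refuses for to-destination; that is the check the DESCRIPTION asks for, applied mechanically.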
SEE ALSO
       Sanewall program: sanewall(1)
       Sanewall configuration: sanewall.conf(5)
       interface definition: sanewall-interface(5)
       router definition: sanewall-router(5)
       optional rule parameters: sanewall-rule-params(5)
       masquerade helper: sanewall-masquerade(5)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>