"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "manpages/shorewall-snat.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

shorewall-snat.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):shorewall-snat.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 30 skipping to change at line 30
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall[6]/snat</command> <command>/etc/shorewall[6]/snat</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file is used to define dynamic NAT (Masquerading) and to define <para>This file is used to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT). It superseded <ulink Source NAT (SNAT). It superseded <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
5.0.14.</para> 5.0.14.</para>
<warning> <warning>
<para>The entries in this file are order-sensitive. The first entry that <para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para> matches a particular connection will be the one that is used.</para>
</warning> </warning>
<warning> <warning>
<para>If you have more than one ISP link, adding entries to this file <para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink through a particular link. You must use entries in <ulink
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
PREROUTING entries in <ulink entries in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
that.</para> that.</para>
</warning> </warning>
<para>Beginning with Shorewall 5.2.6, the snat file supports two different
formats:</para>
<orderedlist>
<listitem>
<para>The SPORT (source port) column is omitted. This is the default
unless a "?FORMAT 2" compiler directive is included.</para>
</listitem>
<listitem>
<para>The SPORT column immediately follows the DPORT column.</para>
</listitem>
</orderedlist>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ACTION</emphasis></term> <term><emphasis role="bold">ACTION</emphasis></term>
<listitem> <listitem>
<para>Defines the type of rule to generate. Beginning with Shorewall <para>Defines the type of rule to generate. Beginning with Shorewall
5.1.9, with the exception of NFLOG and ULOG, the action may be 5.1.9, with the exception of NFLOG and ULOG, the action may be
followed by a colon (":") and a <replaceable>log level</replaceable> followed by a colon (":") and a <replaceable>log level</replaceable>
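Review bot: the new "Beginning with Shorewall 5.2.6" paragraph and its ordered list name the selector only in item 1; item 2 says where SPORT sits but not that it is the layout selected by the directive, so a reader who jumps to item 2 has to infer it. Suggest "The SPORT column immediately follows the DPORT column (selected by a ?FORMAT 2 compiler directive)." Because the warning just above says entries are order-sensitive, it would also help to state here whether ?FORMAT 2 governs the whole file or only the entries that follow it.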
skipping to change at line 71 skipping to change at line 85
<para>Choices for ACTION are:</para> <para>Choices for ACTION are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold"><replaceable>action</replaceable></emphasis>[+][(<repl aceable>parameter</replaceable>,...)][:<replaceable>level</replaceable>]</term> role="bold"><replaceable>action</replaceable></emphasis>[+][(<repl aceable>parameter</replaceable>,...)][:<replaceable>level</replaceable>]</term>
<listitem> <listitem>
<para>where <replaceable>action</replaceable> is an action <para>where <replaceable>action</replaceable> is an action
declared in <ulink declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions(5)</uli url="shorewall-actions.html">shorewall-actions(5)</ulink> with
nk> the <option>nat</option> option. See <ulink
with the <option>nat</option> option. See <ulink url="../Actions.html">https://shorewall.org/Actions.html</ulink>
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for for further information.</para>
further information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">CONTINUE</emphasis>[+]:<replaceable>level</replaceable ></term> role="bold">CONTINUE</emphasis>[+]:<replaceable>level</replaceable ></term>
<listitem> <listitem>
<para>Causes matching packets to be exempted from any <para>Causes matching packets to be exempted from any
following rules in the file.</para> following rules in the file.</para>
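Review bot: the Actions link now shows the visible text "https://shorewall.org/Actions.html" while its href is the relative "../Actions.html"; every other ulink in this hunk was switched to a relative href with no visible URL at all. Either show the full URL consistently or drop it here so the two forms do not diverge.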
skipping to change at line 168 skipping to change at line 182
<term><emphasis <term><emphasis
role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range </emphasis>][:<emphasis>lowport</emphasis><emphasis role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range </emphasis>][:<emphasis>lowport</emphasis><emphasis
role="bold">[-</emphasis><emphasis>highport</emphasis>]][<emphasis role="bold">[-</emphasis><emphasis>highport</emphasis>]][<emphasis
role="bold">:random</emphasis>][:<option>persistent</option>]|<emp hasis role="bold">:random</emphasis>][:<option>persistent</option>]|<emp hasis
role="bold">detect</emphasis>)[:<replaceable>level</replaceable>]< /term> role="bold">detect</emphasis>)[:<replaceable>level</replaceable>]< /term>
<listitem> <listitem>
<para>If you specify an address here, matching packets will <para>If you specify an address here, matching packets will
have their source address set to that address. If have their source address set to that address. If
ADD_SNAT_ALIASES is set to Yes or yes in <ulink ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall.conf.html">shorewall.conf</ulink>(5) then
then Shorewall will automatically add this address to the Shorewall will automatically add this address to the INTERFACE
INTERFACE named in the first column (IPv4 only).</para> named in the first column (IPv4 only).</para>
<para>You may also specify a range of up to 256 IP addresses <para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in if you want the SNAT address to be assigned from that range in
a round-robin fashion by connection. The range is specified by a round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.rang e</emphasis>. <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.rang e</emphasis>.
You may follow the port range with<emphasis role="bold"> You may follow the port range with<emphasis role="bold">
:random</emphasis> in which case assignment of ports from the :random</emphasis> in which case assignment of ports from the
list will be random. <emphasis role="bold">random</emphasis> list will be random. <emphasis role="bold">random</emphasis>
may also be specified by itself in this column in which case may also be specified by itself in this column in which case
random local port assignments are made for the outgoing random local port assignments are made for the outgoing
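Review bot: this hunk only rewrites the shorewall.conf href, but the SNAT paragraph it touches still says "You may follow the port range with :random" directly after describing an address range, before any port range has been mentioned in the prose (lowport-highport appears only in the term above). Since :random controls how source ports are chosen, which matters to anyone counting on unpredictable NAT ports, suggest "You may follow the port range (lowport[-highport]) with :random".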
skipping to change at line 240 skipping to change at line 254
LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>) ], LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>) ],
except that the log level is not changed when this ACTION is except that the log level is not changed when this ACTION is
used in an action or macro body and the invocation of that used in an action or macro body and the invocation of that
action or macro specifies a log level.</para> action or macro specifies a log level.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>Normally Masq/SNAT rules are evaluated after those for <para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink one-to-one NAT (defined in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
want the rule to be applied before one-to-one NAT rules, follow the rule to be applied before one-to-one NAT rules, follow the action
action name with "+": This feature should only be required if you name with "+": This feature should only be required if you need to
need to insert rules in this file that preempt entries in <ulink insert rules in this file that preempt entries in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para> url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Optional) - <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
[<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclu sion</emphasis>]]</term> role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclu sion</emphasis>]]</term>
<listitem> <listitem>
<para>Set of hosts that you wish to masquerade. You can specify this <para>Set of hosts that you wish to masquerade. You can specify this
skipping to change at line 282 skipping to change at line 296
role="bold">:</emphasis><emphasis>digit][,</emphasis><emphasis>interface </emphasis>[<emphasis role="bold">:</emphasis><emphasis>digit][,</emphasis><emphasis>interface </emphasis>[<emphasis
role="bold">:</emphasis><emphasis>digit</emphasis>]]...|$FW}[<emphasis role="bold">:</emphasis><emphasis>digit</emphasis>]]...|$FW}[<emphasis
role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis> exclusion</emphasis>]]</term> role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis> exclusion</emphasis>]]</term>
<listitem> <listitem>
<para>Outgoing <emphasis>interface</emphasis>s and destination <para>Outgoing <emphasis>interface</emphasis>s and destination
networks. Multiple interfaces may be listed when the ACTION is networks. Multiple interfaces may be listed when the ACTION is
MASQUERADE, but this is usually just your internet interface. If MASQUERADE, but this is usually just your internet interface. If
ADD_SNAT_ALIASES=Yes in <ulink ADD_SNAT_ALIASES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
may add ":" and a <emphasis>digit</emphasis> to indicate that you and a <emphasis>digit</emphasis> to indicate that you want the alias
want the alias added with that name (e.g., eth0:0). This will allow added with that name (e.g., eth0:0). This will allow the alias to be
the alias to be displayed with ifconfig. <emphasis role="bold">That displayed with ifconfig. <emphasis role="bold">That is the only use
is the only use for the alias name; it may not appear in any other for the alias name; it may not appear in any other place in your
place in your Shorewall configuration.</emphasis></para> Shorewall configuration.</emphasis></para>
<para>Beginning with Shorewall 5.1.12, SNAT may be performed in the <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
nat table's INPUT chain by specifying $FW rather than one or more nat table's INPUT chain by specifying $FW rather than one or more
interfaces. </para> interfaces.</para>
<para>Each interface must match an entry in <ulink <para>Each interface must match an entry in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
(5). example, <filename class="devicefile">ppp0</filename> in this file
For example, <filename class="devicefile">ppp0</filename> in this will match a <ulink
file will match a <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5)
entry that defines <filename entry that defines <filename
class="devicefile">ppp+</filename>.</para> class="devicefile">ppp+</filename>.</para>
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one <para>Where <ulink url="../4.4/MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in specified by including the provider name or number in
parentheses:</para> parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting> <programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's address <para>In that case, you will want to specify the interface's address
for that provider as the SNAT parameter.</para> for that provider as the SNAT parameter.</para>
<para>The interface may be qualified by adding the character ":" <para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations. address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink Exclusion is allowed (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5 url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
)) are ipset names preceded by a plus sign '+';</para>
as are ipset names preceded by a plus sign '+';</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para> entry then include the ":" but omit the digit:</para>
<programlisting> eth0(Avvanta): <programlisting> eth0(Avvanta):
eth2::192.0.2.32/27</programlisting> eth2::192.0.2.32/27</programlisting>
<para>Comments may be attached to Netfilter rules generated from <para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of ?COMMENT lines. These lines entries in this file through the use of ?COMMENT lines. These lines
begin with ?COMMENT; the remainder of the line is treated as a begin with ?COMMENT; the remainder of the line is treated as a
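Review bot: the rewrapped MultiISP paragraph carries over the typo "more that one internet provider share a single interface" (should be "more than one internet provider shares a single interface"); since the lines are being reflowed anyway, fix it in the same change. The rewrapped exclusion paragraph also still ends with a semicolon ("preceded by a plus sign '+';") where a period belongs.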
skipping to change at line 344 skipping to change at line 358
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasi s>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term> role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasi s>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>If you wish to restrict this entry to a particular protocol <para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See then enter the protocol name (from protocols(5)) or number here. See
<ulink <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para> details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a <para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para> comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an <para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this <replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para> <firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PORT</emphasis> (Optional) - <term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-n umber</emphasis>]...|+<replaceable>ipset</replaceable>}</term> {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-n umber</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>The column was renamed to DPORT in Shorewall 5.2.6. Beginning
with that release, both PORT and DPORT are accepted in the
alternative input format,</para>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33), <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by numbers (or names from services(5)) or port ranges separated by
commas.</para> commas.</para>
<para>Port ranges are of the form <para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para> <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an <para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this <replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para> <firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SPORT
{-|[!]<replaceable>port-name-or-number</replaceable>[,<replaceable>port-
name-or-number</replaceable>]...|+<replaceable>ipset</replaceable>}</emphasis></
term>
<listitem>
<para>FORMAT 2 only.</para>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by
commas.</para>
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>An <replaceable>ipset</replaceable> name can be specified in
this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC</emphasis> (Optional) - <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis [<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term> role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem> <listitem>
<para>If you specify a value other than "-" in this column, you must <para>If you specify a value other than "-" in this column, you must
be running kernel 2.6 and your kernel and iptables must include be running kernel 2.6 and your kernel and iptables must include
policy match support.</para> policy match support.</para>
<para>Comma-separated list of options from the following. Only <para>Comma-separated list of options from the following. Only
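Review bot: the new paragraph under {PORT|DPORT} ends with a comma ("alternative input format,") where a period belongs. The new SPORT varlistentry also departs from the convention of the neighbouring column entries: the whole syntax is wrapped in <emphasis role="bold"> and the "(Optional) -" separator is missing, whereas every other term bolds only the column name. Suggest <term><emphasis role="bold">SPORT</emphasis> (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}</term>. Given that SPORT exists only in FORMAT 2, it would also help to say whether "-" must be supplied as a placeholder in FORMAT 2 entries that do not restrict the source port, so that the columns after it are not misparsed.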
skipping to change at line 834 skipping to change at line 872
<para>/etc/shorewall/snat</para> <para>/etc/shorewall/snat</para>
<para>/etc/shorewall6/snat</para> <para>/etc/shorewall6/snat</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configur ation_file_basics.htm#Pairs</ulink></para> url="../configuration_file_basics.htm#Pairs">https://shorewall.org/configura tion_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8)</para> <para>shorewall(8)</para>
</refsect1> </refsect1>
</refentry> </refentry>
 End of changes. 17 change blocks. 
39 lines changed or deleted 75 lines changed or added
