Member "shorewall6-5.2.8/configfiles/snat.annotated" (24 Sep 2020, 20042 Bytes) of package /linux/misc/shorewall/shorewall6-5.2.8.tar.bz2:


#
# Shorewall6 -- /etc/shorewall6/snat
#
# For information about entries in this file, type "man shorewall6-snat"
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
#
?FORMAT 2
###################################################################################################################################################
#
# This file is used to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT). It superseded shorewall-masq(5) in Shorewall 5.0.14.
#
# Warning
#
# The entries in this file are order-sensitive. The first entry that matches a
# particular connection will be the one that is used.
#
# Warning
#
# If you have more than one ISP link, adding entries to this file will not force
# connections to go out through a particular link. You must use entries in
# shorewall-rtrules(5) or PREROUTING entries in shorewall-mangle(5) to do that.
#
# Beginning with Shorewall 5.2.6, the snat file supports two different formats:
#
#  1. The SPORT (source port) column is omitted. This is the default unless a
#     "?FORMAT 2" compiler directive is included.
#
#  2. The SPORT column immediately follows the DPORT column.
#
# The columns in the file are as follows.
#
# ACTION
#
#     Defines the type of rule to generate. Beginning with Shorewall 5.1.9, with
#     the exception of NFLOG and ULOG, the action may be followed by a colon
#     (":") and a log level (see shorewall-logging(5)).
#
#     Choices for ACTION are:
#
#     action[+][(parameter,...)][:level]
#
#         where action is an action declared in shorewall-actions(5) with the nat
#         option. See https://shorewall.org/Actions.html for further information.
#
#     CONTINUE[+]:level
#
#         Causes matching packets to be exempted from any following rules in the
#         file.
#
#     LOG:level
#
#         Added in Shorewall 5.1.9. Simply log the packet and continue with the
#         next rule.
#
#     MASQUERADE[+][([lowport[-highport]][random])][:level]
#
#         Causes matching outgoing packets to have their source IP address set
#         to the primary IP address of the interface specified in the DEST
#         column. If lowport-highport is given, that port range will be used to
#         assign a source port. If only lowport is given, that port will be
#         assigned, if possible. If the random option is used then port mapping
#         will be randomized. MASQUERADE should only be used when the DEST
#         interface has a dynamic IP address. Otherwise, SNAT should be used and
#         should specify the interface's static address.
#
#     NFLOG[(nflog-parameters)]
#
#         Added in Shorewall 5.1.9. Queues matching packets to a back end logging
#         daemon via a netlink socket then continues to the next rule. See
#         shorewall-logging(5).
#
#         The nflog-parameters are a comma-separated list of up to 3 numbers:
#
#           ☆ The first number specifies the netlink group (0-65535). If omitted
#             (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
#
#           ☆ The second number specifies the maximum number of bytes to copy. If
#             omitted, 0 (no limit) is assumed.
#
#           ☆ The third number specifies the number of log messages that should
#             be buffered in the kernel before they are sent to user space. The
#             default is 1.
#
#         NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
#         level is not changed when this ACTION is used in an action or macro
#         body and the invocation of that action or macro specifies a log level.
#
#     SNAT[+]([address-or-address-range][:lowport[-highport]][:random]
#         [:persistent]|detect)[:level]
#
#         If you specify an address here, matching packets will have their source
#         address set to that address. If ADD_SNAT_ALIASES is set to Yes or yes
#         in shorewall.conf(5) then Shorewall will automatically add this address
#         to the INTERFACE named in the first column (IPv4 only).
#
#         You may also specify a range of up to 256 IP addresses if you want the
#         SNAT address to be assigned from that range in a round-robin fashion by
#         connection. The range is specified by first.ip.in.range-
#         last.ip.in.range. You may follow the port range with :random in which
#         case assignment of ports from the list will be random. random may also
#         be specified by itself in this column in which case random local port
#         assignments are made for the outgoing connections.
#
#         Example: 206.124.146.177-206.124.146.180
#
#         You may follow the port range (or :random) with :persistent. This is
#         only useful when an address range is specified and causes a client to
#         be given the same source/destination IP pair.
#
#         You may also use the special value detect which causes Shorewall to
#         determine the IP addresses configured on the interface named in the
#         DEST column and substitute them in this column.
#
#         DNS names are not allowed.
#
#         Normally, Netfilter will attempt to retain the source port number. You
#         may cause Netfilter to remap the source port by following an address or
#         range (if any) by ":" and a port range with the format lowport-highport.
#         If this is done, you must specify "tcp", "udp", "dccp" or "sctp" in
#         the PROTO column.
#
#         Examples:
#
#                 192.0.2.4:5000-6000
#                 :4000-5000
#
#         You may also specify a single port number, which will be assigned to
#         the outgoing connection, if possible.
#
#     ULOG[(ulog-parameters)]
#
#         IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to a back
#         end logging daemon via a netlink socket then continues to the next
#         rule. See shorewall-logging(5).
#
#         Similar to LOG:ULOG[(ulog-parameters)], except that the log level is
#         not changed when this ACTION is used in an action or macro body and the
#         invocation of that action or macro specifies a log level.
#
#     Normally Masq/SNAT rules are evaluated after those for one-to-one NAT
#     (defined in shorewall-nat(5)). If you want the rule to be applied before
#     one-to-one NAT rules, follow the action name with "+". This feature should
#     only be required if you need to insert rules in this file that preempt
#     entries in shorewall-nat(5).
#
# SOURCE (Optional) - [interface|address[,address...][exclusion]]
#
#     Set of hosts that you wish to masquerade. You can specify this as an
#     address (net or host) or as an interface. Unless you want to perform SNAT
#     in the INPUT chain (see DEST below), if you give the name of an interface
#     (deprecated), the interface must be up before you start the firewall and
#     the Shorewall rules compiler will warn you of that fact. (Shorewall will
#     use your main routing table to determine the appropriate addresses to
#     masquerade).
#
#     The preferred way to specify the SOURCE is to supply one or more host or
#     network addresses separated by comma. You may use ipset names preceded by a
#     plus sign (+) to specify a set of hosts.
#
# DEST - {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,
#     dest-address]...[exclusion]]
#
#     Outgoing interfaces and destination networks. Multiple interfaces may be
#     listed when the ACTION is MASQUERADE, but this is usually just your
#     internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you may
#     add ":" and a digit to indicate that you want the alias added with that
#     name (e.g., eth0:0). This will allow the alias to be displayed with
#     ifconfig. That is the only use for the alias name; it may not appear in any
#     other place in your Shorewall configuration.
#
#     Beginning with Shorewall 5.1.12, SNAT may be performed in the nat table's
#     INPUT chain by specifying $FW rather than one or more interfaces.
#
#     Each interface must match an entry in shorewall-interfaces(5). Shorewall
#     allows loose matches to wildcard entries in shorewall-interfaces(5). For
#     example, ppp0 in this file will match a shorewall-interfaces(5) entry that
#     defines ppp+.
#
#     Where more than one internet provider shares a single interface, the
#     provider is specified by including the provider name or number in
#     parentheses:
#
#             eth0(Avvanta)
#
#     In that case, you will want to specify the interface's address for that
#     provider as the SNAT parameter.
#
#     The interface may be qualified by adding the character ":" followed by a
#     comma-separated list of destination host or subnet addresses to indicate
#     that you only want to change the source IP address for packets being sent
#     to those particular destinations. Exclusion is allowed (see
#     shorewall-exclusion(5)) as are ipset names preceded by a plus sign '+'.
#
#     If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then
#     include the ":" but omit the digit:
#
#             eth0(Avvanta):
#             eth2::192.0.2.32/27
#
#     Comments may be attached to Netfilter rules generated from entries in this
#     file through the use of ?COMMENT lines. These lines begin with ?COMMENT;
#     the remainder of the line is treated as a comment which is attached to
#     subsequent rules until another ?COMMENT line is found or until the end of
#     the file is reached. To stop adding comments to rules, use a line
#     containing only ?COMMENT.
#
# PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
#
#     If you wish to restrict this entry to a particular protocol then enter the
#     protocol name (from protocols(5)) or number here. See shorewall-rules(5)
#     for details.
#
#     Beginning with Shorewall 4.5.12, this column can accept a comma-separated
#     list of protocols.
#
#     Beginning with Shorewall 4.6.0, an ipset name can be specified in this
#     column. This is intended to be used with bitmap:port ipsets.
#
# {PORT|DPORT} (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+
#     ipset}
#
#     The column was renamed to DPORT in Shorewall 5.2.6. Beginning with that
#     release, both PORT and DPORT are accepted in the alternative input format.
#
#     If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP (132) or
#     UDPLITE (136) then you may list one or more port numbers (or names from
#     services(5)) or port ranges separated by commas.
#
#     Port ranges are of the form lowport:highport.
#
#     Beginning with Shorewall 4.6.0, an ipset name can be specified in this
#     column. This is intended to be used with bitmap:port ipsets.
#
# SPORT {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
#
#     FORMAT 2 only.
#
#     If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP (132) or
#     UDPLITE (136) then you may list one or more port numbers (or names from
#     services(5)) or port ranges separated by commas.
#
#     Port ranges are of the form lowport:highport.
#
#     An ipset name can be specified in this column. This is intended to be used
#     with bitmap:port ipsets.
#
# IPSEC (Optional) - [option[,option]...]
#
#     If you specify a value other than "-" in this column, you must be running
#     kernel 2.6 and your kernel and iptables must include policy match support.
#
#     Comma-separated list of options from the following. Only packets that will
#     be encrypted via an SA that matches these options will have their source
#     address changed.
#
#     reqid=number
#
#         where number is specified using setkey(8) using the 'unique:number'
#         option for the SPD level.
#
#     spi=<number>
#
#         where number is the SPI of the SA used to encrypt/decrypt packets.
#
#     proto=ah|esp|ipcomp
#
#         IPSEC Encapsulation Protocol
#
#     mss=number
#
#         sets the MSS field in TCP packets
#
#     mode=transport|tunnel
#
#         IPSEC mode
#
#     tunnel-src=address[/mask]
#
#         only available with mode=tunnel
#
#     tunnel-dst=address[/mask]
#
#         only available with mode=tunnel
#
#     strict
#
#         Means that packets must match all rules.
#
#     next
#
#         Separates rules; can only be used with strict
#
#     yes
#
#         When used by itself, causes all traffic that will be encrypted/
#         encapsulated to match the rule.
#
# MARK - [!]value[/mask][:C]
#
#     Defines a test on the existing packet or connection mark. The rule will
#     match only if the test returns true.
#
#     If you don't want to define a test but need to specify anything in the
#     following columns, place a "-" in this field.
#
#     !
#
#         Inverts the test (not equal)
#
#     value
#
#         Value of the packet or connection mark.
#
#     mask
#
#         A mask to be applied to the mark before testing.
#
#     :C
#
#         Designates a connection mark. If omitted, the packet mark's value is
#         tested.
#
# USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]
#
#     This column was formerly labelled USER/GROUP.
#
#     Only locally-generated connections will match if this column is non-empty.
#
#     When this column is non-empty, the rule matches only if the program
#     generating the output is running under the effective user and/or group
#     specified (or is NOT running under that id if "!" is given).
#
#     Examples:
#
#     joe
#
#         program must be run by joe
#
#     :kids
#
#         program must be run by a member of the 'kids' group
#
#     !:kids
#
#         program must not be run by a member of the 'kids' group
#
#     +upnpd
#
#         program named upnpd
#
#         Important
#
#         The ability to specify a program name was removed from Netfilter in
#         kernel version 2.6.14.
#
# SWITCH - [!]switch-name[={0|1}]
#
#     Added in Shorewall 4.5.1 and allows enabling and disabling the rule without
#     requiring shorewall restart.
#
#     The rule is enabled if the value stored in /proc/net/nf_condition/
#     switch-name is 1. The rule is disabled if that file contains 0 (the
#     default). If '!' is supplied, the test is inverted such that the rule is
#     enabled if the file contains 0.
#
#     Within the switch-name, '@0' and '@{0}' are replaced by the name of the
#     chain to which the rule is added. The switch-name (after '@...'
#     expansion) must begin with a letter and be composed of letters, decimal
#     digits, underscores or hyphens. Switch names must be 30 characters or less
#     in length.
#
#     Switches are normally off. To turn a switch on:
#
#     echo 1 > /proc/net/nf_condition/switch-name
#
#     To turn it off again:
#
#     echo 0 > /proc/net/nf_condition/switch-name
#
#     Switch settings are retained over shorewall restart.
#
#     Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or
#     =1, then the switch is initialized to off or on respectively by the start
#     command. Other commands do not affect the switch setting.
#
# ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
#
#     (Optional) Added in Shorewall 4.5.6. This column may be included and may
#     contain one or more addresses (host or network) separated by commas.
#     Address ranges are not allowed. When this column is supplied, rules are
#     generated that require that the original destination address matches one of
#     the listed addresses. It is useful for specifying that SNAT should occur
#     only for connections that were acted on by a DNAT when they entered the
#     firewall.
#
#     This column was formerly labelled ORIGINAL DEST.
#
# PROBABILITY - [probability]
#
#     Added in Shorewall 5.0.0. When non-empty, requires the Statistics Match
#     capability in your kernel and ip6tables and causes the rule to match
#     randomly but with the given probability. The probability is a number 0 <
#     probability <= 1 and may be expressed with up to 8 decimal places of
#     precision.
#
# Examples
#
# IPv4 Example 1:
#
#     You have a simple masquerading setup where eth0 connects to a DSL or cable
#     modem and eth1 connects to your local network with subnet 192.168.0.0/24.
#
#     Your entry in the file will be:
#
#             #ACTION    SOURCE              DEST
#             MASQUERADE 192.168.0.0/24      eth0
#
# IPv4 Example 2:
#
#     You add a router to your local network to connect subnet 192.168.1.0/24
#     which you also want to masquerade. You then add a second entry for eth0 to
#     this file:
#
#             #ACTION    SOURCE              DEST
#             MASQUERADE 192.168.0.0/24      eth0
#             MASQUERADE 192.168.1.0/24      eth0
#
# IPv4 Example 3:
#
#     You want all outgoing traffic from 192.168.1.0/24 through eth0 to use
#     source address 206.124.146.176 which is NOT the primary address of eth0.
#     You want 206.124.146.176 to be added to eth0 with name eth0:0.
#
#             #ACTION                 SOURCE          DEST
#             SNAT(206.124.146.176)   192.168.1.0/24  eth0:0
#
# IPv4 Example 4:
#
#     You want all outgoing SMTP traffic entering the firewall from 172.20.1.0/29
#     to be sent from eth0 with source IP address 206.124.146.177. You want all
#     other outgoing traffic from 172.20.1.0/29 to be sent from eth0 with source
#     IP address 206.124.146.176.
#
#             #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
#             eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
#             eth0         172.20.1.0/29    206.124.146.176
#
#             #ACTION                 SOURCE          DEST        PROTO     PORT
#             SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
#             SNAT(206.124.146.176)   172.20.1.0/29   eth0
#
#     Warning
#
#     The order of the above two rules is significant!
#
# IPv4 Example 5:
#
#     Connections leaving on eth0 and destined to any host defined in the ipset
#     myset should have the source IP address changed to 206.124.146.177.
#
#             #ACTION                 SOURCE          DEST
#             SNAT(206.124.146.177)   -               eth0:+myset[dst]
#
# IPv4 Example 6:
#
#     SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly to addresses
#     1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and later).
#
#     /etc/shorewall/snat:
#
#            #ACTION                 SOURCE          DEST
#            SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
#            SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
#            SNAT(1.1.1.9)           192.168.1.0/24  eth0
#
# IPv6 Example 1:
#
#     You have a simple 'masquerading' setup where eth0 connects to a DSL or
#     cable modem and eth1 connects to your local network with subnet
#     2001:470:b:787::0/64
#
#     Your entry in the file will be:
#
#             #ACTION      SOURCE                  DEST
#             MASQUERADE   2001:470:b:787::0/64    eth0
#
# IPv6 Example 2:
#
#     Your sit1 interface has two public IP addresses: 2001:470:a:227::1 and
#     2001:470:b:227::1. You want to use the iptables statistics match to
#     masquerade outgoing connections evenly between these two addresses.
#
#     /etc/shorewall/snat:
#
#            #ACTION                      SOURCE     DEST
#            SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
#            SNAT(2001:470:b:227::1)      ::/0       sit1
#
###################################################################################################################################################
#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
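The following Python is an added example and is not part of Shorewall or of this file. It parses entries in the FORMAT 2 column layout documented above (honouring the ?FORMAT and ?COMMENT directives and the trailing "{ probability=... }" option), then acts as a first-match evaluator: it shows why the two rules in IPv4 Example 4 must stay in that order, and it computes the share of connections each entry in IPv4 Example 6 ends up handling, which is why 0.33 followed by 0.50 followed by an unconditional entry spreads connections almost evenly. The sample entries are constructed from those two examples; the services(5) stand-in table and the simplified matching (no "!" negation, exclusions, ipsets or provider qualifiers) are this example's own assumptions.

```python
"""Parser and first-match evaluator for Shorewall snat entries.

Added example, not Shorewall code. Models the FORMAT 2 columns, the
?FORMAT/?COMMENT directives and the "{ probability=... }" option.
"""
import ipaddress
import re
from dataclasses import dataclass

# Column order for FORMAT 2; FORMAT 1 is the same layout without SPORT.
COLUMNS_FMT2 = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "IPSEC",
                "MARK", "USER", "SWITCH", "ORIGDEST", "PROBABILITY"]
COLUMNS_FMT1 = [c for c in COLUMNS_FMT2 if c != "SPORT"]

# Tiny stand-in for services(5); an assumption of this example only.
SERVICES = {"smtp": 25, "http": 80, "https": 443, "domain": 53}


@dataclass
class SnatRule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    probability: float = 1.0   # 1.0 means no statistics match
    comment: str = ""          # text of the governing ?COMMENT line

    @property
    def dest_iface(self):
        # "eth0:0", "eth0(Avvanta):" and "eth2::192.0.2.32/27" name eth0 / eth2.
        return re.split(r"[:(]", self.dest, maxsplit=1)[0]


def parse_snat(text):
    """Return the rules in file order; '#' comments and the header are skipped."""
    rules, fmt, comment = [], 1, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("?FORMAT"):
            fmt = int(line.split()[1])
            continue
        if line.startswith("?COMMENT"):
            comment = line[len("?COMMENT"):].strip()   # bare ?COMMENT clears it
            continue
        prob = 1.0
        m = re.search(r"\{\s*probability\s*=\s*([0-9.]+)\s*\}", line)
        if m:                                           # inline option form
            prob = float(m.group(1))
            line = line[:m.start()].rstrip()
        cols = dict(zip(COLUMNS_FMT2 if fmt == 2 else COLUMNS_FMT1, line.split()))
        if cols.get("PROBABILITY", "-") != "-":         # column form
            prob = float(cols["PROBABILITY"])
        rules.append(SnatRule(cols["ACTION"], cols["SOURCE"], cols["DEST"],
                              cols.get("PROTO", "-"), cols.get("DPORT", "-"),
                              prob, comment))
    return rules


def _port_match(spec, port):
    """DPORT: service names, numbers or lowport:highport, comma-separated."""
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(SERVICES.get(p, p)) for p in item.split(":"))
            if lo <= port <= hi:
                return True
        elif int(SERVICES.get(item, item)) == port:
            return True
    return False


def matches(rule, src_ip, out_iface, proto="-", dport=None):
    """Does an outgoing connection match this entry? (no negation/exclusion/ipsets)"""
    if rule.source != "-" and ipaddress.ip_address(src_ip) not in \
            ipaddress.ip_network(rule.source, strict=False):
        return False
    if rule.dest_iface != out_iface:
        return False
    if rule.proto != "-" and rule.proto.lower() != proto.lower():
        return False
    if rule.dport != "-" and (dport is None or not _port_match(rule.dport, dport)):
        return False
    return True


def first_match(rules, src_ip, out_iface, proto="-", dport=None):
    """The first matching entry wins, which is why entry order matters."""
    return next((r for r in rules if matches(r, src_ip, out_iface, proto, dport)), None)


def effective_shares(rules, src_ip, out_iface, proto="-", dport=None):
    """Fraction of matching connections each entry handles: an entry with
    PROBABILITY p takes p of whatever the entries above it left over."""
    shares, remaining = [], 1.0
    for r in rules:
        if remaining > 1e-12 and matches(r, src_ip, out_iface, proto, dport):
            share = remaining * r.probability
            shares.append((r.action, round(share, 4)))
            remaining -= share
    return shares


# Constructed sample built from IPv4 Examples 4 and 6 above.
SAMPLE = """\
?FORMAT 2
?COMMENT SMTP leaves from the dedicated address
#ACTION                 SOURCE          DEST    PROTO   DPORT   SPORT
SNAT(206.124.146.177)   172.20.1.0/29   eth0    tcp     smtp    -
?COMMENT
SNAT(206.124.146.176)   172.20.1.0/29   eth0
SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
SNAT(1.1.1.9)           192.168.1.0/24  eth0
"""

if __name__ == "__main__":
    rules = parse_snat(SAMPLE)
    print(first_match(rules, "172.20.1.2", "eth0", "tcp", 25).action)
    print(effective_shares(rules, "192.168.1.10", "eth0"))
    # Swapping the two probabilistic entries makes the split uneven.
    print(effective_shares([rules[3], rules[2], rules[4]], "192.168.1.10", "eth0"))
```

Swapping the first two SNAT entries of Example 4 would send SMTP out from 206.124.146.176, because the unconditional entry then matches first; `effective_shares` likewise shows that reversing the 0.33 and 0.50 entries of Example 6 gives a 0.5 / 0.165 / 0.335 split instead of roughly one third each.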