File: //usr/share/shorewall/configfiles/snat.annotated
#
# Shorewall -- /etc/shorewall/snat
#
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for more information
#
###########################################################################################################################################
#
# This file is used to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT). It superseded shorewall-masq(5) in Shorewall 5.0.14.
#
# Warning
#
# The entries in this file are order-sensitive. The first entry that matches a
# particular connection will be the one that is used.
#
# Warning
#
# If you have more than one ISP link, adding entries to this file will not force
# connections to go out through a particular link. You must use entries in
# shorewall-rtrules(5) or PREROUTING entries in shorewall-mangle(5) to do that.
#
# The columns in the file are as follows.
#
# ACTION
#
# Defines the type of rule to generate. Beginning with Shorewall 5.1.9, with
# the exception of NFLOG and ULOG, the action may be followed by a colon
# (":") and a log level (see shorewall-logging(5)).
#
# Choices for ACTION are:
#
# action[+][(parameter,...)][:level]
#
# where action is an action declared in shorewall-actions(5) with the nat
# option. See www.shorewall.net/Actions.html for further information.
#
# CONTINUE[+]:level
#
# Causes matching packets to be exempted from any following rules in the
# file.
#
# LOG:level
#
# Added in Shorewall 5.1.9. Simply log the packet and continue with the
# next rule.
#
# MASQUERADE[+][([lowport[-highport]][random])][:level]
#
# Causes matching outgoing packages to have their source IP address set
# to the primary IP address of the interface specified in the DEST
# column. if lowport-highport is given, that port range will be used to
# assign a source port. If only lowport is given, that port will be
# assigned, if possible. If option random is used then port mapping will
# be randomized. MASQUERADE should only be used when the DEST interface
# has a dynamic IP address. Otherwise, SNAT should be used and should
# specify the interface's static address.
#
# NFLOG[(nflog-parameters)]
#
# Added in Shorewall 5.1.9. Queues matching packets to a back end logging
# daemon via a netlink socket then continues to the next rule. See
# shorewall-logging(5).
#
# The nflog-parameters are a comma-separated list of up to 3 numbers:
#
# ☆ The first number specifies the netlink group (0-65535). If omitted
# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
#
# ☆ The second number specifies the maximum number of bytes to copy. If
# omitted, 0 (no limit) is assumed.
#
# ☆ The third number specifies the number of log messages that should
# be buffered in the kernel before they are sent to user space. The
# default is 1.
#
# NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
# level is not changed when this ACTION is used in an action or macro
# body and the invocation of that action or macro specifies a log level.
#
# SNAT[+]([address-or-address-range][:lowport[-highport]][:random]
# [:persistent]|detect)[:level]
#
# If you specify an address here, matching packets will have their source
# address set to that address. If ADD_SNAT_ALIASES is set to Yes or yes
# in shorewall.conf(5) then Shorewall will automatically add this address
# to the INTERFACE named in the first column (IPv4 only).
#
# You may also specify a range of up to 256 IP addresses if you want the
# SNAT address to be assigned from that range in a round-robin fashion by
# connection. The range is specified by first.ip.in.range-
# last.ip.in.range. You may follow the port range with :random in which
# case assignment of ports from the list will be random. random may also
# be specified by itself in this column in which case random local port
# assignments are made for the outgoing connections.
#
# Example: 206.124.146.177-206.124.146.180
#
# You may follow the port range (or :random) with :persistent. This is
# only useful when an address range is specified and causes a client to
# be given the same source/destination IP pair.
#
# You may also use the special value detect which causes Shorewall to
# determine the IP addresses configured on the interface named in the
# DEST column and substitute them in this column.
#
# Finally, you may also specify a comma-separated list of ranges and/or
# addresses in this column.
#
# DNS Names names are not allowed.
#
# Normally, Netfilter will attempt to retain the source port number. You
# may cause netfilter to remap the source port by following an address or
# range (if any) by ":" and a port range with the format lowport-highport
# . If this is done, you must specify "tcp", "udp", "dccp" or "stcp" in
# the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You may also specify a single port number, which will be assigned to
# the outgoing connection, if possible.
#
# ULOG[(ulog-parameters)]
#
# IPv4 only. Added in Shorewall 5.1.9. Queues matching packets to a back
# end logging daemon via a netlink socket then continues to the next
# rule. See shorewall-logging(5).
#
# Similar to LOG:ULOG[(ulog-parameters)], except that the log level is
# not changed when this ACTION is used in an action or macro body and the
# invocation of that action or macro specifies a log level.
#
# Normally Masq/SNAT rules are evaluated after those for one-to-one NAT
# (defined in shorewall-nat(5)). If you want the rule to be applied before
# one-to-one NAT rules, follow the action name with "+": This feature should
# only be required if you need to insert rules in this file that preempt
# entries in shorewall-nat(5).
#
# SOURCE (Optional) - [interface|address[,address...][exclusion]]
#
# Set of hosts that you wish to masquerade. You can specify this as an
# address (net or host) or as an interface. Unless you want to perform SNAT
# in the INPUT chain (see DEST below), if you give the name of an interface
# (deprecated), the interface must be up before you start the firewall and
# the Shorewall rules compiler will warn you of that fact. (Shorewall will
# use your main routing table to determine the appropriate addresses to
# masquerade).
#
# The preferred way to specify the SOURCE is to supply one or more host or
# network addresses separated by comma. You may use ipset names preceded by a
# plus sign (+) to specify a set of hosts.
#
# DEST - {interface[:digit][,interface[:digit]]...|$FW}[:[dest-address[,
# dest-address]...[exclusion]]
#
# Outgoing interfaces and destination networks. Multiple interfaces may be
# listed when the ACTION is MASQUERADE, but this is usually just your
# internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you may
# add ":" and a digit to indicate that you want the alias added with that
# name (e.g., eth0:0). This will allow the alias to be displayed with
# ifconfig. That is the only use for the alias name; it may not appear in any
# other place in your Shorewall configuration.
#
# Beginning with Shorewall 5.1.12, SNAT may be performed in the nat table's
# INPUT chain by specifying $FW rather than one or more interfaces.
#
# Each interface must match an entry in shorewall-interfaces(5). Shorewall
# allows loose matches to wildcard entries in shorewall-interfaces(5). For
# example, ppp0 in this file will match a shorewall-interfaces(5) entry that
# defines ppp+.
#
# Where more that one internet provider share a single interface, the
# provider is specified by including the provider name or number in
# parentheses:
#
# eth0(Avvanta)
#
# In that case, you will want to specify the interface's address for that
# provider as the SNAT parameter.
#
# The interface may be qualified by adding the character ":" followed by a
# comma-separated list of destination host or subnet addresses to indicate
# that you only want to change the source IP address for packets being sent
# to those particular destinations. Exclusion is allowed (see
# shorewall-exclusion(5)) as are ipset names preceded by a plus sign '+';
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then
# include the ":" but omit the digit:
#
# eth0(Avvanta):
# eth2::192.0.2.32/27
#
# Comments may be attached to Netfilter rules generated from entries in this
# file through the use of ?COMMENT lines. These lines begin with ?COMMENT;
# the remainder of the line is treated as a comment which is attached to
# subsequent rules until another ?COMMENT line is found or until the end of
# the file is reached. To stop adding comments to rules, use a line
# containing only ?COMMENT.
#
# PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset}
#
# If you wish to restrict this entry to a particular protocol then enter the
# protocol name (from protocols(5)) or number here. See shorewall-rules(5)
# for details.
#
# Beginning with Shorewall 4.5.12, this column can accept a comma-separated
# list of protocols.
#
# Beginning with Shorewall 4.6.0, an ipset name can be specified in this
# column. This is intended to be used with bitmap:port ipsets.
#
# PORT (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
#
# If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP (132) or
# UDPLITE (136) then you may list one or more port numbers (or names from
# services(5)) or port ranges separated by commas.
#
# Port ranges are of the form lowport:highport.
#
# Beginning with Shorewall 4.6.0, an ipset name can be specified in this
# column. This is intended to be used with bitmap:port ipsets.
#
# IPSEC (Optional) - [option[,option]...]
#
# If you specify a value other than "-" in this column, you must be running
# kernel 2.6 and your kernel and iptables must include policy match support.
#
# Comma-separated list of options from the following. Only packets that will
# be encrypted via an SA that matches these options will have their source
# address changed.
#
# reqid=number
#
# where number is specified using setkey(8) using the 'unique:number
# option for the SPD level.
#
# spi=<number>
#
# where number is the SPI of the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# IPSEC Encapsulation Protocol
#
# mss=number
#
# sets the MSS field in TCP packets
#
# mode=transport|tunnel
#
# IPSEC mode
#
# tunnel-src=address[/mask]
#
# only available with mode=tunnel
#
# tunnel-dst=address[/mask]
#
# only available with mode=tunnel
#
# strict
#
# Means that packets must match all rules.
#
# next
#
# Separates rules; can only be used with strict
#
# yes
#
# When used by itself, causes all traffic that will be encrypted/
# encapsulated to match the rule.
#
# MARK - [!]value[/mask][:C]
#
# Defines a test on the existing packet or connection mark. The rule will
# match only if the test returns true.
#
# If you don't want to define a test but need to specify anything in the
# following columns, place a "-" in this field.
#
# !
#
# Inverts the test (not equal)
#
# value
#
# Value of the packet or connection mark.
#
# mask
#
# A mask to be applied to the mark before testing.
#
# :C
#
# Designates a connection mark. If omitted, the packet mark's value is
# tested.
#
# USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name
# ]
#
# This column was formerly labelled USER/GROUP.
#
# Only locally-generated connections will match if this column is non-empty.
#
# When this column is non-empty, the rule matches only if the program
# generating the output is running under the effective user and/or group
# specified (or is NOT running under that id if "!" is given).
#
# Examples:
#
# joe
#
# program must be run by joe
#
# :kids
#
# program must be run by a member of the 'kids' group
#
# !:kids
#
# program must not be run by a member of the 'kids' group
#
# +upnpd
#
# #program named upnpd
#
# Important
#
# The ability to specify a program name was removed from Netfilter in
# kernel version 2.6.14.
#
# SWITCH - [!]switch-name[={0|1}]
#
# Added in Shorewall 4.5.1 and allows enabling and disabling the rule without
# requiring shorewall restart.
#
# The rule is enabled if the value stored in /proc/net/nf_condition/
# switch-name is 1. The rule is disabled if that file contains 0 (the
# default). If '!' is supplied, the test is inverted such that the rule is
# enabled if the file contains 0.
#
# Within the switch-name, '@0' and '@{0}' are replaced by the name of the
# chain to which the rule is a added. The switch-name (after '@...'
# expansion) must begin with a letter and be composed of letters, decimal
# digits, underscores or hyphens. Switch names must be 30 characters or less
# in length.
#
# Switches are normally off. To turn a switch on:
#
# echo 1 > /proc/net/nf_condition/switch-name
#
# To turn it off again:
#
# echo 0 > /proc/net/nf_condition/switch-name
#
# Switch settings are retained over shorewall restart.
#
# Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or
# =1, then the switch is initialized to off or on respectively by the start
# command. Other commands do not affect the switch setting.
#
# ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
#
# (Optional) Added in Shorewall 4.5.6. This column may be included and may
# contain one or more addresses (host or network) separated by commas.
# Address ranges are not allowed. When this column is supplied, rules are
# generated that require that the original destination address matches one of
# the listed addresses. It is useful for specifying that SNAT should occur
# only for connections that were acted on by a DNAT when they entered the
# firewall.
#
# This column was formerly labelled ORIGINAL DEST.
#
# PROBABILITY - [probability]
#
# Added in Shorewall 5.0.0. When non-empty, requires the Statistics Match
# capability in your kernel and ip6tables and causes the rule to match
# randomly but with the given probability. The probability is a number 0 <
# probability <= 1 and may be expressed at up to 8 decimal points of
# precision.
#
# Examples
#
# IPv4 Example 1:
#
# You have a simple masquerading setup where eth0 connects to a DSL or cable
# modem and eth1 connects to your local network with subnet 192.168.0.0/24.
#
# Your entry in the file will be:
#
# #ACTION SOURCE DEST
# MASQUERADE 192.168.0.0/24 eth0
#
# IPv4 Example 2:
#
# You add a router to your local network to connect subnet 192.168.1.0/24
# which you also want to masquerade. You then add a second entry for eth0 to
# this file:
#
# #ACTION SOURCE DEST
# MASQUERADE 192.168.0.0/24 eth0
# MASQUERADE 192.168.1.0/24 eth0
#
# IPv4 Example 3:
#
# You want all outgoing traffic from 192.168.1.0/24 through eth0 to use
# source address 206.124.146.176 which is NOT the primary address of eth0.
# You want 206.124.146.176 to be added to eth0 with name eth0:0.
#
# #ACTION SOURCE DEST
# SNAT(206.124.146.176) 192.168.1.0/24 eth0:0
#
# IPv4 Example 4:
#
# You want all outgoing SMTP traffic entering the firewall from 172.20.1.0/29
# to be sent from eth0 with source IP address 206.124.146.177. You want all
# other outgoing traffic from 172.20.1.0/29 to be sent from eth0 with source
# IP address 206.124.146.176.
#
# #INTERFACE SOURCE ADDRESS PROTO DPORT
# eth0 172.20.1.0/29 206.124.146.177 tcp smtp
# eth0 172.20.1.0/29 206.124.146.176
#
# #ACTION SOURCE DEST PROTO PORT
# SNAT(206.124.146.177) 172.20.1.0/29 eth0 tcp smtp
# SNAT(206.124.146.176) 172.20.1.0/29 eth0
#
# Warning
#
# The order of the above two rules is significant!
#
# IPv4 Example 5:
#
# Connections leaving on eth0 and destined to any host defined in the ipset
# myset should have the source IP address changed to 206.124.146.177.
#
# #ACTION SOURCE DEST
# SNAT(206.124.146.177) - eth0:+myset[dst]
#
# IPv4 Example 6:
#
# SNAT outgoing connections on eth0 from 192.168.1.0/24 in round-robin
# fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 4.5.9
# and later).
#
# /etc/shorewall/tcrules:
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# 1-3:CF 192.168.1.0/24 eth0 ; state=NEW
#
# /etc/shorewall/snat:
#
# #ACTION SOURCE DEST
# SNAT(1.1.1.1) 192.168.1.0/24 eth0 { mark=1:C }
# SNAT(1.1.1.3) 192.168.1.0/24 eth0 { mark=2:C }
# SNAT(1.1.1.9) 192.168.1.0/24 eth0 { mark=3:C }
#
# IPv6 Example 1:
#
# You have a simple 'masquerading' setup where eth0 connects to a DSL or
# cable modem and eth1 connects to your local network with subnet
# 2001:470:b:787::0/64
#
# Your entry in the file will be:
#
# #ACTION SOURCE DEST
# MASQUERADE 2001:470:b:787::0/64 eth0
#
# IPv6 Example 2:
#
# Your sit1 interface has two public IP addresses: 2001:470:a:227::1 and
# 2001:470:b:227::1. You want to use the iptables statistics match to
# masquerade outgoing connections evenly between these two addresses.
#
# /etc/shorewall/snat:
#
# #ACTION SOURCE DEST
# SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
# SNAT(2001:470:a:227::2) ::/0 sit
#
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY