2004-01-31 17:11:22 +01:00
|
|
|
#
|
2005-05-02 22:54:43 +02:00
|
|
|
# Shorewall 2.4 - Masquerade file
|
2004-01-31 17:11:22 +01:00
|
|
|
#
|
|
|
|
# /etc/shorewall/masq
|
|
|
|
#
|
|
|
|
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
|
|
|
|
# (SNAT).
|
|
|
|
#
|
|
|
|
# Columns are:
|
|
|
|
#
|
|
|
|
# INTERFACE -- Outgoing interface. This is usually your internet
|
|
|
|
# interface. If ADD_SNAT_ALIASES=Yes in
|
|
|
|
# /etc/shorewall/shorewall.conf, you may add ":" and
|
|
|
|
# a digit to indicate that you want the alias added with
|
|
|
|
# that name (e.g., eth0:0). This will allow the alias to
|
|
|
|
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
|
|
|
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
|
|
|
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
|
|
|
#
|
|
|
|
# This may be qualified by adding the character
|
|
|
|
# ":" followed by a destination host or subnet.
|
|
|
|
#
|
2004-07-13 02:33:30 +02:00
|
|
|
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
|
|
|
# for this entry then include the ":" but omit the digit:
|
|
|
|
#
|
|
|
|
# eth0:
|
|
|
|
# eth2::192.0.2.32/27
|
|
|
|
#
|
|
|
|
# Normally Masq/SNAT rules are evaluated after those for
|
|
|
|
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
|
|
|
# the rule to be applied before one-to-one NAT rules,
|
|
|
|
# prefix the interface name with "+":
|
|
|
|
#
|
|
|
|
# +eth0
|
|
|
|
# +eth0:192.0.2.32/27
|
|
|
|
# +eth0:2
|
2004-01-31 17:11:22 +01:00
|
|
|
#
|
2004-07-15 22:29:06 +02:00
|
|
|
# This feature should only be required if you need to
|
|
|
|
# insert rules in this file that preempt entries in
|
|
|
|
# /etc/shorewall/nat.
|
|
|
|
#
|
2004-01-31 17:11:22 +01:00
|
|
|
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
|
|
|
# a subnet or as an interface. If you give the name of an
|
|
|
|
# interface, you must have iproute installed and the interface
|
|
|
|
# must be up before you start the firewall.
|
|
|
|
#
|
|
|
|
# In order to exclude a subset of the specified SUBNET, you
|
|
|
|
# may append "!" and a comma-separated list of IP addresses
|
|
|
|
# and/or subnets that you wish to exclude.
|
|
|
|
#
|
|
|
|
# Example: eth1!192.168.1.4,192.168.32.0/27
|
|
|
|
#
|
|
|
|
# In that example traffic from eth1 would be masqueraded unless
|
|
|
|
# it came from 192.168.1.4 or 196.168.32.0/27
|
|
|
|
#
|
|
|
|
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
|
|
|
# used and this will be the source address. If
|
|
|
|
# ADD_SNAT_ALIASES is set to Yes or yes in
|
|
|
|
# /etc/shorewall/shorewall.conf then Shorewall
|
|
|
|
# will automatically add this address to the
|
|
|
|
# INTERFACE named in the first column.
|
|
|
|
#
|
|
|
|
# You may also specify a range of up to 256
|
|
|
|
# IP addresses if you want the SNAT address to
|
|
|
|
# be assigned from that range in a round-robin
|
|
|
|
# range by connection. The range is specified by
|
|
|
|
# <first ip in range>-<last ip in range>.
|
|
|
|
#
|
|
|
|
# Example: 206.124.146.177-206.124.146.180
|
|
|
|
#
|
|
|
|
# Finally, you may also specify a comma-separated
|
|
|
|
# list of ranges and/or addresses in this column.
|
2004-07-19 15:50:14 +02:00
|
|
|
#
|
2004-01-31 17:11:22 +01:00
|
|
|
# This column may not contain DNS Names.
|
|
|
|
#
|
2004-08-26 22:59:39 +02:00
|
|
|
# Normally, Netfilter will attempt to retain
|
|
|
|
# the source port number. You may cause
|
|
|
|
# netfilter to remap the source port by following
|
|
|
|
# an address or range (if any) by ":" and
|
|
|
|
# a port range with the format <low port>-
|
|
|
|
# <high port>. If this is done, you must
|
|
|
|
# specify "tcp" or "udp" in the PROTO column.
|
|
|
|
#
|
|
|
|
# Examples:
|
|
|
|
#
|
|
|
|
# 192.0.2.4:5000-6000
|
|
|
|
# :4000-5000
|
|
|
|
#
|
2005-04-12 22:37:11 +02:00
|
|
|
# You can invoke the SAME target using the
|
|
|
|
# following in this column:
|
|
|
|
#
|
|
|
|
# SAME:[nodst:]<address-range>[,<address-range>...]
|
|
|
|
#
|
|
|
|
# The <address-ranges> may be single addresses.
|
|
|
|
#
|
|
|
|
# SAME works like SNAT with the exception that the
|
|
|
|
# same local IP address is assigned to each connection
|
|
|
|
# from a local address to a given remote address. If
|
|
|
|
# the 'nodst:' option is included, then the same source
|
|
|
|
# address is used for a given internal system regardless
|
|
|
|
# of which remote system is involved.
|
|
|
|
#
|
2004-05-01 18:07:55 +02:00
|
|
|
# If you want to leave this column empty
|
|
|
|
# but you need to specify the next column then
|
|
|
|
# place a hyphen ("-") here.
|
|
|
|
#
|
|
|
|
# PROTO -- (Optional) If you wish to restrict this entry to a
|
|
|
|
# particular protocol then enter the protocol
|
|
|
|
# name (from /etc/protocols) or number here.
|
|
|
|
#
|
|
|
|
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
|
|
|
|
# or UDP (protocol 17) then you may list one
|
|
|
|
# or more port numbers (or names from
|
|
|
|
# /etc/services) separated by commas or you
|
|
|
|
# may list a single port range
|
|
|
|
# (<low port>:<high port>).
|
|
|
|
#
|
|
|
|
# Where a comma-separated list is given, your
|
|
|
|
# kernel and iptables must have multiport match
|
2004-05-01 19:26:02 +02:00
|
|
|
# support and a maximum of 15 ports may be
|
|
|
|
# listed.
|
2004-05-01 18:07:55 +02:00
|
|
|
#
|
2004-08-14 20:39:09 +02:00
|
|
|
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
|
|
|
# column, you must be running kernel 2.6 and
|
|
|
|
# your kernel and iptables must include policy
|
|
|
|
# match support.
|
|
|
|
#
|
2004-08-19 00:29:09 +02:00
|
|
|
# Comma-separated list of options from the following.
|
|
|
|
# Only packets that will be encrypted via an SA that
|
|
|
|
# matches these options will have their source address
|
|
|
|
# changed.
|
|
|
|
#
|
2004-12-31 19:18:19 +01:00
|
|
|
# Yes or yes -- must be the only option listed
|
|
|
|
# and matches all outbound traffic that will be
|
|
|
|
# encrypted.
|
|
|
|
#
|
2004-08-19 00:29:09 +02:00
|
|
|
# reqid=<number> where <number> is specified
|
|
|
|
# using setkey(8) using the 'unique:<number>
|
|
|
|
# option for the SPD level.
|
|
|
|
#
|
|
|
|
# spi=<number> where <number> is the SPI of
|
|
|
|
# the SA.
|
|
|
|
#
|
|
|
|
# proto=ah|esp|ipcomp
|
|
|
|
#
|
|
|
|
# mode=transport|tunnel
|
|
|
|
#
|
|
|
|
# tunnel-src=<address>[/<mask>] (only
|
|
|
|
# available with mode=tunnel)
|
|
|
|
#
|
|
|
|
# tunnel-dst=<address>[/<mask>] (only
|
|
|
|
# available with mode=tunnel)
|
|
|
|
#
|
2004-08-21 02:22:47 +02:00
|
|
|
# strict Means that packets must match all
|
|
|
|
# rules.
|
|
|
|
#
|
|
|
|
# next Separates rules; can only be used
|
|
|
|
# with strict..
|
2004-05-01 18:07:55 +02:00
|
|
|
#
|
2004-01-31 17:11:22 +01:00
|
|
|
# Example 1:
|
|
|
|
#
|
|
|
|
# You have a simple masquerading setup where eth0 connects to
|
|
|
|
# a DSL or cable modem and eth1 connects to your local network
|
|
|
|
# with subnet 192.168.0.0/24.
|
|
|
|
#
|
|
|
|
# Your entry in the file can be either:
|
|
|
|
#
|
|
|
|
# eth0 eth1
|
|
|
|
#
|
|
|
|
# or
|
|
|
|
#
|
|
|
|
# eth0 192.168.0.0/24
|
|
|
|
#
|
|
|
|
# Example 2:
|
|
|
|
#
|
|
|
|
# You add a router to your local network to connect subnet
|
|
|
|
# 192.168.1.0/24 which you also want to masquerade. You then
|
|
|
|
# add a second entry for eth0 to this file:
|
|
|
|
#
|
|
|
|
# eth0 192.168.1.0/24
|
|
|
|
#
|
|
|
|
# Example 3:
|
|
|
|
#
|
|
|
|
# You have an IPSEC tunnel through ipsec0 and you want to
|
|
|
|
# masquerade packets coming from 192.168.1.0/24 but only if
|
|
|
|
# these packets are destined for hosts in 10.1.1.0/24:
|
|
|
|
#
|
|
|
|
# ipsec0:10.1.1.0/24 196.168.1.0/24
|
|
|
|
#
|
|
|
|
# Example 4:
|
|
|
|
#
|
|
|
|
# You want all outgoing traffic from 192.168.1.0/24 through
|
|
|
|
# eth0 to use source address 206.124.146.176 which is NOT the
|
|
|
|
# primary address of eth0. You want 206.124.146.176 added to
|
|
|
|
# be added to eth0 with name eth0:0.
|
|
|
|
#
|
|
|
|
# eth0:0 192.168.1.0/24 206.124.146.176
|
|
|
|
#
|
2004-05-01 18:07:55 +02:00
|
|
|
# Example 5:
|
|
|
|
#
|
|
|
|
# You want all outgoing SMTP traffic entering the firewall
|
|
|
|
# on eth1 to be sent from eth0 with source IP address
|
|
|
|
# 206.124.146.177. You want all other outgoing traffic
|
|
|
|
# from eth1 to be sent from eth0 with source IP address
|
|
|
|
# 206.124.146.176.
|
|
|
|
#
|
|
|
|
# eth0 eth1 206.124.146.177 tcp smtp
|
|
|
|
# eth0 eth1 206.124.146.176
|
|
|
|
#
|
|
|
|
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
|
|
|
#
|
2005-04-17 16:54:43 +02:00
|
|
|
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
|
|
|
#
|
2004-05-01 04:20:58 +02:00
|
|
|
###############################################################################
|
2004-08-14 20:39:09 +02:00
|
|
|
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
2004-01-31 17:11:22 +01:00
|
|
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|