Update the documentation for /etc/shorewall/snat

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-10-15 13:52:28 -07:00
parent e1de1f0527
commit 026c30cfff
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
9 changed files with 154 additions and 33 deletions

View File

@ -494,6 +494,12 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1
<filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the eqivalent
<filename>/etc/shorewall/snat</filename> file is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.168.1.1) 0.0.0.0/0 eth1:192.168.1.4 tcp 21</programlisting>
<para>This rule has the undesirable side effect of making all FTP
connections from the net appear to the FTP server as if they
originated on the Shorewall system. But it will force the FTP server
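Review bot: the added paragraph misspells "equivalent" in `When running Shorewall 5.0.14 or later, the eqivalent`; suggest `the equivalent` to match the wording used in the other added paragraphs. The snat rule itself, `SNAT(192.168.1.1) 0.0.0.0/0 eth1:192.168.1.4 tcp 21`, carries over the source, interface, address, protocol and port of the masq entry above it correctly.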
@ -531,6 +537,12 @@ net eth0 <emphasis role="bold">routeback</emphasi
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
/etc/shorewall/snat file is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.176) 0.0.0.0/0 eth0:66.249.93.111 tcp 993</programlisting>
<para>and in
<filename>/etc/shorewall/shorewall.conf</filename>:</para>
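Review bot: the context line `<para><filename>/etc/shorewall/masq</filename>;<programlisting>` ends the filename with a semicolon where the neighbouring examples use a colon; since this paragraph is being touched, that is worth fixing in the same commit. The new `SNAT(206.124.146.176) 0.0.0.0/0 eth0:66.249.93.111 tcp 993` rule matches the masq entry it replaces.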
@ -718,6 +730,12 @@ loc eth1 <emphasis role="bold">routeback</emphasi
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
<emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting>
<para>When running Shorewall 5.0.14 or later, the corresponding
<filename>/etc/shorewall/snat</filename> file is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
<emphasis role="bold">SNAT(192.168.1.254) 192.168.1.0/24 eth1:192.168.1.5 tcp www</emphasis></programlisting>
<para>Note: The technique described here is known as
<firstterm>hairpinning NAT</firstterm> and is described in section 6
of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC
@ -727,6 +745,11 @@ loc eth1 <emphasis role="bold">routeback</emphasi
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
<para>Equivalent <filename>/etc/shorewall/snat</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(<emphasis role="bold">130.151.100.69</emphasis>) 192.168.1.0/24 eth1:192.168.1.5 tcp www</programlisting>
</listitem>
<listitem>
@ -852,6 +875,12 @@ dmz eth2 <emphasis role="bold">routeback</emphasi
<programlisting>#INTERFACE SOURCE
eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www</programlisting>
<para>In <filename>/etc/shorewall/nat</filename>, be sure that you
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
</example>
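Review bot: the added snat rule does not match the masq entry it claims to be equivalent to. The masq line is `eth2:192.168.1.2 192.168.2.0/24`, so the SOURCE should be `192.168.2.0/24`, not `192.168.1.0/24`, and the masq entry has no PROTO/PORT, so the trailing `tcp www` in `MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www` narrows the rule to HTTP only. Suggest `MASQUERADE 192.168.2.0/24 eth2:192.168.1.2`.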
@ -3191,11 +3220,17 @@ loc $FW ACCEPT</programlisting>
<programlisting>#INTERFACE SOURCE ADDRESS
COMMENT DSL Modem
?COMMENT DSL Modem
EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:192.168.1.2 tcp www</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
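Review bot: the DEST address in the added rule is wrong. The masq entry is `EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254`, so the equivalent snat rule should read `SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:172.20.1.2`; the committed line uses `EXT_IF:192.168.1.2`, which belongs to the next hunk's example, and also appends `tcp www`, which the masq entry does not have. Both changes would make the snat rule apply to different traffic than the masq rule it is documented as replacing.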
@ -3233,6 +3268,12 @@ COMMENT DSL Modem
EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.168.1.254) 0.0.0.0/0 EXT_IF:192.168.1.1 tcp www</programlisting>
</listitem>
</itemizedlist>
</section>
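Review bot: the masq entry `EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254` has no PROTO or PORT, but the added equivalent `SNAT(192.168.1.254) 0.0.0.0/0 EXT_IF:192.168.1.1 tcp www` restricts SNAT to TCP port 80. Unless the intent is to narrow the example, drop the trailing `tcp www` so the two rules actually match.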

View File

@ -152,11 +152,13 @@
<orderedlist>
<listitem>
<para>In <filename>/etc/shorewall/masq</filename>, traffic that will
later be encrypted is exempted from MASQUERADE/SNAT using existing
entries. If you want to MASQUERADE/SNAT outgoing traffic that will
later be encrypted, you must include the appropriate indication in the
new IPSEC column in that file.</para>
<para>In <filename>/etc/shorewall/masq</filename>
(<filename>/etc/shorewall/snat</filename> when running Shorewall
5.0.14 or later), traffic that will later be encrypted is exempted
from MASQUERADE/SNAT using existing entries. If you want to
MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
must include the appropriate indication in the IPSEC column in that
file. </para>
</listitem>
<listitem>

View File

@ -349,6 +349,12 @@ loc eth0:192.168.1.0/24 maclist</programlisting>
<programlisting>#INTERFACE SOURCE ADDRESS
eth0:!192.168.1.0/24 192.168.1.0/24</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
MASQUERADE 0.0.0.0/0 eth0:!192.168.1.0/24</programlisting>
<para>Note that the <emphasis role="bold">maclist</emphasis> option is
specified in <filename>/etc/shorewall/interfaces</filename>. This is to
help protect your router from unauthorized access by your friends and
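Review bot: the SOURCE column of the added rule differs from the masq entry. The masq line `eth0:!192.168.1.0/24 192.168.1.0/24` masquerades traffic from `192.168.1.0/24` only, whereas `MASQUERADE 0.0.0.0/0 eth0:!192.168.1.0/24` masquerades everything leaving eth0 to addresses outside that network. Suggest `MASQUERADE 192.168.1.0/24 eth0:!192.168.1.0/24`.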

View File

@ -200,10 +200,22 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.178</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178) 0.0.0.0/0 eth0</programlisting>
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178) 0.0.0.0/0 eth0 tcp 25</programlisting>
<para>Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in
<filename>/etc/shorewall/shorewall.con</filename>f.</para>
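Review bot: both added snat rules in this hunk use `0.0.0.0/0` as SOURCE where the masq entries they translate are scoped to a subnet or host: `eth0 192.168.1.0/24 206.124.146.178` should become `SNAT(206.124.146.178) 192.168.1.0/24 eth0`, and `eth0 192.168.1.22 206.124.146.178 tcp 25` should become `SNAT(206.124.146.178) 192.168.1.22 eth0 tcp 25`. As written, the second rule would rewrite the source of all outgoing SMTP, not just that of 192.168.1.22, which contradicts the sentence introducing it. Separately, the context line `<filename>/etc/shorewall/shorewall.con</filename>f.` has the closing tag inside the filename; since this paragraph is adjacent to the change, it is worth moving the `f` inside the element.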
@ -220,16 +232,29 @@ eth0 192.168.1.22 206.124.146.178 tcp 25</progra
the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS
eth0:0 192.168.1.0/24 206.124.146.178</programlisting>Shorewall
can also set up SNAT to round-robin over a range of IP addresses. To do
that, you specify a range of IP addresses in the ADDRESS column. If you
specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one
for each subsequent label.</para>
eth0:0 192.168.1.0/24 206.124.146.178</programlisting></para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178) 192.168.1.0/24 eth0</programlisting>
<para>Shorewall can also set up SNAT to round-robin over a range of IP
addresses. To do that, you specify a range of IP addresses in the
ADDRESS column. If you specify a label in the INTERFACE column,
Shorewall will use that label for the first address of the range and
will increment the label by one for each subsequent label.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SOURCE ADDRESS
eth0:0 192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178-206.24.146.80) 192.168.1.0/24 eth0</programlisting>
<para>The above would create three IP addresses:</para>
<programlisting>eth0:0 = 206.124.146.178
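Review bot: the address range in the added rule is garbled. The masq entry shows `206.124.146.178-206.124.146.180`, but the snat line reads `SNAT(206.124.146.178-206.24.146.80)`, which is a different (and much larger) range; suggest `SNAT(206.124.146.178-206.124.146.180) 192.168.1.0/24 eth0`. Two smaller points in the same hunk: the masq entries keep the `eth0:0` label but the snat equivalents show a bare `eth0`, while the following paragraph and the `eth0:0 = 206.124.146.178` listing still rely on that label to name the aliases, so the text should say where (or whether) the label goes in the snat file; and the moved sentence `will increment the label by one for each subsequent label` presumably means `for each subsequent address`.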

View File

@ -145,5 +145,11 @@ loc <emphasis role="bold">br0</emphasis> <emphasis
<programlisting>#INTERFACE SOURCE ADDRESS
eth0 10.0.1.0/24 ... # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
MASQUERADE 10.0.1.0/24 eth0</programlisting>
</section>
</article>

View File

@ -1373,12 +1373,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
<member>SNAT is configured in Shorewall using the <filename><ulink
url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
file.</member>
file (/etc/shorewall/snat when running Shorewall 5.0.14 or
later):</member>
</simplelist>
<programlisting>#INTERFACE SUBNET ADDRESS
<programlisting>#INTERFACE SOURCE ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.0.2.176) 192.168.201.0/24 eth0</programlisting>
<para>This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. If
you wanted to use a different IP address, you would either have to use
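Review bot: the subnet mask in the added rule does not match the masq entry. The masq line is `eth0 192.168.201.0/29 192.0.2.176`, but the snat line is `SNAT(192.0.2.176) 192.168.201.0/24 eth0`; `/29` covers eight addresses and `/24` covers 256, so the snat rule would apply SNAT to a wider source range than the masq rule it is presented as equivalent to. Suggest `192.168.201.0/29`.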
@ -1592,9 +1599,15 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
connections. This is done with the following entry in
<filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
<programlisting>#INTERFACE SOURCE ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.0.2.176) 192.168.201.0/24 eth0</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Suppose now that you have decided to give your daughter her own
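Review bot: same mask mismatch as in the earlier hunk: the masq entry uses `192.168.201.0/29` but the added `SNAT(192.0.2.176) 192.168.201.0/24 eth0` uses `/24`. Suggest `SNAT(192.0.2.176) 192.168.201.0/29 eth0` so that the two rules select the same source addresses.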
@ -1816,6 +1829,12 @@ dmz eth2</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.02.176) 192.168.201.0/24 eth0</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename> - DMZ</para>
<programlisting>#ADDRESS EXTERNAL INTERFACE HAVE ROUTE

View File

@ -647,16 +647,18 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist> In Shorewall, both Masquerading and SNAT are configured
with entries in the <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename>
file.</para>
class="directory">/etc/shorewall/</filename><filename>masq</filename> file
(<filename>/etc/shorewall/snat</filename> when running Shorewall 5.0.14 or
later).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename
class="devicefile">eth0</filename> then you do not need to modify the file
provided with the sample. Otherwise, edit <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change it to match your configuration.</para>
class="directory">/etc/shorewall/</filename><filename>masq</filename> or
<filename>/etc/shorewall/snat</filename> and change it to match your
configuration.</para>
<para>If, in spite of all advice to the contrary, you are using this guide
and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
@ -670,8 +672,14 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename>
entry if you like although your firewall will work fine if you leave that
column empty. Entering your static IP in column 3 makes processing
outgoing packets a little more efficient.<graphic align="left"
fileref="images/openlogo-nd-25.png"/></para>
outgoing packets a little more efficient. When running Shorewall 5.0.14 or
later, the rule in /etc/shorewall/snat must be change from a MASQUERADE
rule to an SNAT rule.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis> ...</programlisting>
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
<para><emphasis role="bold">If you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the
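Review bot: grammar in the added sentence: `the rule in /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT rule` should read `must be changed`. The same sentence names the file as plain text while the rest of this hunk wraps paths in `<filename>`; suggest `<filename>/etc/shorewall/snat</filename>` for consistency with the lines above it.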

View File

@ -1652,6 +1652,12 @@ DNAT net dmz:192.168.4.5 tcp 80 -
<filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS
eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> would be:</para>
<programlisting>#ACTION SOURCE DEST ...
SNAT(206.124.146.179) 192.168.1.0/24 eth0</programlisting>
<para>HTTP response packets corresponding to requests that fall
under that rule will have destination IP address 206.124.146.179 and
<emphasis role="bold">source</emphasis> port 80.</para>

View File

@ -601,7 +601,8 @@ root@lists:~# </programlisting>
<emphasis><acronym>SNAT</acronym></emphasis> are configured with entries
in the <ulink url="manpages/shorewall-masq.html"><filename
class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink>
file. You will normally use Masquerading if your external
file (<filename>/etc/shorewall/snat</filename> when running Shorewall
5.0.14 or later). You will normally use Masquerading if your external
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para>
@ -611,8 +612,9 @@ root@lists:~# </programlisting>
class="devicefile">eth0</filename>, you do not need to modify the file
provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
<filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change the first column to the name of your external interface.</para>
class="directory">/etc/shorewall/</filename><filename>masq</filename> or
<filename>/etc/shorewall/snat</filename> and change it to match your
configuration.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
@ -622,14 +624,19 @@ root@lists:~# </programlisting>
entry if you like although your firewall will work fine if you leave that
column empty (Masquerade). Entering your static <acronym>IP</acronym> in
column 3 (SNAT) makes the processing of outgoing packets a little more
efficient.</para>
efficient. When running Shorewall 5.0.14 or later, the rule in
/etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
rule.</para>
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
<programlisting>#ACTION SOURCE DEST PROTO PORT
<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis> ...</programlisting>
<para>I<emphasis role="bold">f you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the
following is set correctly; if it is not, change it
appropriately:</emphasis> <itemizedlist spacing="compact">
<para><graphic align="left"
fileref="images/openlogo-nd-25.png"/>I<emphasis role="bold">f you are
using the Debian package, please check your
<filename>shorewall.conf</filename> file to ensure that the following is
set correctly; if it is not, change it appropriately:</emphasis>
<itemizedlist spacing="compact">
<listitem>
<para><varname>IP_FORWARDING=On</varname></para>
</listitem>
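Review bot: two wording points in the added lines. `the rule in /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT rule` should read `must be changed`, and the path should be wrapped in `<filename>` like the other paths in this hunk. The rewritten Debian paragraph also carries over the stray capital from the old text: `I<emphasis role="bold">f you are using the Debian package` leaves the `I` outside the bold span, so the rendered output bolds "f you are using ..." only; moving the `I` inside the `<emphasis>` fixes this while the paragraph is being rewritten anyway.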
@ -1253,8 +1260,9 @@ eth0 10.0.0.0/8,\
192.168.0.0/16
</programlisting>
<para>then you do <emphasis role="bold">not</emphasis> need to change
the contents.</para>
<para>or of you are running Shorewall 5.0.14 or later, then you do
<emphasis role="bold">not</emphasis> need to change the
contents.</para>
<para>Otherwise, if your Internet interface is <filename
class="devicefile">eth0</filename> and your wireless interface is