From 026c30cfff547654ee2401e896ab65cd25887963 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 15 Oct 2016 13:52:28 -0700
Subject: [PATCH] Update the documentation for /etc/shorewall/snat

Signed-off-by: Tom Eastep
---
 docs/FAQ.xml | 43 ++++++++++++++++++++++-
 docs/IPSEC-2.6.xml | 12 ++++---
 docs/Multiple_Zones.xml | 6 ++++
 docs/Shorewall_and_Aliased_Interfaces.xml | 39 ++++++++++++++++----
 docs/SimpleBridge.xml | 6 ++++
 docs/shorewall_setup_guide.xml | 25 +++++++++++--
 docs/three-interface.xml | 20 +++++++---
 docs/traffic_shaping.xml | 6 ++++
 docs/two-interface.xml | 30 ++++++++++------
 9 files changed, 154 insertions(+), 33 deletions(-)

diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index e17e4e959..444889d7f 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -494,6 +494,12 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1
 /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS PROTO PORT
 eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21
+ When running Shorewall 5.0.14 or later, the eqivalent
+ /etc/shorewall/snat file is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(192.168.1.1) 0.0.0.0/0 eth1:192.168.1.4 tcp 21
+
 This rule has the undesirable side effect of making all FTP connections from the net appear to the FTP server as if they originated on the Shorewall system. But it will force the FTP server
@@ -531,6 +537,12 @@ net eth0 routeback
 /etc/shorewall/masq;#INTERFACE SOURCE ADDRESS PROTO PORT
 eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat file is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(206.124.146.176) 0.0.0.0/0 eth0:66.249.93.111 tcp 993
+
 and in /etc/shorewall/shorewall.conf:
@@ -718,6 +730,12 @@ loc eth1 routeback
 #INTERFACE SOURCE ADDRESS PROTO PORT
 eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www
+ When running Shorewall 5.0.14 or later, the corresponding
+ /etc/shorewall/snat file is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(192.168.1.254) 192.168.1.0/24 eth1:192.168.1.5 tcp www
+
 Note: The technique described here is known as hairpinning NAT and is described in section 6 of RFC
@@ -727,6 +745,11 @@ loc eth1 routeback
 #INTERFACE SOURCE ADDRESS PROTO PORT
 eth1:192.168.1.5 192.168.1.0/24 130.151.100.69 tcp www
+
+ Equivalent /etc/shorewall/snat:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(130.151.100.69) 192.168.1.0/24 eth1:192.168.1.5 tcp www
@@ -852,6 +875,12 @@ dmz eth2 routeback
 #INTERFACE SOURCE
 eth2:192.168.1.2 192.168.2.0/24
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www
+
 In /etc/shorewall/nat, be sure that you have Yes in the ALL INTERFACES column.
@@ -3191,11 +3220,17 @@ loc $FW ACCEPT
 #INTERFACE SOURCE ADDRESS
-COMMENT DSL Modem
+?COMMENT DSL Modem
 EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:192.168.1.2 tcp www
+
 /etc/shorewall/proxyarp:
 #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
@@ -3233,6 +3268,12 @@ COMMENT DSL Modem
 EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
+
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(192.168.1.254) 0.0.0.0/0 EXT_IF:192.168.1.1 tcp www
diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 5fd1f31e6..9e1371bb7 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -152,11 +152,13 @@
- In /etc/shorewall/masq, traffic that will
- later be encrypted is exempted from MASQUERADE/SNAT using existing
- entries. If you want to MASQUERADE/SNAT outgoing traffic that will
- later be encrypted, you must include the appropriate indication in the
- new IPSEC column in that file.
+ In /etc/shorewall/masq
+ (/etc/shorewall/snat when running Shorewall
+ 5.0.14 or later), traffic that will later be encrypted is exempted
+ from MASQUERADE/SNAT using existing entries. If you want to
+ MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
+ must include the appropriate indication in the IPSEC column in that
+ file.
diff --git a/docs/Multiple_Zones.xml b/docs/Multiple_Zones.xml
index 8bdbb25a8..7467bc568 100644
--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -349,6 +349,12 @@ loc eth0:192.168.1.0/24 maclist
 #INTERFACE SOURCE ADDRESS
 eth0:!192.168.1.0/24 192.168.1.0/24
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+MASQUERADE 0.0.0.0/0 eth0:!192.168.1.0/24
+
 Note that the maclist option is specified in /etc/shorewall/interfaces. This is to help protect your router from unauthorized access by your friends and
diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml
index 5d063596b..6632c3126 100644
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -200,10 +200,22 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
 #INTERFACE SUBNET ADDRESS
 eth0 192.168.1.0/24 206.124.146.178
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(206.124.146.178) 0.0.0.0/0 eth0
+
 Similarly, you want SMTP traffic from local system 192.168.1.22 to have source IP 206.124.146.178:#INTERFACE SUBNET ADDRESS PROTO DPORT
 eth0 192.168.1.22 206.124.146.178 tcp 25
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(206.124.146.178) 0.0.0.0/0 eth0 tcp 25
+
 Shorewall can create the alias (additional address) for you if you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
@@ -220,16 +232,29 @@ eth0 192.168.1.22 206.124.146.178 tcp 25
 /etc/shorewall/masq#INTERFACE SUBNET ADDRESS
-eth0:0 192.168.1.0/24 206.124.146.178Shorewall
- can also set up SNAT to round-robin over a range of IP addresses. To do
- that, you specify a range of IP addresses in the ADDRESS column. If you
- specify a label in the INTERFACE column, Shorewall will use that label
- for the first address of the range and will increment the label by one
- for each subsequent label.
+eth0:0 192.168.1.0/24 206.124.146.178
- /etc/shorewall/masq#INTERFACE SUBNET ADDRESS
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(206.124.146.178) 192.168.1.0/24 eth0
+
+ Shorewall can also set up SNAT to round-robin over a range of IP
+ addresses. To do that, you specify a range of IP addresses in the
+ ADDRESS column. If you specify a label in the INTERFACE column,
+ Shorewall will use that label for the first address of the range and
+ will increment the label by one for each subsequent label.
+
+ /etc/shorewall/masq#INTERFACE SOURCE ADDRESS
 eth0:0 192.168.1.0/24 206.124.146.178-206.124.146.180
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(206.124.146.178-206.24.146.80) 192.168.1.0/24 eth0
+
 The above would create three IP addresses:
 eth0:0 = 206.124.146.178
diff --git a/docs/SimpleBridge.xml b/docs/SimpleBridge.xml
index a77d6f3da..f3c3307ee 100644
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -145,5 +145,11 @@ loc br0
 #INTERFACE SOURCE ADDRESS
 eth0 10.0.1.0/24 ... # 10.0.1.0/24 is the local network on LAN A and LAN B
+
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+MASQUERADE 10.0.1.0/24 eth0
diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml
index 0f3e8906b..4dce36a7a 100644
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -1373,12 +1373,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
 SNAT is configured in Shorewall using the /etc/shorewall/masq
- file.
+ file (/etc/shorewall/snat when running Shorewall 5.0.14 or
+ later):
- #INTERFACE SUBNET ADDRESS
+ #INTERFACE SOURCE ADDRESS
 eth0 192.168.201.0/29 192.0.2.176
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(192.0.2.176) 192.168.201.0/24 eth0
+
 This example used the normal technique of assigning the same public IP address for the firewall external interface and for SNAT. If you wanted to use a different IP address, you would either have to use
@@ -1592,9 +1599,15 @@ DNAT net loc:192.168.201.4 tcp www
 connections. This is done with the following entry in /etc/shorewall/masq:
- #INTERFACE SUBNET ADDRESS
+ #INTERFACE SOURCE ADDRESS
 eth0 192.168.201.0/29 192.0.2.176
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(192.0.2.176) 192.168.201.0/24 eth0
+
 Suppose now that you have decided to give your daughter her own
@@ -1816,6 +1829,12 @@ dmz eth2
 #INTERFACE SUBNET ADDRESS
 eth0 192.168.201.0/29 192.0.2.176
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat is:
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(192.02.176) 192.168.201.0/24 eth0
+
 /etc/shorewall/proxyarp - DMZ
 #ADDRESS EXTERNAL INTERFACE HAVE ROUTE
diff --git a/docs/three-interface.xml b/docs/three-interface.xml
index a25366d02..943f81edc 100644
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -647,16 +647,18 @@ root@lists:~#
 In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq
- file.
+ class="directory">/etc/shorewall/masq file
+ (/etc/shorewall/snat when running Shorewall 5.0.14 or
+ later).
 If your external firewall interface is eth0 then you do not need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq and
- change it to match your configuration.
+ class="directory">/etc/shorewall/masq or
+ /etc/shorewall/snat and change it to match your
+ configuration.
 If, in spite of all advice to the contrary, you are using this guide and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
@@ -670,8 +672,14 @@ root@lists:~#
 class="directory">/etc/shorewall/masq entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing
- outgoing packets a little more efficient.
+ outgoing packets a little more efficient. When running Shorewall 5.0.14 or
+ later, the rule in /etc/shorewall/snat must be change from a MASQUERADE
+ rule to an SNAT rule.
+
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(static-ip) ...
+
+ If you are using the Debian package, please check your shorewall.conf file to ensure that the
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index bb61a405f..ce912a62e 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1652,6 +1652,12 @@ DNAT net dmz:192.168.4.5 tcp 80 -
 /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS
 eth0 192.168.1.0/24 206.124.146.179
+ When running Shorewall 5.0.14 or later, the equivalent
+ /etc/shorewall/snat would be:
+
+ #ACTION SOURCE DEST ...
+SNAT(206.124.146.179) 192.168.1.0/24 eth0
+
 HTTP response packets corresponding to requests that fall under that rule will have destination IP address 206.124.146.179 and source port 80.
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index 1f40b8a44..4a7b18b9d 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -601,7 +601,8 @@ root@lists:~#
 SNAT are configured with entries in the /etc/shorewall/masq
- file. You will normally use Masquerading if your external
+ file (/etc/shorewall/snat when running Shorewall
+ 5.0.14 or later). You will normally use Masquerading if your external
 IP is dynamic and SNAT if the IP is static.
@@ -611,8 +612,9 @@ root@lists:~#
 class="devicefile">eth0, you do not need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq and
- change the first column to the name of your external interface.
+ class="directory">/etc/shorewall/masq or
+ /etc/shorewall/snat and change it to match your
+ configuration.
@@ -622,14 +624,19 @@ root@lists:~#
 entry if you like although your firewall will work fine if you leave that column empty (Masquerade). Entering your static IP in column 3 (SNAT) makes the processing of outgoing packets a little more
- efficient.
+ efficient. When running Shorewall 5.0.14 or later, the rule in
+ /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
+ rule.
-
+ #ACTION SOURCE DEST PROTO PORT
+SNAT(static-ip) ...
- If you are using the Debian package, please
- check your shorewall.conf file to ensure that the
- following is set correctly; if it is not, change it
- appropriately:
+ If you are
+ using the Debian package, please check your
+ shorewall.conf file to ensure that the following is
+ set correctly; if it is not, change it appropriately:
+ IP_FORWARDING=On
@@ -1253,8 +1260,9 @@ eth0 10.0.0.0/8,\
 192.168.0.0/16
- then you do not need to change
- the contents.
+ or of you are running Shorewall 5.0.14 or later, then you do
+ not need to change the
+ contents.
 Otherwise, if your Internet interface is eth0 and your wireless interface is