Update the documentation for /etc/shorewall/snat

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-10-15 13:52:28 -07:00
parent e1de1f0527
commit 026c30cfff
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
9 changed files with 154 additions and 33 deletions

View File

@ -494,6 +494,12 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1
<filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</programlisting></para> eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the eqivalent
<filename>/etc/shorewall/snat</filename> file is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.168.1.1) 0.0.0.0/0 eth1:192.168.1.4 tcp 21</programlisting>
<para>This rule has the undesirable side effect of making all FTP <para>This rule has the undesirable side effect of making all FTP
connections from the net appear to the FTP server as if they connections from the net appear to the FTP server as if they
originated on the Shorewall system. But it will force the FTP server originated on the Shorewall system. But it will force the FTP server
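Review bot: typo in the added lead-in, `<para>When running Shorewall 5.0.14 or later, the eqivalent`: `eqivalent` should read `equivalent`. The rule itself is a faithful translation of the masq entry above it (source 0.0.0.0/0, destination eth1:192.168.1.4, tcp 21), so no change needed there.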
@ -531,6 +537,12 @@ net eth0 <emphasis role="bold">routeback</emphasi
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para> eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
/etc/shorewall/snat file is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.176) 0.0.0.0/0 eth0:66.249.93.111 tcp 993</programlisting>
<para>and in <para>and in
<filename>/etc/shorewall/shorewall.conf</filename>:</para> <filename>/etc/shorewall/shorewall.conf</filename>:</para>
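Review bot: style: the added lead-in leaves `/etc/shorewall/snat file is:</para>` as bare text while every other hunk in this patch wraps the path in `<filename>`; suggest `<filename>/etc/shorewall/snat</filename> file is:</para>` for consistency. The SNAT rule matches the masq entry (source 0.0.0.0/0, destination eth0:66.249.93.111, tcp 993).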
@ -718,6 +730,12 @@ loc eth1 <emphasis role="bold">routeback</emphasi
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT <programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
<emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting> <emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting>
<para>When running Shorewall 5.0.14 or later, the corresponding
<filename>/etc/shorewall/snat</filename> file is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
<emphasis role="bold">SNAT(192.168.1.254) 192.168.1.0/24 eth1:192.168.1.5 tcp www</emphasis></programlisting>
<para>Note: The technique described here is known as <para>Note: The technique described here is known as
<firstterm>hairpinning NAT</firstterm> and is described in section 6 <firstterm>hairpinning NAT</firstterm> and is described in section 6
of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC
@ -727,6 +745,11 @@ loc eth1 <emphasis role="bold">routeback</emphasi
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT <programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting> eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
<para>Equivalent <filename>/etc/shorewall/snat</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(<emphasis role="bold">130.151.100.69</emphasis>) 192.168.1.0/24 eth1:192.168.1.5 tcp www</programlisting>
</listitem> </listitem>
<listitem> <listitem>
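Review bot: the lead-in `<para>Equivalent <filename>/etc/shorewall/snat</filename>:</para>` drops the "When running Shorewall 5.0.14 or later" qualifier that the other added snat examples carry, so a reader landing on this list item gets no hint that the snat file only exists from 5.0.14 on. Suggest the same phrasing as the preceding hunk. The rule translation (SNAT(130.151.100.69) 192.168.1.0/24 eth1:192.168.1.5 tcp www) is correct.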
@ -852,6 +875,12 @@ dmz eth2 <emphasis role="bold">routeback</emphasi
<programlisting>#INTERFACE SOURCE <programlisting>#INTERFACE SOURCE
eth2:192.168.1.2 192.168.2.0/24</programlisting> eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www</programlisting>
<para>In <filename>/etc/shorewall/nat</filename>, be sure that you <para>In <filename>/etc/shorewall/nat</filename>, be sure that you
have <quote>Yes</quote> in the ALL INTERFACES column.</para> have <quote>Yes</quote> in the ALL INTERFACES column.</para>
</example> </example>
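Review bot: the added rule is not equivalent to the masq entry it replaces. The masq line `eth2:192.168.1.2 192.168.2.0/24` has source 192.168.2.0/24 and no PROTO/PORT restriction, but `MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www` changes the source network to 192.168.1.0/24 and narrows the rule to TCP port 80, so traffic from the documented network to the DMZ host would no longer be masqueraded at all. Suggest `MASQUERADE 192.168.2.0/24 eth2:192.168.1.2` with the PROTO and PORT columns left empty.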
@ -3191,11 +3220,17 @@ loc $FW ACCEPT</programlisting>
<programlisting>#INTERFACE SOURCE ADDRESS <programlisting>#INTERFACE SOURCE ADDRESS
COMMENT DSL Modem ?COMMENT DSL Modem
EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254 EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
</programlisting> </programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:192.168.1.2 tcp www</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para> <para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
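Review bot: the DEST column of the added rule names the wrong host and the rule is narrower than the original. The masq line is `EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254` (any source, destination 172.20.1.2, no protocol restriction), whereas `SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:192.168.1.2 tcp www` points at 192.168.1.2, an address from the next hunk's example, and adds `tcp www`. Suggest `SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:172.20.1.2`; this rule is what lets the firewall reach the DSL modem, and a port-80-only version would leave every other protocol to the modem without SNAT.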
@ -3233,6 +3268,12 @@ COMMENT DSL Modem
EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</programlisting> </programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.168.1.254) 0.0.0.0/0 EXT_IF:192.168.1.1 tcp www</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
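Review bot: `tcp www` in the added rule `SNAT(192.168.1.254) 0.0.0.0/0 EXT_IF:192.168.1.1 tcp www` has no counterpart in the masq entry it translates (`EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254`, which has no PROTO/PORT columns), so the snat version only SNATs TCP port 80. Suggest dropping `tcp www` so the two examples stay equivalent.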

View File

@ -152,11 +152,13 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/masq</filename>, traffic that will <para>In <filename>/etc/shorewall/masq</filename>
later be encrypted is exempted from MASQUERADE/SNAT using existing (<filename>/etc/shorewall/snat</filename> when running Shorewall
entries. If you want to MASQUERADE/SNAT outgoing traffic that will 5.0.14 or later), traffic that will later be encrypted is exempted
later be encrypted, you must include the appropriate indication in the from MASQUERADE/SNAT using existing entries. If you want to
new IPSEC column in that file.</para> MASQUERADE/SNAT outgoing traffic that will later be encrypted, you
must include the appropriate indication in the IPSEC column in that
file. </para>
</listitem> </listitem>
<listitem> <listitem>

View File

@ -349,6 +349,12 @@ loc eth0:192.168.1.0/24 maclist</programlisting>
<programlisting>#INTERFACE SOURCE ADDRESS <programlisting>#INTERFACE SOURCE ADDRESS
eth0:!192.168.1.0/24 192.168.1.0/24</programlisting> eth0:!192.168.1.0/24 192.168.1.0/24</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
MASQUERADE 0.0.0.0/0 eth0:!192.168.1.0/24</programlisting>
<para>Note that the <emphasis role="bold">maclist</emphasis> option is <para>Note that the <emphasis role="bold">maclist</emphasis> option is
specified in <filename>/etc/shorewall/interfaces</filename>. This is to specified in <filename>/etc/shorewall/interfaces</filename>. This is to
help protect your router from unauthorized access by your friends and help protect your router from unauthorized access by your friends and
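Review bot: the SOURCE column of the added rule is wrong. The masq entry `eth0:!192.168.1.0/24 192.168.1.0/24` masquerades traffic from 192.168.1.0/24 leaving eth0 for any destination outside 192.168.1.0/24, but `MASQUERADE 0.0.0.0/0 eth0:!192.168.1.0/24` matches every source address rather than just the 192.168.1.0/24 network that the `loc eth0:192.168.1.0/24 maclist` line above defines. Suggest `MASQUERADE 192.168.1.0/24 eth0:!192.168.1.0/24`.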

View File

@ -200,10 +200,22 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.178</programlisting> eth0 192.168.1.0/24 206.124.146.178</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178) 0.0.0.0/0 eth0</programlisting>
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para> eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178) 0.0.0.0/0 eth0 tcp 25</programlisting>
<para>Shorewall can create the alias (additional address) for you if you <para>Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in set ADD_SNAT_ALIASES=Yes in
<filename>/etc/shorewall/shorewall.con</filename>f.</para> <filename>/etc/shorewall/shorewall.con</filename>f.</para>
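Review bot: both added rules use SOURCE `0.0.0.0/0` where the masq entries they translate are restricted. `eth0 192.168.1.0/24 206.124.146.178` should become `SNAT(206.124.146.178) 192.168.1.0/24 eth0`, and `eth0 192.168.1.22 206.124.146.178 tcp 25` should become `SNAT(206.124.146.178) 192.168.1.22 eth0 tcp 25`; as written, the second rule applies the SMTP source address to every host, which defeats the point of the example ("SMTP traffic from local system 192.168.1.22"). Unrelated to this change, the context line `<filename>/etc/shorewall/shorewall.con</filename>f.` closes the tag one character early; worth fixing while the section is being touched.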
@ -220,16 +232,29 @@ eth0 192.168.1.22 206.124.146.178 tcp 25</progra
the INTERFACE column as follows.</para> the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS <para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS
eth0:0 192.168.1.0/24 206.124.146.178</programlisting>Shorewall eth0:0 192.168.1.0/24 206.124.146.178</programlisting></para>
can also set up SNAT to round-robin over a range of IP addresses. To do
that, you specify a range of IP addresses in the ADDRESS column. If you
specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one
for each subsequent label.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS <para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178) 192.168.1.0/24 eth0</programlisting>
<para>Shorewall can also set up SNAT to round-robin over a range of IP
addresses. To do that, you specify a range of IP addresses in the
ADDRESS column. If you specify a label in the INTERFACE column,
Shorewall will use that label for the first address of the range and
will increment the label by one for each subsequent label.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SOURCE ADDRESS
eth0:0 192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para> eth0:0 192.168.1.0/24 206.124.146.178-206.124.146.180</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(206.124.146.178-206.24.146.80) 192.168.1.0/24 eth0</programlisting>
<para>The above would create three IP addresses:</para> <para>The above would create three IP addresses:</para>
<programlisting>eth0:0 = 206.124.146.178 <programlisting>eth0:0 = 206.124.146.178
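Review bot: the address range in the added rule is mistyped: `SNAT(206.124.146.178-206.24.146.80)` should be `SNAT(206.124.146.178-206.124.146.180)` to match the masq entry `206.124.146.178-206.124.146.180` and the "three IP addresses" the following paragraph enumerates. Also, both new snat rules drop the `eth0:0` label that the masq entries carry in the INTERFACE column, while the retained paragraph still explains that the label names the first alias and is incremented for each subsequent address. If the snat DEST column accepts the same label syntax, keep `eth0:0` so the example still illustrates that paragraph; if it does not, the paragraph needs a sentence on how aliases are named when using the snat file.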

View File

@ -145,5 +145,11 @@ loc <emphasis role="bold">br0</emphasis> <emphasis
<programlisting>#INTERFACE SOURCE ADDRESS <programlisting>#INTERFACE SOURCE ADDRESS
eth0 10.0.1.0/24 ... # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting> eth0 10.0.1.0/24 ... # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
MASQUERADE 10.0.1.0/24 eth0</programlisting>
</section> </section>
</article> </article>

View File

@ -1373,12 +1373,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
<member>SNAT is configured in Shorewall using the <filename><ulink <member>SNAT is configured in Shorewall using the <filename><ulink
url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename> url="manpages/shorewall-masq.html">/etc/shorewall/masq</ulink></filename>
file.</member> file (/etc/shorewall/snat when running Shorewall 5.0.14 or
later):</member>
</simplelist> </simplelist>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SOURCE ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting> eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.0.2.176) 192.168.201.0/24 eth0</programlisting>
<para>This example used the normal technique of assigning the same <para>This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. If public IP address for the firewall external interface and for SNAT. If
you wanted to use a different IP address, you would either have to use you wanted to use a different IP address, you would either have to use
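Review bot: the prefix length changed in translation: the masq entry is `eth0 192.168.201.0/29 192.0.2.176` but the added rule is `SNAT(192.0.2.176) 192.168.201.0/24 eth0`. A /24 covers far more than the /29 used throughout this example, so use `192.168.201.0/29`. The SUBNET-to-SOURCE header fix on the old listing is a good catch.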
@ -1592,9 +1599,15 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
connections. This is done with the following entry in connections. This is done with the following entry in
<filename>/etc/shorewall/masq</filename>:</para> <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SOURCE ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting> eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.0.2.176) 192.168.201.0/24 eth0</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para> <para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>Suppose now that you have decided to give your daughter her own <para>Suppose now that you have decided to give your daughter her own
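Review bot: same /29 versus /24 mismatch as the earlier hunk in this file: `SNAT(192.0.2.176) 192.168.201.0/24 eth0` should read `192.168.201.0/29` to match the masq entry `eth0 192.168.201.0/29 192.0.2.176` directly above it.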
@ -1816,6 +1829,12 @@ dmz eth2</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SUBNET ADDRESS
eth0 192.168.201.0/29 192.0.2.176</programlisting> eth0 192.168.201.0/29 192.0.2.176</programlisting>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> is:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
SNAT(192.02.176) 192.168.201.0/24 eth0</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename> - DMZ</para> <para><filename>/etc/shorewall/proxyarp</filename> - DMZ</para>
<programlisting>#ADDRESS EXTERNAL INTERFACE HAVE ROUTE <programlisting>#ADDRESS EXTERNAL INTERFACE HAVE ROUTE
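Review bot: the SNAT address is mistyped: `SNAT(192.02.176)` should be `SNAT(192.0.2.176)`; as written it is not a valid dotted-quad address. The same /24-for-/29 substitution as the two previous hunks applies here (`192.168.201.0/24` should be `192.168.201.0/29` to match `eth0 192.168.201.0/29 192.0.2.176`). Minor: this hunk leaves the old listing's header as `#INTERFACE SUBNET ADDRESS` while the other two hunks in this file corrected it to `#INTERFACE SOURCE ADDRESS`.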

View File

@ -647,16 +647,18 @@ root@lists:~# </programlisting>
</listitem> </listitem>
</itemizedlist> In Shorewall, both Masquerading and SNAT are configured </itemizedlist> In Shorewall, both Masquerading and SNAT are configured
with entries in the <filename with entries in the <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> class="directory">/etc/shorewall/</filename><filename>masq</filename> file
file.</para> (<filename>/etc/shorewall/snat</filename> when running Shorewall 5.0.14 or
later).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename <para>If your external firewall interface is <filename
class="devicefile">eth0</filename> then you do not need to modify the file class="devicefile">eth0</filename> then you do not need to modify the file
provided with the sample. Otherwise, edit <filename provided with the sample. Otherwise, edit <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> and class="directory">/etc/shorewall/</filename><filename>masq</filename> or
change it to match your configuration.</para> <filename>/etc/shorewall/snat</filename> and change it to match your
configuration.</para>
<para>If, in spite of all advice to the contrary, you are using this guide <para>If, in spite of all advice to the contrary, you are using this guide
and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
@ -670,8 +672,14 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename> class="directory">/etc/shorewall/</filename><filename>masq</filename>
entry if you like although your firewall will work fine if you leave that entry if you like although your firewall will work fine if you leave that
column empty. Entering your static IP in column 3 makes processing column empty. Entering your static IP in column 3 makes processing
outgoing packets a little more efficient.<graphic align="left" outgoing packets a little more efficient. When running Shorewall 5.0.14 or
fileref="images/openlogo-nd-25.png"/></para> later, the rule in /etc/shorewall/snat must be change from a MASQUERADE
rule to an SNAT rule.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT
<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis> ...</programlisting>
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
<para><emphasis role="bold">If you are using the Debian package, please <para><emphasis role="bold">If you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the check your <filename>shorewall.conf</filename> file to ensure that the
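Review bot: grammar in the added sentence: `the rule in /etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT rule` should read `must be changed`. Also `/etc/shorewall/snat` is bare text here while the rest of the patch wraps the path in `<filename>`. Moving `<graphic align="left" fileref="images/openlogo-nd-25.png"/>` out of the `<para>` to stand on its own is fine for DocBook, but note that the other guide in this patch does the opposite and moves the graphic into the following paragraph; pick one layout for both.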

View File

@ -1652,6 +1652,12 @@ DNAT net dmz:192.168.4.5 tcp 80 -
<filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS <filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS
eth0 192.168.1.0/24 206.124.146.179</programlisting></para> eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
<para>When running Shorewall 5.0.14 or later, the equivalent
<filename>/etc/shorewall/snat</filename> would be:</para>
<programlisting>#ACTION SOURCE DEST ...
SNAT(206.124.146.179) 192.168.1.0/24 eth0</programlisting>
<para>HTTP response packets corresponding to requests that fall <para>HTTP response packets corresponding to requests that fall
under that rule will have destination IP address 206.124.146.179 and under that rule will have destination IP address 206.124.146.179 and
<emphasis role="bold">source</emphasis> port 80.</para> <emphasis role="bold">source</emphasis> port 80.</para>

View File

@ -601,7 +601,8 @@ root@lists:~# </programlisting>
<emphasis><acronym>SNAT</acronym></emphasis> are configured with entries <emphasis><acronym>SNAT</acronym></emphasis> are configured with entries
in the <ulink url="manpages/shorewall-masq.html"><filename in the <ulink url="manpages/shorewall-masq.html"><filename
class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink> class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink>
file. You will normally use Masquerading if your external file (<filename>/etc/shorewall/snat</filename> when running Shorewall
5.0.14 or later). You will normally use Masquerading if your external
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para> <acronym>IP</acronym> is static.</para>
@ -611,8 +612,9 @@ root@lists:~# </programlisting>
class="devicefile">eth0</filename>, you do not need to modify the file class="devicefile">eth0</filename>, you do not need to modify the file
provided with <link linkend="Concepts">the sample</link>. Otherwise, edit provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
<filename <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> and class="directory">/etc/shorewall/</filename><filename>masq</filename> or
change the first column to the name of your external interface.</para> <filename>/etc/shorewall/snat</filename> and change it to match your
configuration.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
@ -622,14 +624,19 @@ root@lists:~# </programlisting>
entry if you like although your firewall will work fine if you leave that entry if you like although your firewall will work fine if you leave that
column empty (Masquerade). Entering your static <acronym>IP</acronym> in column empty (Masquerade). Entering your static <acronym>IP</acronym> in
column 3 (SNAT) makes the processing of outgoing packets a little more column 3 (SNAT) makes the processing of outgoing packets a little more
efficient.</para> efficient. When running Shorewall 5.0.14 or later, the rule in
/etc/shorewall/snat must be change from a MASQUERADE rule to an SNAT
rule.</para>
<graphic align="left" fileref="images/openlogo-nd-25.png"/> <programlisting>#ACTION SOURCE DEST PROTO PORT
<emphasis role="bold">SNAT(<replaceable>static-ip</replaceable>)</emphasis> ...</programlisting>
<para>I<emphasis role="bold">f you are using the Debian package, please <para><graphic align="left"
check your <filename>shorewall.conf</filename> file to ensure that the fileref="images/openlogo-nd-25.png"/>I<emphasis role="bold">f you are
following is set correctly; if it is not, change it using the Debian package, please check your
appropriately:</emphasis> <itemizedlist spacing="compact"> <filename>shorewall.conf</filename> file to ensure that the following is
set correctly; if it is not, change it appropriately:</emphasis>
<itemizedlist spacing="compact">
<listitem> <listitem>
<para><varname>IP_FORWARDING=On</varname></para> <para><varname>IP_FORWARDING=On</varname></para>
</listitem> </listitem>
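Review bot: same grammar slip as in the other guide: `must be change from a MASQUERADE rule to an SNAT rule` should read `must be changed`, and `/etc/shorewall/snat` should be wrapped in `<filename>` as elsewhere in the patch. Since the paragraph is being rewritten anyway, the pre-existing `I<emphasis role="bold">f you are` leaves the capital I outside the bold span; suggest `<emphasis role="bold">If you are`.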
@ -1253,8 +1260,9 @@ eth0 10.0.0.0/8,\
192.168.0.0/16 192.168.0.0/16
</programlisting> </programlisting>
<para>then you do <emphasis role="bold">not</emphasis> need to change <para>or of you are running Shorewall 5.0.14 or later, then you do
the contents.</para> <emphasis role="bold">not</emphasis> need to change the
contents.</para>
<para>Otherwise, if your Internet interface is <filename <para>Otherwise, if your Internet interface is <filename
class="devicefile">eth0</filename> and your wireless interface is class="devicefile">eth0</filename> and your wireless interface is