From 4a1d8ba0f9fd751675375be190f4c22757dcda1c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Mar 2018 15:56:11 -0700 Subject: [PATCH] delete shorewall-masq.xml Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-masq.xml | 785 -------------------------- 1 file changed, 785 deletions(-) delete mode 100644 Shorewall/manpages/shorewall-masq.xml diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml deleted file mode 100644 index e6c0a4812..000000000 --- a/Shorewall/manpages/shorewall-masq.xml +++ /dev/null @@ -1,785 +0,0 @@ - - - - - shorewall-masq - - 5 - - Configuration Files - - - - masq - - Shorewall Masquerade/SNAT definition file - - - - - /etc/shorewall[6]/masq - - - - - Description - - This file is used to define dynamic NAT (Masquerading) and to define - Source NAT (SNAT). Its use was deprecated in favor of shorewall-snat(5) in Shorewall 5.0.14, - and the file was superseded by shorewall-snat(5) in Shorewall 5.2.0. - Beginning with that release, the Shorewall compiler will automatically - convert existing masq files to the equivalent snat file, and rename the - masq file to masq.bak. - - - The entries in this file are order-sensitive. The first entry that - matches a particular connection will be the one that is used. - - - - If you have more than one ISP link, adding entries to this file - will not force connections to go out - through a particular link. You must use entries in shorewall-rtrules(5) or - PREROUTING entries in shorewall-mangle(5) to do - that. - - - The columns in the file are as follows. - - - - INTERFACE:DEST - {[+]interfacelist[:[digit]][:[dest-address[,dest-address]...[exclusion]]|?COMMENT} - - - Outgoing interfacelist. This may be a - comma-separated list of interface names. This is usually your - internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you - may add ":" and a digit to indicate that you - want the alias added with that name (e.g., eth0:0). This will allow - the alias to be displayed with ifconfig. That - is the only use for the alias name; it may not appear in any other - place in your Shorewall configuration. - - Each interface must match an entry in shorewall-interfaces(5). - Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). - For example, ppp0 in this - file will match a shorewall-interfaces(5) - entry that defines ppp+. - - Where more that one - internet provider share a single interface, the provider is - specified by including the provider name or number in - parentheses: - - eth0(Avvanta) - - In that case, you will want to specify the interface's address - for that provider in the ADDRESS column. - - The interface may be qualified by adding the character ":" - followed by a comma-separated list of destination host or subnet - addresses to indicate that you only want to change the source IP - address for packets being sent to those particular destinations. - Exclusion is allowed (see shorewall-exclusion(5)) - as are ipset names preceded by a plus sign '+'; - - If you wish to inhibit the action of ADD_SNAT_ALIASES for this - entry then include the ":" but omit the digit: - - eth0(Avvanta): - eth2::192.0.2.32/27 - - Normally Masq/SNAT rules are evaluated after those for - one-to-one NAT (defined in shorewall-nat(5)). If you - want the rule to be applied before one-to-one NAT rules, prefix the - interface name with "+": - - +eth0 - +eth0:192.0.2.32/27 - +eth0:2 - - This feature should only be required if you need to insert - rules in this file that preempt entries in shorewall-nat(5). - - Comments may be attached to Netfilter rules generated from - entries in this file through the use of ?COMMENT lines. These lines - begin with ?COMMENT; the remainder of the line is treated as a - comment which is attached to subsequent rules until another ?COMMENT - line is found or until the end of the file is reached. To stop - adding comments to rules, use a line containing only - ?COMMENT. - - Beginning with Shorewall 4.6.0, a new syntax is also accepted. - With the exception of the leading '+', the interfacelist and - qualifiers may appear within the parentheses of INLINE(...). - - Example: - - +INLINE(eth0) - - When this is done, you may augment the rule generated by - Shorewall with iptables matches of your own. These matches appear - after a semicolon (';') at the end of the line. - - See example 8 below. - - - - - SOURCE (Formerly called SUBNET - - Optional) - - [interface|address[,address][exclusion]] - - - Set of hosts that you wish to masquerade. You can specify this - as an address (net or host) or as an - interface (use of an - interface is deprecated). If you give the name - of an interface, the interface must be up before you start the - firewall and the Shorewall rules compiler will warn you of that - fact. (Shorewall will use your main routing table to determine the - appropriate addresses to masquerade). - - The preferred way to specify the SOURCE is to supply one or - more host or network addresses separated by comma. You may use ipset - names preceded by a plus sign (+) to specify a set of hosts. - - - - - ADDRESS (Optional) - [-|NONAT|[address-or-address-range][:lowport-highport][:random][:persistent]|detect|random] - - - If you specify an address here, SNAT will be used and this - will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes - in shorewall.conf(5) then - Shorewall will automatically add this address to the INTERFACE named - in the first column. - - You may also specify a range of up to 256 IP addresses if you - want the SNAT address to be assigned from that range in a - round-robin fashion by connection. The range is specified by - first.ip.in.range-last.ip.in.range. - You may follow the port range with - :random in which case assignment of ports from the list - will be random. random may also be - specified by itself in this column in which case random local port - assignments are made for the outgoing connections. - - Example: 206.124.146.177-206.124.146.180 - - You may follow the port range (or :random) with :persistent. This is only useful when an - address range is specified and causes a client to be given the same - source/destination IP pair. This feature replaces the SAME modifier - which was removed from Shorewall in version 4.4.0. Unlike random, persistent may not be used by itself. - - You may also use the special value "detect" which causes - Shorewall to determine the IP addresses configured on the interface - named in the INTERFACES column and substitute them in this - column. - - Finally, you may also specify a comma-separated list of ranges - and/or addresses in this column. - - This column may not contain DNS Names. - - Normally, Netfilter will attempt to retain the source port - number. You may cause netfilter to remap the source port by - following an address or range (if any) by ":" and a port range with - the format - lowport-highport. If this - is done, you must specify "tcp" or "udp" in the PROTO column. - - Examples: - - 192.0.2.4:5000-6000 - :4000-5000 - - If you simply place NONAT in - this column, no rewriting of the source IP address or port number - will be performed. This is useful if you want particular traffic to - be exempt from the entries that follow in the file. - - If you want to leave this column empty but you need to specify - the next column then place a hyphen ("-") here. - - - - - PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]|+ipset} - - - If you wish to restrict this entry to a particular protocol - then enter the protocol name (from protocols(5)) or number - here. - - Beginning with Shorewall 4.5.12, this column can accept a - comma-separated list of protocols. - - Beginning with Shorewall 4.6.0, an - ipset name can be specified in this - column. This is intended to be used with - bitmap:port ipsets. - - - - - PORT (Optional) - - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset} - - - If the PROTO column specifies TCP (6), UDP (17), DCCP (33), - SCTP (132) or UDPLITE (136) then you may list one or more port - numbers (or names from services(5)) or port ranges separated by - commas. - - Port ranges are of the form - lowport:highport. - - Beginning with Shorewall 4.6.0, an - ipset name can be specified in this - column. This is intended to be used with - bitmap:port ipsets. - - - - - IPSEC (Optional) - - [option[,option]...] - - - If you specify a value other than "-" in this column, you must - be running kernel 2.6 and your kernel and iptables must include - policy match support. - - Comma-separated list of options from the following. Only - packets that will be encrypted via an SA that matches these options - will have their source address changed. - - - - reqid=number - - - where number is specified using - setkey(8) using the 'unique:number option - for the SPD level. - - - - - spi=<number> - - - where number is the SPI of the SA - used to encrypt/decrypt packets. - - - - - proto=ah|esp|ipcomp - - - IPSEC Encapsulation Protocol - - - - - mss=number - - - sets the MSS field in TCP packets - - - - - mode=transport|tunnel - - - IPSEC mode - - - - - tunnel-src=address[/mask] - - - only available with mode=tunnel - - - - - tunnel-dst=address[/mask] - - - only available with mode=tunnel - - - - - strict - - - Means that packets must match all rules. - - - - - next - - - Separates rules; can only be used with strict - - - - - yes - - - When used by itself, causes all traffic that will be - encrypted/encapsulated to match the rule. - - - - - - - - MARK - [!]value[/mask][:C] - - - Defines a test on the existing packet or connection mark. The - rule will match only if the test returns true. - - If you don't want to define a test but need to specify - anything in the following columns, place a "-" in this field. - - - - ! - - - Inverts the test (not equal) - - - - - value - - - Value of the packet or connection mark. - - - - - mask - - - A mask to be applied to the mark before testing. - - - - - :C - - - Designates a connection mark. If omitted, the packet - mark's value is tested. - - - - - - - - USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name] - - - This column was formerly labelled USER/GROUP. - - Only locally-generated connections will match if this column - is non-empty. - - When this column is non-empty, the rule matches only if the - program generating the output is running under the effective - user and/or group - specified (or is NOT running under that id if "!" is given). - - Examples: - - - - joe - - - program must be run by joe - - - - - :kids - - - program must be run by a member of the 'kids' - group - - - - - !:kids - - - program must not be run by a member of the 'kids' - group - - - - - +upnpd - - - #program named upnpd - - - The ability to specify a program name was removed from - Netfilter in kernel version 2.6.14. - - - - - - - - - SWITCH - - [!]switch-name[={0|1}] - - - Added in Shorewall 4.5.1 and allows enabling and disabling the - rule without requiring shorewall restart. - - The rule is enabled if the value stored in - /proc/net/nf_condition/switch-name - is 1. The rule is disabled if that file contains 0 (the default). If - '!' is supplied, the test is inverted such that the rule is enabled - if the file contains 0. - - Within the switch-name, '@0' and - '@{0}' are replaced by the name of the chain to which the rule is a - added. The switch-name (after '@...' - expansion) must begin with a letter and be composed of letters, - decimal digits, underscores or hyphens. Switch names must be 30 - characters or less in length. - - Switches are normally off. To - turn a switch on: - - - echo 1 > - /proc/net/nf_condition/switch-name - - - To turn it off again: - - - echo 0 > - /proc/net/nf_condition/switch-name - - - Switch settings are retained over shorewall - restart. - - Beginning with Shorewall 4.5.10, when the - switch-name is followed by - or , then the switch is - initialized to off or on respectively by the - start command. Other commands do not affect the - switch setting. - - - - - ORIGDEST - [-|address[,address]...[exclusion]|exclusion] - - - (Optional) Added in Shorewall 4.5.6. This column may be - included and may contain one or more addresses (host or network) - separated by commas. Address ranges are not allowed. When this - column is supplied, rules are generated that require that the - original destination address matches one of the listed addresses. It - is useful for specifying that SNAT should occur only for connections - that were acted on by a DNAT when they entered the firewall. - - This column was formerly labelled ORIGINAL DEST. - - - - - PROBABILITY - - [probability] - - - Added in Shorewall 5.0.0. When non-empty, requires the - Statistics Match capability in your kernel - and ip6tables and causes the rule to match randomly but with the - given probability. The - probability is a number 0 < - probability <= 1 and may be expressed - at up to 8 decimal points of precision. - - - - - - - Examples - - - - IPv4 Example 1: - - - You have a simple masquerading setup where eth0 connects to a - DSL or cable modem and eth1 connects to your local network with - subnet 192.168.0.0/24. - - Your entry in the file will be: - - #INTERFACE SOURCE - eth0 192.168.0.0/24 - - - - - IPv4 Example 2: - - - You add a router to your local network to connect subnet - 192.168.1.0/24 which you also want to masquerade. You then add a - second entry for eth0 to this file: - - #INTERFACE SOURCE - eth0 192.168.1.0/24 - - - - - IPv4 Example 3: - - - You have an IPSEC tunnel through ipsec0 and you want to - masquerade packets coming from 192.168.1.0/24 but only if these - packets are destined for hosts in 10.1.1.0/24: - - #INTERFACE SOURCE - ipsec0:10.1.1.0/24 196.168.1.0/24 - - - - - IPv4 Example 4: - - - You want all outgoing traffic from 192.168.1.0/24 through eth0 - to use source address 206.124.146.176 which is NOT the primary - address of eth0. You want 206.124.146.176 to be added to eth0 with - name eth0:0. - - #INTERFACE SOURCE ADDRESS - eth0:0 192.168.1.0/24 206.124.146.176 - - - - - IPv4 Example 5: - - - You want all outgoing SMTP traffic entering the firewall from - 172.20.1.0/29 to be sent from eth0 with source IP address - 206.124.146.177. You want all other outgoing traffic from - 172.20.1.0/29 to be sent from eth0 with source IP address - 206.124.146.176. - - #INTERFACE SOURCE ADDRESS PROTO DPORT - eth0 172.20.1.0/29 206.124.146.177 tcp smtp - eth0 172.20.1.0/29 206.124.146.176 - - - The order of the above two rules is significant! - - - - - - IPv4 Example 6: - - - Connections leaving on eth0 and destined to any host defined - in the ipset myset should have the source IP - address changed to 206.124.146.177. - - #INTERFACE SOURCE ADDRESS - eth0:+myset[dst] - 206.124.146.177 - - - - - IPv4 Example 7: - - - SNAT outgoing connections on eth0 from 192.168.1.0/24 in - round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 - (Shorewall 4.5.9 and later). - - /etc/shorewall/tcrules: - - #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST - 1-3:CF 192.168.1.0/24 eth0 ; state=NEW - -/etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS ... - eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C - eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C - eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C - - - - - IPv4 Example 8: - - - Your eth1 has two public IP addresses: 70.90.191.121 and - 70.90.191.123. You want to use the iptables statistics match to - masquerade outgoing connections evenly between these two - addresses. - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - INLINE(eth1) 0.0.0.0/0 70.90.191.121 ;; -m statistic --mode random --probability 0.50 - eth1 0.0.0.0/0 70.90.191.123 - - - If INLINE_MATCHES=Yes in shorewall.conf(5), then - these rules may be specified as follows: - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - eth1 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50 - eth1 0.0.0.0/0 70.90.191.123 - - - - - - IPv6 Example 1: - - - You have a simple 'masquerading' setup where eth0 connects to - a DSL or cable modem and eth1 connects to your local network with - subnet 2001:470:b:787::0/64 - - Your entry in the file will be: - - #INTERFACE SOURCE ADDRESS - eth0 2001:470:b:787::0/64 - - - - - - IPv6 Example 2: - - - Your sit1 interface has two public IP addresses: - 2001:470:a:227::1 and 2001:470:b:227::1. You want to use the - iptables statistics match to masquerade outgoing connections evenly - between these two addresses. - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50 - sit1 ::/0 2001:470:a:227::2 - - - If INLINE_MATCHES=Yes in shorewall6.conf(5), - then these rules may be specified as follows: - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50 - sit1 ::/0 2001:470:a:227::2 - - - - - - - FILES - - /etc/shorewall/masq - - /etc/shorewall6/masq - - - - See ALSO - - http://www.shorewall.net/configuration_file_basics.htm#Pairs - - shorewall(8) - -