#
# Shorewall version 3.3 - Masq file
#
# /etc/shorewall/masq
#
#	Use this file to define dynamic NAT (Masquerading) and to define
#	Source NAT (SNAT).
#
#	WARNING: The entries in this file are order-sensitive. The first
#	entry that matches a particular connection will be the one that
#	is used.
#
#	WARNING: If you have more than one ISP, adding entries to this
#	file will *not* force connections to go out through a particular
#	ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
#	to do that.
#
# Columns are:
#
#	INTERFACE -- Outgoing interface. This is usually your internet
#		     interface. If ADD_SNAT_ALIASES=Yes in
#		     /etc/shorewall/shorewall.conf, you may add ":" and
#		     a digit to indicate that you want the alias added with
#		     that name (e.g., eth0:0). This will allow the alias to
#		     be displayed with ifconfig. THAT IS THE ONLY USE FOR
#		     THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
#		     PLACE IN YOUR SHOREWALL CONFIGURATION.
#
#		     This may be qualified by adding the character
#		     ":" followed by a destination host or subnet.
#
#		     If you wish to inhibit the action of ADD_SNAT_ALIASES
#		     for this entry then include the ":" but omit the digit:
#
#				eth0:
#				eth2::192.0.2.32/27
#
#		     Normally Masq/SNAT rules are evaluated after those for
#		     one-to-one NAT (/etc/shorewall/nat file). If you want
#		     the rule to be applied before one-to-one NAT rules,
#		     prefix the interface name with "+":
#
#			+eth0
#			+eth0:192.0.2.32/27
#			+eth0:2
#
#		     This feature should only be required if you need to
#		     insert rules in this file that preempt entries in
#		     /etc/shorewall/nat.
#
#		     If you place COMMENT in this column, then the rest of the
#		     line will be attached as a comment to the Netfilter rule(s)
#		     generated by the following entry. The comment will appear
#		     delimited by "/* ... */" in the output of "shorewall show
#		     nat"
#
#	SOURCE (formerly called SUBNET)
#
#		  Set of hosts that you wish to masquerade. You can specify this
#		  as an address (net or host) or as an interface. If you give
#		  the name of an interface, the interface must be up before you
#		  start the firewall (Shorewall will use your main routing table
#		  to determine the appropriate addresses to masquerade).
#
#		  In order to exclude a addrress of the specified SOURCE, you
#		  may append "!" and a comma-separated list of IP addresses
#		  (host or net) that you wish to exclude.
#
#		  Example: eth1!192.168.1.4,192.168.32.0/27
#
#		  In that example traffic from eth1 would be masqueraded unless
#		  it came from 192.168.1.4 or 196.168.32.0/27
#
#	ADDRESS -- (Optional).	If you specify an address here, SNAT will be
#				used and this will be the source address. If
#				ADD_SNAT_ALIASES is set to Yes or yes in
#				/etc/shorewall/shorewall.conf then Shorewall
#				will automatically add this address to the
#				INTERFACE named in the first column.
#
#				You may also specify a range of up to 256
#				IP addresses if you want the SNAT address to
#				be assigned from that range in a round-robin
#				range by connection. The range is specified by
#				<first ip in range>-<last ip in range>.
#
#				Example: 206.124.146.177-206.124.146.180
#
#				You may also use the special value "detect"
#				which causes Shorewall to determine the
#				IP addresses configured on the interface named
#				in the INTERFACES column and substitute them
#				in this column.
#
#				Finally, you may also specify a comma-separated
#				list of ranges and/or addresses in this column.
#
#				This column may not contain DNS Names.
#
#				Normally, Netfilter will attempt to retain
#				the source port number. You may cause
#				netfilter to remap the source port by following
#				an address or range (if any) by ":" and
#				a port range with the format <low port>-
#				<high port>. If this is done, you must
#				specify "tcp" or "udp" in the PROTO column.
#
#				Examples:
#
#					192.0.2.4:5000-6000
#					:4000-5000
#
#				You can invoke the SAME target using the
#				following in this column:
#
#			SAME:[nodst:]<address-range>[,<address-range>...]
#
#				The <address-ranges> may be single addresses
#				or "detect" as described above.
#
#				SAME works like SNAT with the exception that
#				the same local IP address is assigned to each
#				connection from a local address to a given
#				remote address.
#
#				If the 'nodst:' option is included, then the
#				same source address is used for a given
#				internal system regardless of which remote
#				system is involved.
#
#				If you want to leave this column empty
#				but you need to specify the next column then
#				place a hyphen ("-") here.
#
#	PROTO -- (Optional)	If you wish to restrict this entry to a
#				particular protocol then enter the protocol
#				name (from /etc/protocols) or number here.
#
#	PORT(S) -- (Optional)	If the PROTO column specifies TCP (protocol 6)
#				or UDP (protocol 17) then you may list one
#				or more port numbers (or names from
#				/etc/services) separated by commas or you
#				may list a single port range
#				(<low port>:<high port>).
#
#				Where a comma-separated list is given, your
#				kernel and iptables must have multiport match
#				support and a maximum of 15 ports may be
#				listed.
#
#	IPSEC -- (Optional)	If you specify a value other than "-" in this
#				column, you must be running kernel 2.6 and
#				your kernel and iptables must include policy
#				match support.
#
#				Comma-separated list of options from the
#				following. Only packets that will be encrypted
#				via an SA that matches these options will have
#				their source address changed.
#
#					Yes or yes -- must be the only option
#					listed and matches all outbound
#					traffic that will be encrypted.
#
#					reqid=<number> where <number> is
#					specified using setkey(8) using the
#					'unique:<number> option for the SPD
#					level.
#
#					spi=<number> where <number> is the
#					SPI of the SA.
#
#					proto=ah|esp|ipcomp
#
#					mode=transport|tunnel
#
#					tunnel-src=<address>[/<mask>] (only
#					available with mode=tunnel)
#
#					tunnel-dst=<address>[/<mask>] (only
#					available with mode=tunnel)
#
#					strict	Means that packets must match
#						all rules.
#
#					next	Separates rules; can only be
#						used with strict..
#
#	Example 1:
#
#		  You have a simple masquerading setup where eth0 connects to
#		  a DSL or cable modem and eth1 connects to your local network
#		  with subnet 192.168.0.0/24.
#
#		  Your entry in the file can be either:
#
#			eth0	eth1
#
#		  or
#
#			eth0	192.168.0.0/24
#
#	Example 2:
#
#		  You add a router to your local network to connect subnet
#		  192.168.1.0/24 which you also want to masquerade. You then
#		  add a second entry for eth0 to this file:
#
#			eth0	192.168.1.0/24
#
#	Example 3:
#
#		  You have an IPSEC tunnel through ipsec0 and you want to
#		  masquerade packets coming from 192.168.1.0/24 but only if
#		  these packets are destined for hosts in 10.1.1.0/24:
#
#			ipsec0:10.1.1.0/24	196.168.1.0/24
#
#	Example 4:
#
#		  You want all outgoing traffic from 192.168.1.0/24 through
#		  eth0 to use source address 206.124.146.176 which is NOT the
#		  primary address of eth0. You want 206.124.146.176 added to
#		  be added to eth0 with name eth0:0.
#
#			eth0:0	192.168.1.0/24	206.124.146.176
#
#	Example 5:
#
#		 You want all outgoing SMTP traffic entering the firewall
#		 on eth1 to be sent from eth0 with source IP address
#		 206.124.146.177. You want all other outgoing traffic
#		 from eth1 to be sent from eth0 with source IP address
#		 206.124.146.176.
#
#			eth0	eth1	206.124.146.177	tcp	smtp
#			eth0	eth1	206.124.146.176
#
#		THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE