<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall-netmap</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>netmap</refname> <refpurpose>Shorewall NETMAP definition file</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>/etc/shorewall/netmap</command> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>This file is used to map addresses in one network to corresponding addresses in a second network.</para> <warning> <para>To use this file, your kernel and iptables must have NETMAP support included.</para> </warning> <para>The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).</para> <variablelist> <varlistentry> <term><emphasis role="bold">TYPE</emphasis> - <emphasis role="bold">{DNAT</emphasis>|<emphasis role="bold">SNAT}[:{P|O|T}</emphasis>]</term> <listitem> <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be optionally followed by :P, :O or :T to perform <firstterm>stateless NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table support</firstterm> in your kernel and iptables (see the output of <command>shorewall show capabilities</command>).</para> <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2.</para> <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source address in NET1 has it's source address rewritten to the corresponding address in NET2.</para> <para>If DNAT:O, traffic originating on the firewall and leaving via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2.</para> <para>If DNAT:P, traffic entering via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2.</para> <para>If SNAT:P, traffic entering via INTERFACE with a destination address in NET1 has it's source address rewritten to the corresponding address in NET2.</para> <para>If SNAT:O, traffic originating on the firewall and leaving via INTERFACE with a source address in NET1 has it's source address rewritten to the corresponding address in NET2.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">NET1</emphasis> - <emphasis>network-address</emphasis></term> <listitem> <para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with Shorewall 4.4.24, <ulink url="shorewall-exclusion.html">exclusion</ulink> is supported.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">INTERFACE</emphasis> - <emphasis>interface</emphasis></term> <listitem> <para>The name of a network interface. The interface must be defined in <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). Shorewall allows loose matches to wildcard entries in <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For example, <filename class="devicefile">ppp0</filename> in this file will match a <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8) entry that defines <filename class="devicefile">ppp+</filename>.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">NET2</emphasis> - <emphasis>network-address</emphasis></term> <listitem> <para>Network in CIDR format</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">NET3 (Optional)</emphasis> - <emphasis>network-address</emphasis></term> <listitem> <para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE. It specifies a SOURCE network for DNAT rules and a DESTINATON network for SNAT rules.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">PROTO</emphasis> - <emphasis>protocol-number-or-name</emphasis></term> <listitem> <para>Optional -- added in Shorewall 4.4.23.2. Only packets specifying this protocol will have their IP header modified.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> - <emphasis>port-number-or-name-list</emphasis></term> <listitem> <para>Optional - added in Shorewall 4.4.23.2. Destination Ports. A comma-separated list of Port names (from services(5)), <emphasis>port number</emphasis>s or <emphasis>port range</emphasis>s; if the protocol is <emphasis role="bold">icmp</emphasis>, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric type, a numberic type and code separated by a slash (e.g., 3/4), or a typename. See <ulink url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para> <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>, this column is interpreted as an ipp2p option without the leading "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent). If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is assumed.</para> <para>An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following field is supplied.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> - <emphasis>port-number-or-name-list</emphasis></term> <listitem> <para>Optional -- added in Shorewall 4.4.23.2. Source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges.</para> <para>An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied.</para> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall/netmap</para> </refsect1> <refsect1> <title>See ALSO</title> <para><ulink url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para> <para><ulink url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> </refsect1> </refentry>