holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add 'snat' config file

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-10-15 11:38:52 -07:00
parent 44477d97ac
commit 43fdddb438
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
10 changed files with 1859 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -847,7 +847,7 @@ sub compiler {
#
# Setup Masquerading/SNAT
#
setup_masq;
setup_snat( $update );
#
# Setup Nat
#

194
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -37,7 +37,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_nat setup_netmap add_addresses );
our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq @addresses_to_add %addresses_to_add ) ] );
our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
our @EXPORT_OK = ();
Exporter::export_ok_tags('rules');
@ -60,20 +60,23 @@ sub initialize($) {
#
# Process a single rule from the the masq file
#
sub process_one_masq1( $$$$$$$$$$$ )
sub process_one_masq1( $$$$$$$$$$$$ )
{
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my $pre_nat;
my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
my $add_snat_aliases = ! $snat && $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
my $destnets = '';
my $baserule = '';
my $inlinematches = '';
my $prerule = '';
my $savelist;
#
# Leading '+'
#
$pre_nat = 1 if $interfacelist =~ s/^\+//;
$savelist = $interfacelist;
#
# Check for INLINE
#
@ -193,6 +196,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
# Parse the ADDRESSES column
#
if ( $addresses ne '-' ) {
my $saveaddresses = $addresses;
if ( $addresses eq 'random' ) {
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
$randomize = '--random ';
@ -240,31 +244,34 @@ sub process_one_masq1( $$$$$$$$$$$ )
# Address Variable
#
$target = 'SNAT ';
if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
#
# User-defined address variable
#
$conditional = conditional_rule( $chainref, $addr );
$addrlist .= '--to-source ' . "\$${1}${ports} ";
} else {
if ( $conditional = conditional_rule( $chainref, $addr ) ) {
unless ( $snat ) {
if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
#
# Optional Interface -- rule is conditional
# User-defined address variable
#
$addr = get_interface_address $interface;
$conditional = conditional_rule( $chainref, $addr );
$addrlist .= '--to-source ' . "\$${1}${ports} ";
} else {
#
# Interface is not optional
#
$addr = record_runtime_address( $type, $interface );
}
if ( $conditional = conditional_rule( $chainref, $addr ) ) {
#
# Optional Interface -- rule is conditional
#
$addr = get_interface_address $interface;
} else {
#
# Interface is not optional
#
$addr = record_runtime_address( $type, $interface );
}
if ( $ports ) {
$addr =~ s/ $//;
$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
}
if ( $ports ) {
$addr =~ s/ $//;
$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
}
$addrlist .= '--to-source ' . $addr;
$addrlist .= '--to-source ' . $addr;
}
}
} elsif ( $family == F_IPV4 ) {
if ( $addr =~ /^.*\..*\..*\./ ) {
@ -337,6 +344,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
$target .= $randomize;
$target .= $persistent;
$addresses = $saveaddresses;
} else {
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
$add_snat_aliases = 0;
@ -344,21 +352,40 @@ sub process_one_masq1( $$$$$$$$$$$ )
#
# And Generate the Rule(s)
#
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
$prerule ,
$baserule . $inlinematches . $rule ,
$networks ,
$destnets ,
$origdest ,
$target ,
'' ,
'' ,
$exceptionrule ,
'' )
unless unreachable_warning( 0, $chainref );
if ( $snat ) {
$target =~ s/ .*//;
$target = 'CONTINUE' if $target eq 'RETURN';
$target .= '+' if $pre_nat;
$target .= '(' . $addresses . ')' if $addresses ne '-';
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
#
# Supress superfluous trailing dashes
#
$line =~ s/(?:\t-)+$//;
my $raw_matches = fetch_inline_matches;
$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
print $snat "$line\n";
} else {
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
$prerule ,
$baserule . $inlinematches . $rule ,
$networks ,
$destnets ,
$origdest ,
$target ,
'' ,
'' ,
$exceptionrule ,
'' )
unless unreachable_warning( 0, $chainref );
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
}
if ( $add_snat_aliases ) {
my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
@ -386,8 +413,10 @@ sub process_one_masq1( $$$$$$$$$$$ )
}
sub process_one_masq( )
sub process_one_masq( $ )
{
my ( $snat ) = @_;
my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'masq file',
{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
@ -398,7 +427,92 @@ sub process_one_masq( )
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
for my $proto ( split_list $protos, 'Protocol' ) {
process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
process_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
}
}
sub open_snat_for_output( $ ) {
my ($fn ) = @_;
my ( $snat, $fn1 );
if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
} else {
open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
#
# Transfer permissions from the existing masq file to the new snat file
#
transfer_permissions( $fn, $fn1 );
if ( $family == F_IPV4 ) {
print $snat <<'EOF';
#
# Shorewall - SNAT/Masquerade File
#
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for additional information
EOF
} else {
print $snat <<'EOF';
#
# Shorewall6 - SNAT/Masquerade File
#
# For information about entries in this file, type "man shorewall6-snat"
#
# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
EOF
}
print $snat <<'EOF';
###################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
EOF
}
return ( $snat, $fn1 );
}
#
# Convert a masq file into the equivalent snat file
#
sub convert_masq() {
if ( my $fn = open_file( 'masq', 1, 1 ) ) {
my ( $snat, $fn1 ) = open_snat_for_output( $fn );
my $have_masq_rules;
directive_callback( sub () { print $snat "$_[1]\n"; 0; } );
first_entry(
sub {
my $date = compiletime;
progress_message2 "Converting $fn...";
print( $snat
"#\n" ,
"# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
"#\n" );
}
);
process_one_masq($snat), $have_masq_rules++ while read_a_line( NORMAL_READ );
if ( $have_masq_rules ) {
progress_message2 "Converted $fn to $fn1";
if ( rename $fn, "$fn.bak" ) {
progress_message2 "$fn renamed $fn.bak";
} else {
fatal_error "Cannot Rename $fn to $fn.bak: $!";
}
} else {
if ( unlink $fn ) {
warning_message "Empty masq file ($fn) removed";
} else {
warning_message "Unable to remove empty masq file $fn: $!";
}
}
close $snat, directive_callback( 0 );
}
}

331
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -38,6 +38,7 @@ use Shorewall::IPAddrs;
use Shorewall::Nat qw(:rules);
use Shorewall::Raw qw( handle_helper_rule );
use Scalar::Util 'reftype';
use Shorewall::Providers qw( provider_realm );
use strict;
@ -57,7 +58,7 @@ our @EXPORT = qw(
perl_action_tcp_helper
check_state
process_reject_action
setup_masq
setup_snat
);
our @EXPORT_OK = qw( initialize process_rule );
@ -5162,20 +5163,332 @@ sub process_mangle_rule( $ ) {
}
}
################################################################################
# Code moved from the Nat module in Shorewall 5.0.14 #
################################################################################
#
# Process the masq file
# Process a record in the snat file
#
sub setup_masq()
sub process_one_snat1( $$$$$$$$$$$ ) {
my ($action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my $pre_nat;
my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
my $destnets = '';
my $baserule = '';
my $inlinematches = get_inline_matches(0);
my $prerule = '';
my $options = '';
my $addresses;
my $target;
if ( $action =~ /^MASQUERADE(\+)?\((.+)\)$/ ) {
$target = 'MASQUERADE';
$action = $target;
$pre_nat = $1;
$addresses = $2;
$options = 'random' if $addresses =~ s/:?random$//;
} elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
$pre_nat = $1;
$addresses = $2;
$target = 'SNAT';
$action = $target;
$options .= ':persistent' if $addresses =~ s/:persistent//;
$options .= ':random' if $addresses =~ s/:random//;
$options =~ s/^://;
} elsif ( $action =~ /^CONTINUE(\+)?$/ ) {
$add_snat_aliases = 0;
$target = 'RETURN';
$pre_nat = $1;
} elsif ( $action eq 'MASQUERADE' ) {
$target = 'MASQUERADE';
} else {
fatal_error "Invalid ACTION ($action)";
}
#
# Next, parse the DEST column
#
if ( $family == F_IPV4 ) {
if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
$add_snat_aliases = 0;
$destnets = $2;
$dest = $1;
} elsif ( $dest =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
$destnets = $2;
$dest = $1;
} elsif ( $dest =~ /^([^:]+):$/ ) {
$add_snat_aliases = 0;
$dest = $1;
} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
my ( $one, $two ) = ( $1, $2 );
if ( $2 =~ /\./ || $2 =~ /^%/ ) {
$dest = $one;
$destnets = $two;
}
}
} elsif ( $dest =~ /^(.+?):(.+)$/ ) {
$dest = $1;
$destnets = $2;
}
#
# If there is no source or destination then allow all addresses
#
$source = ALLIP if $source eq '-';
$destnets = ALLIP if $destnets eq '-';
#
# Handle IPSEC options, if any
#
if ( $ipsec ne '-' ) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
if ( $ipsec =~ /^yes$/i ) {
$baserule .= do_ipsec_options 'out', 'ipsec', '';
} elsif ( $ipsec =~ /^no$/i ) {
$baserule .= do_ipsec_options 'out', 'none', '';
} else {
$baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
}
} elsif ( have_ipsec ) {
$baserule .= '-m policy --pol none --dir out ';
}
#
# Handle Protocol, Ports and Condition
#
$baserule .= do_proto( $proto, $ports, '' );
#
# Handle Mark
#
$baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
$baserule .= do_user( $user ) if $user ne '-';
$baserule .= do_probability( $probability ) if $probability ne '-';
my $rule = '';
( my $interface = $dest ) =~ s/:.*//;
if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
$interface = $1;
my $provider = $2;
fatal_error "Missing Provider ($dest)" unless supplied $provider;
$dest =~ s/[(]\w*[)]//;
my $realm = provider_realm( $provider );
fatal_error "$provider is not a shared-interface provider" unless $realm;
$rule .= "-m realm --realm $realm ";
}
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
if ( $interfaceref->{root} ) {
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
} else {
$rule .= match_dest_dev( $interface );
$interface = $interfaceref->{name};
}
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
$baserule .= do_condition( $condition , $chainref->{name} );
my $detectaddress = 0;
my $exceptionrule = '';
my $conditional = 0;
if ( $action eq 'SNAT' ) {
if ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target .= " --to-source $variable";
if ( interface_is_optional $interface ) {
add_commands( $chainref,
'',
"if [ \"$variable\" != 0.0.0.0 ]; then" );
incr_cmd_level( $chainref );
$detectaddress = 1;
}
} else {
my $addrlist = '';
my @addrs = split_list $addresses, 'address';
fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
for my $addr ( @addrs ) {
if ( $addr =~ /^([&%])(.+)$/ ) {
my ( $type, $interface ) = ( $1, $2 );
my $ports = '';
if ( $interface =~ s/:(.+)$// ) {
validate_portpair1( $proto, $1 );
$ports = ":$1";
}
#
# Address Variable
#
if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
#
# User-defined address variable
#
$conditional = conditional_rule( $chainref, $addr );
$addrlist .= ' --to-source' . "\$${1}${ports} ";
} else {
if ( $conditional = conditional_rule( $chainref, $addr ) ) {
#
# Optional Interface -- rule is conditional
#
$addr = get_interface_address $interface;
} else {
#
# Interface is not optional
#
$addr = record_runtime_address( $type, $interface );
}
if ( $ports ) {
$addr =~ s/ $//;
$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
}
$addrlist .= ' --to-source' . $addr;
}
} elsif ( $family == F_IPV4 ) {
if ( $addr =~ /^.*\..*\..*\./ ) {
my ($ipaddr, $rest) = split ':', $addr;
if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 );
} else {
validate_address $ipaddr, 0;
}
validate_portpair1( $proto, $rest ) if supplied $rest;
$addrlist .= " --to-source $addr";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else {
my $ports = $addr;
$ports =~ s/^://;
validate_portpair1( $proto, $ports );
$addrlist .= " --to-ports $ports";
$exceptionrule = do_proto( $proto, '', '' );
}
} else {
if ( $addr =~ /^\[/ ) {
#
# Can have ports specified
#
my $ports;
if ( $addr =~ s/:([^]:]+)$// ) {
$ports = $1;
}
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
if ( $addr =~ /^(.+)-(.+)$/ ) {
fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
}
if ( supplied $ports ) {
validate_portpair1( $proto, $ports );
$exceptionrule = do_proto( $proto, '', '' );
$addr = "[$addr]:$ports";
}
$addrlist .= " --to-source $addr";
} else {
if ( $addr =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
}
$addrlist .= " --to-source $addr";
}
}
}
$target .= $addrlist;
}
} elsif ( $action eq 'MASQUERADE' ) {
if ( supplied $addresses ) {
validate_portpair1($proto, $addresses );
$target .= " --to-ports $addresses";
}
}
for my $option ( split_list2( $options , 'option' ) ) {
if ( $option eq 'random' ) {
$target .= ' --random';
require_capability( 'MASQUERADE_TGT', "$action rules", '') if $family == F_IPV6;
} elsif ( $option eq 'persistent' ) {
fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $action eq 'MASQUERADE';
require_capability 'PERSISTENT_SNAT', ':persistent', 's';
$target .= ' --persistent';
} else {
fatal_error "Invalid $action option ($option)";
}
}
#
# And Generate the Rule(s)
#
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
$prerule ,
$baserule . $inlinematches . $rule ,
$source ,
$destnets ,
$origdest ,
$target ,
'' ,
'' ,
$exceptionrule ,
'' )
unless unreachable_warning( 0, $chainref );
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
progress_message " Snat record \"$currentline\" $done"
}
sub process_one_snat( )
{
if ( my $fn = open_file( 'masq', 1, 1 ) ) {
my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file',
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
{}, #Nopad
undef, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $action eq '-';
fatal_error 'DEST must be specified' if $dest eq '-';
for my $proto ( split_list $protos, 'Protocol' ) {
process_one_snat1( $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
}
}
#
# Process the masq or snat file
#
sub setup_snat( $ ) # Convert masq->snat if true
{
my $fn;
convert_masq() if $_[0];
if ( $fn = open_file( 'masq', 1, 1 ) ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
process_one_masq while read_a_line( NORMAL_READ );
}
process_one_masq(0) while read_a_line( NORMAL_READ );
} elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
process_one_snat while read_a_line( NORMAL_READ );
}
}
1;

8
Shorewall/configfiles/snat Normal file
View File

@ -0,0 +1,8 @@
#
# Shorewall SNAT/Masquerade File
#
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for additional information
###################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY

18
Shorewall/install.sh
View File

@ -696,17 +696,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
fi
if [ -f masq ]; then
#
# Install the Masq file
#
run_install $OWNERSHIP -m 0644 masq ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
#
# Install the SNAT file
#
run_install $OWNERSHIP -m 0644 snat ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
fi
if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
fi
if [ -f arprules ]; then

6
Shorewall/manpages/shorewall-masq.xml
View File

@ -25,8 +25,10 @@
<refsect1>
<title>Description</title>
<para>Use this file to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT).</para>
<para>This file is used to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT). While still supported, its use is deprecated in favor
of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
introduced in Shorewall 5.0.14.</para>
<warning>
<para>The entries in this file are order-sensitive. The first entry that

749
Shorewall/manpages/shorewall-snat.xml Normal file
View File

@ -0,0 +1,749 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-snat</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>snat</refname>
<refpurpose>Shorewall SNAT/Masquerade definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/snat</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT). It superseded <ulink
url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
5.0.14.</para>
<warning>
<para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para>
</warning>
<warning>
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
PREROUTING entries in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
that.</para>
</warning>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis></term>
<listitem>
<para>Defines the type of rule to generate. Choices are:</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
<listitem>
<para>Causes matching outgoing packages to have their source
IP address set to the primary IP address of the interface
specified in the DEST column. if
<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
is given, that port range will be used to assign a source
port. If option <option>random</option> is used then port
mapping will be randomized. MASQUERADE should only be used
when the DEST interface has a dynamic IP address. Otherwise,
SNAT should be used and should specify the interface's static
address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
role="bold">detect</emphasis>|</term>
<listitem>
<para>If you specify an address here, matching packets will
have their source address set to that address. If
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
then Shorewall will automatically add this address to the
INTERFACE named in the first column.</para>
<para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in
a round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
You may follow the port range with<emphasis role="bold">
:random</emphasis> in which case assignment of ports from the
list will be random. <emphasis role="bold">random</emphasis>
may also be specified by itself in this column in which case
random local port assignments are made for the outgoing
connections.</para>
<para>Example: 206.124.146.177-206.124.146.180</para>
<para>You may follow the port range (or <emphasis
role="bold">:random</emphasis>) with <emphasis
role="bold">:persistent</emphasis>. This is only useful when
an address range is specified and causes a client to be given
the same source/destination IP pair. This feature replaces the
SAME modifier which was removed from Shorewall in version
4.4.0.</para>
<para>You may also use the special value
<option>detect</option> which causes Shorewall to determine
the IP addresses configured on the interface named in the DEST
column and substitute them in this column.</para>
<para>Finally, you may also specify a comma-separated list of
ranges and/or addresses in this column.</para>
<para>DNS Names names are not allowed.</para>
<para>Normally, Netfilter will attempt to retain the source
port number. You may cause netfilter to remap the source port
by following an address or range (if any) by ":" and a port
range with the format
<emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
this is done, you must specify "tcp", "udp", "dccp" or "stcp"
in the PROTO column.</para>
<para>Examples:</para>
<programlisting> 192.0.2.4:5000-6000
:4000-5000</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>CONTINUE[+]</term>
<listitem>
<para>Causes matching packets to be exempted from any
following rules in the file.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
want the rule to be applied before one-to-one NAT rules, follow the
action name with "+": This feature should only be required if you
need to insert rules in this file that preempt entries in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Optional) -
[<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
<listitem>
<para>Set of hosts that you wish to masquerade. You can specify this
as an <emphasis>address</emphasis> (net or host) or as an
<emphasis>interface</emphasis> (use of an
<emphasis>interface</emphasis> is deprecated). If you give the name
of an interface, the interface must be up before you start the
firewall and the Shorewall rules compiler will warn you of that
fact. (Shorewall will use your main routing table to determine the
appropriate addresses to masquerade).</para>
<para>The preferred way to specify the SOURCE is to supply one or
more host or network addresses separated by comma. You may use ipset
names preceded by a plus sign (+) to specify a set of hosts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {[<emphasis
role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
<listitem>
<para>Outgoing <emphasis>interface</emphasis>. This is usually your
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
may add ":" and a <emphasis>digit</emphasis> to indicate that you
want the alias added with that name (e.g., eth0:0). This will allow
the alias to be displayed with ifconfig. <emphasis role="bold">That
is the only use for the alias name; it may not appear in any other
place in your Shorewall configuration.</emphasis></para>
<para>Each interface must match an entry in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's address
for that provider as the SNAT parameter.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+';</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para>
<programlisting> eth0(Avvanta):
eth2::192.0.2.32/27</programlisting>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of ?COMMENT lines. These lines
begin with ?COMMENT; the remainder of the line is treated as a
comment which is attached to subsequent rules until another ?COMMENT
line is found or until the end of the file is reached. To stop
adding comments to rules, use a line containing only
?COMMENT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number
here.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by
commas.</para>
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>If you specify a value other than "-" in this column, you must
be running kernel 2.6 and your kernel and iptables must include
policy match support.</para>
<para>Comma-separated list of options from the following. Only
packets that will be encrypted via an SA that matches these options
will have their source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated to match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem>
<para>This column was formerly labelled USER/GROUP.</para>
<para>Only locally-generated connections will match if this column
is non-empty.</para>
<para>When this column is non-empty, the rule matches only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.1 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>(Optional) Added in Shorewall 4.5.6. This column may be
included and may contain one or more addresses (host or network)
separated by commas. Address ranges are not allowed. When this
column is supplied, rules are generated that require that the
original destination address matches one of the listed addresses. It
is useful for specifying that SNAT should occur only for connections
that were acted on by a DNAT when they entered the firewall.</para>
<para>This column was formerly labelled ORIGINAL DEST.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROBABILITY</emphasis> -
[<replaceable>probability</replaceable>]</term>
<listitem>
<para>Added in Shorewall 5.0.0. When non-empty, requires the
<firstterm>Statistics Match</firstterm> capability in your kernel
and ip6tables and causes the rule to match randomly but with the
given <replaceable>probability</replaceable>. The
<replaceable>probability</replaceable> is a number 0 &lt;
<replaceable>probability</replaceable> &lt;= 1 and may be expressed
at up to 8 decimal points of precision.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You have a simple masquerading setup where eth0 connects to a
DSL or cable modem and eth1 connects to your local network with
subnet 192.168.0.0/24.</para>
<para>Your entry in the file will be:</para>
<programlisting> #INTERFACE SOURCE
eth0 192.168.0.0/24</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>You add a router to your local network to connect subnet
192.168.1.0/24 which you also want to masquerade. You then add a
second entry for eth0 to this file:</para>
<programlisting> #INTERFACE SOURCE
eth0 192.168.1.0/24</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<listitem>
<para>You have an IPSEC tunnel through ipsec0 and you want to
masquerade packets coming from 192.168.1.0/24 but only if these
packets are destined for hosts in 10.1.1.0/24:</para>
<programlisting> #INTERFACE SOURCE
ipsec0:10.1.1.0/24 196.168.1.0/24</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4:</term>
<listitem>
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0
to use source address 206.124.146.176 which is NOT the primary
address of eth0. You want 206.124.146.176 to be added to eth0 with
name eth0:0.</para>
<programlisting> #INTERFACE SOURCE ADDRESS
eth0:0 192.168.1.0/24 206.124.146.176</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 5:</term>
<listitem>
<para>You want all outgoing SMTP traffic entering the firewall from
172.20.1.0/29 to be sent from eth0 with source IP address
206.124.146.177. You want all other outgoing traffic from
172.20.1.0/29 to be sent from eth0 with source IP address
206.124.146.176.</para>
<programlisting> #INTERFACE SOURCE ADDRESS PROTO DPORT
eth0 172.20.1.0/29 206.124.146.177 tcp smtp
eth0 172.20.1.0/29 206.124.146.176</programlisting>
<warning>
<para>The order of the above two rules is significant!</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 6:</term>
<listitem>
<para>Connections leaving on eth0 and destined to any host defined
in the ipset <emphasis>myset</emphasis> should have the source IP
address changed to 206.124.146.177.</para>
<programlisting> #INTERFACE SOURCE ADDRESS
eth0:+myset[dst] - 206.124.146.177</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 7:</term>
<listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
(Shorewall 4.5.9 and later).</para>
<programlisting>/etc/shorewall/tcrules:
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS ...
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<listitem>
<para>Your eth1 has two public IP addresses: 70.90.191.121 and
70.90.191.123. You want to use the iptables statistics match to
masquerade outgoing connections evenly between these two
addresses.</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
eth1 0.0.0.0/0 70.90.191.123
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
these rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
eth1 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
eth1 0.0.0.0/0 70.90.191.123
</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/snat</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

8
Shorewall6/configfiles/snat Normal file
View File

@ -0,0 +1,8 @@
#
# Shorewall6 SNAT/Masquerade File
#
# For information about entries in this file, type "man shorewall6-snat"
#
# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
###################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY

9
Shorewall6/manpages/shorewall6-masq.xml
View File

@ -551,8 +551,8 @@
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 0.0.0.0/0 2001:470:a:227::2
INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
@ -562,9 +562,8 @@
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
sit1 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 0.0.0.0/0 2001:470:a:227::2
</programlisting>
sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2</programlisting>
</listitem>
</varlistentry>
</variablelist>

601
Shorewall6/manpages/shorewall6-snat.xml Normal file
View File

@ -0,0 +1,601 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-masq</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>snat</refname>
<refpurpose>Shorewall6 SNAT/Masquerade definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/snat</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT). While still supported, its use is deprecated in favor
of <ulink url="shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
introduced in Shorewall 5.0.14.</para>
<warning>
<para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para>
</warning>
<warning>
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
or PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
do that.</para>
</warning>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis></term>
<listitem>
<para>Defines the type of rule to generate. Choices are:</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">MASQUERADE</emphasis>[+][([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
<listitem>
<para>Causes matching outgoing packages to have their source
IP address set to the primary IP address of the interface
specified in the DEST column. if
<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
is given, that port range will be used to assign a source
port. If option <option>random</option> is used then port
mapping will be randomized. MASQUERADE should only be used
when the DEST interface has a dynamic IP address. Otherwise,
SNAT should be used and should specify the interface's static
address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
role="bold">detect</emphasis>|</term>
<listitem>
<para>If you specify an address here, matching packets will
have their source address set to that address. If
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then
Shorewall will automatically add this address to the INTERFACE
named in the first column.</para>
<para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in
a round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
You may follow the port range with<emphasis role="bold">
:random</emphasis> in which case assignment of ports from the
list will be random. <emphasis role="bold">random</emphasis>
may also be specified by itself in this column in which case
random local port assignments are made for the outgoing
connections.</para>
<para>Example: 206.124.146.177-206.124.146.180</para>
<para>You may follow the port range (or <emphasis
role="bold">:random</emphasis>) with <emphasis
role="bold">:persistent</emphasis>. This is only useful when
an address range is specified and causes a client to be given
the same source/destination IP pair. This feature replaces the
SAME modifier which was removed from Shorewall in version
4.4.0.</para>
<para>You may also use the special value
<option>detect</option> which causes Shorewall to determine
the IP addresses configured on the interface named in the DEST
column and substitute them in this column.</para>
<para>Finally, you may also specify a comma-separated list of
ranges and/or addresses in this column.</para>
<para>DNS Names names are not allowed.</para>
<para>Normally, Netfilter will attempt to retain the source
port number. You may cause netfilter to remap the source port
by following an address or range (if any) by ":" and a port
range with the format
<emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
this is done, you must specify "tcp", "udp", "dccp" or "stcp"
in the PROTO column.</para>
<para>Example:</para>
<programlisting> [2001:470:a:787::2]:5000-6000</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>CONTINUE[+]</term>
<listitem>
<para>Causes matching packets to be exempted from any
following rules in the file.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink
url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5)). If
you want the rule to be applied before one-to-one NAT rules, follow
the action name with "+": This feature should only be required if
you need to insert rules in this file that preempt entries in <ulink
url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Optional) -
[<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
<listitem>
<para>Set of hosts that you wish to SNAT; one or more host or
network addresses separated by comma. You may use ipset names
preceded by a plus sign (+) to specify a set of hosts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>interface</emphasis>|[<emphasis
role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
<listitem>
<para>Outgoing <emphasis>interface</emphasis>. This is usually your
internet interface.</para>
<para>The <replaceable>interface</replaceable> must match an entry
in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's address
for that provider as the SNAT parameter.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+'.</para>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of ?COMMENT lines. These lines
begin with ?COMMENT; the remainder of the line is treated as a
comment which is attached to subsequent rules until another ?COMMENT
line is found or until the end of the file is reached. To stop
adding comments to rules, use a line containing only
?COMMENT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number
here.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by
commas.</para>
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>If you specify a value other than "-" in this column, you must
be running kernel 2.6 and your kernel and iptables must include
policy match support.</para>
<para>Comma-separated list of options from the following. Only
packets that will be encrypted via an SA that matches these options
will have their source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated to match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem>
<para>Only locally-generated connections will match if this column
is non-empty.</para>
<para>When this column is non-empty, the rule matches only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.1 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>(Optional) This column may be included and may contain one or
more addresses (host or network) separated by commas. Address ranges
are not allowed. When this column is supplied, rules are generated
that require that the original destination address matches one of
the listed addresses. It is useful for specifying that SNAT should
occur only for connections that were acted on by a DNAT when they
entered the firewall.</para>
<para>This column was formerly labelled ORIGINAL DEST.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROBABILITY</emphasis> -
[<replaceable>probability</replaceable>]</term>
<listitem>
<para>Added in Shorewall 5.0.0. When non-empty, requires the
<firstterm>Statistics Match</firstterm> capability in your kernel
and ip6tables and causes the rule to match randomly but with the
given <replaceable>probability</replaceable>. The
<replaceable>probability</replaceable> is a number 0 &lt;
<replaceable>probability</replaceable> &lt;= 1 and may be expressed
at up to 8 decimal points of precision.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You have a simple 'masquerading' setup where eth0 connects to
a DSL or cable modem and eth1 connects to your local network with
subnet 2001:470:b:787::0/64</para>
<para>Your entry in the file will be:</para>
<programlisting> #ACTION SOURCE DEST
MASQUERADE 2001:470:b:787::0/64 eth0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/snat:
#ACTION SOURCE DEST
SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
SNAT(2001:470:a:227::2) ::/0 sit</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/snat</para>
</refsect1>
</refentry>