From 524d6242b00085d103c71e927360da5088f5d600 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 19 Feb 2013 12:42:09 -0800 Subject: [PATCH] More SNAT/DNAT manpage updates Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-rules.xml | 135 +++++++++++------------ Shorewall6/manpages/shorewall6-rules.xml | 95 +++++++++++----- 2 files changed, 130 insertions(+), 100 deletions(-) diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 07958bf40..b2b7bae46 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -893,88 +893,79 @@ -
- + Except when all[+]|[-] is specified, the server may be + further restricted to a particular network, host or interface by + appending ":" and the network, host or interface. See SOURCE above. - Except when all[+]|[-] is specified, the server may be - further restricted to a particular network, host or interface by - appending ":" and the network, host or interface. See SOURCE above. + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall-exclusion(5)). - You may exclude certain hosts from the set already defined - through use of an exclusion (see shorewall-exclusion(5)). + Restriction: MAC addresses are not allowed (this is a + Netfilter restriction). - Restrictions: + Like in the SOURCE column, + you may specify a range of IP addresses using the syntax + lowaddress-highaddress. + When the ACTION is DNAT or DNAT-, the connections will be assigned to + addresses in the range in a round-robin fashion. - 1. MAC addresses are not allowed (this is a Netfilter - restriction). + If you kernel and iptables have ipset match support then you + may give the name of an ipset prefaced by "+". The ipset name may be + optionally followed by a number from 1 to 6 enclosed in square + brackets ([]) to indicate the number of levels of destination + bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset + name. - 2. You may not specify both an interface and an - address. + Beginning with Shorewall 4.4.17, the primary IP address of a + firewall interface can be specified by an apersand ('&') + followed by the logical name of the interface as found in the + INTERFACE column of shorewall-interfaces + (5). - Like in the SOURCE column, - you may specify a range of IP addresses using the syntax - lowaddress-highaddress. - When the ACTION is DNAT or DNAT-, the connections will be assigned to - addresses in the range in a round-robin fashion. 
+ The port that the server is + listening on may be included and separated from the server's IP + address by ":". If omitted, the firewall will not modifiy the + destination port. A destination port may only be included if the + ACTION is DNAT or REDIRECT. - If you kernel and iptables have ipset match support then you - may give the name of an ipset prefaced by "+". The ipset name may - be optionally followed by a number from 1 to 6 enclosed in square - brackets ([]) to indicate the number of levels of destination - bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset - name. + + + Example: - Beginning with Shorewall 4.4.17, the primary IP address of a - firewall interface can be specified by an apersand ('&') - followed by the logical name of the interface as found in the - INTERFACE column of shorewall-interfaces - (5). + + loc:192.168.1.3:3128 + specifies a local server at IP address 192.168.1.3 and + listening on port 3128. + + + - The port that the server is - listening on may be included and separated from the server's IP - address by ":". If omitted, the firewall will not modifiy the - destination port. A destination port may only be included if the - ACTION is DNAT or REDIRECT. + The port may be specified as a service + name. You may specify a port range in the form + lowport-highport to cause connections to be + assigned to ports in the range in round-robin fashion. When a port + range is specified, lowport and + highport must be given as integers; service + names are not permitted. Additionally, the port range may be + optionally followed by :random + which causes assignment to ports in the list to be random. - - - Example: - - - loc:192.168.1.3:3128 - specifies a local server at IP address 192.168.1.3 and - listening on port 3128. - - - - - The port may be specified as a service - name. 
You may specify a port range in the form - lowport-highport to cause connections to be - assigned to ports in the range in round-robin fashion. When a port - range is specified, lowport and - highport must be given as integers; service - names are not permitted. Additionally, the port range may be - optionally followed by :random - which causes assignment to ports in the list to be random. - - If the ACTION is REDIRECT or REDIRECT-, this column needs only to - contain the port number on the firewall that the request should be - redirected to. That is equivalent to specifying - ::port. -
+ If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain + the port number on the firewall that the request should be + redirected to. That is equivalent to specifying + ::port. diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 92cc36710..2be27b3d0 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -182,7 +182,8 @@ role="bold">DNAT[-] or REDIRECT[-] rules. + role="bold">-] rules. Requires Shorewall 4.5.14 or + later. @@ -351,7 +352,7 @@ Forward the request to another system (and optionally - another port). + another port). Requires Shorewall 4.5.14 or later. @@ -364,7 +365,8 @@ Like DNAT but only generates the DNAT iptables rule and not the companion ACCEPT rule. + role="bold">ACCEPT rule. Requires Shorewall 4.5.14 + or later. @@ -481,7 +483,8 @@ Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate - a rule to accept the traffic. + a rule to accept the traffic. Requires Shorewall 4.5.14 or + later. @@ -510,7 +513,7 @@ Redirect the request to a server running on the - firewall. + firewall. Requires Shorewall 4.5.14 or later. @@ -523,7 +526,8 @@ Like REDIRECT but only generates the REDIRECT iptables rule and not the companion ACCEPT rule. + role="bold">ACCEPT rule. Requires Shorewall 4.5.14 + or later. @@ -780,7 +784,8 @@ role="bold">-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list} + role="bold">+ipset|^countrycode-list}[port[:random]] Location of Server. May be a zone declared in -
- Except when all[+]|[-] is specified, the server may be - further restricted to a particular network, host or interface by - appending ":" and the network, host or interface. See SOURCE above. + Except when all[+]|[-] is specified, the server may be + further restricted to a particular network, host or interface by + appending ":" and the network, host or interface. See SOURCE above. - You may exclude certain hosts from the set already defined - through use of an exclusion (see shorewall6-exclusion(5)). + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall6-exclusion(5)). - Restrictions: + Restriction: MAC addresses are not allowed (this is a + Netfilter restriction). - 1. MAC addresses are not allowed (this is a Netfilter - restriction). + If you kernel and ip6tables have ipset match support then you + may give the name of an ipset prefaced by "+". The ipset name may be + optionally followed by a number from 1 to 6 enclosed in square + brackets ([]) to indicate the number of levels of destination + bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset + name. - If you kernel and ip6tables have ipset match support then - you may give the name of an ipset prefaced by "+". The ipset name - may be optionally followed by a number from 1 to 6 enclosed in - square brackets ([]) to indicate the number of levels of - destination bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset - name. -
+ The port that the server is + listening on may be included and separated from the server's IP + address by ":". If omitted, the firewall will not modifiy the + destination port. A destination port may only be included if the + ACTION is DNAT or REDIRECT. + + + + Example: + + + loc:[2001:470:b:227::44]:3128 specifies + a local server at IP address 2001:470:b:227::44 and listening + on port 3128. + + + + + The port may be specified as a service + name. You may specify a port range in the form + lowport-highport to cause connections to be + assigned to ports in the range in round-robin fashion. When a port + range is specified, lowport and + highport must be given as integers; service + names are not permitted. Additionally, the port range may be + optionally followed by :random + which causes assignment to ports in the list to be random. + + If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain + the port number on the firewall that the request should be + redirected to. That is equivalent to specifying + ::port.
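Review bot: In the shorewall-rules.xml hunk at @@ -893, the rewrite silently drops the second restriction ("You may not specify both an interface and an address") and collapses the list to the single MAC-address restriction; since the shorewall6 synopsis hunk in this same patch shows `[:interface][:{address-or-range...` as combinable, that looks intended, but it is a documented behaviour change and deserves a sentence saying the combination is now supported rather than just vanishing. While these paragraphs are being rewritten anyway, fix the typos they carry over: "If you kernel and iptables" should read "If your kernel and iptables", "apersand" should be "ampersand", and "will not modifiy the destination port" should be "will not modify". The sentence "A destination port may only be included if the ACTION is DNAT or REDIRECT" also contradicts the paragraph two lines later, which talks about "REDIRECT or REDIRECT-"; write it as "DNAT[-] or REDIRECT[-]" so the two agree.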
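Review bot: In the shorewall6-rules.xml hunks at @@ -364 and @@ -523 the unchanged context lines still say "generates the DNAT iptables rule" and "generates the REDIRECT iptables rule" even though this is the IPv6 manpage, which elsewhere in this patch refers to ip6tables ("If you kernel and ip6tables have ipset match support"); since the patch already touches these two entries to add "Requires Shorewall 4.5.14 or later", change "iptables" to "ip6tables" in them for consistency.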
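Review bot: The synopsis change in the shorewall6-rules.xml hunk at @@ -780 appends `[port[:random]]` directly after the closing brace, but the DEST description added in this same patch says the port is "separated from the server's IP address by ':'", so the synopsis is missing that separator (`[:port[:random]]`). The description also only documents `:random` as following a port range of the form `lowport-highport`, not a single port, so the synopsis should show the range form, for example `[:{port|lowport-highport[:random]}]`, rather than suggesting `:random` is valid after a single port.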
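Review bot: In the shorewall6-rules.xml DEST description hunk, the new paragraph says the port "may be included and separated from the server's IP address by ':'" but never says that an IPv6 address must be enclosed in square brackets when a port is appended; the example `loc:[2001:470:b:227::44]:3128` relies on exactly that, and without the brackets the ':' before the port is indistinguishable from the colons inside the address. Add a sentence such as "When a port is given, an IPv6 address must be enclosed in square brackets ([])" before the example. The same typo fixes as in the IPv4 hunk apply here too ("If you kernel and ip6tables" and "modifiy"), and the "ACTION is DNAT or REDIRECT" sentence should read "DNAT[-] or REDIRECT[-]" to match the following paragraph on "REDIRECT or REDIRECT-".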