diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index 26b6fe8d7..e3c0f5b8d 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -684,7 +684,7 @@
#INTERFACE SOURCE ADDRESS ...
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
- eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C
+ eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C
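Review bot: The third address changes from 1.1.1.4 to 1.1.1.9 with no accompanying change to the prose, so the reason is not visible in the hunk; if the point is that the SNAT addresses need not be consecutive, say so in the surrounding text of this example, otherwise the old value is less churn. The same substitution appears in the matching mark example in shorewall-snat.xml later in this patch, so the two manpages at least stay in agreement.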
diff --git a/Shorewall/manpages/shorewall-snat.xml b/Shorewall/manpages/shorewall-snat.xml
index d793e4ecb..762c11655 100644
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -593,8 +593,8 @@
Your entry in the file will be:
- #INTERFACE SOURCE
- eth0 192.168.0.0/24
+ #ACTION SOURCE DEST
+ MASQUERADE 192.168.0.0/24 eth0
@@ -606,40 +606,28 @@
192.168.1.0/24 which you also want to masquerade. You then add a
second entry for eth0 to this file:
- #INTERFACE SOURCE
- eth0 192.168.1.0/24
+ #ACTION SOURCE DEST
+ MASQUERADE 192.168.0.0/24 eth0
+ MASQUERADE 192.168.1.0/24 eth0
Example 3:
-
- You have an IPSEC tunnel through ipsec0 and you want to
- masquerade packets coming from 192.168.1.0/24 but only if these
- packets are destined for hosts in 10.1.1.0/24:
-
- #INTERFACE SOURCE
- ipsec0:10.1.1.0/24 196.168.1.0/24
-
-
-
-
- Example 4:
-
You want all outgoing traffic from 192.168.1.0/24 through eth0
to use source address 206.124.146.176 which is NOT the primary
address of eth0. You want 206.124.146.176 to be added to eth0 with
name eth0:0.
- #INTERFACE SOURCE ADDRESS
- eth0:0 192.168.1.0/24 206.124.146.176
+ #ACTION SOURCE DEST
+ SNAT(206.124.146.176) 192.168.1.0/24 eth0:0
- Example 5:
+ Example 4:
You want all outgoing SMTP traffic entering the firewall from
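Review bot: Old Example 3 (the ipsec0 tunnel, masquerading 192.168.1.0/24 only toward 10.1.1.0/24) is deleted outright rather than converted, and the remaining examples are renumbered around the gap; this removes the only example in the file that restricts SNAT by destination network. If the DEST column's interface:address form covers that case, keep a converted version (and note that the removed line carried a typo, "196.168.1.0/24" for 192.168.1.0/24, which should not be carried over); if the example is dropped because ipsec0-style interfaces are no longer relevant, a one-line remark to that effect in the commit would help future readers. In the renumbered Example 3, the DEST value "eth0:0" relies on the reader knowing that the ":0" is an alias label and not an address qualifier; a short clause in the prose pointing at the label syntax would avoid confusion with the "eth0:address" form used elsewhere in the column.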
@@ -652,6 +640,10 @@
eth0 172.20.1.0/29 206.124.146.177 tcp smtp
eth0 172.20.1.0/29 206.124.146.176
+ #ACTION SOURCE DEST PROTO PORT
+ SNAT(206.124.146.177) 172.20.1.0/29 eth0 tcp smtp
+ SNAT(206.124.146.176) 172.20.1.0/29 eth0
+
The order of the above two rules is significant!
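Review bot: The old masq-format lines for this example ("eth0 172.20.1.0/29 206.124.146.177 tcp smtp" and "eth0 172.20.1.0/29 206.124.146.176") are left in place as unchanged context and the new snat table is appended below them, so the rendered example now shows both formats back to back; the two old lines and their header should be "-" lines. Also check the column heading: this hunk introduces "PORT" while the mangle header later in this same file uses "DPORT", so use whichever name the snat column description in this manpage actually documents.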
@@ -659,20 +651,20 @@
- Example 6:
+ Example 5:
Connections leaving on eth0 and destined to any host defined
in the ipset myset should have the source IP
address changed to 206.124.146.177.
- #INTERFACE SOURCE ADDRESS
- eth0:+myset[dst] - 206.124.146.177
+ #ACTION SOURCE DEST
+ SNAT(206.124.146.177) - eth0+myset[dst]
- Example 7:
+ Example 6:
SNAT outgoing connections on eth0 from 192.168.1.0/24 in
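Review bot: The conversion drops the separator between the interface and the ipset qualifier: the removed line had "eth0:+myset[dst]" and the replacement reads "eth0+myset[dst]". Since the DEST column elsewhere uses an "interface:qualifier" form, confirm that the colon-less spelling is what the snat parser accepts; if not, the line should be "SNAT(206.124.146.177) - eth0:+myset[dst]".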
@@ -684,17 +676,17 @@
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
-/etc/shorewall/masq:
+/etc/shorewall/snat:
- #INTERFACE SOURCE ADDRESS ...
- eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
- eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
- eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C
+ #ACTION SOURCE DEST
+ SNAT(1.1.1.1) 192.168.1.0/24 eth0 { mark=1:C }
+ SNAT(1.1.1.3) 192.168.1.0/24 eth0 { mark=2:C }
+ SNAT(1.1.1.9) 192.168.1.0/24 eth0 { mark=3:C }
- Example 8:
+ Example 7:
Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -702,23 +694,11 @@
masquerade outgoing connections evenly between these two
addresses.
- /etc/shorewall/masq:
+ /etc/shorewall/snat:
- #INTERFACE SOURCE ADDRESS
- INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
- eth1 0.0.0.0/0 70.90.191.123
-
-
- If INLINE_MATCHES=Yes in shorewall.conf(5), then
- these rules may be specified as follows:
-
- /etc/shorewall/masq:
-
- #INTERFACE SOURCE ADDRESS
- eth1 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
- eth1 0.0.0.0/0 70.90.191.123
-
+ #ACTION SOURCE DEST
+ SNAT(70.90.191.121) - eth1 { probability=.50 }
+ SNAT(70.90.191.123) - eth1
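Review bot: With the INLINE and INLINE_MATCHES variants removed, the example depends entirely on rule order: the first rule takes half the connections via "{ probability=.50 }" and the second catches the rest, so swapping them would send everything to 70.90.191.123. The SMTP example earlier in this file ends with "The order of the above two rules is significant!"; add the same sentence here so the balancing behaviour is explicit, and state that the second rule intentionally has no probability.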