More document updates for the snat file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-10-15 16:16:30 -07:00 · 2016-10-15 16:16:30 -07:00 · ef0253905a
commit ef0253905a
parent 86c4333f8f
4 changed files with 48 additions and 14 deletions
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -774,7 +774,7 @@ fi</programlisting>
    </section>

    <section id="masq">
-      <title>./etc/shorewall/masq and Multi-ISP</title>
+      <title>./etc/shorewall/masq (/etc/shorewall/snat) and Multi-ISP</title>

      <para>If you masquerade a local network, you will need to add masquerade
      rules for both external interfaces. Referring to the diagram above, if
@ -786,6 +786,13 @@ fi</programlisting>
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>

+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)  0.0.0.0/0       eth0
+SNAT(130252.99.27)     0.0.0.0/0       eth1</programlisting>
+
      <para>If you have a public subnet (for example 206.124.146.176/30)
      behind your firewall, then use exclusion:</para>

@ -793,6 +800,12 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
 eth0             !206.124.146.176/29  206.124.146.176
 eth1             0.0.0.0/0            130.252.99.27</programlisting>

+      <para>The equivalent <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE              DEST                PROTO   PORT
+SNAT(206.124.146.176)  !206.124.146.176/29 eth0
+SNAT(130.252.99.27)    0.0.0.0/0           eth1</programlisting>
+
      <para>Note that exclusion is only used on the interface corresponding to
      internal subnetwork.</para>

@ -801,10 +814,10 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
      contains all of those addresses from being masqueraded.</para>

      <warning>
-        <para>Entries in <filename>/etc/shorewall/masq</filename> have no
-        effect on which ISP a particular connection will be sent through. That
-        is rather the purpose of entries in
-        <filename>/etc/shorewall/mangle</filename> and
+        <para>Entries in <filename>/etc/shorewall/masq</filename>
+        (<filename>/etc/shorewall/snat</filename>) have no effect on which ISP
+        a particular connection will be sent through. That is rather the
+        purpose of entries in <filename>/etc/shorewall/mangle</filename> and
        <filename>/etc/shorewall/rtrules</filename>.</para>
      </warning>
    </section>
@ -830,7 +843,8 @@ Feb  9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
      206.124.146.176. Another gotcha is that the incoming packet has already
      had the destination IP address changed for DNAT or because the original
      outgoing connection was altered by an entry in
-      <filename>/etc/shorewall/masq</filename> (SNAT or Masquerade). So the
+      <filename>/etc/shorewall/masq</filename> or
+      <filename>/etc/shorewall/snat</filename> (SNAT or Masquerade). So the
      destination IP address (206.124.146.176) may not have been the
      destination IP address in the packet as it was initially
      received.</para>
@ -960,6 +974,13 @@ net        net            DROP</programlisting>
      <programlisting>#INTERFACE       SOURCE            ADDRESS
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
+
+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)  0.0.0.0/0       eth0
+SNAT(130.252.99.27)    0.0.0.0/0       eth1</programlisting>
    </section>

    <section id="Applications">
@ -1050,7 +1071,8 @@ DNAT           net                loc:192.168.1.3   tcp       25               <

        <listitem>
          <para>For each external interface, you need to add an entry to
-          <filename>/etc/shorewall/masq</filename>.</para>
+          <filename>/etc/shorewall/masq</filename>
+          (<filename>/etc/shorewall/snat</filename>).</para>
        </listitem>
      </orderedlist>

@ -1066,6 +1088,14 @@ ISP3    3       3       main            eth3            16.105.78.254   track,ba
 eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27
 eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
+
+      <para>When running Shorewall 5.0.14 or later, the equivalent
+      <filename>/etc/shorewall/snat</filename> is:</para>
+
+      <programlisting>#ACTION                SOURCE          DEST                PROTO   PORT
+SNAT(206.124.146.176)  0.0.0.0/0       eth0
+SNAT(130.252.99.27)    0.0.0.0/0       eth1
+SNAT(16.105.78.4)      0.0.0.0/0       eth2</programlisting>
    </section>

    <section id="rtrules">
@ -2498,8 +2528,9 @@ exit 0
        </listitem>

        <listitem>
-          <para>Entries in <filename>/etc/shorewall/masq</filename> must be
-          qualified by the provider name (or number).</para>
+          <para>Entries in <filename>/etc/shorewall/masq</filename> and
+          <filename>/etc/shorewall/snat</filename> must be qualified by the
+          provider name (or number).</para>
        </listitem>

        <listitem>
--- a/docs/NAT.xml
+++ b/docs/NAT.xml
@ -79,7 +79,8 @@

    <para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
    above example) is (are) not included in any specification in
-    <filename>/etc/shorewall/masq</filename> or
+    <filename>/etc/shorewall/masq</filename>
+    (<filename>/etc/shorewall/snat</filename>) or
    <filename>/etc/shorewall/proxyarp</filename>.</para>

    <note>
--- a/docs/PacketHandling.xml
+++ b/docs/PacketHandling.xml
@ -311,9 +311,10 @@

      <listitem>
        <para>The source IP address may be rewritten according to an entry in
-        the <filename>/etc/shorewall/masq</filename> file. If this is a new
-        connection request, then the rewriting occurs in a
-        <emphasis>nat</emphasis> table chain called <emphasis
+        the <filename>/etc/shorewall/masq</filename> or
+        <filename>/etc/shorewall/snat</filename> file (Shorewall 5.0.14 or
+        later). If this is a new connection request, then the rewriting occurs
+        in a <emphasis>nat</emphasis> table chain called <emphasis
        role="bold"><emphasis>interface</emphasis>_masq</emphasis> where
        <emphasis>interface</emphasis> is the interface on which the packet
        will be sent. For packets that are part of an already established
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@ -98,7 +98,8 @@

    <para><emphasis role="bold">Be sure that the internal systems
    (130.242.100.18 and 130.252.100.19 in the above example) are not included
-    in any specification in <filename>/etc/shorewall/masq</filename> or
+    in any specification in <filename>/etc/shorewall/masq</filename>
+    (/etc/shorewall/snat on Shorewall 5.0.14 or later) or
    <filename>/etc/shorewall/nat</filename>.</emphasis></para>

    <note>