# # Shorewall version 3.0 - Sample Masq file for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. # # # /etc/shorewall/masq # # Use this file to define dynamic NAT (Masquerading) and to define # Source NAT (SNAT). # # WARNING: If you have more than one ISP, adding entries to this # file will *not* force connections to go out through a particular # ISP. You must use PREROUTING entries in /etc/shorewall/tcrules # to do that. # # Columns are: # # INTERFACE -- Outgoing interface. This is usually your internet # interface. If ADD_SNAT_ALIASES=Yes in # /etc/shorewall/shorewall.conf, you may add ":" and # a digit to indicate that you want the alias added with # that name (e.g., eth0:0). This will allow the alias to # be displayed with ifconfig. THAT IS THE ONLY USE FOR # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # PLACE IN YOUR SHOREWALL CONFIGURATION. # # This may be qualified by adding the character # ":" followed by a destination host or subnet. # # If you wish to inhibit the action of ADD_SNAT_ALIASES # for this entry then include the ":" but omit the digit: # # eth0: # eth2::192.0.2.32/27 # # Normally Masq/SNAT rules are evaluated after those for # one-to-one NAT (/etc/shorewall/nat file). If you want # the rule to be applied before one-to-one NAT rules, # prefix the interface name with "+": # # +eth0 # +eth0:192.0.2.32/27 # +eth0:2 # # This feature should only be required if you need to # insert rules in this file that preempt entries in # /etc/shorewall/nat. # # SUBNET -- Subnet that you wish to masquerade. You can specify this as # a subnet or as an interface. If you give the name of an # interface, you must have iproute installed and the interface # must be up before you start the firewall. # # In order to exclude a subset of the specified SUBNET, you # may append "!" and a comma-separated list of IP addresses # and/or subnets that you wish to exclude. # # Example: eth1!192.168.1.4,192.168.32.0/27 # # In that example traffic from eth1 would be masqueraded unless # it came from 192.168.1.4 or 196.168.32.0/27 # # ADDRESS -- (Optional). If you specify an address here, SNAT will be # used and this will be the source address. If # ADD_SNAT_ALIASES is set to Yes or yes in # /etc/shorewall/shorewall.conf then Shorewall # will automatically add this address to the # INTERFACE named in the first column. # # You may also specify a range of up to 256 # IP addresses if you want the SNAT address to # be assigned from that range in a round-robin # range by connection. The range is specified by # -. # # Example: 206.124.146.177-206.124.146.180 # # Finally, you may also specify a comma-separated # list of ranges and/or addresses in this column. # # This column may not contain DNS Names. # # Normally, Netfilter will attempt to retain # the source port number. You may cause # netfilter to remap the source port by following # an address or range (if any) by ":" and # a port range with the format - # . If this is done, you must # specify "tcp" or "udp" in the PROTO column. # # Examples: # # 192.0.2.4:5000-6000 # :4000-5000 # # You can invoke the SAME target using the # following in this column: # # SAME:[nodst:][,...] # # The may be single addresses. # # SAME works like SNAT with the exception that # the same local IP address is assigned to each # connection from a local address to a given # remote address. # # If the 'nodst:' option is included, then the # same source address is used for a given # internal system regardless of which remote # system is involved. # # If you want to leave this column empty # but you need to specify the next column then # place a hyphen ("-") here. # # PROTO -- (Optional) If you wish to restrict this entry to a # particular protocol then enter the protocol # name (from /etc/protocols) or number here. # # PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) # or UDP (protocol 17) then you may list one # or more port numbers (or names from # /etc/services) separated by commas or you # may list a single port range # (:). # # Where a comma-separated list is given, your # kernel and iptables must have multiport match # support and a maximum of 15 ports may be # listed. # # IPSEC -- (Optional) If you specify a value other than "-" in this # column, you must be running kernel 2.6 and # your kernel and iptables must include policy # match support. # # Comma-separated list of options from the # following. Only packets that will be encrypted # via an SA that matches these options will have # their source address changed. # # Yes or yes -- must be the only option # listed and matches all outbound # traffic that will be encrypted. # # reqid= where is # specified using setkey(8) using the # 'unique: option for the SPD # level. # # spi= where is the # SPI of the SA. # # proto=ah|esp|ipcomp # # mode=transport|tunnel # # tunnel-src=
[/] (only # available with mode=tunnel) # # tunnel-dst=
[/] (only # available with mode=tunnel) # # strict Means that packets must match # all rules. # # next Separates rules; can only be # used with strict.. # # Example 1: # # You have a simple masquerading setup where eth0 connects to # a DSL or cable modem and eth1 connects to your local network # with subnet 192.168.0.0/24. # # Your entry in the file can be either: # # eth0 eth1 # # or # # eth0 192.168.0.0/24 # # Example 2: # # You add a router to your local network to connect subnet # 192.168.1.0/24 which you also want to masquerade. You then # add a second entry for eth0 to this file: # # eth0 192.168.1.0/24 # # Example 3: # # You have an IPSEC tunnel through ipsec0 and you want to # masquerade packets coming from 192.168.1.0/24 but only if # these packets are destined for hosts in 10.1.1.0/24: # # ipsec0:10.1.1.0/24 196.168.1.0/24 # # Example 4: # # You want all outgoing traffic from 192.168.1.0/24 through # eth0 to use source address 206.124.146.176 which is NOT the # primary address of eth0. You want 206.124.146.176 added to # be added to eth0 with name eth0:0. # # eth0:0 192.168.1.0/24 206.124.146.176 # # Example 5: # # You want all outgoing SMTP traffic entering the firewall # on eth1 to be sent from eth0 with source IP address # 206.124.146.177. You want all other outgoing traffic # from eth1 to be sent from eth0 with source IP address # 206.124.146.176. # # eth0 eth1 206.124.146.177 tcp smtp # eth0 eth1 206.124.146.176 # # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # # For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################### #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth1 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE