shorewall_code/Shorewall/masq
2006-10-31 19:01:23 +00:00

246 lines
7.9 KiB
Plaintext

#
# Shorewall version 3.3 - Masq file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# WARNING: The entries in this file are order-sensitive. The first
# entry that matches a particular connection will be the one that
# is used.
#
# WARNING: If you have more than one ISP, adding entries to this
# file will *not* force connections to go out through a particular
# ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
# to do that.
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# If you place COMMENT in this column, then the rest of the
# line will be attached as a comment to the Netfilter rule(s)
# generated by the following entry. The comment will appear
# delimited by "/* ... */" in the output of "shorewall show
# nat"
#
# SOURCE (formerly called SUBNET)
#
# Set of hosts that you wish to masquerade. You can specify this
# as an address (net or host) or as an interface. If you give
# the name of an interface, the interface must be up before you
# start the firewall (Shorewall will use your main routing table
# to determine the appropriate addresses to masquerade).
#
# In order to exclude a addrress of the specified SOURCE, you
# may append "!" and a comma-separated list of IP addresses
# (host or net) that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# You may also use the special value "detect"
# which causes Shorewall to determine the
# IP addresses configured on the interface named
# in the INTERFACES column and substitute them
# in this column.
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses
# or "detect" as described above.
#
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE