'\" t
.\"     Title: shorewall-netmap
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\"      Date: 06/28/2012
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-NETMAP" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
netmap \- Shorewall NETMAP definition file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall/netmap\fR\ 'u
\fB/etc/shorewall/netmap\fR
.SH "DESCRIPTION"
.PP
This file is used to map addresses in one network to corresponding addresses in a second network\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
To use this file, your kernel and iptables must have NETMAP support included\&.
.sp .5v
.RE
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBTYPE\fR \- \fB{DNAT\fR|\fBSNAT}[:{P|O|T}\fR]
.RS 4
Must be DNAT or SNAT; beginning with Shorewall 4\&.4\&.23, may be optionally followed by :P, :O or :T to perform stateless NAT\&. Stateless NAT requires Rawpost Table support in your kernel and iptables (see the output of \fBshorewall show capabilities\fR)\&.
.sp
If DNAT or DNAT:P, traffic entering INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&.
.sp
If SNAT or SNAT:T, traffic leaving INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2\&.
.sp
If DNAT:O, traffic originating on the firewall and leaving via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&.
.sp
If DNAT:P, traffic entering via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&.
.sp
If SNAT:P, traffic entering via INTERFACE with a destination address in NET1 has its source address rewritten to the corresponding address in NET2\&.
.sp
If SNAT:O, traffic originating on the firewall and leaving via INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2\&.
.RE
.PP
\fBNET1\fR \- \fInetwork\-address\fR
.RS 4
Network in CIDR format (e\&.g\&., 192\&.168\&.1\&.0/24)\&. Beginning with Shorewall 4\&.4\&.24, \m[blue]\fBexclusion\fR\m[]\&\s-2\u[1]\d\s+2 is supported\&.
.RE
.PP
\fBINTERFACE\fR \- \fIinterface\fR
.RS 4
The name of a network interface\&. The interface must be defined in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. Shorewall allows loose matches to wildcard entries in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. For example, ppp0 in this file will match a \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) entry that defines ppp+\&.
.RE
.PP
\fBNET2\fR \- \fInetwork\-address\fR
.RS 4
Network in CIDR format
.RE
.PP
\fBNET3 (Optional)\fR \- \fInetwork\-address\fR
.RS 4
Added in Shorewall 4\&.4\&.11\&. If specified, qualifies INTERFACE\&. It specifies a SOURCE network for DNAT rules and a DESTINATION network for SNAT rules\&.
.RE
.PP
\fBPROTO\fR \- \fIprotocol\-number\-or\-name\fR
.RS 4
Optional \-\- added in Shorewall 4\&.4\&.23\&.2\&. Only packets specifying this protocol will have their IP header modified\&.
.RE
.PP
\fBDEST PORT(S) (dport)\fR \- \fIport\-number\-or\-name\-list\fR
.RS 4
Optional \-\- added in Shorewall 4\&.4\&.23\&.2\&. Destination Ports\&. A comma\-separated list of Port names (from services(5)), \fIport number\fRs or \fIport range\fRs; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&.
.sp
If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example \fBbit\fR for bit\-torrent)\&. If no PORT is given, \fBipp2p\fR is assumed\&.
.sp
An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following fields is supplied\&.
.RE
.PP
\fBSOURCE PORT(S) (sport)\fR \- \fIport\-number\-or\-name\-list\fR
.RS 4
Optional \-\- added in Shorewall 4\&.4\&.23\&.2\&. Source port(s)\&. If omitted, any source port is acceptable\&. Specified as a comma\-separated list of port names, port numbers or port ranges\&.
.sp
An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following fields is supplied\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/netmap
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/netmap\&.html\fR\m[]
.PP
\m[blue]\fBhttp://shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
exclusion
.RS 4
\%http://www.shorewall.net/manpages/shorewall-exclusion.html
.RE
.IP " 2." 4
shorewall-interfaces
.RS 4
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
.RE
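.SH "EXAMPLE"
.PP
The following Python script is an added example, not part of the original manual page or of Shorewall\&. It checks netmap entries against the column rules described under DESCRIPTION (TYPE syntax, CIDR networks, and the PROTO values that the port columns require)\&. The sample networks, the interface name vpn, and the check that NET1 and NET2 have equal prefix lengths are assumptions of this example; the alternate specification syntax is not handled\&.
.nf

```python
import ipaddress
import re

TYPE_RE = re.compile(r"^(DNAT|SNAT)(:[POT])?$")
COLUMNS = ["TYPE", "NET1", "INTERFACE", "NET2", "NET3", "PROTO", "DPORT", "SPORT"]
SPORT_PROTOS = {"tcp", "6", "udp", "17", "sctp", "132", "udplite", "136"}
DPORT_PROTOS = SPORT_PROTOS | {"icmp", "1", "ipp2p"}  # dport also holds icmp types, ipp2p options
# Constructed sample file: the networks and the interface name "vpn" are made up.
SAMPLE = """#TYPE  NET1            INTERFACE  NET2            NET3  PROTO  DPORT
SNAT    192.168.1.0/24  vpn        10.10.11.0/24
DNAT    10.10.11.0/24   vpn        192.168.1.0/24  -     tcp    80,443
DNAT:P  10.10.12.0/24   vpn        192.168.2.0/25
SNAT:X  192.168.3.5/24  vpn        10.10.13.0/24
DNAT    10.10.14.0/24   vpn        192.168.4.0/24  -     -      80
"""

def check_entry(line):
    """Return the list of problems in one netmap line (empty list means OK)."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return []  # blank line or comment
    if not 4 <= len(fields) <= len(COLUMNS):
        return ["expected 4 to 8 columns, got %d" % len(fields)]
    f = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
    problems, nets = [], {}
    if not TYPE_RE.match(f["TYPE"]):
        problems.append("TYPE must be DNAT or SNAT, optionally followed by :P, :O or :T")
    for col in ("NET1", "NET2", "NET3"):
        if col == "NET3" and f[col] == "-":
            continue
        text = f[col].split("!", 1)[0] if col == "NET1" else f[col]  # drop NET1 exclusion
        try:
            nets[col] = ipaddress.ip_network(text)  # strict: host bits must be zero
        except ValueError:
            problems.append("%s is not a network in CIDR format: %s" % (col, f[col]))
    # Assumption of this example: a one-to-one mapping needs equally sized networks.
    if "NET1" in nets and "NET2" in nets and nets["NET1"].prefixlen != nets["NET2"].prefixlen:
        problems.append("NET1 and NET2 have different prefix lengths")
    proto = f["PROTO"].lower()
    if f["DPORT"] != "-" and proto not in DPORT_PROTOS:
        problems.append("DEST PORT(S) requires PROTO icmp, tcp, udp, sctp or udplite")
    if f["SPORT"] != "-" and proto not in SPORT_PROTOS:
        problems.append("SOURCE PORT(S) requires PROTO tcp, udp, sctp or udplite")
    return problems

def check_file(text):  # {1-based line number: [problems]} for lines with problems
    return {n: p for n, l in enumerate(text.splitlines(), 1) if (p := check_entry(l))}

print(check_file(SAMPLE))
```

.fi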