'\" t
.\" Title: shorewall6-netmap
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\" Date: 06/28/2012
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
.TH "SHOREWALL6\-NETMAP" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
netmap \- Shorewall6 NETMAP definition file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall/netmap\fR\ 'u
\fB/etc/shorewall/netmap\fR
.SH "DESCRIPTION"
.PP
This file is used to map addresses in one network to corresponding addresses in a second network\&. It was added to Shorewall6 in 4\&.4\&.23\&.3\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
To use this file, your kernel and ip6tables must have RAWPOST table support included\&.
.sp .5v
.RE
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBTYPE\fR \- \fB{DNAT\fR|\fBSNAT}:{P|O|T}\fR
.RS 4
Must be DNAT or SNAT followed by :P, :O or :T to perform stateless NAT\&. Stateless NAT requires Rawpost Table support in your kernel and iptables (see the output of \fBshorewall6 show capabilities\fR)\&.
.sp
If DNAT:P, traffic entering INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&.
.sp
If SNAT:T, traffic leaving INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2\&.
.sp
If DNAT:O, traffic originating on the firewall and leaving via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&.
.sp
If DNAT:P, traffic entering via INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2\&.
.sp
If SNAT:P, traffic entering via INTERFACE with a destination address in NET1 has its source address rewritten to the corresponding address in NET2\&.
.sp
If SNAT:O, traffic originating on the firewall and leaving via INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2\&.
.RE
.PP
\fBNET1\fR \- \fInetwork\-address\fR
.RS 4
Network in CIDR format (e\&.g\&., 2001:470:b:227/64)\&. Beginning in Shorewall6 4\&.4\&.24, \m[blue]\fBexclusion\fR\m[]\&\s-2\u[1]\d\s+2 is supported\&.
.RE
.PP
\fBINTERFACE\fR \- \fIinterface\fR
.RS 4
The name of a network interface\&. The interface must be defined in \m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. Shorewall allows loose matches to wildcard entries in \m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&. For example, ppp0 in this file will match a \m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(8) entry that defines ppp+\&.
.RE
.PP
\fBNET2\fR \- \fInetwork\-address\fR
.RS 4
Network in CIDR format\&.
.RE
.PP
\fBNET3\fR \- \fInetwork\-address\fR
.RS 4
Optional \- added in Shorewall 4\&.4\&.11\&. If specified, qualifies INTERFACE\&. It specifies a SOURCE network for DNAT rules and a DESTINATION network for SNAT rules\&.
.RE
.PP
\fBPROTO\fR (Optional) \- \fIprotocol\-number\-or\-name\fR
.RS 4
Only packets specifying this protocol will have their IP header modified\&.
.RE
.PP
\fBDEST PORT(S)\fR (dport) \- \fIport\-number\-or\-name\-list\fR
.RS 4
Destination Ports\&. An optional comma\-separated list of Port names (from services(5)), \fIport number\fRs or \fIport range\fRs; if the protocol is \fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&. ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e\&.g\&., 3/4), or a typename\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#ICMP\fR\m[]\&.
.sp
If the protocol is \fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example \fBbit\fR for bit\-torrent)\&. If no PORT is given, \fBipp2p\fR is assumed\&.
.sp
An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following fields is supplied\&.
.RE
.PP
\fBSOURCE PORT(S)\fR (sport) \- \fIport\-number\-or\-name\-list\fR
.RS 4
Optional source port(s)\&. If omitted, any source port is acceptable\&. Specified as a comma\-separated list of port names, port numbers or port ranges\&.
.sp
An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136)\&. Use \*(Aq\-\*(Aq if any of the following fields is supplied\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/netmap
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/netmap\&.html\fR\m[]
.PP
\m[blue]\fBhttp://shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]
.SH "NOTES"
.IP " 1." 4
exclusion
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-exclusion.html
.RE
.IP " 2." 4
shorewall6-interfaces
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-interfaces.html
.RE
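The column rules described in this page (TYPE syntax, CIDR networks, PROTO required by the port columns) and the NET1-to-NET2 "corresponding address" mapping, worked through as an added Python example; this is not Shorewall code. The names `map_address` and `lint_entry`, the sample entries, and the equal-prefix-length check are assumptions made for illustration.

```python
import ipaddress

# TYPE syntax from the page: {DNAT|SNAT}:{P|O|T}
TYPES = {f"{nat}:{chain}" for nat in ("DNAT", "SNAT") for chain in "POT"}
# PROTO values the page lists for SOURCE PORT(S) and DEST PORT(S) (plus ipp2p).
SPORT_PROTOS = {"tcp", "6", "udp", "17", "sctp", "132", "udplite", "136"}
DPORT_PROTOS = SPORT_PROTOS | {"icmp", "1", "ipp2p"}
COLUMNS = ("TYPE", "NET1", "INTERFACE", "NET2", "NET3", "PROTO", "DPORT", "SPORT")


def map_address(addr, net1, net2):
    """Return the address in net2 that corresponds to addr in net1, else None."""
    addr = ipaddress.IPv6Address(addr)
    net1 = ipaddress.IPv6Network(net1)
    net2 = ipaddress.IPv6Network(net2)
    if addr not in net1:
        return None
    # Keep the host bits and swap the network prefix (assumes equal prefix lengths).
    host_bits = int(addr) & int(net1.hostmask)
    return ipaddress.IPv6Address(int(net2.network_address) | host_bits)


def lint_entry(line):
    """Return a list of problems found in one netmap entry."""
    fields = line.split("#", 1)[0].split()
    entry = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
    problems = []
    if entry["TYPE"] not in TYPES:
        problems.append("TYPE must be DNAT or SNAT followed by :P, :O or :T")
    nets = {}
    for col in ("NET1", "NET2"):
        try:
            nets[col] = ipaddress.IPv6Network(entry[col])
        except ValueError:
            problems.append(f"{col} is not a network in CIDR format")
    # Assumption of this example: a one-to-one mapping needs equal prefix lengths.
    if len(nets) == 2 and nets["NET1"].prefixlen != nets["NET2"].prefixlen:
        problems.append("NET1 and NET2 differ in prefix length")
    proto = entry["PROTO"].lower()
    if entry["DPORT"] != "-" and proto not in DPORT_PROTOS:
        problems.append("DEST PORT(S) requires icmp, tcp, udp, sctp or udplite")
    if entry["SPORT"] != "-" and proto not in SPORT_PROTOS:
        problems.append("SOURCE PORT(S) requires tcp, udp, sctp or udplite")
    return problems


# Constructed sample entries (documentation prefix 2001:db8::/32, interface eth0).
GOOD = "DNAT:P 2001:db8:1::/64 eth0 2001:db8:2::/64 - tcp 443"
BAD = "DNAT 2001:db8:1::/64 eth0 2001:db8:2::/48 - - 443 1024"
```

Running `lint_entry` over each line of a netmap file before a restart surfaces entries whose port columns have no usable PROTO value.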