masq
# vi /etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
#eth0 192.168.1.0/24
#WAN Local
-----------------------------------------------------------------------------------------------------
Examples
Example 1:
You have a simple masquerading setup where eth0 connects to a DSL or cable modem and eth1 connects to your local network with subnet 192.168.0.0/24.
Your entry in the file will be:
#INTERFACE   SOURCE
eth0         192.168.0.0/24
Example 2:
You add a router to your local network to connect subnet 192.168.1.0/24 which you also want to masquerade. You then add a second entry for eth0 to this file:
#INTERFACE   SOURCE
eth0         192.168.1.0/24
Example 3:
You have an IPSEC tunnel through ipsec0 and you want to masquerade packets coming from 192.168.1.0/24 but only if these packets are destined for hosts in 10.1.1.0/24:
#INTERFACE           SOURCE
ipsec0:10.1.1.0/24   192.168.1.0/24
Example 4:
You want all outgoing traffic from 192.168.1.0/24 through eth0 to use source address 206.124.146.176 which is NOT the primary address of eth0. You want 206.124.146.176 to be added to eth0 with name eth0:0.
#INTERFACE   SOURCE           ADDRESS
eth0:0       192.168.1.0/24   206.124.146.176
Example 5:
You want all outgoing SMTP traffic entering the firewall from 172.20.1.0/29 to be sent from eth0 with source IP address 206.124.146.177. You want all other outgoing traffic from 172.20.1.0/29 to be sent from eth0 with source IP address 206.124.146.176.
#INTERFACE   SOURCE          ADDRESS           PROTO   PORT(S)
eth0         172.20.1.0/29   206.124.146.177   tcp     smtp
eth0         172.20.1.0/29   206.124.146.176
Warning
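The order of the above two rules is significant! Rules are matched in order and the first match wins, so the SMTP-specific rule must come before the general rule for the same source; otherwise the general rule would also match SMTP traffic.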
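The ordering rule from Example 5, as an added example that is not part of the original page or of Shorewall: a simplified Python model of first-match evaluation over masq entries, plus a check that flags entries an earlier rule makes unreachable. It assumes every entry has an INTERFACE and a CIDR SOURCE and ignores the interface:destination and ipset forms; the function names and sample text are constructed for illustration.

```python
import ipaddress

# Constructed input: the two Example 5 rules, in the documented order and reversed.
# Assumption: simplified model, every rule has an INTERFACE and a CIDR SOURCE.
CORRECT = """\
#INTERFACE SOURCE        ADDRESS         PROTO PORT(S)
eth0       172.20.1.0/29 206.124.146.177 tcp   smtp
eth0       172.20.1.0/29 206.124.146.176
"""
REVERSED = """\
eth0       172.20.1.0/29 206.124.146.176
eth0       172.20.1.0/29 206.124.146.177 tcp   smtp
"""

def parse_masq(text):
    """Parse masq lines into rule dicts; '-' or a missing column means 'any'."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not cols:
            continue
        iface, source, address, proto, ports = (cols + ["-"] * 5)[:5]
        rules.append({"iface": iface, "source": ipaddress.ip_network(source),
                      "address": address, "proto": None if proto == "-" else proto,
                      "ports": None if ports == "-" else set(ports.split(","))})
    return rules

def snat_address(rules, iface, src, proto, port):
    """ADDRESS of the first rule that matches the packet, or None (first match wins)."""
    for r in rules:
        if (r["iface"] == iface and ipaddress.ip_address(src) in r["source"]
                and r["proto"] in (None, proto)
                and (r["ports"] is None or port in r["ports"])):
            return r["address"]
    return None

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["iface"] == later["iface"]
                    and later["source"].subnet_of(earlier["source"])
                    and earlier["proto"] in (None, later["proto"])
                    and (earlier["ports"] is None or (later["ports"] is not None
                                                      and later["ports"] <= earlier["ports"]))):
                hits.append(i)
                break
    return hits
```

With the reversed text, `shadowed()` reports the SMTP rule at index 1 and `snat_address()` returns 206.124.146.176 for SMTP traffic, which is the misconfiguration the warning describes.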
Example 6:
Connections leaving on eth0 and destined to any host defined in the ipset myset should have the source IP address changed to 206.124.146.177.
#INTERFACE         SOURCE   ADDRESS
eth0:+myset[dst]   -        206.124.146.177
Files
/etc/shorewall/masq