SHOREWALL-RULES(5)               [FIXME: manual]               SHOREWALL-RULES(5)

NAME
   rules - Shorewall rules file

SYNOPSIS
   /etc/shorewall/rules

DESCRIPTION
   Entries in this file govern connection establishment by defining
   exceptions to the policies laid out in shorewall-policy[1](5). By
   default, subsequent requests and responses are automatically allowed
   using connection tracking. For any particular (source,dest) pair of
   zones, the rules are evaluated in the order in which they appear in
   this file and the first terminating match is the one that determines
   the disposition of the request. All rules are terminating except LOG
   and COUNT rules.

   Warning
      If you masquerade or use SNAT from a local system to the internet,
      you cannot use an ACCEPT rule to allow traffic from the internet to
      that system. You must use a DNAT rule instead.

   The rules file is divided into sections. Each section is introduced by
   a "Section Header" which is a line beginning with SECTION and followed
   by the section name.

   Sections are as follows and must appear in the order listed:

   ALL
      This section was added in Shorewall 4.4.23. Rules in this section
      are applied regardless of the connection tracking state of the
      packet.

   ESTABLISHED
      Packets in the ESTABLISHED state are processed by rules in this
      section.

      The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
      LOG and QUEUE.

      There is an implicit ACCEPT rule inserted at the end of this
      section.

   RELATED
      Packets in the RELATED state are processed by rules in this
      section.

      The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
      LOG and QUEUE.

      There is an implicit ACCEPT rule inserted at the end of this
      section.

   NEW
      Packets in the NEW, INVALID and UNTRACKED states are processed by
      rules in this section.

   Note
      If you are not familiar with Netfilter to the point where you are
      comfortable with the differences between the various connection
      tracking states, then it is suggested that you omit the ESTABLISHED
      and RELATED sections and place all of your rules in the NEW section
      (that is, after the line that reads SECTION NEW).

   Warning
      If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the
      ESTABLISHED and RELATED sections must be empty.

   You may omit any section that you don't need. If no Section Headers
   appear in the file then all rules are assumed to be in the NEW section.

74
75 When defining rules that rewrite the destination IP address and/or port
76 number (namely DNAT and REDIRECT rules), it is important to keep
77 straight which columns in the file specify the packet before rewriting
78 and which specify how the packet will look after rewriting.
79
80 · The DEST column specifies the final destination for the packet
81 after rewriting and can include the final IP address and/or port
82 number.
83
84 · The remaining columns specify characteristics of the packet before
85 rewriting. In particular, the ORIGINAL DEST column gives the
86 original destination IP address of the packet and the DEST PORT(S)
87 column give the original destination port(s).
88
89 The columns in the file are as follows.
90
   ACTION - target[:{log-level|none}[!][:tag]]
      Specifies the action to be taken if the connection request matches
      the rule. target must be one of the following.

      ACCEPT
         Allow the connection request.

      ACCEPT+
         Like ACCEPT but also excludes the connection from any
         subsequent matching DNAT[-] or REDIRECT[-] rules.

      ACCEPT!
         Like ACCEPT but exempts the rule from being suppressed by
         OPTIMIZE=1 in shorewall.conf[2](5).

      A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
         Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
         and ACCEPT! respectively. Require AUDIT_TARGET support in the
         kernel and iptables.

      NONAT
         Excludes the connection from any subsequent DNAT[-] or
         REDIRECT[-] rules but doesn't generate a rule to accept the
         traffic.

      DROP
         Ignore the request.

      DROP!
         Like DROP but exempts the rule from being suppressed by
         OPTIMIZE=1 in shorewall.conf[2](5).

      A_DROP and A_DROP!
         Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
         respectively. Require AUDIT_TARGET support in the kernel and
         iptables.

      REJECT
         Disallow the request and return an icmp-unreachable or an RST
         packet.

      REJECT!
         Like REJECT but exempts the rule from being suppressed by
         OPTIMIZE=1 in shorewall.conf[2](5).

      A_REJECT and A_REJECT!
         Added in Shorewall 4.4.20. Audited versions of REJECT and
         REJECT! respectively. Require AUDIT_TARGET support in the
         kernel and iptables.

      DNAT
         Forward the request to another system (and optionally another
         port).

      DNAT-
         Advanced users only.

         Like DNAT but only generates the DNAT iptables rule and not the
         companion ACCEPT rule.

      REDIRECT
         Redirect the request to a server running on the firewall.

      REDIRECT-
         Advanced users only.

         Like REDIRECT but only generates the REDIRECT iptables rule and
         not the companion ACCEPT rule.

      CONTINUE
         For experts only.

         Do not process any of the following rules for this (source
         zone,destination zone). If the source and/or destination IP
         address falls into a zone defined later in
         shorewall-zones[3](5) or in a parent zone of the source or
         destination zones, then this connection request will be passed
         to the rules defined for that (those) zone(s). See
         shorewall-nesting[4](5) for additional information.

      CONTINUE!
         Like CONTINUE but exempts the rule from being suppressed by
         OPTIMIZE=1 in shorewall.conf[2](5).

      LOG
         Simply log the packet and continue with the next rule.

      QUEUE
         Queue the packet to a user-space application such as ftwall
         (http://p2pwall.sf.net). The application may reinsert the
         packet for further processing.

      QUEUE!
         Like QUEUE but exempts the rule from being suppressed by
         OPTIMIZE=1 in shorewall.conf[2](5).

      NFLOG[(nflog-parameters)]
         Queues matching packets to a backend logging daemon via a
         netlink socket then continues to the next rule. See
         http://www.shorewall.net/shorewall_logging.html[5].

      NFQUEUE[(queuenumber)]
         Queues the packet to a user-space application using the
         nfnetlink_queue mechanism. If a queuenumber is not specified,
         queue zero (0) is assumed.

      NFQUEUE![(queuenumber)]
         Like NFQUEUE but exempts the rule from being suppressed by
         OPTIMIZE=1 in shorewall.conf[2](5).

      COUNT
         Simply increment the rule's packet and byte count and pass the
         packet to the next rule.

      COMMENT
         The rest of the line will be attached as a comment to the
         Netfilter rule(s) generated by the following entries. The
         comment will appear delimited by "/* ... */" in the output of
         "shorewall show <chain>". To stop the comment from being
         attached to further rules, simply include COMMENT on a line by
         itself.

      action
         The name of an action declared in shorewall-actions[6](5) or in
         /usr/share/shorewall/actions.std.

      macro[(macrotarget)]
         The name of a macro defined in a file named macro.macro. If the
         macro accepts an action parameter (look at the macro source to
         see if it has PARAM in the TARGET column) then the macro name
         is followed by the parenthesized macrotarget (ACCEPT, DROP,
         REJECT, ...) to be substituted for the parameter.

         Example: FTP(ACCEPT).

         The older syntax where the macro name and the target are
         separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
         deprecated.

      ADD(ipset:flags)
         Added in Shorewall 4.4.12. Causes addresses and/or port numbers
         to be added to the named ipset. The flags specify the address
         or tuple to be added to the set and must match the type of
         ipset involved. For example, for an iphash ipset, either the
         SOURCE or DESTINATION address can be added using flags src or
         dst respectively (see the -A command in ipset(8)).

         ADD is non-terminating. Even if a packet matches the rule, it
         is passed on to the next rule.

      DEL(ipset:flags)
         Added in Shorewall 4.4.12. Causes an entry to be deleted from
         the named ipset. The flags specify the address or tuple to be
         deleted from the set and must match the type of ipset involved.
         For example, for an iphash ipset, either the SOURCE or
         DESTINATION address can be deleted using flags src or dst
         respectively (see the -D command in ipset(8)).

         DEL is non-terminating. Even if a packet matches the rule, it
         is passed on to the next rule.

      The target may optionally be followed by ":" and a syslog log level
      (e.g., REJECT:info or Web(ACCEPT):debug). This causes the packet to
      be logged at the specified level. Note that if the ACTION involves
      destination network address translation (DNAT, REDIRECT, etc.) then
      the packet is logged before the destination address is rewritten.

      If the ACTION names an action declared in shorewall-actions[6](5)
      or in /usr/share/shorewall/actions.std then:

      ·  If the log level is followed by "!" then all rules in the
         action are logged at the log level.

      ·  If the log level is not followed by "!" then only those rules
         in the action that do not specify logging are logged at the
         specified level.

      ·  The special log level none! suppresses logging by the action.

      You may also specify ULOG or NFLOG (must be in upper case) as a log
      level. This will log to the ULOG or NFLOG target for routing to a
      separate log through use of ulogd
      (http://www.netfilter.org/projects/ulogd/index.html).

      Actions specifying logging may be followed by a log tag (a string
      of alphanumeric characters) which is appended to the string
      generated by the LOGPREFIX (in shorewall.conf[2](5)).

      Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
      prefix generated by the LOGPREFIX setting.

   SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}]
      Source hosts to which the rule applies. May be a zone declared in
      /etc/shorewall/zones, $FW to indicate the firewall itself, all,
      all+, all-, all+- or none.

      Beginning with Shorewall 4.4.13, you may use a zone-list which
      consists of a comma-separated list of zones declared in
      shorewall-zones[3](5). This zone-list may be optionally followed by
      "+" to indicate that the rule is to apply to intra-zone traffic as
      well as inter-zone traffic.

      When none is used either in the SOURCE or DEST column, the rule is
      ignored.

      all means "All Zones", including the firewall itself. all- means
      "All Zones, except the firewall itself". When all[-] is used either
      in the SOURCE or DEST column intra-zone traffic is not affected.
      When all+[-] is used, intra-zone traffic is affected. Beginning
      with Shorewall 4.4.13, exclusion is supported -- see
      shorewall-exclusion[7](5).

      Except when all[+][-] or any[+][-] is specified, clients may be
      further restricted to a list of networks and/or hosts by appending
      ":" and a comma-separated list of network and/or host addresses.
      Hosts may be specified by IP or MAC address; MAC addresses must
      begin with "~" and must use "-" as a separator.

      The above restriction on all[+][-] and any[+][-] is removed in
      Shorewall 4.4.13.

      any is equivalent to all when there are no nested zones. When there
      are nested zones, any only refers to top-level zones (those with no
      parent zones). Note that any excludes all vserver zones, since
      those zones are nested within the firewall zone.

      Hosts may also be specified as an IP address range using the syntax
      lowaddress-highaddress. This requires that your kernel and iptables
      contain iprange match support. If your kernel and iptables have
      ipset match support then you may give the name of an ipset prefaced
      by "+". The ipset name may be optionally followed by a number from
      1 to 6 enclosed in square brackets ([]) to indicate the number of
      levels of source bindings to be matched.

      Beginning with Shorewall 4.4.17, the primary IP address of a
      firewall interface can be specified by an ampersand ('&') followed
      by the logical name of the interface as found in the INTERFACE
      column of shorewall-interfaces[8](5).

      You may exclude certain hosts from the set already defined through
      use of an exclusion (see shorewall-exclusion[7](5)).

      Examples:

      dmz:192.168.2.2
         Host 192.168.2.2 in the DMZ

      net:155.186.235.0/24
         Subnet 155.186.235.0/24 on the Internet

      loc:192.168.1.1,192.168.1.2
         Hosts 192.168.1.1 and 192.168.1.2 in the local zone.

      loc:~00-A0-C9-15-39-78
         Host in the local zone with MAC address 00:A0:C9:15:39:78.

      net:192.0.2.11-192.0.2.17
         Hosts 192.0.2.11-192.0.2.17 in the net zone.

      net:!192.0.2.11-192.0.2.17
         All hosts in the net zone except for 192.0.2.11-192.0.2.17.

      net:155.186.235.0/24!155.186.235.16/28
         Subnet 155.186.235.0/24 on the Internet except for
         155.186.235.16/28

      $FW:&eth0
         The primary IP address of eth0 in the firewall zone (Shorewall
         4.4.17 and later).

   DEST - {zone|zone-list[+]|{all|any}[+][-]}[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}][:port[:random]]
      Location of Server. May be a zone declared in
      shorewall-zones[3](5), $FW to indicate the firewall itself, all,
      all+ or none.

      Beginning with Shorewall 4.4.13, you may use a zone-list which
      consists of a comma-separated list of zones declared in
      shorewall-zones[3](5). This zone-list may be optionally followed by
      "+" to indicate that the rule is to apply to intra-zone traffic as
      well as inter-zone traffic.

      When none is used either in the SOURCE or DEST column, the rule is
      ignored.

      When all is used either in the SOURCE or DEST column intra-zone
      traffic is not affected. When all+ is used, intra-zone traffic is
      affected. Beginning with Shorewall 4.4.13, exclusion is supported
      -- see shorewall-exclusion[7](5).

      any is equivalent to all when there are no nested zones. When there
      are nested zones, any only refers to top-level zones (those with no
      parent zones).

      The zone should be omitted in DNAT-, REDIRECT- and NONAT rules.

      If the DEST zone is a bport zone, then either:

      1. the SOURCE must be all[+][-], or

      2. the SOURCE zone must be another bport zone associated with the
         same bridge, or

      3. the SOURCE zone must be an ipv4 zone that is associated with
         only the same bridge.

      Except when all[+][-] is specified, the server may be further
      restricted to a particular network, host or interface by appending
      ":" and the network, host or interface. See SOURCE above.

      You may exclude certain hosts from the set already defined through
      use of an exclusion (see shorewall-exclusion[7](5)).

      Restrictions:

      1. MAC addresses are not allowed (this is a Netfilter restriction).

      2. You may not specify both an interface and an address.

      As in the SOURCE column, you may specify a range of IP addresses
      using the syntax lowaddress-highaddress. When the ACTION is DNAT or
      DNAT-, the connections will be assigned to addresses in the range
      in a round-robin fashion.

      If your kernel and iptables have ipset match support then you may
      give the name of an ipset prefaced by "+". The ipset name may be
      optionally followed by a number from 1 to 6 enclosed in square
      brackets ([]) to indicate the number of levels of destination
      bindings to be matched. Only one of the SOURCE and DEST columns may
      specify an ipset name.

      Beginning with Shorewall 4.4.17, the primary IP address of a
      firewall interface can be specified by an ampersand ('&') followed
      by the logical name of the interface as found in the INTERFACE
      column of shorewall-interfaces[8](5).

      The port that the server is listening on may be included and
      separated from the server's IP address by ":". If omitted, the
      firewall will not modify the destination port. A destination port
      may only be included if the ACTION is DNAT or REDIRECT.

      Example:
         loc:192.168.1.3:3128 specifies a local server at IP address
         192.168.1.3 and listening on port 3128.

      The port may be specified as a service name. You may specify a port
      range in the form lowport-highport to cause connections to be
      assigned to ports in the range in round-robin fashion. When a port
      range is specified, lowport and highport must be given as integers;
      service names are not permitted. Additionally, the port range may
      be optionally followed by :random which causes assignment to ports
      in the list to be random.

      If the ACTION is REDIRECT or REDIRECT-, this column needs only to
      contain the port number on the firewall that the request should be
      redirected to. That is equivalent to specifying $FW::port.

   PROTO (Optional) - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
      Protocol - ipp2p* requires ipp2p match support in your kernel and
      iptables. tcp:syn implies tcp plus the SYN flag must be set and
      the RST, ACK and FIN flags must be reset.

      Beginning with Shorewall 4.4.19, this column can contain a
      comma-separated list of protocol-numbers and/or protocol names.

   DEST PORT(S) (Optional) - {-|port-name-number-or-range[,port-name-number-or-range]...}
      Destination Ports. A comma-separated list of port names (from
      services(5)), port numbers or port ranges; if the protocol is icmp,
      this column is interpreted as the destination icmp-type(s). ICMP
      types may be specified as a numeric type, a numeric type and code
      separated by a slash (e.g., 3/4), or a typename. See
      http://www.shorewall.net/configuration_file_basics.htm#ICMP. Note
      that prior to Shorewall 4.4.19, only a single ICMP type may be
      listed.

      If the protocol is ipp2p, this column is interpreted as an ipp2p
      option without the leading "--" (example bit for bit-torrent). If
      no port is given, ipp2p is assumed.

      A port range is expressed as lowport:highport.

      This column is ignored if PROTO = all but must be entered if any of
      the following columns are supplied. In that case, it is suggested
      that this field contain a dash (-).

      If your kernel contains multi-port match support, then only a
      single Netfilter rule will be generated if in this list and the
      SOURCE PORT(S) list below:

      1. There are 15 or fewer ports listed.

      2. No port ranges are included or your kernel and iptables contain
         extended multiport match support.

   SOURCE PORT(S) (Optional) - {-|port-name-number-or-range[,port-name-number-or-range]...}
      Port(s) used by the client. If omitted, any source port is
      acceptable. Specified as a comma-separated list of port names,
      port numbers or port ranges.

      Warning
         Unless you really understand IP, you should leave this column
         empty or place a dash (-) in the column. Most people who try to
         use this column get it wrong.

      If you don't want to restrict client ports but need to specify an
      ORIGINAL DEST in the next column, then place "-" in this column.

      If your kernel contains multi-port match support, then only a
      single Netfilter rule will be generated if in this list and the
      DEST PORT(S) list above:

      1. There are 15 or fewer ports listed.

      2. No port ranges are included or your kernel and iptables contain
         extended multiport match support.

   ORIGINAL DEST (Optional) - [-|address[,address]...[exclusion]|exclusion]
      If ACTION is DNAT[-] or REDIRECT[-] then if this column is included
      and is different from the IP address given in the DEST column, then
      connections destined for that address will be forwarded to the IP
      and port specified in the DEST column.

      A comma-separated list of addresses may also be used. This is most
      useful with the REDIRECT target where you want to redirect traffic
      destined for a particular set of hosts. Finally, if the list of
      addresses begins with "!" (exclusion) then the rule will be
      followed only if the original destination address in the connection
      request does not match any of the addresses listed.

      Beginning with Shorewall 4.4.17, the primary IP address of a
      firewall interface can be specified by an ampersand ('&') followed
      by the logical name of the interface as found in the INTERFACE
      column of shorewall-interfaces[8](5).

      For other actions, this column may be included and may contain one
      or more addresses (host or network) separated by commas. Address
      ranges are not allowed. When this column is supplied, rules are
      generated that require that the original destination address
      matches one of the listed addresses. This feature is most useful
      when you want to generate a filter rule that corresponds to a DNAT-
      or REDIRECT- rule. In this usage, the list of addresses should not
      begin with "!".

      It is also possible to specify a set of addresses then exclude part
      of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
      specifies the addresses 192.168.1.0-192.168.1.15 and
      192.168.1.32-192.168.1.255. See shorewall-exclusion[7](5).

      See http://shorewall.net/PortKnocking.html[9] for an example of
      using an entry in this column with a user-defined action rule.

   RATE LIMIT (Optional) - [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst]
      You may rate-limit the rule by placing a value in this column:

      rate is the number of connections per interval (sec, min, hour or
      day) and burst is the largest burst permitted. If no burst is
      given, a value of 5 is assumed. There may be no whitespace embedded
      in the specification.

      Example: 10/sec:20

      When s: or d: is specified, the rate applies per source IP address
      or per destination IP address respectively. The name may be chosen
      by the user and specifies a hash table to be used to count matching
      connections. If not given, the name shorewallN (where N is a unique
      integer) is assumed. Where more than one rule specifies the same
      name, the connection counts for the rules are aggregated and the
      individual rates apply to the aggregated count.

      Example: s:ssh:3/min:5

   USER/GROUP (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]
      This column may only be non-empty if the SOURCE is the firewall
      itself.

      When this column is non-empty, the rule applies only if the program
      generating the output is running under the effective user and/or
      group specified (or is NOT running under that id if "!" is given).

      Examples:

      joe
         program must be run by joe

      :kids
         program must be run by a member of the 'kids' group

      !:kids
         program must not be run by a member of the 'kids' group

      +upnpd
         program named upnpd

      Important
         The ability to specify a program name was removed from
         Netfilter in kernel version 2.6.14.

   MARK - [!]value[/mask][:C]
      Defines a test on the existing packet or connection mark. The rule
      will match only if the test returns true.

      If you don't want to define a test but need to specify anything in
      the following columns, place a "-" in this field.

      !
         Inverts the test (not equal)

      value
         Value of the packet or connection mark.

      mask
         A mask to be applied to the mark before testing.

      :C
         Designates a connection mark. If omitted, the packet mark's
         value is tested.

   CONNLIMIT - [!]limit[:mask]
      May be used to limit the number of simultaneous connections from
      each individual host. Requires connlimit match in your kernel and
      iptables. While the limit is only checked on rules specifying
      CONNLIMIT, the number of current connections is calculated over
      all current connections from the SOURCE host. By default, the
      limit is applied to each host but can be made to apply to networks
      of hosts by specifying a mask. The mask specifies the width of a
      VLSM mask to be applied to the source address; the number of
      current connections is then taken over all hosts in the subnet
      source-address/mask. When ! is specified, the rule matches when
      the number of connections exceeds the limit.

   TIME - timeelement[&timeelement...]
      May be used to limit the rule to a particular time period each day,
      to particular days of the week or month, or to a range defined by
      dates and times. Requires time match support in your kernel and
      iptables.

      timeelement may be:

      timestart=hh:mm[:ss]
         Defines the starting time of day.

      timestop=hh:mm[:ss]
         Defines the ending time of day.

      utc
         Times are expressed in Greenwich Mean Time.

      localtz
         Times are expressed in Local Civil Time (default).

      weekdays=ddd[,ddd]...
         where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun

      monthdays=dd[,dd],...
         where dd is an ordinal day of the month

      datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
         Defines the starting date and time.

      datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
         Defines the ending date and time.

EXAMPLES
   Example 1:
      Accept SMTP requests from the DMZ to the internet

         #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL
         #                                 PORT   PORT(S)   DEST
         ACCEPT    dmz      net    tcp     smtp

   Example 2:
      Forward all ssh and http connection requests from the internet to
      local system 192.168.1.3

         #ACTION   SOURCE   DEST              PROTO   DEST       SOURCE    ORIGINAL
         #                                            PORT       PORT(S)   DEST
         DNAT      net      loc:192.168.1.3   tcp     ssh,http

   Example 3:
      Forward all http connection requests from the internet to local
      system 192.168.1.3 with a limit of 3 per second and a maximum burst
      of 10

         #ACTION   SOURCE   DEST              PROTO   DEST   SOURCE    ORIGINAL   RATE
         #                                            PORT   PORT(S)   DEST       LIMIT
         DNAT      net      loc:192.168.1.3   tcp     http   -         -          3/sec:10

   Example 4:
      Redirect all locally-originating www connection requests to port
      3128 on the firewall (Squid running on the firewall system) except
      when the destination address is 192.168.2.2

         #ACTION    SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL
         #                                  PORT   PORT(S)   DEST
         REDIRECT   loc      3128   tcp     www    -         !192.168.2.2

   Example 5:
      All http requests from the internet to address 130.252.100.69 are
      to be forwarded to 192.168.1.3

         #ACTION   SOURCE   DEST              PROTO   DEST   SOURCE    ORIGINAL
         #                                            PORT   PORT(S)   DEST
         DNAT      net      loc:192.168.1.3   tcp     80     -         130.252.100.69

   Example 6:
      You want to accept SSH connections to your firewall only from
      internet IP addresses 130.252.100.69 and 130.252.100.70

         #ACTION   SOURCE                              DEST   PROTO   DEST   SOURCE    ORIGINAL
         #                                                            PORT   PORT(S)   DEST
         ACCEPT    net:130.252.100.69,130.252.100.70   $FW \
                                                              tcp     22

   Example 7:
      You wish to accept connections from the internet to your firewall
      on port 2222 and you want to forward them to local system
      192.168.1.3, port 22

         #ACTION   SOURCE   DEST                 PROTO   DEST   SOURCE    ORIGINAL
         #                                               PORT   PORT(S)   DEST
         DNAT      net      loc:192.168.1.3:22   tcp     2222

   Example 8:
      You want to redirect connection requests to port 80 randomly to the
      port range 81-90.

         #ACTION    SOURCE   DEST                PROTO   DEST   SOURCE    ORIGINAL
         #                                               PORT   PORT(S)   DEST
         REDIRECT   net      $FW::81-90:random   tcp     www

   Example 9:
      Shorewall does not impose as much structure on the Netfilter rules
      in the 'nat' table as it does on those in the filter table. As a
      consequence, when using Shorewall versions before 4.1.4, care must
      be exercised when using DNAT and REDIRECT rules with zones defined
      with wildcard interfaces (those ending with '+'). Here is an
      example:

      shorewall-zones[3](5):

         #ZONE   TYPE       OPTIONS
         fw      firewall
         net     ipv4
         dmz     ipv4
         loc     ipv4

      shorewall-interfaces[8](5):

         #ZONE   INTERFACE   BROADC



Translated to my edits:

         #ZONE   INTERFACE   BROADCAST   OPTIONS
         net     ppp0
         loc     eth1        detect
         dmz     eth2        detect
         -       ppp+                    # Addresses are assigned from 192.168.3.0/24

      shorewall-hosts[10](5):

         #ZONE   HOST(S)               OPTIONS
         loc     ppp+:192.168.3.0/24

      rules:

         #ACTION    SOURCE   DEST   PROTO   DEST
         #                                  PORT(S)
         REDIRECT   loc      3128   tcp     80

      Note that it would have been tempting to simply define the loc zone
      entirely in shorewall-interfaces(5):

         #******************* INCORRECT *****************
         #ZONE   INTERFACE   BROADCAST   OPTIONS
         net     ppp0
         loc     eth1        detect
         loc     ppp+
         dmz     eth2

      This would have made it impossible to run an internet-accessible web
      server in the DMZ because all traffic entering ppp+ interfaces
      would have been redirected to port 3128 on the firewall and there
      would have been no net->fw ACCEPT rule for that traffic.

   Example 10:
      Add the tuple (source IP, dest port, dest IP) of an incoming SSH
      connection to the ipset S:

         #ACTION               SOURCE   DEST   PROTO   DEST
         #                                             PORT(S)
         ADD(+S:dst,src,dst)   net      fw     tcp     22

   Example 11:
      You wish to limit SSH connections from remote systems to 1/min with
      a burst of three (to allow for limited retry):

         #ACTION       SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE
         #                                     PORT(S)   PORT(S)   DEST       LIMIT
         SSH(ACCEPT)   net      all    -       -         -         -          s:1/min:3
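   As an added example (not Shorewall's own code), the Python below parses a rules file in the layout described above (columns, SECTION headers, COMMENT lines and the backslash continuation used in Example 6), flags rules that break constraints this page states (targets permitted in the ESTABLISHED and RELATED sections, RATE LIMIT syntax, section order) and resolves which rule decides a request by first-terminating-match, with LOG, COUNT, ADD and DEL treated as non-terminating. The sample rules are constructed from this page's examples; host lists are assumed to be plain IP/CIDR lists (no exclusions, ranges, MAC addresses or ipsets), and a None result means the policy applies.

```python
"""Added example (not Shorewall's own code): parse a rules file as described above, lint it
against a few constraints this man page states, and evaluate first-terminating-match."""
import ipaddress
import re

COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DEST_PORTS", "SOURCE_PORTS",
           "ORIGINAL_DEST", "RATE_LIMIT", "USER_GROUP", "MARK", "CONNLIMIT", "TIME"]
SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "NEW"]
STATE_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE"}  # all that ESTABLISHED/RELATED allow
NON_TERMINATING = {"LOG", "COUNT", "ADD", "DEL"}              # packet goes on to the next rule
# RATE LIMIT column: [{s|d}:[[name]:]]rate/{sec|min|hour|day}[:burst]
RATE_RE = re.compile(r"^(?:[sd]:(?:\w*:)?)?\d+/(?:sec|min|hour|day)(?::\d+)?$")

def target(rule: dict) -> str:  # bare ACTION target: drop (params), :level[!][:tag], trailing '!'
    return re.sub(r"\(.*?\)", "", rule["ACTION"]).split(":")[0].rstrip("!")

def _logical_lines(text: str):
    """Yield (first line number, text): join backslash continuations, skip # comments."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined, buf = (buf + line).strip(), ""
        if joined and not joined.startswith("#"):
            yield start, joined

def parse_rules(text: str) -> tuple:
    """Return (rules, section problems); with no SECTION header every rule is in NEW."""
    rules, problems, section, seen = [], [], "NEW", []
    for lineno, line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "SECTION":
            section = fields[1] if len(fields) > 1 else "?"
            if section not in SECTION_ORDER or (
                    seen and SECTION_ORDER.index(section) <= SECTION_ORDER.index(seen[-1])):
                problems.append(f"line {lineno}: unknown or out-of-order SECTION {section}")
            else:
                seen.append(section)
        elif fields[0] != "COMMENT":  # COMMENT only annotates the rules that follow it
            cols = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
            rules.append({"SECTION": section, "LINE": lineno, **cols})
    return rules, problems

def lint(rules: list) -> list:
    """Checks taken from the column descriptions in shorewall-rules(5)."""
    out = []
    for r in rules:
        t, where = target(r), f"line {r['LINE']}"
        if r["SECTION"] in ("ESTABLISHED", "RELATED") and t not in STATE_TARGETS:
            out.append(f"{where}: {t} not allowed in SECTION {r['SECTION']}")
        if r["RATE_LIMIT"] != "-" and not RATE_RE.match(r["RATE_LIMIT"]):
            out.append(f"{where}: bad RATE LIMIT {r['RATE_LIMIT']!r}")
    return out

def _host_matches(col: str, zone: str, ip) -> bool:
    """SOURCE/DEST column vs (zone, ip): zone-lists, all/any[+][-], $FW and IP/CIDR lists."""
    spec, _, rest = col.partition(":")
    base, hosts = spec.rstrip("+-"), rest.split(":")[0]  # hosts: drop a trailing :port[:random]
    if spec == "none" or (base in ("all", "any") and zone == "$FW" and spec.endswith("-")):
        return False
    if base not in ("all", "any") and zone not in base.split(","):
        return False
    return not hosts or ip is None or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(h, strict=False) for h in hosts.split(","))

def first_match(rules, src, dst, proto, dport, src_ip=None, section="NEW"):
    """Walk one section in file order; the first terminating match wins, None means policy."""
    for r in rules:
        if r["SECTION"] != section or not _host_matches(r["SOURCE"], src, src_ip):
            continue
        if not _host_matches(r["DEST"], dst, None) or r["PROTO"] not in ("-", "all", proto):
            continue
        if r["PROTO"] != "all" and r["DEST_PORTS"] != "-" and dport not in r["DEST_PORTS"].split(","):
            continue  # DEST PORT(S): comma list of names/numbers (ranges not handled here)
        if target(r) not in NON_TERMINATING:  # LOG/COUNT/ADD/DEL fall through to the next rule
            return r
    return None

# Constructed sample modelled on this page's examples, with deliberate mistakes for lint to find.
SAMPLE_RULES = """\
SECTION ESTABLISHED
COUNT    net                                $FW
SECTION NEW
LOG:info net                                $FW                tcp   22
ACCEPT   net:130.252.100.69,130.252.100.70  $FW \\
                                                               tcp   22
DROP     net                                $FW                tcp   22
DNAT     net                                loc:192.168.1.3    tcp   http  -   -   3/sec:10
ACCEPT   dmz                                all                tcp   25    -   -   x/min
"""
RULES, SECTION_PROBLEMS = parse_rules(SAMPLE_RULES)
```

Running `lint(RULES)` on the sample reports the COUNT rule in SECTION ESTABLISHED and the malformed RATE LIMIT, and `first_match(RULES, "net", "$FW", "tcp", "22", src_ip="198.51.100.7")` returns the DROP rule because the LOG rule is non-terminating and the ACCEPT rule's host list does not include that address.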

FILES
   /etc/shorewall/rules

SEE ALSO
   http://www.shorewall.net/ipsets.html

   shorewall(8), shorewall-accounting(5), shorewall-actions(5),
   shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
   shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
   shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
   shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
   shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
   shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
   shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
   shorewall-zones(5)

NOTES
    1. shorewall-policy
       http://www.shorewall.net/manpages/shorewall-policy.html

    2. shorewall.conf
       http://www.shorewall.net/manpages/shorewall.conf.html

    3. shorewall-zones
       http://www.shorewall.net/manpages/shorewall-zones.html

    4. shorewall-nesting
       http://www.shorewall.net/manpages/shorewall-nesting.html

    5. http://www.shorewall.net/shorewall_logging.html
       http://www.shorewall.net/shorewall.logging.html

    6. shorewall-actions
       http://www.shorewall.net/manpages/shorewall-actions.html

    7. shorewall-exclusion
       http://www.shorewall.net/manpages/shorewall-exclusion.html

    8. shorewall-interfaces
       http://www.shorewall.net/manpages/shorewall-interfaces.html

    9. http://shorewall.net/PortKnocking.html
       http://www.shorewall.net/manpages/../PortKnocking.html

   10. shorewall-hosts
       http://www.shorewall.net/manpages/shorewall-hosts.html



[FIXME: source]                    09/16/2011                  SHOREWALL-RULES(5)