SHOREWALL-RULES(5)            Configuration Files           SHOREWALL-RULES(5)


NAME

       rules - Shorewall rules file


SYNOPSIS

       /etc/shorewall[6]/rules


DESCRIPTION

       Entries in this file govern connection establishment by defining
       exceptions to the policies laid out in shorewall-policy[1](5). By
       default, subsequent requests and responses are automatically allowed
       using connection tracking. For any particular (source,dest) pair of
       zones, the rules are evaluated in the order in which they appear in
       this file and the first terminating match is the one that determines
       the disposition of the request. All rules are terminating except LOG
       and COUNT rules.

           Warning
           If you masquerade or use SNAT from a local system to the internet,
           you cannot use an ACCEPT rule to allow traffic from the internet to
           that system. You must use a DNAT rule instead.

       The rules file is divided into sections. Each section is introduced by
       a "Section Header" which is a line beginning with ?SECTION and followed
       by the section name.

       Sections are as follows and must appear in the order listed:

       ALL
           This section was added in Shorewall 4.4.23. Rules in this section
           are applied, regardless of the connection tracking state of the
           packet, and are applied before rules in the other sections.

       ESTABLISHED
           Packets in the ESTABLISHED state are processed by rules in this
           section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit ACCEPT rule inserted at the end of this
           section.

       RELATED
           Packets in the RELATED state are processed by rules in this
           section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit rule added at the end of this section that
           invokes the RELATED_DISPOSITION (shorewall.conf[2](5)).

       INVALID
           Added in Shorewall 4.5.13. Packets in the INVALID state are
           processed by rules in this section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit rule added at the end of this section that
           invokes the INVALID_DISPOSITION (shorewall.conf[2](5)).

       UNTRACKED
           Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
           processed by rules in this section.

           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
           LOG, NFLOG, NFQUEUE and QUEUE.

           There is an implicit rule added at the end of this section that
           invokes the UNTRACKED_DISPOSITION (shorewall.conf[2](5)).

       NEW
           Packets in the NEW state are processed by rules in this section. If
           the INVALID and/or UNTRACKED sections are empty or not included,
           then the packets in the corresponding state(s) are also processed
           in this section.

           Note
           If you are not familiar with Netfilter to the point where you are
           comfortable with the differences between the various connection
           tracking states, then it is suggested that you place all of your
           rules in the NEW section (that is, after the line that reads
           '?SECTION NEW').

           Warning
           If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the ALL,
           ESTABLISHED and RELATED sections must be empty.

           An exception is made if you are running Shorewall 4.4.27 or later
           and you have specified a non-default value for RELATED_DISPOSITION
           or RELATED_LOG_LEVEL. In that case, you may have rules in the
           RELATED section of this file.

       You may omit any section that you don't need. If no Section Headers
       appear in the file then all rules are assumed to be in the NEW section.

       When defining rules that rewrite the destination IP address and/or port
       number (namely DNAT and REDIRECT rules), it is important to keep
       straight which columns in the file specify the packet before rewriting
       and which specify how the packet will look after rewriting.

       ·   The DEST column specifies the final destination for the packet
           after rewriting and can include the final IP address and/or port
           number.

       ·   The remaining columns specify characteristics of the packet before
           rewriting. In particular, the ORIGDEST column gives the original
           destination IP address of the packet and the DPORT column gives the
           original destination port(s).
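       The following lint, added here as an example and not part of Shorewall
       or of this manual, checks a constructed rules file against the section
       constraints stated above (section order, the restricted ACTION set of
       the ESTABLISHED/RELATED/INVALID/UNTRACKED sections, the FASTACCEPT=Yes
       emptiness rule, and the default to NEW when no ?SECTION header is
       present); the sample file also shows a DNAT rule with DEST holding the
       rewritten address and ORIGDEST the address the client used. The
       parse_rules() and lint() helpers are assumptions, not a Shorewall API,
       and the 4.4.27 RELATED_DISPOSITION exception is not modelled.

```python
"""Lint for the section layout of a Shorewall rules file (added example).

Implements only what shorewall-rules(5) states: sections must appear in
order; ESTABLISHED, RELATED, INVALID and UNTRACKED accept only ACCEPT,
DROP, REJECT, LOG, NFLOG, NFQUEUE and QUEUE; with FASTACCEPT=Yes the ALL,
ESTABLISHED and RELATED sections must be empty; rules before any ?SECTION
header are in NEW.  parse_rules() and lint() are hypothetical helpers.
"""
import re

SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED", "NEW"]
RESTRICTED_SECTIONS = {"ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}
RESTRICTED_ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG", "NFLOG", "NFQUEUE", "QUEUE"}
FASTACCEPT_EMPTY = ["ALL", "ESTABLISHED", "RELATED"]

# Constructed sample in the classic whitespace-separated column layout
# (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST); not a real deployment.
SAMPLE_RULES = """\
?SECTION ALL
DROP         net    $FW                 tcp   23            # any conntrack state
?SECTION ESTABLISHED
LOG:info     net    loc
?SECTION NEW
?COMMENT DMZ web server (DEST = rewritten target, ORIGDEST = address the client used)
DNAT         net    dmz:10.0.0.2:8080   tcp   80    -     203.0.113.10
ACCEPT       loc    net
Web(ACCEPT)  loc    dmz
REJECT!      all    all
"""


def base_target(action):
    """'NFQUEUE(1:3c,bypass):info:tag' -> 'NFQUEUE'.  '(params)' is stripped
    first so a colon inside them is not taken for the log-level separator."""
    return re.sub(r"\([^)]*\)", "", action).split(":", 1)[0]


def parse_rules(text):
    """Yield (lineno, section, action, columns); a ?SECTION header yields
    action None.  '#' comments, blank lines and other '?' directives such
    as ?COMMENT are skipped.  Rules before any header belong to NEW."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("?SECTION"):
            section = line.split()[1]
            yield lineno, section, None, []
        elif line.startswith("?"):
            continue
        else:
            cols = line.split()
            yield lineno, section or "NEW", cols[0], cols[1:]


def lint(text, fastaccept=False):
    """Return a list of findings (empty when clean); fastaccept mirrors the
    FASTACCEPT setting of shorewall.conf."""
    findings, seen, counts = [], [], {}
    for lineno, section, action, _cols in parse_rules(text):
        if action is None:                          # a ?SECTION header
            if section not in SECTION_ORDER:
                findings.append(f"line {lineno}: unknown section {section}")
                continue
            if seen and SECTION_ORDER.index(section) <= SECTION_ORDER.index(seen[-1]):
                findings.append(f"line {lineno}: section {section} out of order after {seen[-1]}")
            seen.append(section)
            continue
        counts[section] = counts.get(section, 0) + 1
        # compare the bare target name against the list the man page gives
        if section in RESTRICTED_SECTIONS and base_target(action) not in RESTRICTED_ACTIONS:
            findings.append(f"line {lineno}: {action} is not allowed in section {section}")
    if fastaccept:
        for name in FASTACCEPT_EMPTY:
            if counts.get(name):
                findings.append(f"FASTACCEPT=Yes but section {name} holds {counts[name]} rule(s)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES, fastaccept=True) or ["clean"]:
        print(finding)
```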
115
       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).

       ACTION - target[:{log-level|none}[!][:tag]]
           Specifies the action to be taken if the connection request matches
           the rule. target must be one of the following.

           ACCEPT
               Allow the connection request.

           ACCEPT+
               like ACCEPT but also excludes the connection from any
               subsequent matching DNAT[-] or REDIRECT[-] rules. Use with IPv6
               requires Shorewall 4.5.14 or later.

           ACCEPT!
               like ACCEPT but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           action
               The name of an action declared in shorewall-actions[3](5) or in
               /usr/share/shorewall[6]/actions.std.

           ADD(ipset:flags[:timeout])
               Added in Shorewall 4.4.12. Causes addresses and/or port numbers
               to be added to the named ipset. The flags specify the address
               or tuple to be added to the set and must match the type of
               ipset involved. For example, for an iphash ipset, either the
               SOURCE or DESTINATION address can be added using flags src or
               dst respectively (see the -A command in ipset (8)).

               Beginning with Shorewall 5.0.3, an optional timeout can be
               specified. This is the number of seconds that the new entry in
               the ipset is to remain valid and overrides any timeout
               specified when the ipset was created.

               ADD is non-terminating. Even if a packet matches the rule, it
               is passed on to the next rule.

           AUDIT[(accept|drop|reject)]
               Added in Shorewall 4.5.10. Audits the packet with the specified
               type; if the type is omitted, then drop is assumed. Requires
               AUDIT_TARGET support in the kernel and iptables.

           A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
               Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
               and ACCEPT! respectively. Require AUDIT_TARGET support in the
               kernel and iptables. A_ACCEPT+ with IPv6 requires Shorewall
               4.5.14 or later.

           A_DROP and A_DROP!
               Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
               respectively. Require AUDIT_TARGET support in the kernel and
               iptables.

           A_REJECT and A_REJECT!
               Added in Shorewall 4.4.20. Audited versions of REJECT and
               REJECT! respectively. Require AUDIT_TARGET support in the
               kernel and iptables.

           ?COMMENT
               the rest of the line will be attached as a comment to the
               Netfilter rule(s) generated by the following entries. The
               comment will appear delimited by "/* ... */" in the output of
               "shorewall show <chain>". To stop the comment from being
               attached to further rules, simply include ?COMMENT on a line by
               itself.
184
           CONNMARK({mark})
               Added in Shorewall 5.0.7. CONNMARK is identical to MARK with
               the exception that the mark is assigned to the connection to
               which the packet belongs rather than to the packet itself.

           CONTINUE
               For experts only.

               Do not process any of the following rules for this (source
               zone,destination zone). If the source and/or destination IP
               address falls into a zone defined later in
               shorewall-zones[4](5) or in a parent zone of the source or
               destination zones, then this connection request will be passed
               to the rules defined for that (those) zone(s). See
               shorewall-nesting[5](5) for additional information.

           CONTINUE!
               like CONTINUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           COUNT
               Simply increment the rule's packet and byte count and pass the
               packet to the next rule.

           DEL(ipset:flags)
               Added in Shorewall 4.4.12. Causes an entry to be deleted from
               the named ipset. The flags specify the address or tuple to be
               deleted from the set and must match the type of ipset involved.
               For example, for an iphash ipset, either the SOURCE or
               DESTINATION address can be deleted using flags src or dst
               respectively (see the -D command in ipset (8)).

               DEL is non-terminating. Even if a packet matches the rule, it
               is passed on to the next rule.

           DNAT
               Forward the request to another system (and optionally another
               port). Use with IPv6 requires Shorewall 4.5.14 or later.

           DNAT-
               Advanced users only.

               Like DNAT but only generates the DNAT iptables rule and not the
               companion ACCEPT rule. Use with IPv6 requires Shorewall 4.5.14
               or later.

           DROP
               Ignore the request.

           DROP!
               like DROP but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           HELPER
               Added in Shorewall 4.5.7. This action requires that the HELPER
               column contains the name of the Netfilter helper to be
               associated with connections matching this rule. May only be
               specified in the NEW section and is useful for being able to
               specify a helper when the applicable policy is ACCEPT. No
               destination zone should be specified in HELPER rules.

           INLINE[(action)]
               Added in Shorewall 4.5.16. This action allows you to construct
               most of the rule yourself using iptables syntax. The part that
               you specify must follow two semicolons (';;') and is completely
               free-form. If the target of the rule (the part following '-j')
               is something that Shorewall supports in the ACTION column, then
               you may enclose it in parentheses (e.g., INLINE(ACCEPT)).
               Otherwise, you can include it after the semicolon(s). In this
               case, you must declare the target as a builtin action in
               shorewall-actions[3](5).

               Some considerations when using INLINE:

               ·   The p, s, d, i, o, policy, and state (state or
                   conntrack --ctstate) matches will always appear at the
                   front of the rule in that order.

               ·   When multiple matches are specified, the compiler will keep
                   them in the order in which they appear (excluding the above
                   listed ones), but they will not necessarily be at the end
                   of the generated rule. For example, if addresses are
                   specified in the SOURCE and/or DEST columns, their
                   generated matches will appear after those specified using
                   ';;' or ';'.
270
           IPTABLES(iptables-target [option ...])
               IPv4 only. This action allows you to specify an iptables target
               with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'). If
               the iptables-target is not one recognized by Shorewall, the
               following error message will be issued:

                       ERROR: Unknown target (iptables-target)

               This error message may be eliminated by adding the
               iptables-target as a builtin action in shorewall-actions[3](5).

                   Important
                   If you specify REJECT as the iptables-target, the target of
                   the rule will be the iptables REJECT target and not
                   Shorewall's builtin 'reject' chain which is used when
                   REJECT (see below) is specified as the target in the ACTION
                   column.

           IP6TABLES(ip6tables-target [option ...])
               IPv6 only. This action allows you to specify an ip6tables
               target with options (e.g., 'IP6TABLES(MARK --set-xmark
               0x01/0xff)'). If the ip6tables-target is not one recognized by
               Shorewall, the following error message will be issued:

                       ERROR: Unknown target (ip6tables-target)

               This error message may be eliminated by adding the
               ip6tables-target as a builtin action in
               shorewall-actions[6](5).

                   Important
                   If you specify REJECT as the ip6tables-target, the target
                   of the rule will be the ip6tables REJECT target and not
                   Shorewall's builtin 'reject' chain which is used when
                   REJECT (see below) is specified as the target in the ACTION
                   column.
307
           LOG:level
               Simply log the packet and continue with the next rule.

           macro[(macrotarget)]
               The name of a macro defined in a file named macro.macro. If the
               macro accepts an action parameter (look at the macro source to
               see if it has PARAM in the TARGET column) then the macro name
               is followed by the parenthesized macrotarget (ACCEPT, DROP,
               REJECT, ...) to be substituted for the parameter.

               Example: FTP(ACCEPT).

               The older syntax where the macro name and the target are
               separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
               deprecated.

           MARK({mark})
               where mark is a packet mark value.

               Added in Shorewall 5.0.7, MARK requires "Mark in filter table"
               support in your kernel and iptables.

               Normally will set the mark value of the current packet. If
               preceded by a vertical bar ("|"), the mark value will be
               logically ORed with the current mark value to produce a new
               mark value. If preceded by an ampersand ("&"), will be
               logically ANDed with the current mark value to produce a new
               mark value.

               Both "|" and "&" require Extended MARK Target support in your
               kernel and iptables.

               The mark value may be optionally followed by "/" and a mask
               value (used to determine those bits of the connection mark to
               actually be set). When a mask is specified, the result of
               logically ANDing the mark value with the mask must be the same
               as the mark value.

           NFLOG[(nflog-parameters)]
               Added in Shorewall 4.5.9.3. Queues matching packets to a back
               end logging daemon via a netlink socket then continues to the
               next rule. See
               http://www.shorewall.net/shorewall_logging.html[7].

               The nflog-parameters are a comma-separated list of up to 3
               numbers:

               ·   The first number specifies the netlink group (0-65535). If
                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

               ·   The second number specifies the maximum number of bytes to
                   copy. If omitted, 0 (no limit) is assumed.

               ·   The third number specifies the number of log messages that
                   should be buffered in the kernel before they are sent to
                   user space. The default is 1.

               NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
               the log level is not changed when this ACTION is used in an
               action or macro body and the invocation of that action or macro
               specifies a log level.

           NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
               Queues the packet to a user-space application using the
               nfnetlink_queue mechanism. If a queuenumber1 is not specified,
               queue zero (0) is assumed. Beginning with Shorewall 4.6.10, the
               keyword bypass can be given. By default, if no userspace
               program is listening on an NFQUEUE, then all packets that are
               to be queued are dropped. When this option is used, the NFQUEUE
               rule is silently bypassed instead. The packet will move on to
               the next rule. Also beginning in Shorewall 4.6.10, a second
               queue number (queuenumber2) may be specified. This specifies a
               range of queues to use. Packets are then balanced across the
               given queues. This is useful for multicore systems: start
               multiple instances of the userspace program on queues x, x+1,
               .. x+n and use "x:x+n". Packets belonging to the same
               connection are put into the same nfqueue.

               Beginning with Shorewall 5.1.0, queuenumber2 may be followed by
               the letter 'c' to indicate that the CPU ID will be used as an
               index to map packets to the queues. The idea is that you can
               improve performance if there's a queue per CPU. Requires the
               NFQUEUE CPU Fanout capability in your kernel and iptables.

           NFQUEUE![([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
               like NFQUEUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).
395
           NONAT
               Excludes the connection from any subsequent DNAT[-] or
               REDIRECT[-] rules but doesn't generate a rule to accept the
               traffic. Use with IPv6 requires Shorewall 4.5.14 or later.

           QUEUE
               Queue the packet to a user-space application such as ftwall
               (http://p2pwall.sf.net). The application may reinsert the
               packet for further processing.

           QUEUE!
               like QUEUE but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           REJECT[(option)]
               disallow the request and return an icmp-unreachable or an RST
               packet. If no option is passed, Shorewall selects the
               appropriate option based on the protocol of the packet.

               Beginning with Shorewall 5.0.8, the type of reject may be
               specified in the option parameter. Valid IPv4 option values
               are:

               ·   icmp-net-unreachable

               ·   icmp-host-unreachable

               ·   icmp-port-unreachable

               ·   icmp-proto-unreachable

               ·   icmp-net-prohibited

               ·   icmp-host-prohibited

               ·   icmp-admin-prohibited

               ·   icmp-tcp-reset (the PROTO column must specify TCP).
                   Beginning with Shorewall 5.1.3, this option may also be
                   specified as tcp-reset.

               Valid IPv6 option values are:

               ·   icmp6-no-route

               ·   no-route

               ·   icmp6-adm-prohibited

               ·   adm-prohibited

               ·   icmp6-addr-unreachable

               ·   addr-unreach

               ·   icmp6-port-unreachable

               ·   tcp-reset (the PROTO column must specify TCP)

           REJECT!
               like REJECT but exempts the rule from being suppressed by
               OPTIMIZE=1 in shorewall.conf[2](5).

           REDIRECT
               Redirect the request to a server running on the firewall. Use
               with IPv6 requires Shorewall 4.5.14 or later.

           REDIRECT-
               Advanced users only.

               Like REDIRECT but only generates the REDIRECT iptables rule and
               not the companion ACCEPT rule. Use with IPv6 requires Shorewall
               4.5.14 or later.
455
           TARPIT [(tarpit | honeypot | reset)]
               Added in Shorewall 4.6.6.

               TARPIT captures and holds incoming TCP connections using no
               local per-connection resources.

               TARPIT only works with the PROTO column set to tcp (6), and is
               totally application agnostic. This module will answer a TCP
               request and play along like a listening server, but aside from
               sending an ACK or RST, no data is sent. Incoming packets are
               ignored and dropped. The attacker will terminate the session
               eventually. This module allows the initial packets of an attack
               to be captured by other software for inspection. In most cases
               this is sufficient to determine the nature of the attack.

               This offers similar functionality to LaBrea
               <http://www.hackbusters.net/LaBrea/> but does not require
               dedicated hardware or IPs. Any TCP port that you would normally
               DROP or REJECT can instead become a tarpit.

               The target accepts a single optional parameter:

               tarpit
                   This mode is the default and completes a connection with
                   the attacker but limits the window size to 0, thus keeping
                   the attacker waiting long periods of time. While he is
                   maintaining state of the connection and trying to continue
                   every 60-240 seconds, we keep none, so it is very
                   lightweight. Attempts to close the connection are ignored,
                   forcing the remote side to time out the connection in 12-24
                   minutes.

               honeypot
                   This mode completes a connection with the attacker, but
                   signals a normal window size, so that the remote side will
                   attempt to send data, often with some very nasty exploit
                   attempts. We can capture these packets for decoding and
                   further analysis. The module does not send any data, so if
                   the remote expects an application level response, the game
                   is up.

               reset
                   This mode is handy because we can send an inline RST
                   (reset). It has no other function.

           ULOG[(ulog-parameters)]
               IPv4 only. Added in Shorewall 4.5.10. Queues matching packets
               to a back end logging daemon via a netlink socket then
               continues to the next rule. See shorewall-logging(5)[8].

               Similar to LOG:ULOG[(ulog-parameters)], except that the log
               level is not changed when this ACTION is used in an action or
               macro body and the invocation of that action or macro specifies
               a log level.

           The target may optionally be followed by ":" and a syslog log level
           (e.g., REJECT:info or Web(ACCEPT):debug). This causes the packet to
           be logged at the specified level. Note that if the ACTION involves
           destination network address translation (DNAT, REDIRECT, etc.) then
           the packet is logged before the destination address is rewritten.

           If the ACTION names an action declared in shorewall-actions[3](5)
           or in /usr/share/shorewall/actions.std then:

           ·   If the log level is followed by "!" then all rules in the
               action are logged at the log level.

           ·   If the log level is not followed by "!" then only those rules
               in the action that do not specify logging are logged at the
               specified level.

           ·   The special log level none! suppresses logging by the action.

           You may also specify ULOG (IPv4 only) or NFLOG (must be in upper
           case) as a log level. This will log to the ULOG or NFLOG target for
           routing to a separate log through use of ulogd
           (shorewall-logging(5)[8]).

           Actions specifying logging may be followed by a log tag (a string
           of alphanumeric characters) which is appended to the string
           generated by the LOGPREFIX (in shorewall.conf[2](5)).

           Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
           prefix generated by the LOGPREFIX setting.
540
       SOURCE - source-spec[,...]
           Source hosts to which the rule applies.

           source-spec is one of the following:

           zone[,...[+]]
               The name of a zone defined in shorewall-zones[4](5). When only
               the zone name is specified, the packet source may be any host
               in that zone.

               zone may also be one of the following:

               all[+][-]
                   all, without the "-", means "All Zones, including the
                   firewall zone". If the "-" is included, the firewall zone
                   is omitted. Normally all omits intra-zone traffic, but
                   intra-zone traffic can be included by specifying "+".

               any[+][-]
                   any is equivalent to all when there are no nested zones.
                   When there are nested zones, any only refers to top-level
                   zones (those with no parent zones). Note that any excludes
                   all vserver zones, since those zones are nested within the
                   firewall zone.

               none
                   When none is used either in the SOURCE or DEST column, the
                   rule is ignored.

               As with all and any, intra-zone traffic is normally excluded
               when multiple zones are listed. Intra-zone traffic may be
               included by following the list with a plus sign ("+").

               all and any may be followed by an exclamation point ("!") and a
               comma-separated list of zone names to be omitted.

           zone:[!]interface
               When this form is used, interface must be the name of an
               interface associated with the named zone in either
               shorewall-interfaces[9](5) or shorewall-hosts[10](5). Only
               packets from hosts in the zone that arrive through the named
               interface will match the rule.

               Beginning with Shorewall 5.2.1, the interface may be preceded
               with '!' which matches all interfaces associated with the zone
               except the one specified.

           zone:address[,...]
               where address can be:

               ·   A host or network IP address. A network address may be
                   followed by exclusion (see shorewall-exclusion[11](5)).

               ·   An address range, specified using the syntax
                   lowaddress-highaddress.

               ·   +ipset where ipset is the name of an ipset and must be
                   preceded by a plus sign ("+").

               ·   A MAC address in Shorewall format (preceded by a tilde
                   ("~") and with the hex byte values separated by dashes
                   (e.g., "~00-0a-f6-04-9c-7d").

               ·   ^country-code where country-code is a two-character
                   ISO 3166 country code preceded by a caret ("^").

               ·   ^country-code-list where country-code-list is a
                   comma-separated list of up to 15 ISO 3166 country codes
                   enclosed in square brackets ("[...]").

               ·   The primary IP address of a firewall interface can be
                   specified by an ampersand ('&') followed by the logical
                   name of the interface as found in the INTERFACE column of
                   shorewall-interfaces[9](5).

           zone:interface:address[,...]
               This form combines the preceding two and requires that both the
               incoming interface and source address match.

           zone:exclusion
               This form matches if the host IP address does not match any of
               the entries in the exclusion (see shorewall-exclusion[11](5)).

           zone:interface:exclusion
               This form matches packets from the named zone entering through
               the specified interface where the source address does not match
               any entry in the exclusion.
628
629           Beginning with Shorewall 5.1.0, multiple source-specs may be
630           listed, provided that extended forms of the source-spec are used:
631           zone:(interface)
632
633           zone:(address[,...])
634
635           zone:(interface:address[,...])
636
637           zone:(exclusion)
638
639           zone:(interface:exclusion) Examples:
640
641           dmz:192.168.2.2
642               Host 192.168.2.2 in the DMZ
643
644           net:155.186.235.0/24
645               Subnet 155.186.235.0/24 on the Internet
646
647           loc:192.168.1.1,192.168.1.2
648               Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
649
650           loc:~00-A0-C9-15-39-78
651               Host in the local zone with MAC address 00:A0:C9:15:39:78.
652
653           net:192.0.2.11-192.0.2.17
654               Hosts 192.0.2.11-192.0.2.17 in the net zone.
655
656           net:!192.0.2.11-192.0.2.17
657               All hosts in the net zone except for 192.0.2.11-192.0.2.17.
658
659           net:155.186.235.0/24!155.186.235.16/28
660               Subnet 155.186.235.0/24 on the Internet except for
661               155.186.235.16/28
662
663           $FW:&eth0
664               The primary IP address of eth0 in the firewall zone.
665
666           loc,dmz
667               Both the loc and dmz zones.
668
669           all!dmz
670               All but the dmz zone.
671
672           net:^CN
673               China.
674
675           loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
676               Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
677               arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
678               dmz zone when the packet arrives through eth2 plus all of the
679               net zone.
680
681           dmz:[2002:ce7c:2b4:1::2]
682               Host 2002:ce7c:92b4:1::2 in the DMZ
683
684           net:2001:4d48:ad51:24::/64
685               Subnet 2001:4d48:ad51:24::/64 on the Internet
686
687           loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
688               Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local
689               zone.
690
694           net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
695               Subnet 2001:4d48:ad51:24::/64 on the Internet except for
696               2001:4d48:ad51:24:6::/80.
697
698       DEST - dest-spec[,...]
699           Destination hosts to which the rule applies.
700
701           dest-spec is one of the following:
702
703           zone[,...[+]]
704               The name of a zone defined in shorewall-zones[4](5). When only
705               the zone name is specified, the packet destination may be any
706               host in that zone.
707
708               zone may also be one of the following:
709
710               all[+][-]
711                   all, without the "-" means "All Zones, including the
712                   firewall zone". If the "-" is included, the firewall zone
713                   is omitted. Normally all omits intra-zone traffic, but
714                   intra-zone traffic can be included specifying "+".
715
716               any[+][-]
717                   any is equivalent to all when there are no nested zones.
718                   When there are nested zones, any only refers to top-level
719                   zones (those with no parent zones). Note that any excludes
720                   all vserver zones, since those zones are nested within the
721                   firewall zone.
722
723               none
724                   When none is used either in the SOURCE or DEST column, the
725                   rule is ignored.
726
727               As with all and any, intra-zone traffic is normally excluded
728               when multiple zones are listed. Intra-zone traffic may be
729               included by following the list with a plus sign ("+").
730
731               all and any may be followed by an exclamation point ("!") and a
732               comma-separated list of zone names to be omitted.
733
734           zone:[!]interface
735               When this form is used, interface must be the name of an
736               interface associated with the named zone in either
737               shorewall-interfaces[9](5) or shorewall-hosts[12](5). Only
738               packets to hosts in the zone that are sent through the named
739               interface will match the rule.
740
741               Beginning with Shorewall 5.2.1, the interface may be preceded
742               with '!' which matches all interfaces associated with the zone
743               except the one specified.
744
745           zone:address[,...]
746               where address can be:
747
748               ·   A host or network IP address. A network address may be
749                   followed by exclusion (see shorewall-exclusion[11](5)).
750
751               ·   An address range, specified using the syntax
752                   lowaddress-highaddress.
753
754               ·   +ipset where ipset is the name of an ipset and must be
755                   preceded by a plus sign ("+").
756
757               ·   ^country-code where country-code is a two-character
758                   ISO-3166 country code preceded by a caret ("^").
759
760               ·   ^country-code-list where country-code-list is a
761                   comma-separated list of up to 15 ISO-3166 country codes
762                   enclosed in square brackets ("[...]").
763
764               ·   The primary IP address of a firewall interface can be
765                   specified by an ampersand ('&') followed by the logical
766                   name of the interface as found in the INTERFACE column of
767                   shorewall-interfaces[9] (5).
768
769           zone:[!]interface:address[,...]
770               This form combines the preceding two and requires that both the
771               outgoing interface and destination address match.
772
773               Beginning with Shorewall 5.2.1, the interface may be preceded
774               with '!' which matches all interfaces associated with the zone
775               except the one specified.
776
777           zone:exclusion
778               This form matches if the host IP address does not match any of
779               the entries in the exclusion (see shorewall-exclusion[11](5)).
780
781           zone:[!]interface:exclusion
782               This form matches packets to the named zone leaving through the
783               specified interface where the destination address does not
784               match any entry in the exclusion.
785
786               Beginning with Shorewall 5.2.1, the interface may be preceded
787               with '!' which matches all interfaces associated with the zone
788               except the one specified.
789
790           [zone]:[server-IP][:port-or-port-range[:random]]
791               This form applies when the ACTION is DNAT[-] or REDIRECT[-].
792               The zone may be omitted in REDIRECT rules ($FW is assumed) and
793               must be omitted in DNAT-, REDIRECT- and NONAT rules.
794
795               server-IP is not allowed in REDIRECT rules and may be omitted
796               in DNAT[-] rules provided that port-or-port-range is included.
797
798               ·   The IP address of the server to which the packet is to be
799                   sent.
800
801               ·   A range of IP addresses with the low and high address
802                   separated by a dash ("-"). Connections are distributed
803                   among the IP addresses in the range.
804
805               If server-IP is omitted in a DNAT[-] rule, only the destination
806               port number is modified by the rule.
807
808               port-or-port-range may be:
809
810               ·   An integer port number in the range 1 - 65535.
811
812               ·   The name of a service from /etc/services.
813
814               ·   A port range with the low and high integer port numbers
815                   separated by a dash ("-"). Connections are distributed
816                   among the ports in the range.
817
818               If random is specified, port mapping will be randomized.
819
820           If the DEST zone is a bport zone, then either:
821
822            1. the SOURCE must be all[+][-], or
823
824            2. the SOURCE zone must be another bport zone associated with the
825               same bridge, or
826
827            3. the SOURCE zone must be an ipv4 zone that is associated with
828               only the same bridge.
829
830           Beginning with Shorewall 5.1.0, multiple dest-specs may be listed,
831           provided that extended forms of the dest-spec are used:
832
833           zone:(interface)
834
835           zone:(address[,...])
836
837           zone:(interface:address[,...])
838
839           zone:(exclusion)
840
841           zone:(interface:exclusion)
842
843           Multiple dest-specs are not permitted in DNAT[-] and REDIRECT[-]
844           rules.
842
843           Examples:
844
845           dmz:192.168.2.2
846               Host 192.168.2.2 in the DMZ
847
848           net:155.186.235.0/24
849               Subnet 155.186.235.0/24 on the Internet
850
851           loc:192.168.1.1,192.168.1.2
852               Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
853
854           net:192.0.2.11-192.0.2.17
855               Hosts 192.0.2.11-192.0.2.17 in the net zone.
856
857           net:!192.0.2.11-192.0.2.17
858               All hosts in the net zone except for 192.0.2.11-192.0.2.17.
859
860           net:155.186.235.0/24!155.186.235.16/28
861               Subnet 155.186.235.0/24 on the Internet except for
862               155.186.235.16/28
863
864           $FW:&eth0
865               The primary IP address of eth0 in the firewall zone.
866
867           loc,dmz
868               Both the loc and dmz zones.
869
870           all!dmz
871               All but the dmz zone.
872
873           net:^CN
874               China.
875
876           dmz:192.168.10.4:25
877               Port 25 on server 192.168.10.4 in the dmz zone (DNAT rule).
878
879           loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
880               Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
881               arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
882               dmz zone when the packet arrives through eth2 plus all of the
883               net zone.
884
885       PROTO -
886       {-|tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
887           Optional Protocol - ipp2p* requires ipp2p match support in your
888           kernel and iptables.  tcp:syn implies tcp plus the SYN flag must be
889           set and the RST, ACK and FIN flags must be reset. Beginning with
890           Shorewall 5.1.3, you may also specify tcp:!syn, which matches if
891           SYN is not set or if RST, ACK or FIN is set.
892
893           Beginning with Shorewall 4.4.19, this column can contain a
894           comma-separated list of protocol-numbers and/or protocol names.
895
896       DPORT -
897       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
898           Optional destination Ports. A comma-separated list of Port names
899           (from services(5)), port numbers or port ranges; if the protocol is
900           icmp, this column is interpreted as the destination icmp-type(s).
901           ICMP types may be specified as a numeric type, a numeric type and
902           code separated by a slash (e.g., 3/4), or a typename. See
903           http://www.shorewall.net/configuration_file_basics.htm#ICMP[13].
904           Note that prior to Shorewall 4.4.19, only a single ICMP type may be
905           listed.
906
907           If the protocol is ipp2p, this column is interpreted as an ipp2p
908           option without the leading "--" (example bit for bit-torrent). If
909           no port is given, ipp2p is assumed.
910
911           A port range is expressed as lowport:highport.
912
913           This column is ignored if PROTO = all but must be entered if any of
914           the following columns are supplied. In that case, it is suggested
915           that this field contain a dash (-).
916
917           If your kernel contains multi-port match support, then only a
918           single Netfilter rule will be generated if in this list and the
919           SPORT list below:
920
921           1. There are 15 or fewer ports listed.
922
923           2. No port ranges are included or your kernel and iptables contain
924           extended multi-port match support.
925
926           Beginning with Shorewall 4.6.0, an ipset name can be specified in
927           this column. This is intended to be used with bitmap:port ipsets.
928
929           This column was formerly labelled DEST PORT(S).
930
931       SPORT -
932       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
933           Optional port(s) used by the client. If omitted, any source port is
934           acceptable. Specified as a comma- separated list of port names,
935           port numbers or port ranges.
936
937           Beginning with Shorewall 4.5.15, you may place '=' in this column,
938           provided that the DPORT column is non-empty. This causes the rule
939           to match when either the source port or the destination port in a
940           packet matches one of the ports specified in the DPORT column. Use
941           of '=' requires multi-port match in your iptables and kernel.
942
943               Warning
944               Unless you really understand IP, you should leave this column
945               empty or place a dash (-) in the column. Most people who try to
946               use this column get it wrong.
946
947           If you don't want to restrict client ports but need to specify an
948           ORIGDEST in the next column, then place "-" in this column.
949
950           If your kernel contains multi-port match support, then only a
951           single Netfilter rule will be generated if in this list and the
952           DPORT list above:
953
954           1. There are 15 or fewer ports listed.
955
956           2. No port ranges are included or your kernel and iptables contain
957           extended multi-port match support.
958
959           Beginning with Shorewall 4.6.0, an ipset name can be specified in
960           this column. This is intended to be used with bitmap:port ipsets.
961
962           This column was formerly labelled SOURCE PORT(S).
963
964       ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
965           Optional. If ACTION is DNAT[-] or REDIRECT[-] then if this column
966           is included and is different from the IP address given in the DEST
967           column, then connections destined for that address will be
968           forwarded to the IP and port specified in the DEST column.
969
970           A comma-separated list of addresses may also be used. This is most
971           useful with the REDIRECT target where you want to redirect traffic
972           destined for particular set of hosts. Finally, if the list of
973           addresses begins with "!" (exclusion) then the rule will be
974           followed only if the original destination address in the connection
975           request does not match any of the addresses listed.
976
977           Beginning with Shorewall 4.4.17, the primary IP address of a
978           firewall interface can be specified by an ampersand ('&') followed
979           by the logical name of the interface as found in the INTERFACE
980           column of shorewall-interfaces[9] (5).
981
982           For other actions, this column may be included and may contain one
983           or more addresses (host or network) separated by commas. Address
984           ranges are not allowed. When this column is supplied, rules are
985           generated that require that the original destination address
986           matches one of the listed addresses. This feature is most useful
987           when you want to generate a filter rule that corresponds to a DNAT-
988           or REDIRECT- rule. In this usage, the list of addresses should not
989           begin with "!".
990
991           It is also possible to specify a set of addresses then exclude part
992           of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
993           specifies the addresses 192.168.1.0-192.168.1.15 and
994           192.168.1.32-192.168.1.255. See shorewall-exclusion[11](5).
995
996           See http://www.shorewall.net/PortKnocking.html[14] for an example
997           of using an entry in this column with a user-defined action rule.
998
999           This column was formerly labelled ORIGINAL DEST.
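           The exclusion arithmetic used in the SOURCE and DEST examples above
           (e.g., net:155.186.235.0/24!155.186.235.16/28, net:!192.0.2.11-192.0.2.17)
           and in the ORIGDEST example just given can be checked with the
           following script. It is an added example, not part of Shorewall;
           resolve_spec and resolve_addresses are names chosen here, and only the
           IP-address forms of a spec (host, network, range, bracketed IPv6,
           exclusion) are handled.

```python
import ipaddress
from typing import List, Tuple

# Added example, not Shorewall code: resolve the address part of a
# SOURCE/DEST or ORIGDEST entry into the concrete address ranges it
# covers, so an exclusion such as 192.168.1.0/24!192.168.1.16/28 can be
# checked rather than worked out by hand. Handles host/network entries,
# lowaddress-highaddress ranges, IPv6 in square brackets and "!"
# exclusions (leading or trailing). MAC (~), ipset (+), country (^) and
# interface (&) forms are rejected because they cannot be resolved offline.

Range = Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress]


def _items(text: str) -> list:
    """Parse a comma-separated address list into ipaddress networks."""
    nets = []
    for item in filter(None, text.split(",")):
        item = item.replace("[", "").replace("]", "")      # IPv6 bracket form
        if item[0] in "~+^&":
            raise ValueError(f"{item!r}: only IP address forms can be resolved")
        if "-" in item:                                     # lowaddress-highaddress
            lo, hi = (ipaddress.ip_address(p) for p in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"range {item!r}: high address below low address")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def resolve_addresses(spec: str) -> List[Range]:
    """Return sorted, merged (first, last) ranges matched by an address spec."""
    if not spec or any(c.isspace() for c in spec):
        raise ValueError("an address spec must be non-empty and contain no white-space")
    if spec.startswith("!"):                    # "!exclusion": everything except
        included_txt, excluded_txt = "", spec[1:]
    else:
        included_txt, _, excluded_txt = spec.partition("!")
    excluded = _items(excluded_txt)
    if included_txt:
        included = _items(included_txt)
    else:
        v6 = excluded and excluded[0].version == 6
        included = [ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")]
    if len({n.version for n in included + excluded}) > 1:
        raise ValueError("IPv4 and IPv6 cannot be mixed in one spec")
    remaining = included
    for ex in excluded:
        kept = []
        for net in remaining:
            if net.subnet_of(ex):                   # wholly excluded (or equal)
                continue
            if ex.subnet_of(net):                   # carve the exclusion out
                kept.extend(net.address_exclude(ex))
            else:                                   # disjoint: untouched
                kept.append(net)
        remaining = kept
    ranges: List[Range] = []
    for net in ipaddress.collapse_addresses(remaining):
        first, last = net.network_address, net.broadcast_address
        if ranges and int(ranges[-1][1]) + 1 == int(first):
            ranges[-1] = (ranges[-1][0], last)      # join contiguous blocks
        else:
            ranges.append((first, last))
    return ranges


def resolve_spec(spec: str) -> Tuple[str, List[Range]]:
    """Split zone:address[,...][!exclusion] and resolve the address part."""
    zone, sep, addresses = spec.partition(":")
    if not sep:
        raise ValueError(f"{spec!r} names a zone only; nothing to resolve")
    return zone, resolve_addresses(addresses)


if __name__ == "__main__":
    for spec in ("net:155.186.235.0/24!155.186.235.16/28",
                 "net:!192.0.2.11-192.0.2.17",
                 "loc:192.168.1.1,192.168.1.2"):
        zone, ranges = resolve_spec(spec)
        print(f"{spec:45} -> {zone}:", ", ".join(f"{a}-{b}" for a, b in ranges))
```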
1000
1001       RATE - limit
1002           where limit is one of:
1003               [-|[{s|d}[/vlsm]:[name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]
1004               [s[/vlsm1]:][name1[(ht-buckets1,ht-max1)]:]rate1/{sec|min|hour|day}[:burst1],[d[/vlsm2:][name2[(ht-buckets2,ht-max2)]:]rate2/{sec|min|hour|day}[:burst2]
1005           You may optionally rate-limit the rule by placing a value in this
1006           column:
1007
1008           rate* is the number of connections per interval (sec or min) and
1009           burst* is the largest burst permitted. If no burst is given, a
1010           value of 5 is assumed. There may be no white-space embedded in the
1011           specification.
1012
1013           Example: 10/sec:20
1014
1015           When s: or d: is specified, the rate applies per source IP address
1016           or per destination IP address respectively. The names may be chosen
1017           by the user and specify a hash table to be used to count matching
1018           connections. If not given, the name shorewallN (where N is a unique
1019           integer) is assumed. Where more than one rule or POLICY specifies
1020           the same name, the connections counts for the rules are aggregated
1021           and the individual rates apply to the aggregated count. Beginning
1022           with Shorewall 5.2.1, the s or d may be followed by a slash ("/")
1023           and an integer vlsm. When a vlsm is specified, all source or
1024           destination addresses encountered will be grouped according to the
1025           given prefix length and the so-created subnet will be subject to
1026           the rate limit.
1027
1028           Example: s/24::10/sec
1029
1030           Beginning with Shorewall 4.6.5, two limits may be specified,
1031           separated by a comma. In this case, the first limit (name1, rate1,
1032           burst1) specifies the per-source IP limit and the second limit
1033           specifies the per-destination IP limit.
1034
1035           Example: client:10/sec:20,:60/sec:100
1036
1037           In this example, the 'client' hash table will be used to enforce
1038           the per-source limit and the compiler will pick a unique name for
1039           the hash table that tracks the per-destination limit.
1040
1041           Beginning with Shorewall 5.2.1, the table name, if any, may be
1042           followed by two integers separated by commas and enclosed in
1043           parentheses. The first integer (ht-buckets) specifies the number of
1044           buckets in the generated hash table. The second integer (ht-max)
1045           specifies the maximum number of entries in the hash table.
1046
1047           Example: s:netfw(1024,65536):10/sec
1048
1049           This column was formerly labelled RATE LIMIT.
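           The RATE syntax above, including the per-source,per-destination pair
           and the 5.2.1 hash-table parameters, can be validated with the
           following parser. It is an added example, not Shorewall's own code;
           parse_rate and the RateLimit record are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Shorewall code: parse and validate a RATE column value
# (single limit, or a per-source,per-destination pair) against the syntax
# described in shorewall-rules(5), so a rules file can be linted before it
# is compiled. The name parse_rate and the RateLimit record are choices
# made here.

_LIMIT = re.compile(
    r"^(?:(?P<scope>[sd])(?:/(?P<vlsm>\d+))?:)?"          # s, d, s/24, d/64
    r"(?:(?P<name>[A-Za-z0-9_-]*)"                         # hash table name
    r"(?:\((?P<buckets>\d+),(?P<max>\d+)\))?:)?"           # (ht-buckets,ht-max)
    r"(?P<rate>\d+)/(?P<unit>sec|min|hour|day)"            # rate/interval
    r"(?::(?P<burst>\d+))?$"                               # optional burst
)
# Split on the comma that separates two limits, not the one inside "(n,m)".
_SPLIT = re.compile(r",(?![^()]*\))")


@dataclass
class RateLimit:
    scope: Optional[str]        # None: one limit for the rule; "s"/"d": per IP
    vlsm: Optional[int]         # prefix length grouping addresses (5.2.1+)
    name: Optional[str]         # hash table name; None lets the compiler pick
    ht_buckets: Optional[int]
    ht_max: Optional[int]
    rate: int
    unit: str
    burst: int                  # defaults to 5 when not given


def _parse_one(text: str, forced_scope: Optional[str]) -> RateLimit:
    m = _LIMIT.match(text)
    if not m:
        raise ValueError(f"malformed rate limit {text!r}")
    scope = m["scope"]
    if forced_scope is not None:
        # In the two-limit form the first limit is per-source (s) and the
        # second per-destination (d); an explicit marker must agree.
        if scope not in (None, forced_scope):
            raise ValueError(f"{text!r}: only {forced_scope}: is allowed here")
        scope = forced_scope
    vlsm = int(m["vlsm"]) if m["vlsm"] else None
    if vlsm is not None and vlsm > 128:
        raise ValueError(f"{text!r}: vlsm {vlsm} is not a valid prefix length")
    return RateLimit(
        scope=scope, vlsm=vlsm, name=m["name"] or None,
        ht_buckets=int(m["buckets"]) if m["buckets"] else None,
        ht_max=int(m["max"]) if m["max"] else None,
        rate=int(m["rate"]), unit=m["unit"],
        burst=int(m["burst"]) if m["burst"] else 5,
    )


def parse_rate(column: str) -> List[RateLimit]:
    """Parse a RATE column; "-" or empty means the rule is not rate-limited."""
    if any(c.isspace() for c in column):
        raise ValueError("no white-space may be embedded in a RATE specification")
    if column in ("", "-"):
        return []
    parts = _SPLIT.split(column)
    if len(parts) == 1:
        return [_parse_one(parts[0], None)]
    if len(parts) != 2:
        raise ValueError("at most two limits (per-source, per-destination) may be given")
    return [_parse_one(parts[0], "s"), _parse_one(parts[1], "d")]


if __name__ == "__main__":
    for value in ("10/sec:20", "s/24::10/sec", "client:10/sec:20,:60/sec:100",
                  "s:netfw(1024,65536):10/sec"):
        for limit in parse_rate(value):
            print(f"{value:32} -> {limit}")
```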
1050
1051       USER - [!][user-name-or-number][:group-name-or-number][,...]
1052           This optional column may only be non-empty if the SOURCE is the
1053           firewall itself.
1054
1055           When this column is non-empty, the rule applies only if the program
1056           generating the output is running under the effective user and/or
1057           group specified (or is NOT running under that id if "!" is given).
1058
1059           Beginning with Shorewall 4.5.8, multiple user or group names/ids
1060           separated by commas may be specified.
1061
1062           Examples:
1063
1064           joe
1065               program must be run by joe
1066
1067           :kids
1068               program must be run by a member of the 'kids' group
1069
1070           !:kids
1071               program must not be run by a member of the 'kids' group
1072
1073           2001-2099
1074               UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
1075
1076           This column was formerly labelled USER/GROUP.
1077
1078       MARK - [!]value[/mask][:C]
1079           Defines a test on the existing packet or connection mark. The rule
1080           will match only if the test returns true.
1081
1082           If you don't want to define a test but need to specify anything in
1083           the following columns, place a "-" in this field.
1084
1085           !
1086               Inverts the test (not equal)
1087
1088           value
1089               Value of the packet or connection mark.
1090
1091           mask
1092               A mask to be applied to the mark before testing.
1093
1094           :C
1095               Designates a connection mark. If omitted, the packet mark's
1096               value is tested.
1097
1098       CONNLIMIT - [d:][!]limit[:mask]
1099           May be used to limit the number of simultaneous connections to or
1100           from each individual host or network. Requires connlimit match in
1101           your kernel and iptables. While the limit is only checked on rules
1102           specifying CONNLIMIT, the number of current connections is
1103           calculated over all current connections from the SOURCE or
1104           DESTINATION host. By default, limiting is done by SOURCE host or
1105           net, but if the specification begins with d:, then limiting will
1106           be done by destination host or net.
1107
1108           By default, the limit is applied to each host but can be made to
1109           apply to networks of hosts by specifying a mask. The mask specifies
1110           the width of a VLSM mask to be applied to the source address; the
1111           number of current connections is then taken over all hosts in the
1112           subnet source-address/mask. When ! is specified, the rule matches
1113           when the number of connections exceeds the limit.
1114
1115       TIME - timeelement[&timeelement...]
1116           May be used to limit the rule to a particular time period each day,
1117           to particular days of the week or month, or to a range defined by
1118           dates and times. Requires time match support in your kernel and
1119           iptables.
1120
1121           timeelement may be:
1122
1123           timestart=hh:mm[:ss]
1124               Defines the starting time of day.
1125
1126           timestop=hh:mm[:ss]
1127               Defines the ending time of day.
1128
1129           contiguous
1130               Added in Shorewall 5.0.12. When timestop is smaller than
1131               timestart value, match this as a single time period instead of
1132               distinct intervals.
1133
1134           utc
1135               Times are expressed in Greenwich Mean Time.
1136
1137           localtz
1138               Deprecated by the Netfilter team in favor of kerneltz. Times
1139               are expressed in Local Civil Time (default).
1140
1141           kerneltz
1142               Added in Shorewall 4.5.2. Times are expressed in Local Kernel
1143               Time (requires iptables 1.4.12 or later).
1144
1145           weekdays=ddd[,ddd]...
1146               where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
1147
1148           monthdays=dd[,dd],...
1149               where dd is an ordinal day of the month
1150
1152           datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1153               Defines the starting date and time.
1154
1155           datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1156               Defines the ending date and time.
1157
1158       HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
1159       4.4.15)
1160           This column is only used in IPv6. In IPv4, supply "-" in this
1161           column if you wish to place a value in one of the following
1162           columns.
1163
1164           The header-list consists of a comma-separated list of headers from
1165           the following list.
1166
1167           auth, ah, or 51
1168               Authentication Headers extension header.
1169
1170           esp, or 50
1171               Encrypted Security Payload extension header.
1172
1173           hop, hop-by-hop or 0
1174               Hop-by-hop options extension header.
1175
1176           route, ipv6-route or 43
1177               IPv6 Route extension header.
1178
1179           frag, ipv6-frag or 44
1180               IPv6 fragmentation extension header.
1181
1182           none, ipv6-nonxt or 59
1183               No next header
1184
1185           proto, protocol or 255
1186               Any protocol header.
1187
1188           If any: is specified, the rule will match if any of the listed
1189           headers are present. If exactly: is specified, the rule will match
1190           packets that exactly include all specified headers. If neither is
1191           given, any: is assumed.
1192
1193           If ! is entered, the rule will match those packets which would not
1194           be matched when ! is omitted.
1195
1196       SWITCH - [!]switch-name[={0|1}]
1197           Added in Shorewall 4.4.24 and allows enabling and disabling the
1198           rule without requiring shorewall restart.
1199
1200           The rule is enabled if the value stored in
1201           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
1202           that file contains 0 (the default). If '!' is supplied, the test is
1203           inverted such that the rule is enabled if the file contains 0.
1204
1205           Within the switch-name, '@0' and '@{0}' are replaced by the name of
1206           the chain to which the rule is added. The switch-name (after
1207           '@...' expansion) must begin with a letter and be composed of
1208           letters, decimal digits, underscores or hyphens. Switch names must
1209           be 30 characters or less in length.
1210
1211           Switches are normally off. To turn a switch on:
1212
1213               echo 1 > /proc/net/nf_condition/switch-name
1214
1215           To turn it off again:
1216
1217               echo 0 > /proc/net/nf_condition/switch-name
1218
1219           Switch settings are retained over shorewall restart.
1218
1219           Beginning with Shorewall 4.5.10, when the switch-name is followed
1220           by =0 or =1, then the switch is initialized to off or on
1221           respectively by the start command. Other commands do not affect the
1222           switch setting.
1223
1224       HELPER - [helper]
1225           Added in Shorewall 4.5.7.
1226
1227           In the NEW section, causes the named conntrack helper to be
1228           associated with this connection; the contents of this column are
1229           ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*.
1230
1231           In the RELATED section, will only match if the related connection
1232           has the named helper associated with it.
1233
1234           The helper may be one of:
1235               amanda
1236               ftp
1237               irc
1238               netbios-ns
1239               pptp
1240               Q.931
1241               RAS
1242               sane
1243               sip
1244               snmp
1245               tftp
1245
1246           If the HELPERS option is specified in shorewall.conf[2](5), then
1247           any module specified in this column must be listed in the HELPERS
1248           setting.
1249

EXAMPLES

1251       Example 1:
1252           Accept SMTP requests from the DMZ to the internet
1253
1254                        #ACTION SOURCE  DEST      PROTO      DPORT   SPORT   ORIGDEST
1255                        ACCEPT  dmz     net       tcp        smtp
1256
1257       Example 2:
1258           Forward all ssh and http connection requests from the internet to
1259           local system 192.168.1.3
1260
1261                       #ACTION SOURCE  DEST            PROTO   DPORT   SPORT   ORIGDEST
1262                       DNAT    net     loc:192.168.1.3 tcp     ssh,http
1263
1264       Example 3:
1265           Forward all http connection requests from the internet to local
1266           system 192.168.1.3 with a limit of 3 per second and a maximum burst
1267           of 10
1268
1269                       #ACTION SOURCE DEST             PROTO  DPORT SPORT   ORIGDEST RATE
1270                       DNAT    net    loc:192.168.1.3  tcp    http  -       -        3/sec:10
1271
1272       Example 4:
1273           Redirect all locally-originating www connection requests to port
1274           3128 on the firewall (Squid running on the firewall system) except
1275           when the destination address is 192.168.2.2
1276
1277                       #ACTION  SOURCE DEST      PROTO DPORT   SPORT   ORIGDEST
1278                       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
1279
1280       Example 5:
1281           All http requests from the internet to address 130.252.100.69 are
1282           to be forwarded to 192.168.1.3
1283
1284                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1285                       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
1286
1287       Example 6:
1288           You want to accept SSH connections to your firewall only from
1289           internet IP addresses 130.252.100.69 and 130.252.100.70
1290
1291                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1292                       ACCEPT   net:130.252.100.69,130.252.100.70 \
1293                                       $FW             tcp     22
1294
1295       Example 7:
1296           You wish to accept connections from the internet to your firewall
1297           on port 2222 and you want to forward them to local system
1298           192.168.1.3, port 22
1299
1300                       #ACTION  SOURCE DEST                PROTO   DPORT   SPORT   ORIGDEST
1301                       DNAT     net    loc:192.168.1.3:22  tcp     2222
1302
1303       Example 8:
1304           You want to redirect connection requests to port 80 randomly to the
1305           port range 81-90.
1306
1307                       #ACTION  SOURCE DEST                PROTO DPORT   SPORT   ORIGDEST
1308                       REDIRECT net    $FW::81-90:random   tcp   www
1309
1310       Example 9:
1311           Shorewall does not impose as much structure on the Netfilter rules
1312           in the 'nat' table as it does on those in the filter table. As a
1313           consequence, when using Shorewall versions before 4.1.4, care must
1314           be exercised when using DNAT and REDIRECT rules with zones defined
1315           with wildcard interfaces (those ending with '+'). Here is an
1316           example:
1317
1318           shorewall-zones[4](5):
1319
1320                       #ZONE       TYPE    OPTIONS
1321                       fw          firewall
1322                       net         ipv4
1323                       dmz         ipv4
1324                       loc         ipv4
1325
1326           shorewall-interfaces[9](5):
1327
1328                       #ZONE       INTERFACE       BROADCAST      OPTIONS
1329                       net         ppp0
1330                       loc         eth1            detect
1331                       dmz         eth2            detect
1332                       -           ppp+                           # Addresses are assigned from 192.168.3.0/24
1333
1334           shorewall-host[12](5):
1335
1336                       #ZONE       HOST(S)              OPTIONS
1337                       loc         ppp+:192.168.3.0/24
1338
1339           rules:
1340
1341                       #ACTION     SOURCE          DEST       PROTO       DPORT
1342                       REDIRECT    loc             3128       tcp         80
1343
1344           Note that it would have been tempting to simply define the loc zone
1345           entirely in shorewall-interfaces(8):
1346
1347                       #******************* INCORRECT *****************
1348                       #ZONE       INTERFACE       BROADCAST      OPTIONS
1349                       net         ppp0
1350                       loc         eth1            detect
1351                       loc         ppp+
1352                       dmz         eth2
1353
1354           This would have made it impossible to run an internet-accessible web
1355           server in the DMZ because all traffic entering ppp+ interfaces
1356           would have been redirected to port 3128 on the firewall and there
1357           would have been no net->fw ACCEPT rule for that traffic.
1358
1359       Example 10:
1360           Add the tuple (source IP, dest port, dest IP) of an incoming SSH
1361           connection to the ipset S:
1362
1363                       #ACTION                       SOURCE           DEST           PROTO       DPORT
1364                       ADD(+S:dst,src,dst)           net              fw             tcp         22
1365
1366       Example 11:
1367           You wish to limit SSH connections from remote systems to 1/min with
1368           a burst of three (to allow for limited retry):
1369
1370                       #ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
1371                       SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3
1372
1373       Example 12:
1374           Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.
1375
1376                       #ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
1377                       DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down
1378
1379       Example 13:
1380           Drop all email from the Anonymous Proxy and Satellite Provider
1381           address ranges:
1382
1383                       #ACTION                       SOURCE           DEST           PROTO       DPORT
1384                       DROP                          net:^A1,A2       fw             tcp         25
1385
1386       Example 14:
1387           You want to generate your own rule involving iptables targets and
1388           matches not supported by Shorewall.
1389
1390                       #ACTION                       SOURCE           DEST           PROTO       DPORT
1391                       INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1392
1393           The above will generate the following iptables-restore input:
1394
1395                       -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1396
1397           Note that SECCTX must be defined as a builtin action in
1398           shorewall-actions[3](5):
1399
1400                       #ACTION            OPTIONS
1401                       SECCTX             builtin
1402
1403       Example 15:
1404           You want to accept SSH connections to your firewall only from
1405           internet IP addresses 2002:ce7c::92b4:1::2 and
1406           2002:ce7c::92b4:1::22
1407
1408                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1409                       ACCEPT   net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
1410                                       $FW              tcp     22
1411

FILES

1413       /etc/shorewall/rules
1414
1415       /etc/shorewall6/rules
1416

SEE ALSO

1418       shorewall-logging(5)[8]
1419
1420       http://www.shorewall.net/ipsets.html[15]
1421
1422       http://www.shorewall.net/configuration_file_basics.htm#Pairs[16]
1423
1424       shorewall(8)
1425

NOTES

1427        1. shorewall-policy
1428           http://www.shorewall.net/manpages/shorewall-policy.html
1429
1430        2. shorewall.conf
1431           http://www.shorewall.net/manpages/shorewall.conf.html
1432
1433        3. shorewall-actions
1434           http://www.shorewall.net/manpages/shorewall-actions.html
1435
1436        4. shorewall-zones
1437           http://www.shorewall.net/manpages/shorewall-zones.html
1438
1439        5. shorewall-nesting
1440           http://www.shorewall.net/manpages/shorewall-nesting.html
1441
1442        6. shorewall-actions
1443           http://www.shorewall.net/manpages6/shorewall6-actions.html
1444
1445        7. http://www.shorewall.net/shorewall_logging.html
1446           http://www.shorewall.net/shorewall_logging.html
1447
1448        8. shorewall-logging(5)
1449           http://www.shorewall.netshorewall-logging.html
1450
1451        9. shorewall-interfaces
1452           http://www.shorewall.net/manpages/shorewall-interfaces.html
1453
1454       10. shorewall-hosts
1455           http://www.shorewall.net/manpages/shorewall.hosts.html
1456
1457       11. shorewall-exclusion
1458           http://www.shorewall.net/manpages/shorewall-exclusion.html
1459
1460       12. shorewall-hosts
1461           http://www.shorewall.net/manpages/shorewall-hosts.html
1462
1463       13. http://www.shorewall.net/configuration_file_basics.htm#ICMP
1464           http://www.shorewall.net/configuration_file_basics.htm#ICMP
1465
1466       14. http://www.shorewall.net/PortKnocking.html
1467           http://www.shorewall.net/PortKnocking.html
1468
1469       15. http://www.shorewall.net/ipsets.html
1470           http://www.shorewall.net/ipsets.html
1471
1472       16. http://www.shorewall.net/configuration_file_basics.htm#Pairs
1473           http://www.shorewall.net/configuration_file_basics.htm#Pairs
1474
1475
1476
1477Configuration Files               01/17/2019                SHOREWALL-RULES(5)