SHOREWALL-RULES(5)           Configuration Files           SHOREWALL-RULES(5)

NAME
    rules - Shorewall rules file

SYNOPSIS
    /etc/shorewall[6]/rules

DESCRIPTION
    Entries in this file govern connection establishment by defining
    exceptions to the policies laid out in shorewall-policy[1](5). By
    default, subsequent requests and responses are automatically allowed
    using connection tracking. For any particular (source,dest) pair of
    zones, the rules are evaluated in the order in which they appear in
    this file and the first terminating match is the one that determines
    the disposition of the request. All rules are terminating except LOG
    and COUNT rules.

    Warning
        If you masquerade or use SNAT from a local system to the internet,
        you cannot use an ACCEPT rule to allow traffic from the internet to
        that system. You must use a DNAT rule instead.

    The rules file is divided into sections. Each section is introduced by
    a "Section Header", which is a line beginning with ?SECTION and
    followed by the section name.

    Sections are as follows and must appear in the order listed:

    ALL
        This section was added in Shorewall 4.4.23. Rules in this section
        are applied regardless of the connection tracking state of the
        packet and are applied before rules in the other sections.

    ESTABLISHED
        Packets in the ESTABLISHED state are processed by rules in this
        section.

        The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
        LOG, NFLOG, NFQUEUE and QUEUE.

        There is an implicit ACCEPT rule inserted at the end of this
        section.

    RELATED
        Packets in the RELATED state are processed by rules in this
        section.

        The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
        LOG, NFLOG, NFQUEUE and QUEUE.

        There is an implicit rule added at the end of this section that
        invokes the RELATED_DISPOSITION (shorewall.conf[2](5)).

    INVALID
        Added in Shorewall 4.5.13. Packets in the INVALID state are
        processed by rules in this section.

        The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
        LOG, NFLOG, NFQUEUE and QUEUE.

        There is an implicit rule added at the end of this section that
        invokes the INVALID_DISPOSITION (shorewall.conf[2](5)).

    UNTRACKED
        Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
        processed by rules in this section.

        The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
        LOG, NFLOG, NFQUEUE and QUEUE.

        There is an implicit rule added at the end of this section that
        invokes the UNTRACKED_DISPOSITION (shorewall.conf[2](5)).

    NEW
        Packets in the NEW state are processed by rules in this section. If
        the INVALID and/or UNTRACKED sections are empty or not included,
        then the packets in the corresponding state(s) are also processed
        in this section.

    Note
        If you are not familiar with Netfilter to the point where you are
        comfortable with the differences between the various connection
        tracking states, then it is suggested that you place all of your
        rules in the NEW section (that is, after the line that reads
        '?SECTION NEW').

    Warning
        If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the ALL,
        ESTABLISHED and RELATED sections must be empty.

        An exception is made if you are running Shorewall 4.4.27 or later
        and you have specified a non-default value for RELATED_DISPOSITION
        or RELATED_LOG_LEVEL. In that case, you may have rules in the
        RELATED section of this file.

    You may omit any section that you don't need. If no Section Headers
    appear in the file then all rules are assumed to be in the NEW section.
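As an added example (not part of the Shorewall man page or the Shorewall code base), the following Python checker applies the section rules above to a constructed rules file: it verifies that ?SECTION headers appear in the listed order, that rules in the ESTABLISHED, RELATED, INVALID and UNTRACKED sections use only the ACTIONs named for those sections, and that the ALL, ESTABLISHED and RELATED sections are empty when FASTACCEPT=Yes. It assumes a '!' suffix can be treated as its base target for this check and does not model the 4.4.27 RELATED_DISPOSITION exception.

```python
"""Static checker for ?SECTION ordering and per-section ACTION restrictions
in a Shorewall rules file (added example, not Shorewall's own compiler)."""
import re

# Order in which sections must appear (man page: "must appear in the order listed").
SECTION_ORDER = ["ALL", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED", "NEW"]
# Sections whose rules may use only a fixed set of ACTIONs.
RESTRICTED_SECTIONS = {"ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}
RESTRICTED_ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG", "NFLOG", "NFQUEUE", "QUEUE"}


def action_target(action_field):
    """Return the bare target of an ACTION column value.

    Strips the optional ':log-level[!][:tag]' suffix and any parenthesised
    parameter, e.g. 'REJECT:info:web' -> 'REJECT', 'NFQUEUE(1:4,bypass)' ->
    'NFQUEUE', 'Web(ACCEPT):debug' -> 'Web'.  A trailing '!' (OPTIMIZE
    exemption) is dropped; assumption: it does not change which section the
    target is permitted in.  'ACCEPT+' is kept distinct from 'ACCEPT'."""
    target = action_field.split(":", 1)[0]
    target = target.split("(", 1)[0]
    return target.rstrip("!")


def validate_rules(text, fastaccept=False):
    """Return a list of problems found in a rules file (empty list == OK).

    fastaccept mirrors FASTACCEPT=Yes in shorewall.conf."""
    problems = []
    current = None                      # no ?SECTION yet: rules are implicitly NEW
    seen = []                           # section headers encountered so far
    rules_in = {s: 0 for s in SECTION_ORDER}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\?SECTION\s+(\S+)$", line, re.I)
        if header:
            name = header.group(1).upper()
            if name not in SECTION_ORDER:
                problems.append(f"line {lineno}: unknown section {name}")
                continue
            if seen and SECTION_ORDER.index(name) <= SECTION_ORDER.index(seen[-1]):
                problems.append(f"line {lineno}: section {name} out of order (after {seen[-1]})")
            seen.append(name)
            current = name
            continue
        if line.startswith("?"):        # other compiler directives (?COMMENT, ...)
            continue
        section = current or "NEW"
        rules_in[section] += 1
        target = action_target(line.split()[0])
        if section in RESTRICTED_SECTIONS and target not in RESTRICTED_ACTIONS:
            problems.append(f"line {lineno}: {target} not allowed in ?SECTION {section}")
    if fastaccept:
        for s in ("ALL", "ESTABLISHED", "RELATED"):
            if rules_in[s]:
                problems.append(f"FASTACCEPT=Yes requires the {s} section to be empty")
    return problems


# Constructed sample files (not from any real deployment).
SAMPLE_OK = """\
?SECTION ESTABLISHED
DROP      net:+blocked   all
?SECTION NEW
DNAT      net            dmz:192.168.10.4:25   tcp   25
Web(ACCEPT):info:web   loc   net
"""

SAMPLE_BAD = """\
?SECTION NEW
ACCEPT    loc    net    tcp   22
?SECTION ESTABLISHED
DNAT      net    dmz:192.168.10.4:25   tcp   25
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_rules(sample) or "no problems")
    print("ok with FASTACCEPT=Yes", validate_rules(SAMPLE_OK, fastaccept=True))
```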
101
102 When defining rules that rewrite the destination IP address and/or port
103 number (namely DNAT and REDIRECT rules), it is important to keep
104 straight which columns in the file specify the packet before rewriting
105 and which specify how the packet will look after rewriting.
106
107 · The DEST column specifies the final destination for the packet
108 after rewriting and can include the final IP address and/or port
109 number.
110
111 · The remaining columns specify characteristics of the packet before
112 rewriting. In particular, the ORIGDEST column gives the original
113 destination IP address of the packet and the DPORT column give the
114 original destination port(s).
115
116 The columns in the file are as follows (where the column name is
117 followed by a different name in parentheses, the different name is used
118 in the alternate specification syntax).
119
    ACTION - target[:{log-level|none}[!][:tag]]
        Specifies the action to be taken if the connection request matches
        the rule. target must be one of the following.

        ACCEPT
            Allow the connection request.

        ACCEPT+
            Like ACCEPT but also excludes the connection from any
            subsequent matching DNAT[-] or REDIRECT[-] rules. Use with IPv6
            requires Shorewall 4.5.14 or later.

        ACCEPT!
            Like ACCEPT but exempts the rule from being suppressed by
            OPTIMIZE=1 in shorewall.conf[2](5).

        action
            The name of an action declared in shorewall-actions[3](5) or in
            /usr/share/shorewall[6]/actions.std.

        ADD(ipset:flags[:timeout])
            Added in Shorewall 4.4.12. Causes addresses and/or port numbers
            to be added to the named ipset. The flags specify the address
            or tuple to be added to the set and must match the type of
            ipset involved. For example, for an iphash ipset, either the
            SOURCE or DESTINATION address can be added using flags src or
            dst respectively (see the -A command in ipset(8)).

            Beginning with Shorewall 5.0.3, an optional timeout can be
            specified. This is the number of seconds that the new entry in
            the ipset is to remain valid and overrides any timeout
            specified when the ipset was created.

            ADD is non-terminating. Even if a packet matches the rule, it
            is passed on to the next rule.

        AUDIT[(accept|drop|reject)]
            Added in Shorewall 4.5.10. Audits the packet with the specified
            type; if the type is omitted, then drop is assumed. Requires
            AUDIT_TARGET support in the kernel and iptables.

        A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
            Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
            and ACCEPT! respectively. Require AUDIT_TARGET support in the
            kernel and iptables. A_ACCEPT+ with IPv6 requires Shorewall
            4.5.14 or later.

        A_DROP and A_DROP!
            Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
            respectively. Require AUDIT_TARGET support in the kernel and
            iptables.

        A_REJECT and A_REJECT!
            Added in Shorewall 4.4.20. Audited versions of REJECT and
            REJECT! respectively. Require AUDIT_TARGET support in the
            kernel and iptables.

        ?COMMENT
            The rest of the line will be attached as a comment to the
            Netfilter rule(s) generated by the following entries. The
            comment will appear delimited by "/* ... */" in the output of
            "shorewall show <chain>". To stop the comment from being
            attached to further rules, simply include ?COMMENT on a line by
            itself.

        CONNMARK({mark})
            Added in Shorewall 5.0.7. CONNMARK is identical to MARK with
            the exception that the mark is assigned to the connection to
            which the packet belongs rather than to the packet itself.

        CONTINUE
            For experts only.

            Do not process any of the following rules for this (source
            zone, destination zone). If the source and/or destination IP
            address falls into a zone defined later in
            shorewall-zones[4](5) or in a parent zone of the source or
            destination zones, then this connection request will be passed
            to the rules defined for that (those) zone(s). See
            shorewall-nesting[5](5) for additional information.

        CONTINUE!
            Like CONTINUE but exempts the rule from being suppressed by
            OPTIMIZE=1 in shorewall.conf[2](5).

        COUNT
            Simply increment the rule's packet and byte count and pass the
            packet to the next rule.

        DEL(ipset:flags)
            Added in Shorewall 4.4.12. Causes an entry to be deleted from
            the named ipset. The flags specify the address or tuple to be
            deleted from the set and must match the type of ipset involved.
            For example, for an iphash ipset, either the SOURCE or
            DESTINATION address can be deleted using flags src or dst
            respectively (see the -D command in ipset(8)).

            DEL is non-terminating. Even if a packet matches the rule, it
            is passed on to the next rule.

        DNAT
            Forward the request to another system (and optionally another
            port). Use with IPv6 requires Shorewall 4.5.14 or later.

        DNAT-
            Advanced users only.

            Like DNAT but only generates the DNAT iptables rule and not the
            companion ACCEPT rule. Use with IPv6 requires Shorewall 4.5.14
            or later.

        DROP
            Ignore the request.

        DROP!
            Like DROP but exempts the rule from being suppressed by
            OPTIMIZE=1 in shorewall.conf[2](5).

        HELPER
            Added in Shorewall 4.5.7. This action requires that the HELPER
            column contains the name of the Netfilter helper to be
            associated with connections matching this rule. May only be
            specified in the NEW section and is useful for being able to
            specify a helper when the applicable policy is ACCEPT. No
            destination zone should be specified in HELPER rules.

        INLINE[(action)]
            Added in Shorewall 4.5.16. This action allows you to construct
            most of the rule yourself using iptables syntax. The part that
            you specify must follow two semicolons (';;') and is completely
            free-form. If the target of the rule (the part following '-j')
            is something that Shorewall supports in the ACTION column, then
            you may enclose it in parentheses (e.g., INLINE(ACCEPT)).
            Otherwise, you can include it after the semicolon(s). In this
            case, you must declare the target as a builtin action in
            shorewall-actions[3](5).

            Some considerations when using INLINE:

            · The p, s, d, i, o, policy, and state (state or conntrack
              --ctstate) matches will always appear at the front of the
              rule in that order.

            · When multiple matches are specified, the compiler will keep
              them in the order in which they appear (excluding the above
              listed ones), but they will not necessarily be at the end
              of the generated rule. For example, if addresses are
              specified in the SOURCE and/or DEST columns, their
              generated matches will appear after those specified using
              ';;' or ';'.

        IPTABLES(iptables-target [option ...])
            IPv4 only. This action allows you to specify an iptables target
            with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'). If
            the iptables-target is not one recognized by Shorewall, the
            following error message will be issued:

                ERROR: Unknown target (iptables-target)

            This error message may be eliminated by adding the
            iptables-target as a builtin action in shorewall-actions[3](5).

            Important
                If you specify REJECT as the iptables-target, the target of
                the rule will be the iptables REJECT target and not
                Shorewall's builtin 'reject' chain which is used when
                REJECT (see below) is specified as the target in the ACTION
                column.

        IP6TABLES(ip6tables-target [option ...])
            IPv6 only. This action allows you to specify an ip6tables
            target with options (e.g., 'IP6TABLES(MARK --set-xmark
            0x01/0xff)'). If the ip6tables-target is not one recognized by
            Shorewall, the following error message will be issued:

                ERROR: Unknown target (ip6tables-target)

            This error message may be eliminated by adding the
            ip6tables-target as a builtin action in
            shorewall-actions[3](5).

            Important
                If you specify REJECT as the ip6tables-target, the target
                of the rule will be the ip6tables REJECT target and not
                Shorewall's builtin 'reject' chain which is used when
                REJECT (see below) is specified as the target in the ACTION
                column.

        LOG:level
            Simply log the packet and continue with the next rule.

        macro[(macrotarget)]
            The name of a macro defined in a file named macro.macro. If the
            macro accepts an action parameter (look at the macro source to
            see if it has PARAM in the TARGET column) then the macro name
            is followed by the parenthesized macrotarget (ACCEPT, DROP,
            REJECT, ...) to be substituted for the parameter.

            Example: FTP(ACCEPT).

            The older syntax where the macro name and the target are
            separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
            deprecated.

        MARK({mark})
            where mark is a packet mark value.

            Added in Shorewall 5.0.7, MARK requires "Mark in filter table"
            support in your kernel and iptables.

            Normally will set the mark value of the current packet. If
            preceded by a vertical bar ("|"), the mark value will be
            logically ORed with the current mark value to produce a new
            mark value. If preceded by an ampersand ("&"), it will be
            logically ANDed with the current mark value to produce a new
            mark value.

            Both "|" and "&" require Extended MARK Target support in your
            kernel and iptables.

            The mark value may be optionally followed by "/" and a mask
            value (used to determine those bits of the connection mark to
            actually be set). When a mask is specified, the result of
            logically ANDing the mark value with the mask must be the same
            as the mark value.

        NFLOG[(nflog-parameters)]
            Added in Shorewall 4.5.9.3. Queues matching packets to a back
            end logging daemon via a netlink socket then continues to the
            next rule. See
            http://www.shorewall.net/shorewall_logging.html[6].

            The nflog-parameters are a comma-separated list of up to 3
            numbers:

            · The first number specifies the netlink group (0-65535). If
              omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

            · The second number specifies the maximum number of bytes to
              copy. If omitted, 0 (no limit) is assumed.

            · The third number specifies the number of log messages that
              should be buffered in the kernel before they are sent to
              user space. The default is 1.

            NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
            the log level is not changed when this ACTION is used in an
            action or macro body and the invocation of that action or macro
            specifies a log level.

        NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
            Queues the packet to a user-space application using the
            nfnetlink_queue mechanism. If queuenumber1 is not specified,
            queue zero (0) is assumed. Beginning with Shorewall 4.6.10, the
            keyword bypass can be given. By default, if no userspace
            program is listening on an NFQUEUE, then all packets that are
            to be queued are dropped. When this option is used, the NFQUEUE
            rule behaves like ACCEPT instead. Also beginning in Shorewall
            4.6.10, a second queue number (queuenumber2) may be specified.
            This specifies a range of queues to use. Packets are then
            balanced across the given queues. This is useful for multicore
            systems: start multiple instances of the userspace program on
            queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the
            same connection are put into the same nfqueue.

            Beginning with Shorewall 5.1.0, queuenumber2 may be followed by
            the letter 'c' to indicate that the CPU ID will be used as an
            index to map packets to the queues. The idea is that you can
            improve performance if there's a queue per CPU. Requires the
            NFQUEUE CPU Fanout capability in your kernel and iptables.

        NFQUEUE![([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
            Like NFQUEUE but exempts the rule from being suppressed by
            OPTIMIZE=1 in shorewall.conf[2](5).

        NONAT
            Excludes the connection from any subsequent DNAT[-] or
            REDIRECT[-] rules but doesn't generate a rule to accept the
            traffic. Use with IPv6 requires Shorewall 4.5.14 or later.

        QUEUE
            Queue the packet to a user-space application such as ftwall
            (http://p2pwall.sf.net). The application may reinsert the
            packet for further processing.

        QUEUE!
            Like QUEUE but exempts the rule from being suppressed by
            OPTIMIZE=1 in shorewall.conf[2](5).

        REJECT[(option)]
            Disallow the request and return an icmp-unreachable or an RST
            packet. If no option is passed, Shorewall selects the
            appropriate option based on the protocol of the packet.

            Beginning with Shorewall 5.0.8, the type of reject may be
            specified in the option parameter. Valid IPv4 option values
            are:

                icmp-net-unreachable
                icmp-host-unreachable
                icmp-port-unreachable
                icmp-proto-unreachable
                icmp-net-prohibited
                icmp-host-prohibited
                icmp-admin-prohibited
                icmp-tcp-reset (the PROTO column must specify TCP).
                    Beginning with Shorewall 5.1.3, this option may also
                    be specified as tcp-reset.

            Valid IPv6 option values are:

                icmp6-no-route
                no-route
                icmp6-adm-prohibited
                adm-prohibited
                icmp6-addr-unreachable
                addr-unreach
                icmp6-port-unreachable
                tcp-reset (the PROTO column must specify TCP)

        REJECT!
            Like REJECT but exempts the rule from being suppressed by
            OPTIMIZE=1 in shorewall.conf[2](5).

        REDIRECT
            Redirect the request to a server running on the firewall. Use
            with IPv6 requires Shorewall 4.5.14 or later.

        REDIRECT-
            Advanced users only.

            Like REDIRECT but only generates the REDIRECT iptables rule and
            not the companion ACCEPT rule. Use with IPv6 requires Shorewall
            4.5.14 or later.

        TARPIT [(tarpit | honeypot | reset)]
            Added in Shorewall 4.6.6.

            TARPIT captures and holds incoming TCP connections using no
            local per-connection resources.

            TARPIT only works with the PROTO column set to tcp (6), and is
            totally application agnostic. This module will answer a TCP
            request and play along like a listening server, but aside from
            sending an ACK or RST, no data is sent. Incoming packets are
            ignored and dropped. The attacker will terminate the session
            eventually. This module allows the initial packets of an attack
            to be captured by other software for inspection. In most cases
            this is sufficient to determine the nature of the attack.

            This offers similar functionality to LaBrea
            <http://www.hackbusters.net/LaBrea/> but does not require
            dedicated hardware or IPs. Any TCP port that you would normally
            DROP or REJECT can instead become a tarpit.

            The target accepts a single optional parameter:

            tarpit
                This mode is the default and completes a connection with
                the attacker but limits the window size to 0, thus keeping
                the attacker waiting long periods of time. While he is
                maintaining state of the connection and trying to continue
                every 60-240 seconds, we keep none, so it is very
                lightweight. Attempts to close the connection are ignored,
                forcing the remote side to time out the connection in 12-24
                minutes.

            honeypot
                This mode completes a connection with the attacker, but
                signals a normal window size, so that the remote side will
                attempt to send data, often with some very nasty exploit
                attempts. We can capture these packets for decoding and
                further analysis. The module does not send any data, so if
                the remote expects an application level response, the game
                is up.

            reset
                This mode is handy because we can send an inline RST
                (reset). It has no other function.

        ULOG[(ulog-parameters)]
            IPv4 only. Added in Shorewall 4.5.10. Queues matching packets
            to a back end logging daemon via a netlink socket then
            continues to the next rule. See shorewall-logging(5)[7].

            Similar to LOG:ULOG[(ulog-parameters)], except that the log
            level is not changed when this ACTION is used in an action or
            macro body and the invocation of that action or macro specifies
            a log level.

        The target may optionally be followed by ":" and a syslog log level
        (e.g., REJECT:info or Web(ACCEPT):debug). This causes the packet to
        be logged at the specified level. Note that if the ACTION involves
        destination network address translation (DNAT, REDIRECT, etc.) then
        the packet is logged before the destination address is rewritten.

        If the ACTION names an action declared in shorewall-actions[3](5)
        or in /usr/share/shorewall/actions.std then:

        · If the log level is followed by "!" then all rules in the
          action are logged at the log level.

        · If the log level is not followed by "!" then only those rules
          in the action that do not specify logging are logged at the
          specified level.

        · The special log level none! suppresses logging by the action.

        You may also specify ULOG (IPv4 only) or NFLOG (must be in upper
        case) as a log level. This will log to the ULOG or NFLOG target for
        routing to a separate log through use of ulogd
        (shorewall-logging(5)[7]).

        Actions specifying logging may be followed by a log tag (a string
        of alphanumeric characters) which is appended to the string
        generated by the LOGPREFIX (in shorewall.conf[2](5)).

        Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
        prefix generated by the LOGPREFIX setting.
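As an added example (not from the man page or from Shorewall itself), this Python parser decomposes an ACTION column value of the form target[(param)][:{log-level|none}[!][:tag]] into its parts, so a rule auditor can see which rules log, at what level, and with which tag; log_prefix() shows the tag being appended with a trailing space as in the ACCEPT:info:ftp example, with the LOGPREFIX-derived prefix supplied by the caller because its exact form depends on shorewall.conf.

```python
"""Parser for the ACTION column syntax target[:{log-level|none}[!][:tag]]
(added example, not Shorewall's own parser)."""
import re

ACTION_RE = re.compile(
    r"^(?P<target>[A-Za-z0-9_]+[+!]?)"                  # ACCEPT, ACCEPT+, DROP!, A_REJECT, macro/action name
    r"(?:\((?P<param>[^)]*)\))?"                        # optional parenthesised parameter, e.g. Web(ACCEPT)
    r"(?::(?P<level>[A-Za-z0-9]+(?:\([^)]*\))?)"        # optional :log-level, incl. NFLOG(group,len,qthresh)
    r"(?P<bang>!)?"                                     # optional '!': log all rules of the action
    r"(?::(?P<tag>[A-Za-z0-9]+))?)?$"                   # optional :tag (alphanumeric only)
)


def parse_action(field):
    """Return a dict with keys target, param, level, log_all_rules, tag.

    level is None when the rule does not log, 'none' when logging by the
    action is suppressed (the man page's 'none!' form).  Raises ValueError
    for values that do not follow the documented syntax."""
    m = ACTION_RE.match(field)
    if not m:
        raise ValueError(f"malformed ACTION value: {field!r}")
    d = m.groupdict()
    return {
        "target": d["target"],
        "param": d["param"],
        "level": d["level"],
        "log_all_rules": d["bang"] == "!",
        "tag": d["tag"],
    }


def log_prefix(prefix, parsed):
    """Append the log tag (plus a space) to a prefix already generated from
    LOGPREFIX; return None when the action produces no log message."""
    if parsed["level"] in (None, "none"):
        return None
    return prefix + (parsed["tag"] + " " if parsed["tag"] else "")


if __name__ == "__main__":
    # Constructed sample values, not a real rules file.
    for value in ("ACCEPT:info:ftp", "Web(ACCEPT):debug", "REJECT(icmp-host-prohibited):warning!:blocked",
                  "Drop:none!", "LOG:NFLOG(1,0,10)", "NFQUEUE(1:4c,bypass)"):
        print(value, "->", parse_action(value))
```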
539
    SOURCE - source-spec[,...]
        Source hosts to which the rule applies.

        source-spec is one of the following:

        zone[,...[+]]
            The name of a zone defined in shorewall-zones[4](5). When only
            the zone name is specified, the packet source may be any host
            in that zone.

            zone may also be one of the following:

            all[+]
                all, without the "-", means "All Zones, including the
                firewall zone". Normally all omits intra-zone traffic, but
                intra-zone traffic can be included by specifying "+".

            any[+]
                any is equivalent to all when there are no nested zones.
                When there are nested zones, any only refers to top-level
                zones (those with no parent zones). Note that any excludes
                all vserver zones, since those zones are nested within the
                firewall zone.

            none
                When none is used either in the SOURCE or DEST column, the
                rule is ignored.

            As with all and any, intra-zone traffic is normally excluded
            when multiple zones are listed. Intra-zone traffic may be
            included by following the list with a plus sign ("+").

            all and any may be followed by an exclamation point ("!") and a
            comma-separated list of zone names to be omitted.

        zone:[!]interface
            When this form is used, interface must be the name of an
            interface associated with the named zone in either
            shorewall-interfaces[8](5) or shorewall-hosts[9](5). Only
            packets from hosts in the zone that arrive through the named
            interface will match the rule.

            Beginning with Shorewall 5.2.1, the interface may be preceded
            with '!', which matches all interfaces associated with the zone
            except the one specified.

        zone:address[,...]
            where address can be:

            · A host or network IP address. A network address may be
              followed by an exclusion (see shorewall-exclusion[10](5)).

            · An address range, specified using the syntax
              lowaddress-highaddress.

            · +ipset where ipset is the name of an ipset and must be
              preceded by a plus sign ("+").

            · A MAC address in Shorewall format (preceded by a tilde
              ("~") and with the hex byte values separated by dashes
              (e.g., "~00-0a-f6-04-9c-7d").

            · ^country-code where country-code is a two-character
              ISO-3661 country code preceded by a caret ("^").

            · ^country-code-list where country-code-list is a
              comma-separated list of up to 15 ISO-3661 country codes
              enclosed in square brackets ("[...]").

            · The primary IP address of a firewall interface can be
              specified by an ampersand ('&') followed by the logical
              name of the interface as found in the INTERFACE column of
              shorewall-interfaces[8](5).

        zone:interface:address[,...]
            This form combines the preceding two and requires that both the
            incoming interface and source address match.

        zone:exclusion
            This form matches if the host IP address does not match any of
            the entries in the exclusion (see shorewall-exclusion[10](5)).

        zone:interface:exclusion
            This form matches packets from the named zone entering through
            the specified interface where the source address does not match
            any entry in the exclusion.

        Beginning with Shorewall 5.1.0, multiple source-specs may be
        listed, provided that extended forms of the source-spec are used:

            zone:(interface)
            zone:(address[,...])
            zone:(interface:address[,...])
            zone:(exclusion)
            zone:(interface:exclusion)

        Examples:

        dmz:192.168.2.2
            Host 192.168.2.2 in the DMZ

        net:155.186.235.0/24
            Subnet 155.186.235.0/24 on the Internet

        loc:192.168.1.1,192.168.1.2
            Hosts 192.168.1.1 and 192.168.1.2 in the local zone.

        loc:~00-A0-C9-15-39-78
            Host in the local zone with MAC address 00:A0:C9:15:39:78.

        net:192.0.2.11-192.0.2.17
            Hosts 192.0.2.11-192.0.2.17 in the net zone.

        net:!192.0.2.11-192.0.2.17
            All hosts in the net zone except for 192.0.2.11-192.0.2.17.

        net:155.186.235.0/24!155.186.235.16/28
            Subnet 155.186.235.0/24 on the Internet except for
            155.186.235.16/28

        $FW:&eth0
            The primary IP address of eth0 in the firewall zone.

        loc,dmz
            Both the loc and dmz zones.

        all!dmz
            All but the dmz zone.

        all+!$FW
            All but the firewall zone, and applies to intra-zone traffic.

        net:^CN
            China.

        loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
            Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
            arrives through eth1, plus hosts 5.6.7.8 and 9.10.11.12 in the
            dmz zone when the packet arrives through eth2, plus all of the
            net zone.

        dmz:[2002:ce7c:2b4:1::2]
            Host 2002:ce7c:92b4:1::2 in the DMZ

        net:2001:4d48:ad51:24::/64
            Subnet 2001:4d48:ad51:24::/64 on the Internet

        loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
            Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local
            zone.

        loc:~00-A0-C9-15-39-78
            Host in the local zone with MAC address 00:A0:C9:15:39:78.

        net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
            Subnet 2001:4d48:ad51:24::/64 on the Internet except for
            2001:4d48:ad51:24:6::/80.
    DEST - dest-spec[,...]
        Destination hosts to which the rule applies.

        dest-spec is one of the following:

        zone[,...[+]]
            The name of a zone defined in shorewall-zones[4](5). When only
            the zone name is specified, the packet destination may be any
            host in that zone.

            zone may also be one of the following:

            all[+]
                all, without the "-", means "All Zones, including the
                firewall zone". Normally all omits intra-zone traffic, but
                intra-zone traffic can be included by specifying "+".

            any[+]
                any is equivalent to all when there are no nested zones.
                When there are nested zones, any only refers to top-level
                zones (those with no parent zones). Note that any excludes
                all vserver zones, since those zones are nested within the
                firewall zone.

            none
                When none is used either in the SOURCE or DEST column, the
                rule is ignored.

            As with all and any, intra-zone traffic is normally excluded
            when multiple zones are listed. Intra-zone traffic may be
            included by following the list with a plus sign ("+").

            all and any may be followed by an exclamation point ("!") and a
            comma-separated list of zone names to be omitted.

        zone:[!]interface
            When this form is used, interface must be the name of an
            interface associated with the named zone in either
            shorewall-interfaces[8](5) or shorewall-hosts[11](5). Only
            packets to hosts in the zone that are sent through the named
            interface will match the rule.

            Beginning with Shorewall 5.2.1, the interface may be preceded
            with '!', which matches all interfaces associated with the zone
            except the one specified.

        zone:address[,...]
            where address can be:

            · A host or network IP address. A network address may be
              followed by an exclusion (see shorewall-exclusion[10](5)).

            · An address range, specified using the syntax
              lowaddress-highaddress.

            · +ipset where ipset is the name of an ipset and must be
              preceded by a plus sign ("+").

            · ^country-code where country-code is a two-character
              ISO-3661 country code preceded by a caret ("^").

            · ^country-code-list where country-code-list is a
              comma-separated list of up to 15 ISO-3661 country codes
              enclosed in square brackets ("[...]").

            · The primary IP address of a firewall interface can be
              specified by an ampersand ('&') followed by the logical
              name of the interface as found in the INTERFACE column of
              shorewall-interfaces[8](5).

        zone:[!]interface:address[,...]
            This form combines the preceding two and requires that both the
            outgoing interface and destination address match.

            Beginning with Shorewall 5.2.1, the interface may be preceded
            with '!', which matches all interfaces associated with the zone
            except the one specified.

        zone:exclusion
            This form matches if the host IP address does not match any of
            the entries in the exclusion (see shorewall-exclusion[10](5)).

        zone:[!]interface:exclusion
            This form matches packets to the named zone leaving through the
            specified interface where the destination address does not
            match any entry in the exclusion.

            Beginning with Shorewall 5.2.1, the interface may be preceded
            with '!', which matches all interfaces associated with the zone
            except the one specified.

        [zone]:[server-IP][:port-or-port-range[:random]]
            This form applies when the ACTION is DNAT[-] or REDIRECT[-].
            The zone may be omitted in REDIRECT rules ($FW is assumed) and
            must be omitted in DNAT-, REDIRECT- and NONAT rules.

            server-IP is not allowed in REDIRECT rules and may be omitted
            in DNAT[-] rules provided that port-or-port-range is included.
            server-IP may be:

            · The IP address of the server to which the packet is to be
              sent.

            · A range of IP addresses with the low and high address
              separated by a dash ("-"). Connections are distributed
              among the IP addresses in the range.

            If server-IP is omitted in a DNAT[-] rule, only the destination
            port number is modified by the rule.

            port-or-port-range may be:

            · An integer port number in the range 1 - 65535.

            · The name of a service from /etc/services.

            · A port range with the low and high integer port numbers
              separated by a dash ("-"). Connections are distributed
              among the ports in the range.

            If random is specified, port mapping will be randomized.
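As an added example (not part of the man page or of Shorewall), this Python parser reads the DEST column of a DNAT[-]/REDIRECT[-]/NONAT rule using the [zone]:[server-IP][:port-or-port-range[:random]] syntax and enforces the constraints stated above, which is the sort of check a reviewer of a rules file wants before a NAT rule silently forwards to the wrong place. Bracketed IPv6 literals are kept intact, and the common bare-port form for REDIRECT (DEST is just a port, as in the page's Squid-style usage) is treated as port only.

```python
"""Parser for the DEST column of DNAT[-]/REDIRECT[-]/NONAT rules
(added example, not Shorewall's own implementation)."""
import re

NAT_ACTIONS = ("DNAT", "DNAT-", "REDIRECT", "REDIRECT-", "NONAT")


def _split_colons(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [2001:db8::1] whole."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def _parse_port(port):
    """Return an int, a (low, high) tuple for a range, or a service name."""
    if "-" in port:
        low, high = port.split("-", 1)
        if not (low.isdigit() and high.isdigit()):
            raise ValueError(f"port range {port!r} must use integer ports")
        low, high = int(low), int(high)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range {port!r} out of range")
        return (low, high)
    if port.isdigit():
        n = int(port)
        if not 1 <= n <= 65535:
            raise ValueError(f"port {port!r} outside 1-65535")
        return n
    return port  # service name; Shorewall resolves it from /etc/services


def parse_nat_dest(action, spec):
    """Parse DEST for a NAT action, applying the man page's rules:
    zone may be omitted in REDIRECT ($FW assumed) and must be omitted in
    DNAT-, REDIRECT- and NONAT; server-IP is not allowed in REDIRECT; a
    DNAT[-] rule needs a server-IP or a port.  Returns a dict with keys
    zone, server (address string or (low, high) tuple), port, random."""
    if action not in NAT_ACTIONS:
        raise ValueError(f"{action} is not a NAT action")
    parts = _split_colons(spec)
    # Bare-port form, e.g. 'REDIRECT loc 3128 tcp 80': no zone, no server.
    if action.startswith("REDIRECT") and len(parts) == 1 and re.fullmatch(r"\d+(-\d+)?", parts[0]):
        parts = ["", "", parts[0]]
    if len(parts) > 4:
        raise ValueError(f"too many fields in {spec!r}")
    parts += [""] * (4 - len(parts))
    zone, server, port, flag = parts
    if flag not in ("", "random"):
        raise ValueError(f"unexpected trailing field {flag!r}; only 'random' is allowed")
    if action in ("DNAT-", "REDIRECT-", "NONAT") and zone:
        raise ValueError(f"zone must be omitted in {action} rules")
    if action == "REDIRECT" and server:
        raise ValueError("server-IP is not allowed in REDIRECT rules")
    if action.startswith("DNAT") and not server and not port:
        raise ValueError("DNAT[-] rules need a server-IP or a port")
    if action.startswith("REDIRECT") and not zone:
        zone = "$FW"
    if "-" in server and "[" not in server:
        server = tuple(server.split("-", 1))   # low-high address range
    else:
        server = server.strip("[]") or None
    return {
        "zone": zone or None,
        "server": server,
        "port": _parse_port(port) if port else None,
        "random": flag == "random",
    }


if __name__ == "__main__":
    # Constructed sample values, not a real rules file.
    print(parse_nat_dest("DNAT", "dmz:192.168.10.4:25"))
    print(parse_nat_dest("REDIRECT", "3128"))
    print(parse_nat_dest("DNAT", "loc:10.0.0.1-10.0.0.4:80-81:random"))
```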
819
820 If the DEST zone is a bport zone, then either:
821
822 1. the SOURCE must be all[+], or
823
824 2. the SOURCE zone must be another bport zone associated with the
825 same bridge, or
826
827 3. the SOURCE zone must be an ipv4 zone that is associated with
828 only the same bridge.
829
830 Beginning with Shorewall 5.1.0, multiple dest-specs may be listed,
831 provided that extended forms of the source-spec are used:
832 zone:(interface)
833
834 zone:(address[,...])
835
836 zone:(interface:address[,...])
837
838 zone:(exclusion)
839
840 zone:(interface:exclusion) Multiple dest-specs are not permitted in
841 DNAT[-] and REDIRECT[-] rules.
842
843 Examples:
844
845 dmz:192.168.2.2
846 Host 192.168.2.2 in the DMZ
847
848 net:155.186.235.0/24
849 Subnet 155.186.235.0/24 on the Internet
850
851 loc:192.168.1.1,192.168.1.2
852 Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
853
854 net:192.0.2.11-192.0.2.17
855 Hosts 192.0.2.11-192.0.2.17 in the net zone.
856
857 net:!192.0.2.11-192.0.2.17
858 All hosts in the net zone except for 192.0.2.11-192.0.2.17.
859
860 net:155.186.235.0/24!155.186.235.16/28
861 Subnet 155.186.235.0/24 on the Internet except for
862 155.186.235.16/28
863
$FW:&eth0
865 The primary IP address of eth0 in the firewall zone.
866
867 loc,dmz
868 Both the loc and dmz zones.
869
870 all!dmz
871 All but the dmz zone.
872
873 net:^CN
874 China.
875
876 dmz:192.168.10.4:25
877 Port 25 on server 192.168.10.4 in the dmz zone (DNAT rule).
878
879 loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
880 Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
881 arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
882 dmz zone when the packet arrives through eth2 plus all of the
883 net zone.
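
The DNAT[-]/REDIRECT[-] form of the DEST column, as an added example that is not part of this man page or of Shorewall itself: a Python parser that decomposes [zone]:[server-IP][:port-or-port-range[:random]] and rejects the combinations the text rules out (no zone on a DNAT rule, a server-IP in a REDIRECT rule, random without a port, neither server-IP nor port). The names NatDest and parse_nat_dest are my own, and only IPv4 addresses are handled, since a bare IPv6 address would collide with the colon separators.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Shorewall's own code: decompose the DEST column of a
# DNAT[-] / REDIRECT[-] rule, whose syntax is
#   [zone]:[server-IP][:port-or-port-range[:random]]
# and enforce the constraints the man page states for each of those actions.

SERVICE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._+-]*$")  # a name from /etc/services
NAT_ACTIONS = ("DNAT", "DNAT-", "REDIRECT", "REDIRECT-")


@dataclass
class NatDest:
    zone: Optional[str]    # "$FW" is assumed for REDIRECT when the zone is omitted
    server: Optional[str]  # one address or a "low-high" range; None when omitted
    port: Optional[str]    # integer, service name or "low-high" range; None when omitted
    random: bool           # trailing ":random" present


def _check_port(spec: str) -> str:
    """Accept an integer 1-65535, a service name, or a low-high integer range."""
    lo, _, hi = spec.partition("-")
    if hi:
        if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) < int(hi) <= 65535):
            raise ValueError(f"bad port range {spec!r}")
    elif spec.isdigit():
        if not 1 <= int(spec) <= 65535:
            raise ValueError(f"port {spec} is outside 1-65535")
    elif not SERVICE_RE.match(spec):
        raise ValueError(f"bad port {spec!r}")
    return spec


def _check_server(spec: str) -> str:
    """Accept one IPv4 address or a dash-separated IPv4 address range."""
    lo, _, hi = spec.partition("-")
    low = ipaddress.IPv4Address(lo)
    if hi and ipaddress.IPv4Address(hi) < low:
        raise ValueError(f"range {spec!r} runs backwards")
    return spec


def parse_nat_dest(action: str, spec: str) -> NatDest:
    if action not in NAT_ACTIONS:
        raise ValueError(f"{action} is not a DNAT/REDIRECT action")
    fields = spec.split(":")
    random = fields[-1] == "random"
    if random:
        fields.pop()
    # Zone: mandatory for DNAT, optional for REDIRECT ($FW assumed),
    # must be omitted for DNAT- and REDIRECT-.
    if action == "DNAT" or (action == "REDIRECT" and len(fields) == 3):
        zone, rest = fields[0], fields[1:]
        if not zone:
            raise ValueError("DNAT needs a destination zone")
    else:
        zone, rest = ("$FW" if action == "REDIRECT" else None), fields
    if len(rest) > 2:
        raise ValueError(f"too many fields in {spec!r}")
    if action.startswith("DNAT"):
        server = _check_server(rest[0]) if rest and rest[0] else None
        port = rest[1] if len(rest) == 2 else None
    else:
        # REDIRECT[-]: server-IP is not allowed, so what remains is [:]port
        if len(rest) == 2 and rest[0]:
            raise ValueError("server-IP is not allowed in REDIRECT rules")
        server, port = None, (rest[-1] if rest else None)
    port = _check_port(port) if port else None
    if port is None:
        if random:
            raise ValueError("random needs a port or port range")
        if server is None:
            raise ValueError(f"{action} needs a server-IP or a port")
    return NatDest(zone, server, port, random)
```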
884
885 PROTO-
886 {-|tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
887 Optional Protocol - ipp2p* requires ipp2p match support in your
888 kernel and iptables. tcp:syn implies tcp plus the SYN flag must be
889 set and the RST, ACK and FIN flags must be reset. Beginning with
890 Shorewall 5.1.3, you may also specify tcp:!syn, which matches if
891 SYN is not set or if RST, ACK or FIN is set.
892
893 Beginning with Shorewall 4.4.19, this column can contain a
894 comma-separated list of protocol-numbers and/or protocol names.
895
896 DPORT -
897 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
898 Optional destination Ports. A comma-separated list of Port names
899 (from services(5)), port numbers or port ranges; if the protocol is
900 icmp, this column is interpreted as the destination icmp-type(s).
901 ICMP types may be specified as a numeric type, a numeric type and
902 code separated by a slash (e.g., 3/4), or a typename. See
903 http://www.shorewall.net/configuration_file_basics.htm#ICMP[12].
904 Note that prior to Shorewall 4.4.19, only a single ICMP type may be
905 listed.
906
907 If the protocol is ipp2p, this column is interpreted as an ipp2p
908 option without the leading "--" (example bit for bit-torrent). If
909 no port is given, ipp2p is assumed.
910
911 A port range is expressed as lowport:highport.
912
913 This column is ignored if PROTO = all but must be entered if any of
914 the following columns are supplied. In that case, it is suggested
915 that this field contain a dash (-).
916
917 If your kernel contains multi-port match support, then only a
918 single Netfilter rule will be generated if in this list and the
919 SPORT list below:
920
1. There are 15 or fewer ports listed.
922
923 2. No port ranges are included or your kernel and iptables contain
924 extended multi-port match support.
925
926 Beginning with Shorewall 4.6.0, an ipset name can be specified in
927 this column. This is intended to be used with bitmap:port ipsets.
928
929 This column was formerly labelled DEST PORT(S).
930
931 SPORT -
932 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
933 Optional port(s) used by the client. If omitted, any source port is
934 acceptable. Specified as a comma- separated list of port names,
935 port numbers or port ranges.
936
937 Beginning with Shorewall 4.5.15, you may place '=' in this column,
938 provided that the DPORT column is non-empty. This causes the rule
939 to match when either the source port or the destination port in a
packet matches one of the ports specified in DPORT. Use of
941 '=' requires multi-port match in your iptables and kernel.
942
943 Warning
944 Unless you really understand IP, you should leave this column
945 empty or place a dash (-) in the column. Most people who try to
use this column get it wrong.

If you don't want to restrict client ports but need to specify an
948 ORIGDEST in the next column, then place "-" in this column.
949
950 If your kernel contains multi-port match support, then only a
951 single Netfilter rule will be generated if in this list and the
952 DPORT list above:
953
1. There are 15 or fewer ports listed.
955
956 2. No port ranges are included or your kernel and iptables contain
957 extended multi-port match support.
958
959 Beginning with Shorewall 4.6.0, an ipset name can be specified in
960 this column. This is intended to be used with bitmap:port ipsets.
961
962 This column was formerly labelled SOURCE PORT(S).
963
964 ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
965 Optional. If ACTION is DNAT[-] or REDIRECT[-] then if this column
966 is included and is different from the IP address given in the DEST
967 column, then connections destined for that address will be
968 forwarded to the IP and port specified in the DEST column.
969
970 A comma-separated list of addresses may also be used. This is most
971 useful with the REDIRECT target where you want to redirect traffic
972 destined for particular set of hosts. Finally, if the list of
973 addresses begins with "!" (exclusion) then the rule will be
974 followed only if the original destination address in the connection
975 request does not match any of the addresses listed.
976
977 Beginning with Shorewall 4.4.17, the primary IP address of a
978 firewall interface can be specified by an ampersand ('&') followed
979 by the logical name of the interface as found in the INTERFACE
980 column of shorewall-interfaces[8] (5).
981
982 For other actions, this column may be included and may contain one
983 or more addresses (host or network) separated by commas. Address
984 ranges are not allowed. When this column is supplied, rules are
985 generated that require that the original destination address
986 matches one of the listed addresses. This feature is most useful
987 when you want to generate a filter rule that corresponds to a DNAT-
988 or REDIRECT- rule. In this usage, the list of addresses should not
989 begin with "!".
990
991 It is also possible to specify a set of addresses then exclude part
992 of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
specifies the addresses 192.168.1.0-192.168.1.15 and
994 192.168.1.32-192.168.1.255. See shorewall-exclusion[10](5).
995
996 See http://www.shorewall.net/PortKnocking.html[13] for an example
997 of using an entry in this column with a user-defined action rule.
998
999 This column was formerly labelled ORIGINAL DEST.
1000
RATE - limit
where limit is one of:

-|[{s|d}[/vlsm]:][name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]

[s[/vlsm1]:][name1[(ht-buckets1,ht-max1)]:]rate1/{sec|min|hour|day}[:burst1],[d[/vlsm2]:][name2[(ht-buckets2,ht-max2)]:]rate2/{sec|min|hour|day}[:burst2]

You may optionally rate-limit the rule by placing a value in this
column:
1007
1008 rate* is the number of connections per interval (sec or min) and
1009 burst* is the largest burst permitted. If no burst is given, a
value of 5 is assumed. There may be no white-space embedded in
1011 the specification.
1012
1013 Example: 10/sec:20
1014
1015 When s: or d: is specified, the rate applies per source IP address
1016 or per destination IP address respectively. The names may be chosen
1017 by the user and specify a hash table to be used to count matching
1018 connections. If not given, the name shorewallN (where N is a unique
1019 integer) is assumed. Where more than one rule or POLICY specifies
1020 the same name, the connections counts for the rules are aggregated
1021 and the individual rates apply to the aggregated count. Beginning
1022 with Shorewall 5.2.1, the s or d may be followed by a slash ("/")
1023 and an integer vlsm. When a vlsm is specified, all source or
1024 destination addresses encountered will be grouped according to the
1025 given prefix length and the so-created subnet will be subject to
1026 the rate limit.
1027
1028 Example: s/24::10/sec
1029
1030 Beginning with Shorewall 4.6.5, two limits may be specified,
1031 separated by a comma. In this case, the first limit (name1, rate1,
1032 burst1) specifies the per-source IP limit and the second limit
1033 specifies the per-destination IP limit.
1034
1035 Example: client:10/sec:20,:60/sec:100
1036
1037 In this example, the 'client' hash table will be used to enforce
1038 the per-source limit and the compiler will pick a unique name for
1039 the hash table that tracks the per-destination limit.
1040
1041 Beginning with Shorewall 5.2.1, the table name, if any, may be
1042 followed by two integers separated by commas and enclosed in
1043 parentheses. The first integer (ht-buckets) specifies the number of
1044 buckets in the generated hash table. The second integer (ht-max)
1045 specifies the maximum number of entries in the hash table.
1046
1047 Example: s:netfw(1024,65536):10/sec
1048
1049 This column was formerly labelled RATE LIMIT.
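
The RATE grammar above, as an added example that is not part of this man page or of Shorewall: a Python parser that splits a RATE column into its scope (s/d), vlsm, hash-table name and size, rate, interval and burst, and handles the two-limit (per-source, per-destination) form introduced in 4.6.5, including the default burst of 5 and the no-white-space rule. The names RateLimit, parse_rate and per_second are my own; the examples checked are the page's own (10/sec:20, s/24::10/sec, client:10/sec:20,:60/sec:100, s:netfw(1024,65536):10/sec).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Shorewall's own code: parse the RATE column with the
# grammar given in the man page,
#   [{s|d}[/vlsm]:][name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]
# optionally twice, comma-separated, as the per-source then per-destination limit.

LIMIT_RE = re.compile(r"""
    ^(?:(?P<scope>[sd])(?:/(?P<vlsm>\d{1,3}))?:)?   # s[/vlsm]: or d[/vlsm]:
    (?:(?P<name>[A-Za-z_][\w-]*)?                    # hash table name (optional)
       (?:\((?P<buckets>\d+),(?P<max>\d+)\))?:)?     # (ht-buckets,ht-max) (optional)
    (?P<rate>\d+)/(?P<unit>sec|min|hour|day)         # connections per interval
    (?::(?P<burst>\d+))?$                            # burst, default 5
""", re.VERBOSE)
SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}
DEFAULT_BURST = 5


@dataclass
class RateLimit:
    scope: Optional[str]   # "s" per source IP, "d" per destination IP, None: whole rule
    vlsm: Optional[int]    # prefix length that groups addresses (Shorewall 5.2.1)
    name: Optional[str]    # hash table name; None: the compiler picks shorewallN
    ht_buckets: Optional[int]
    ht_max: Optional[int]
    rate: int
    unit: str
    burst: int

    def per_second(self) -> float:
        return self.rate / SECONDS[self.unit]


def _parse_one(text: str, default_scope: Optional[str]) -> RateLimit:
    m = LIMIT_RE.match(text)
    if not m:
        raise ValueError(f"bad RATE limit {text!r}")
    scope = m["scope"] or default_scope
    if default_scope and scope != default_scope:
        raise ValueError(f"{text!r}: expected a per-{default_scope} limit here")
    vlsm = int(m["vlsm"]) if m["vlsm"] else None
    if vlsm is not None and vlsm > 128:
        raise ValueError(f"{text!r}: vlsm {vlsm} is not a valid prefix length")
    if m["buckets"] and not m["name"]:
        raise ValueError(f"{text!r}: (ht-buckets,ht-max) needs a table name")
    return RateLimit(scope, vlsm, m["name"] or None,
                     int(m["buckets"]) if m["buckets"] else None,
                     int(m["max"]) if m["max"] else None,
                     int(m["rate"]), m["unit"],
                     int(m["burst"]) if m["burst"] else DEFAULT_BURST)


def parse_rate(column: str) -> List[RateLimit]:
    """Return [] for '-', one limit, or [per-source, per-destination]."""
    if column in ("", "-"):
        return []
    if any(ch.isspace() for ch in column):
        raise ValueError("RATE may contain no white-space")
    parts = re.split(r",(?![^(]*\))", column)  # commas inside (...) do not split
    if len(parts) == 1:
        return [_parse_one(parts[0], None)]
    if len(parts) != 2:
        raise ValueError("at most two limits (per-source, per-destination)")
    return [_parse_one(parts[0], "s"), _parse_one(parts[1], "d")]
```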
1050
1051 USER - [!][user-name-or-number][:group-name-or-number][,...]
1052 This optional column may only be non-empty if the SOURCE is the
1053 firewall itself.
1054
1055 When this column is non-empty, the rule applies only if the program
1056 generating the output is running under the effective user and/or
1057 group specified (or is NOT running under that id if "!" is given).
1058
1059 Beginning with Shorewall 4.5.8, multiple user or group names/ids
1060 separated by commas may be specified.
1061
1062 Examples:
1063
1064 joe
1065 program must be run by joe
1066
1067 :kids
1068 program must be run by a member of the 'kids' group
1069
1070 !:kids
1071 program must not be run by a member of the 'kids' group
1072
1073 2001-2099
1074 UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
1075
1076 This column was formerly labelled USER/GROUP.
1077
1078 MARK - [!]value[/mask][:C]
1079 Defines a test on the existing packet or connection mark. The rule
1080 will match only if the test returns true.
1081
1082 If you don't want to define a test but need to specify anything in
1083 the following columns, place a "-" in this field.
1084
1085 !
1086 Inverts the test (not equal)
1087
1088 value
1089 Value of the packet or connection mark.
1090
1091 mask
1092 A mask to be applied to the mark before testing.
1093
1094 :C
1095 Designates a connection mark. If omitted, the packet mark's
1096 value is tested.
1097
1098 CONNLIMIT - [d:][!]limit[:mask]
1099 May be used to limit the number of simultaneous connections to/from
1100 each individual host or network to limit connections. Requires
1101 connlimit match in your kernel and iptables. While the limit is
1102 only checked on rules specifying CONNLIMIT, the number of current
1103 connections is calculated over all current connections from the
1104 SOURCE or DESTINATION host. By default, limiting is done by SOURCE
1105 host or net, but if the specification begins with d:, then limiting
will be done by destination host or net.
1107
1108 By default, the limit is applied to each host but can be made to
1109 apply to networks of hosts by specifying a mask. The mask specifies
1110 the width of a VLSM mask to be applied to the source address; the
1111 number of current connections is then taken over all hosts in the
1112 subnet source-address/mask. When ! is specified, the rule matches
when the number of connections exceeds the limit.
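
The CONNLIMIT semantics just described, as an added example that is not part of this man page or of Shorewall: a Python model that parses [d:][!]limit[:mask] and evaluates it against a constructed table of currently tracked connections, counting over the whole table (not just connections this rule accepted) and grouping by the /mask subnet. The names ConnLimit, parse_connlimit and connlimit_matches are my own, the addresses are constructed, and counting the new connection itself toward the total is this model's assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Added example, not Shorewall's own code: parse the CONNLIMIT column,
# [d:][!]limit[:mask], and evaluate it against a constructed table of the
# connections currently tracked, following the semantics the man page gives.

Conn = Tuple[str, str]  # (source address, destination address)


@dataclass
class ConnLimit:
    by_dest: bool        # "d:" present: count per destination host/net, not source
    invert: bool         # "!" present: match when the count EXCEEDS the limit
    limit: int
    mask: Optional[int]  # VLSM width; None = per host (/32 for IPv4, /128 for IPv6)


def parse_connlimit(column: str) -> ConnLimit:
    spec = column
    by_dest = spec.startswith("d:")
    if by_dest:
        spec = spec[2:]
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:]
    limit, _, mask = spec.partition(":")
    if not limit.isdigit() or (mask and not mask.isdigit()):
        raise ValueError(f"bad CONNLIMIT {column!r}")
    mask_bits = int(mask) if mask else None
    if mask_bits is not None and mask_bits > 128:
        raise ValueError(f"mask {mask_bits} is too wide")
    return ConnLimit(by_dest, invert, int(limit), mask_bits)


def _group(addr: str, mask: Optional[int]):
    """The subnet address/mask over which the text says connections are summed."""
    ip = ipaddress.ip_address(addr)
    bits = ip.max_prefixlen if mask is None else mask
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def connlimit_matches(cl: ConnLimit, new: Conn, current: Iterable[Conn]) -> bool:
    """Does a rule carrying this CONNLIMIT match the new connection?

    The count is taken over ALL current connections (whatever rule accepted
    them) whose source (or destination, with d:) falls in the same subnet as
    the new connection's, plus the new connection itself (an assumption of
    this model about how the kernel match tallies).
    """
    side = 1 if cl.by_dest else 0
    net = _group(new[side], cl.mask)
    count = 1 + sum(1 for c in current if ipaddress.ip_address(c[side]) in net)
    above = count > cl.limit
    return above if cl.invert else not above


# Constructed connection table: three clients talking to one server.
CURRENT_CONNS: List[Conn] = [
    ("198.51.100.7", "203.0.113.10"),
    ("198.51.100.7", "203.0.113.10"),
    ("198.51.100.9", "203.0.113.10"),
    ("192.0.2.5", "203.0.113.10"),
]

if __name__ == "__main__":
    new = ("198.51.100.7", "203.0.113.10")
    for column in ("2", "!2", "2:24", "d:3", "d:!3"):
        print(column, connlimit_matches(parse_connlimit(column), new, CURRENT_CONNS))
```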
1114
1115 TIME - timeelement[&timeelement...]
1116 May be used to limit the rule to a particular time period each day,
1117 to particular days of the week or month, or to a range defined by
1118 dates and times. Requires time match support in your kernel and
1119 iptables.
1120
1121 timeelement may be:
1122
1123 timestart=hh:mm[:ss]
1124 Defines the starting time of day.
1125
1126 timestop=hh:mm[:ss]
1127 Defines the ending time of day.
1128
1129 contiguous
Added in Shorewall 5.0.12. When timestop is smaller than the
1131 timestart value, match this as a single time period instead of
1132 distinct intervals.
1133
1134 utc
1135 Times are expressed in Greenwich Mean Time.
1136
1137 localtz
1138 Deprecated by the Netfilter team in favor of kerneltz. Times
1139 are expressed in Local Civil Time (default).
1140
1141 kerneltz
1142 Added in Shorewall 4.5.2. Times are expressed in Local Kernel
1143 Time (requires iptables 1.4.12 or later).
1144
1145 weekdays=ddd[,ddd]...
1146 where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
1147
1148 monthdays=dd[,dd],...
1149 where dd is an ordinal day of the month
1150
1151
1152 datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1153 Defines the starting date and time.
1154
1155 datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1156 Defines the ending date and time.
1157
1158 HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
1159 4.4.15)
1160 This column is only used in IPv6. In IPv4, supply "-" in this
column if you wish to place a value in one of the following
1162 columns.
1163
1164 The header-list consists of a comma-separated list of headers from
1165 the following list.
1166
1167 auth, ah, or 51
1168 Authentication Headers extension header.
1169
1170 esp, or 50
1171 Encrypted Security Payload extension header.
1172
1173 hop, hop-by-hop or 0
1174 Hop-by-hop options extension header.
1175
1176 route, ipv6-route or 43
1177 IPv6 Route extension header.
1178
1179 frag, ipv6-frag or 44
1180 IPv6 fragmentation extension header.
1181
1182 none, ipv6-nonxt or 59
1183 No next header
1184
1185 proto, protocol or 255
1186 Any protocol header.
1187
1188 If any: is specified, the rule will match if any of the listed
headers are present. If exactly: is specified, the rule will match
1190 packets that exactly include all specified headers. If neither is
1191 given, any: is assumed.
1192
1193 If ! is entered, the rule will match those packets which would not
1194 be matched when ! is omitted.
1195
1196 SWITCH - [!]switch-name[={0|1}]
1197 Added in Shorewall 4.4.24 and allows enabling and disabling the
1198 rule without requiring shorewall restart.
1199
1200 The rule is enabled if the value stored in
1201 /proc/net/nf_condition/switch-name is 1. The rule is disabled if
1202 that file contains 0 (the default). If '!' is supplied, the test is
1203 inverted such that the rule is enabled if the file contains 0.
1204
1205 Within the switch-name, '@0' and '@{0}' are replaced by the name of
the chain to which the rule is added. The switch-name (after
1207 '@...' expansion) must begin with a letter and be composed of
1208 letters, decimal digits, underscores or hyphens. Switch names must
1209 be 30 characters or less in length.
1210
Switches are normally off. To turn a switch on:

    echo 1 > /proc/net/nf_condition/switch-name

To turn it off again:

    echo 0 > /proc/net/nf_condition/switch-name

Switch settings are retained over shorewall restart.
1218
1219 Beginning with Shorewall 4.5.10, when the switch-name is followed
1220 by =0 or =1, then the switch is initialized to off or on
1221 respectively by the start command. Other commands do not affect the
1222 switch setting.
1223
1224 HELPER - [helper]
1225 Added in Shorewall 4.5.7.
1226
1227 In the NEW section, causes the named conntrack helper to be
1228 associated with this connection; the contents of this column are
1229 ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*.
1230
1231 In the RELATED section, will only match if the related connection
1232 has the named helper associated with it.
1233
1234 The helper may be one of:
1235 amanda
1236 ftp
1237 irc
1238 netbios-ns
1239 pptp
1240 Q.931
1241 RAS
1242 sane
1243 sip
1244 snmp
1245 tftp
1246 If the HELPERS option is specified in shorewall.conf[2](5), then
1247 any module specified in this column must be listed in the HELPERS
1248 setting.
1249
EXAMPLES
Example 1:
1252 Accept SMTP requests from the DMZ to the internet
1253
1254 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1255 ACCEPT dmz net tcp smtp
1256
1257 Example 2:
1258 Forward all ssh and http connection requests from the internet to
1259 local system 192.168.1.3
1260
1261 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1262 DNAT net loc:192.168.1.3 tcp ssh,http
1263
1264 Example 3:
1265 Forward all http connection requests from the internet to local
1266 system 192.168.1.3 with a limit of 3 per second and a maximum burst
1267 of 10
1268
1269 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
1270 DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
1271
1272 Example 4:
1273 Redirect all locally-originating www connection requests to port
1274 3128 on the firewall (Squid running on the firewall system) except
1275 when the destination address is 192.168.2.2
1276
1277 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1278 REDIRECT loc 3128 tcp www - !192.168.2.2
1279
1280 Example 5:
1281 All http requests from the internet to address 130.252.100.69 are
1282 to be forwarded to 192.168.1.3
1283
1284 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1285 DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
1286
1287 Example 6:
1288 You want to accept SSH connections to your firewall only from
1289 internet IP addresses 130.252.100.69 and 130.252.100.70
1290
1291 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1292 ACCEPT net:130.252.100.69,130.252.100.70 \
1293 $FW tcp 22
1294
1295 Example 7:
1296 You wish to accept connections from the internet to your firewall
1297 on port 2222 and you want to forward them to local system
1298 192.168.1.3, port 22
1299
1300 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1301 DNAT net loc:192.168.1.3:22 tcp 2222
1302
1303 Example 8:
1304 You want to redirect connection requests to port 80 randomly to the
1305 port range 81-90.
1306
1307 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1308 REDIRECT net $FW::81-90:random tcp www
1309
1310 Example 9:
1311 Shorewall does not impose as much structure on the Netfilter rules
1312 in the 'nat' table as it does on those in the filter table. As a
1313 consequence, when using Shorewall versions before 4.1.4, care must
1314 be exercised when using DNAT and REDIRECT rules with zones defined
with wildcard interfaces (those ending with '+'). Here is an
1316 example:
1317
1318 shorewall-zones[4](5):
1319
1320 #ZONE TYPE OPTIONS
1321 fw firewall
1322 net ipv4
1323 dmz ipv4
1324 loc ipv4
1325
1326 shorewall-interfaces[8](5):
1327
1328 #ZONE INTERFACE BROADCAST OPTIONS
1329 net ppp0
1330 loc eth1 detect
1331 dmz eth2 detect
1332 - ppp+ # Addresses are assigned from 192.168.3.0/24
1333
1334 shorewall-host[11](5):
1335
1336 #ZONE HOST(S) OPTIONS
1337 loc ppp+:192.168.3.0/24
1338
1339 rules:
1340
1341 #ACTION SOURCE DEST PROTO DPORT
1342 REDIRECT loc 3128 tcp 80
1343
1344 Note that it would have been tempting to simply define the loc zone
entirely in shorewall-interfaces[8](5):
1346
1347 #******************* INCORRECT *****************
1348 #ZONE INTERFACE BROADCAST OPTIONS
1349 net ppp0
1350 loc eth1 detect
1351 loc ppp+
1352 dmz eth2
1353
This would have made it impossible to run an internet-accessible web
1355 server in the DMZ because all traffic entering ppp+ interfaces
1356 would have been redirected to port 3128 on the firewall and there
1357 would have been no net->fw ACCEPT rule for that traffic.
1358
1359 Example 10:
1360 Add the tuple (source IP, dest port, dest IP) of an incoming SSH
1361 connection to the ipset S:
1362
1363 #ACTION SOURCE DEST PROTO DPORT
1364 ADD(+S:dst,src,dst) net fw tcp 22
1365
1366 Example 11:
1367 You wish to limit SSH connections from remote systems to 1/min with
1368 a burst of three (to allow for limited retry):
1369
1370 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
1371 SSH(ACCEPT) net all - - - - s:1/min:3
1372
1373 Example 12:
1374 Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.
1375
1376 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
1377 DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
1378
1379 Example 13:
1380 Drop all email from the Anonymous Proxy and Satellite Provider
1381 address ranges:
1382
1383 #ACTION SOURCE DEST PROTO DPORT
1384 DROP net:^A1,A2 fw tcp 25
1385
1386 Example 14:
1387 You want to generate your own rule involving iptables targets and
1388 matches not supported by Shorewall.
1389
1390 #ACTION SOURCE DEST PROTO DPORT
1391 INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1392
1393 The above will generate the following iptables-restore input:
1394
1395 -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1396
1397 Note that SECCTX must be defined as a builtin action in
1398 shorewall-actions[3](5):
1399
1400 #ACTION OPTIONS
1401 SECCTX builtin
1402
1403 Example 15:
1404 You want to accept SSH connections to your firewall only from
1405 internet IP addresses 2002:ce7c::92b4:1::2 and
1406 2002:ce7c::92b4:1::22
1407
1408 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1409 ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
1410 $FW tcp 22
1411
FILES
/etc/shorewall/rules
1414
1415 /etc/shorewall6/rules
1416
SEE ALSO
shorewall-logging(5)[7]
1419
1420 http://www.shorewall.net/ipsets.html[14]
1421
1422 http://www.shorewall.net/configuration_file_basics.htm#Pairs[15]
1423
1424 shorewall(8)
1425
NOTES
1. shorewall-policy
1428 https://shorewall.org/manpages/shorewall-policy.html
1429
1430 2. shorewall.conf
1431 https://shorewall.org/manpages/shorewall.conf.html
1432
1433 3. shorewall-actions
1434 https://shorewall.org/manpages/shorewall-actions.html
1435
1436 4. shorewall-zones
1437 https://shorewall.org/manpages/shorewall-zones.html
1438
1439 5. shorewall-nesting
1440 https://shorewall.org/manpages/shorewall-nesting.html
1441
1442 6. http://www.shorewall.net/shorewall_logging.html
1443 https://shorewall.org/shorewall_logging.html
1444
1445 7. shorewall-logging(5)
1446 https://shorewall.orgshorewall-logging.html
1447
1448 8. shorewall-interfaces
1449 https://shorewall.org/manpages/shorewall-interfaces.html
1450
1451 9. shorewall-hosts
1452 https://shorewall.org/manpages/shorewall.hosts.html
1453
1454 10. shorewall-exclusion
1455 https://shorewall.org/manpages/shorewall-exclusion.html
1456
1457 11. shorewall-hosts
1458 https://shorewall.org/manpages/shorewall-hosts.html
1459
1460 12. http://www.shorewall.net/configuration_file_basics.htm#ICMP
1461 https://shorewall.org/configuration_file_basics.htm#ICMP
1462
1463 13. http://www.shorewall.net/PortKnocking.html
1464 https://shorewall.org/PortKnocking.html
1465
1466 14. http://www.shorewall.net/ipsets.html
1467 https://shorewall.org/ipsets.html
1468
1469 15. http://www.shorewall.net/configuration_file_basics.htm#Pairs
1470 https://shorewall.org/configuration_file_basics.htm#Pairs
1471
1472
1473
Configuration Files 01/15/2020 SHOREWALL-RULES(5)