SHOREWALL-RULES(5) Configuration Files SHOREWALL-RULES(5)

NAME
rules - Shorewall rules file

SYNOPSIS
/etc/shorewall[6]/rules

DESCRIPTION
Entries in this file govern connection establishment by defining
exceptions to the policies laid out in shorewall-policy[1](5). By
default, subsequent requests and responses are automatically allowed
using connection tracking. For any particular (source,dest) pair of
zones, the rules are evaluated in the order in which they appear in
this file and the first terminating match is the one that determines
the disposition of the request. All rules are terminating except LOG
and COUNT rules.

Warning
If you masquerade or use SNAT from a local system to the internet,
you cannot use an ACCEPT rule to allow traffic from the internet to
that system. You must use a DNAT rule instead.

The rules file is divided into sections. Each section is introduced by
a "Section Header" which is a line beginning with ?SECTION and followed
by the section name.

Sections are as follows and must appear in the order listed:

ALL
This section was added in Shorewall 4.4.23. Rules in this section
are applied, regardless of the connection tracking state of the
packet and are applied before rules in the other sections.

ESTABLISHED
Packets in the ESTABLISHED state are processed by rules in this
section.

The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
LOG, NFLOG, NFQUEUE and QUEUE.

There is an implicit ACCEPT rule inserted at the end of this
section.

RELATED
Packets in the RELATED state are processed by rules in this
section.

The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
LOG, NFLOG, NFQUEUE and QUEUE.

There is an implicit rule added at the end of this section that
invokes the RELATED_DISPOSITION (shorewall.conf[2](5)).

INVALID
Added in Shorewall 4.5.13. Packets in the INVALID state are
processed by rules in this section.

The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
LOG, NFLOG, NFQUEUE and QUEUE.

There is an implicit rule added at the end of this section that
invokes the INVALID_DISPOSITION (shorewall.conf[2](5)).

UNTRACKED
Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
processed by rules in this section.

The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
LOG, NFLOG, NFQUEUE and QUEUE.

There is an implicit rule added at the end of this section that
invokes the UNTRACKED_DISPOSITION (shorewall.conf[2](5)).

NEW
Packets in the NEW state are processed by rules in this section. If
the INVALID and/or UNTRACKED sections are empty or not included,
then the packets in the corresponding state(s) are also processed
in this section.

Note
If you are not familiar with Netfilter to the point where you are
comfortable with the differences between the various connection
tracking states, then it is suggested that you place all of your
rules in the NEW section (that is, after the line that reads
'?SECTION NEW').

Warning
If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the ALL,
ESTABLISHED and RELATED sections must be empty.

An exception is made if you are running Shorewall 4.4.27 or later
and you have specified a non-default value for RELATED_DISPOSITION
or RELATED_LOG_LEVEL. In that case, you may have rules in the
RELATED section of this file.

You may omit any section that you don't need. If no Section Headers
appear in the file then all rules are assumed to be in the NEW section.
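The evaluation order described above (the section selected by the connection-tracking state, first terminating match within it, and the implicit rule at the end of each section) is what decides whether a given packet is accepted, and it is easy to mis-predict by reading the file. The following Python model is an added example, not part of this man page and not Shorewall's compiler: it parses a constructed rules fragment and reports which rule decides a packet. It matches only the zone part of SOURCE/DEST, requires numeric ports, and assumes the RELATED/INVALID/UNTRACKED dispositions noted in the code.

```python
# Added illustration of the evaluation order described above; not Shorewall's own
# compiler. Only the zone part of SOURCE/DEST is matched and ports must be numeric.
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

NON_TERMINATING = {"LOG", "COUNT", "ADD", "DEL", "NFLOG", "ULOG"}
# Implicit rule at the end of a section: ESTABLISHED is always ACCEPT, the rest are
# the *_DISPOSITION settings from shorewall.conf (values assumed here).
IMPLICIT = {"ESTABLISHED": "ACCEPT", "RELATED": "ACCEPT",
            "INVALID": "DROP", "UNTRACKED": "ACCEPT"}
# ACTION column: target[(params)][:level[!][:tag]], e.g. LOG:info:mail, FTP(ACCEPT):debug
ACTION_RE = re.compile(r"^(?P<target>\w+[!+-]?(?:\([^)]*\))?)"
                       r"(?::(?P<level>\w+)!?(?::(?P<tag>\w+))?)?$")
# state is the conntrack state of the packet; it selects the section that is consulted
Packet = namedtuple("Packet", "src_zone dst_zone proto dport state", defaults=["NEW"])
Rule = namedtuple("Rule", "raw target level tag source dest proto dport")


def zone_matches(col: str, zone: str, intra: bool) -> bool:
    specs = col.split(",")      # plain zone lists; the 5.1.0 "(...)" forms are not modelled
    if intra and len(specs) > 1 and not col.endswith("+"):
        return False            # with several zones listed, intra-zone traffic needs "+"
    for spec in specs:
        base, _, excl = spec.partition("!")
        name = base.split(":", 1)[0]                 # drop interface/address qualifiers
        plus, name = name.endswith("+"), name.rstrip("+")
        if name == "none" or zone in excl.split(","):
            continue
        if name == zone or (name in ("all", "any") and (plus or not intra)):
            return True         # all/any omit intra-zone traffic unless "+" is given
    return False


def port_matches(col: str, port: Optional[int]) -> bool:
    if col == "-":
        return True
    if port is None:
        return False
    for item in col.split(","):                      # "25", "80,443" or "6000-6010"
        lo, _, hi = item.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    intra = pkt.src_zone == pkt.dst_zone
    protos = [p.split(":")[0] for p in rule.proto.split(",")]   # tcp:syn -> tcp
    return (zone_matches(rule.source, pkt.src_zone, intra)
            and zone_matches(rule.dest, pkt.dst_zone, intra)
            and (rule.proto in ("-", "all") or pkt.proto in protos)
            and port_matches(rule.dport, pkt.dport))


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    sections: Dict[str, List[Rule]] = {}
    current = "NEW"             # with no ?SECTION header at all, every rule is in NEW
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.upper().startswith("?SECTION"):
            current = line.split()[1].upper()
        elif line and not line.startswith("?"):   # ?COMMENT etc. generate no rule
            cols = (line.split() + ["-"] * 5)[:5]
            m = ACTION_RE.match(cols[0])
            if not m:
                raise ValueError(f"bad ACTION column: {cols[0]!r}")
            sections.setdefault(current, []).append(
                Rule(line, m["target"], m["level"], m["tag"], *cols[1:]))
    return sections


def evaluate(text: str, pkt: Packet) -> Tuple[Optional[str], List[str]]:
    # Returns (disposition, matched rules); None means fall through to the policy.
    sections = parse_rules(text)
    own = pkt.state if pkt.state in ("ESTABLISHED", "RELATED") else "NEW"
    if pkt.state in ("INVALID", "UNTRACKED") and sections.get(pkt.state):
        own = pkt.state         # an empty or missing section hands these packets to NEW
    trace: List[str] = []
    for name in ("ALL", own):   # ALL is consulted first, then the state's own section
        for rule in sections.get(name, []):
            if rule_matches(rule, pkt):
                trace.append(f"{name}: {rule.raw}")
                if re.match(r"\w+", rule.target).group(0).upper() not in NON_TERMINATING:
                    return rule.target, trace
        if name in IMPLICIT:
            return IMPLICIT[name], trace
    return None, trace


SAMPLE_RULES = """\
# constructed sample rules file, not taken from a real deployment
?SECTION ALL
COUNT          all    all
?SECTION ESTABLISHED
?SECTION RELATED
DROP:info      net    $FW                   tcp
?SECTION NEW
DNAT           net    dmz:192.168.10.4:25   tcp   25
LOG:info:mail  loc    net                   tcp   25
REJECT         loc    net                   tcp   25
ACCEPT         loc    net
"""
```

Running `evaluate(SAMPLE_RULES, Packet("net", "dmz", "tcp", 25, "INVALID"))` shows the page's point that a missing INVALID section sends such packets through NEW, where the DNAT rule decides.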

When defining rules that rewrite the destination IP address and/or port
number (namely DNAT and REDIRECT rules), it is important to keep
straight which columns in the file specify the packet before rewriting
and which specify how the packet will look after rewriting.

· The DEST column specifies the final destination for the packet
after rewriting and can include the final IP address and/or port
number.

· The remaining columns specify characteristics of the packet before
rewriting. In particular, the ORIGDEST column gives the original
destination IP address of the packet and the DPORT column gives the
original destination port(s).

The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax).

ACTION - target[:{log-level|none}[!][:tag]]
Specifies the action to be taken if the connection request matches
the rule. target must be one of the following.

ACCEPT
Allow the connection request.

ACCEPT+
like ACCEPT but also excludes the connection from any
subsequent matching DNAT[-] or REDIRECT[-] rules. Use with IPv6
requires Shorewall 4.5.14 or later.

ACCEPT!
like ACCEPT but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall.conf[2](5).

action
The name of an action declared in shorewall-actions[3](5) or in
/usr/share/shorewall[6]/actions.std.

ADD(ipset:flags[:timeout])
Added in Shorewall 4.4.12. Causes addresses and/or port numbers
to be added to the named ipset. The flags specify the address
or tuple to be added to the set and must match the type of
ipset involved. For example, for an iphash ipset, either the
SOURCE or DESTINATION address can be added using flags src or
dst respectively (see the -A command in ipset (8)).

Beginning with Shorewall 5.0.3, an optional timeout can be
specified. This is the number of seconds that the new entry in
the ipset is to remain valid and overrides any timeout
specified when the ipset was created.

ADD is non-terminating. Even if a packet matches the rule, it
is passed on to the next rule.

AUDIT[(accept|drop|reject)]
Added in Shorewall 4.5.10. Audits the packet with the specified
type; if the type is omitted, then drop is assumed. Requires
AUDIT_TARGET support in the kernel and iptables.

A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
and ACCEPT! respectively. Require AUDIT_TARGET support in the
kernel and iptables. A_ACCEPT+ with IPv6 requires Shorewall
4.5.14 or later.

A_DROP and A_DROP!
Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
respectively. Require AUDIT_TARGET support in the kernel and
iptables.

A_REJECT and A_REJECT!
Added in Shorewall 4.4.20. Audited versions of REJECT and
REJECT! respectively. Require AUDIT_TARGET support in the
kernel and iptables.

?COMMENT
the rest of the line will be attached as a comment to the
Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall show <chain>". To stop the comment from being
attached to further rules, simply include ?COMMENT on a line by
itself.

CONNMARK({mark})
Added in Shorewall 5.0.7. CONNMARK is identical to MARK except
that the mark is assigned to the connection to which the packet
belongs rather than to the packet itself.

CONTINUE
For experts only.

Do not process any of the following rules for this (source
zone,destination zone). If the source and/or destination IP
address falls into a zone defined later in
shorewall-zones[4](5) or in a parent zone of the source or
destination zones, then this connection request will be passed
to the rules defined for that (those) zone(s). See
shorewall-nesting[5](5) for additional information.

CONTINUE!
like CONTINUE but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall.conf[2](5).

COUNT
Simply increment the rule's packet and byte count and pass the
packet to the next rule.

DEL(ipset:flags)
Added in Shorewall 4.4.12. Causes an entry to be deleted from
the named ipset. The flags specify the address or tuple to be
deleted from the set and must match the type of ipset involved.
For example, for an iphash ipset, either the SOURCE or
DESTINATION address can be deleted using flags src or dst
respectively (see the -D command in ipset (8)).

DEL is non-terminating. Even if a packet matches the rule, it
is passed on to the next rule.

DNAT
Forward the request to another system (and optionally another
port). Use with IPv6 requires Shorewall 4.5.14 or later.

DNAT-
Advanced users only.

Like DNAT but only generates the DNAT iptables rule and not the
companion ACCEPT rule. Use with IPv6 requires Shorewall 4.5.14
or later.

DROP
Ignore the request.

DROP!
like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall.conf[2](5).

HELPER
Added in Shorewall 4.5.7. This action requires that the HELPER
column contains the name of the Netfilter helper to be
associated with connections matching this connection. May only
be specified in the NEW section and is useful for being able to
specify a helper when the applicable policy is ACCEPT. No
destination zone should be specified in HELPER rules.

INLINE[(action)]
Added in Shorewall 4.5.16. This action allows you to construct
most of the rule yourself using iptables syntax. The part that
you specify must follow two semicolons (';;') and is completely
free-form. If the target of the rule (the part following 'j')
is something that Shorewall supports in the ACTION column, then
you may enclose it in parentheses (e.g., INLINE(ACCEPT)).
Otherwise, you can include it after the semicolon(s). In this
case, you must declare the target as a builtin action in
shorewall-actions[3](5).

Some considerations when using INLINE:

· The p, s, d, i, o, policy, and state (state or conntrack
--ctstate) matches will always appear at the front of the
rule in that order.

· When multiple matches are specified, the compiler will keep
them in the order in which they appear (excluding the above
listed ones), but they will not necessarily be at the end
of the generated rule. For example, if addresses are
specified in the SOURCE and/or DEST columns, their
generated matches will appear after those specified using
';;' or ';'.

IPTABLES({iptables-target [option ...]})
IPv4 only. This action allows you to specify an iptables target
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'). If
the iptables-target is not one recognized by Shorewall, the
following error message will be issued:

ERROR: Unknown target (iptables-target)

This error message may be eliminated by adding the
iptables-target as a builtin action in shorewall-actions[3](5).

Important
If you specify REJECT as the iptables-target, the target of
the rule will be the iptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when
REJECT (see below) is specified as the target in the ACTION
column.

IP6TABLES({ip6tables-target [option ...]})
IPv6 only. This action allows you to specify an ip6tables
target with options (e.g., 'IP6TABLES(MARK --set-xmark
0x01/0xff)'). If the ip6tables-target is not one recognized by
Shorewall, the following error message will be issued:

ERROR: Unknown target (ip6tables-target)

This error message may be eliminated by adding the
ip6tables-target as a builtin action in
shorewall-actions[3](5).

Important
If you specify REJECT as the ip6tables-target, the target
of the rule will be the ip6tables REJECT target and not
Shorewall's builtin 'reject' chain which is used when
REJECT (see below) is specified as the target in the ACTION
column.

LOG:level
Simply log the packet and continue with the next rule.

macro[(macrotarget)]
The name of a macro defined in a file named macro.macro. If the
macro accepts an action parameter (look at the macro source to
see if it has PARAM in the TARGET column) then the macro name
is followed by the parenthesized macrotarget (ACCEPT, DROP,
REJECT, ...) to be substituted for the parameter.

Example: FTP(ACCEPT).

The older syntax where the macro name and the target are
separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
deprecated.

MARK({mark})
where mark is a packet mark value.

Added in Shorewall 5.0.7, MARK requires "Mark in filter table"
support in your kernel and iptables.

Normally will set the mark value of the current packet. If
preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&"), will be
logically ANDed with the current mark value to produce a new
mark value.

Both "|" and "&" require Extended MARK Target support in your
kernel and iptables.

The mark value may be optionally followed by "/" and a mask
value (used to determine those bits of the connection mark to
actually be set). When a mask is specified, the result of
logically ANDing the mark value with the mask must be the same
as the mark value.

NFLOG[(nflog-parameters)]
Added in Shorewall 4.5.9.3. Queues matching packets to a back
end logging daemon via a netlink socket then continues to the
next rule. See https://shorewall.org/shorewall_logging.html[6].

The nflog-parameters are a comma-separated list of up to 3
numbers:

· The first number specifies the netlink group (0-65535). If
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

· The second number specifies the maximum number of bytes to
copy. If omitted, 0 (no limit) is assumed.

· The third number specifies the number of log messages that
should be buffered in the kernel before they are sent to
user space. The default is 1.

NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
the log level is not changed when this ACTION is used in an
action or macro body and the invocation of that action or macro
specifies a log level.

NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a queuenumber1 is not specified,
queue zero (0) is assumed. Beginning with Shorewall 4.6.10, the
keyword bypass can be given. By default, if no userspace
program is listening on an NFQUEUE, then all packets that are
to be queued are dropped. When this option is used, the NFQUEUE
rule behaves like ACCEPT instead. Also beginning in Shorewall
4.6.10, a second queue number (queuenumber2) may be specified.
This specifies a range of queues to use. Packets are then
balanced across the given queues. This is useful for multicore
systems: start multiple instances of the userspace program on
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the
same connection are put into the same nfqueue.

Beginning with Shorewall 5.1.0, queuenumber2 may be followed by
the letter 'c' to indicate that the CPU ID will be used as an
index to map packets to the queues. The idea is that you can
improve performance if there's a queue per CPU. Requires the
NFQUEUE CPU Fanout capability in your kernel and iptables.

NFQUEUE![([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
like NFQUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall.conf[2](5).

NONAT
Excludes the connection from any subsequent DNAT[-] or
REDIRECT[-] rules but doesn't generate a rule to accept the
traffic. Use with IPv6 requires Shorewall 4.5.14 or later.

QUEUE
Queue the packet to a user-space application such as ftwall
(http://p2pwall.sf.net). The application may reinsert the
packet for further processing.

QUEUE!
like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall.conf[2](5).

REJECT[(option)]
disallow the request and return an icmp-unreachable or an RST
packet. If no option is passed, Shorewall selects the
appropriate option based on the protocol of the packet.

Beginning with Shorewall 5.0.8, the type of reject may be
specified in the option parameter. Valid IPv4 option values
are:

· icmp-net-unreachable
· icmp-host-unreachable
· icmp-port-unreachable
· icmp-proto-unreachable
· icmp-net-prohibited
· icmp-host-prohibited
· icmp-admin-prohibited
· icmp-tcp-reset (the PROTO column must specify TCP). Beginning
with Shorewall 5.1.3, this option may also be specified as
tcp-reset.

Valid IPv6 option values are:

· icmp6-no-route
· no-route
· icmp6-adm-prohibited
· adm-prohibited
· icmp6-addr-unreachable
· addr-unreach
· icmp6-port-unreachable
· tcp-reset (the PROTO column must specify TCP)

REJECT!
like REJECT but exempts the rule from being suppressed by
OPTIMIZE=1 in shorewall.conf[2](5).

REDIRECT
Redirect the request to a server running on the firewall. Use
with IPv6 requires Shorewall 4.5.14 or later.

REDIRECT-
Advanced users only.

Like REDIRECT but only generates the REDIRECT iptables rule and
not the companion ACCEPT rule. Use with IPv6 requires Shorewall
4.5.14 or later.

TARPIT [(tarpit | honeypot | reset)]
Added in Shorewall 4.6.6.

TARPIT captures and holds incoming TCP connections using no
local per-connection resources.

TARPIT only works with the PROTO column set to tcp (6), and is
totally application agnostic. This module will answer a TCP
request and play along like a listening server, but aside from
sending an ACK or RST, no data is sent. Incoming packets are
ignored and dropped. The attacker will terminate the session
eventually. This module allows the initial packets of an attack
to be captured by other software for inspection. In most cases
this is sufficient to determine the nature of the attack.

This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but does not require
dedicated hardware or IPs. Any TCP port that you would normally
DROP or REJECT can instead become a tarpit.

The target accepts a single optional parameter:

tarpit
This mode is the default and completes a connection with
the attacker but limits the window size to 0, thus keeping
the attacker waiting long periods of time. While he is
maintaining state of the connection and trying to continue
every 60-240 seconds, we keep none, so it is very
lightweight. Attempts to close the connection are ignored,
forcing the remote side to time out the connection in 12-24
minutes.

honeypot
This mode completes a connection with the attacker, but
signals a normal window size, so that the remote side will
attempt to send data, often with some very nasty exploit
attempts. We can capture these packets for decoding and
further analysis. The module does not send any data, so if
the remote expects an application level response, the game
is up.

reset
This mode is handy because we can send an inline RST
(reset). It has no other function.

ULOG[(ulog-parameters)]
IPv4 only. Added in Shorewall 4.5.10. Queues matching packets
to a back end logging daemon via a netlink socket then
continues to the next rule. See shorewall-logging(5)[7].

Similar to LOG:ULOG[(ulog-parameters)], except that the log
level is not changed when this ACTION is used in an action or
macro body and the invocation of that action or macro specifies
a log level.

The target may optionally be followed by ":" and a syslog log level
(e.g., REJECT:info or Web(ACCEPT):debug). This causes the packet to
be logged at the specified level. Note that if the ACTION involves
destination network address translation (DNAT, REDIRECT, etc.) then
the packet is logged before the destination address is rewritten.

If the ACTION names an action declared in shorewall-actions[3](5)
or in /usr/share/shorewall/actions.std then:

· If the log level is followed by "!" then all rules in the
action are logged at the log level.

· If the log level is not followed by "!" then only those rules
in the action that do not specify logging are logged at the
specified level.

· The special log level none! suppresses logging by the action.

You may also specify ULOG (IPv4 only) or NFLOG (must be in upper
case) as a log level. This will log to the ULOG or NFLOG target for
routing to a separate log through use of ulogd
(shorewall-logging(5)[7]).

Actions specifying logging may be followed by a log tag (a string
of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in shorewall.conf[2](5)).

Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
prefix generated by the LOGPREFIX setting.

SOURCE - source-spec[,...]
Source hosts to which the rule applies.

source-spec is one of the following:

zone[,...[+]]
The name of a zone defined in shorewall-zones[4](5). When only
the zone name is specified, the packet source may be any host
in that zone.

zone may also be one of the following:

all[+]
all, without the "+", means "All Zones, including the
firewall zone". Normally all omits intra-zone traffic, but
intra-zone traffic can be included by specifying "+".

any[+]
any is equivalent to all when there are no nested zones.
When there are nested zones, any only refers to top-level
zones (those with no parent zones). Note that any excludes
all vserver zones, since those zones are nested within the
firewall zone.

none
When none is used either in the SOURCE or DEST column, the
rule is ignored.

As with all and any, intra-zone traffic is normally
excluded when multiple zones are listed. Intra-zone traffic may
be included by following the list with a plus sign ("+").

all and any may be followed by an exclamation point ("!") and a
comma-separated list of zone names to be omitted.

zone:[!]interface
When this form is used, interface must be the name of an
interface associated with the named zone in either
shorewall-interfaces[8](5) or shorewall-hosts[9](5). Only
packets from hosts in the zone that arrive through the named
interface will match the rule.

Beginning with Shorewall 5.2.1, the interface may be preceded
with '!' which matches all interfaces associated with the zone
except the one specified.

zone:address[,...]
where address can be:

· A host or network IP address. A network address may be
followed by exclusion (see shorewall-exclusion[10](5)).

· An address range, specified using the syntax
lowaddress-highaddress.

· +ipset where ipset is the name of an ipset and must be
preceded by a plus sign ("+").

· A MAC address in Shorewall format: preceded by a tilde
("~") and with the hex byte values separated by dashes
(e.g., "~00-0a-f6-04-9c-7d").

· ^country-code where country-code is a two-character
ISO 3166 country code preceded by a caret ("^").

· ^country-code-list where country-code-list is a
comma-separated list of up to 15 ISO 3166 country codes
enclosed in square brackets ("[...]").

· The primary IP address of a firewall interface can be
specified by an ampersand ('&') followed by the logical
name of the interface as found in the INTERFACE column of
shorewall-interfaces[8](5).

zone:interface:address[,...]
This form combines the preceding two and requires that both the
incoming interface and source address match.

zone:exclusion
This form matches if the host IP address does not match any of
the entries in the exclusion (see shorewall-exclusion[10](5)).

zone:interface:exclusion
This form matches packets from the named zone entering through
the specified interface where the source address does not match
any entry in the exclusion.

Beginning with Shorewall 5.1.0, multiple source-specs may be
listed, provided that extended forms of the source-spec are used:

zone:(interface)

zone:(address[,...])

zone:(interface:address[,...])

zone:(exclusion)

zone:(interface:exclusion)

Examples:

dmz:192.168.2.2
Host 192.168.2.2 in the DMZ

net:155.186.235.0/24
Subnet 155.186.235.0/24 on the Internet

loc:192.168.1.1,192.168.1.2
Hosts 192.168.1.1 and 192.168.1.2 in the local zone.

loc:~00-A0-C9-15-39-78
Host in the local zone with MAC address 00:A0:C9:15:39:78.

net:192.0.2.11-192.0.2.17
Hosts 192.0.2.11-192.0.2.17 in the net zone.

net:!192.0.2.11-192.0.2.17
All hosts in the net zone except for 192.0.2.11-192.0.2.17.

net:155.186.235.0/24!155.186.235.16/28
Subnet 155.186.235.0/24 on the Internet except for
155.186.235.16/28

$FW:&eth0
The primary IP address of eth0 in the firewall zone.

loc,dmz
Both the loc and dmz zones.

all!dmz
All but the dmz zone.

all+!$FW
All but the firewall zone and applies to intrazone traffic.

net:^CN
China.

loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
dmz zone when the packet arrives through eth2 plus all of the
net zone.

dmz:[2002:ce7c:2b4:1::2]
Host 2002:ce7c:92b4:1::2 in the DMZ

net:2001:4d48:ad51:24::/64
Subnet 2001:4d48:ad51:24::/64 on the Internet

loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local
zone.

loc:~00-A0-C9-15-39-78
Host in the local zone with MAC address 00:A0:C9:15:39:78.

net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
Subnet 2001:4d48:ad51:24::/64 on the Internet except for
2001:4d48:ad51:24:6::/80.

698 DEST - dest-spec[,...]
699 Destination hosts to which the rule applies.
700
701 dest-spec is one of the following:
702
703 zone[,...[+]]
704 The name of a zone defined in shorewall-zones[4](5). When only
705 the zone name is specified, the packet destination may be any
706 host in that zone.
707
708 zone may also be one of the following:
709
710 all[+]
711 all, without the "-" means "All Zones, including the
712 firewall zone". Normally all omits intra-zone traffic, but
713 intra-zone traffic can be included specifying "+".
714
715 any[+]
716 any is equivalent to all when there are no nested zones.
717 When there are nested zones, any only refers to top-level
718 zones (those with no parent zones). Note that any excludes
719 all vserver zones, since those zones are nested within the
720 firewall zone.
721
722 none
723 When none is used either in the SOURCE or DEST column, the
724 rule is ignored.
725
726 Similar to with all and any, intra-zone traffic is normally
727 excluded when multiple zones are listed. Intra-zone traffic may
728 be included by following the list with a plus sign ("+").
729
730 all and any may be followed by an exclamation point ("!") and a
731 comma-separated list of zone names to be omitted.
732
733 zone:[!]interface
734 When this form is used, interface must be the name of an
735 interface associated with the named zone in either
736 shorewall-interfaces[8](5) or shorewall-hosts[11](5). Only
737 packets to hosts in the zone that are sent through the named
738 interface will match the rule.
739
740 Beginning with Shorweall 5.2.1, the interface may be preceded
741 with '!' which matches all interfaces associated with the zone
742 except the one specified.
743
744 zone:address[,...]
745 where address can be:
746
747 · A host or network IP address. A network address may be
748 followed by exclusion (see shorewall-exclusion[10](5)).
749
750 · An address range, specified using the syntax
751 lowaddress-highaddress.
752
753 · +ipset where ipset is the name of an ipset and must be
754 preceded by a plus sign ("+").
755
756 · ^country-code where country-code is a two-character
757 ISO-3661 country code preceded by a caret ("^").
758
759 · ^country-code-list where country-code-list is a
760 comma-separated list of up to 15 ISO-3661 country codes
761 enclosed in square brackets ("[...]").
762
763 · The primary IP address of a firewall interface can be
764 specified by an ampersand ('&') followed by the logical
765 name of the interface as found in the INTERFACE column of
766 shorewall-interfaces[8] (5).
767
768 zone:[!]interface:address[,...]
769 This form combines the preceding two and requires that both the
770 outgoing interface and destinationaddress match.
771
772 Beginning with Shorweall 5.2.1, the interface may be preceded
773 with '!' which matches all interfaces associated with the zone
774 except the one specified.
775
776 zone:exclusion
777 This form matches if the host IP address does not match any of
778 the entries in the exclusion (see shorewall-exclusion[10](5)).
779
780 zone:[!]interface:exclusion
781 This form matches packets to the named zone leaving through the
782 specified interface where the destination address does not
783 match any entry in the exclusion.
784
785 Beginning with Shorweall 5.2.1, the interface may be preceded
786 with '!' which matches all interfaces associated with the zone
787 except the one specified.
788
789 [zone]:[server-IP][:port-or-port-range[:random]]
790 This form applies when the ACTION is DNAT[-] or REDIRECT[-].
791 The zone may be omitted in REDIRECT rules ($FW is assumed) and
792 must be omitted in DNAT-, REDIRECT- and NONAT rules.
793
794 server-IP is not allowed in REDIRECT rules and may be omitted
795 in DNAT[-] rules provided that port-or-port-range is included.
796
797 · The IP address of the server to which the packet is to be
798 sent.
799
800 · A range of IP address with the low and high address
801 separated by a dash (:"-"). Connections are distributed
802 among the IP addresses in the range.
803
804 If server-IP is omitted in a DNAT[-] rule, only the destination
805 port number is modified by the rule.
806
807 port-or-port-range may be:
808
809 · An integer port number in the range 1 - 65535.
810
811 · The name of a service from /etc/services.
812
813 · A port range with the low and high integer port numbers
814 separated by a dash ("-"). Connections are distributed
815 among the ports in the range.
816
817 If random is specified, port mapping will be randomized.
818
819 If the DEST zone is a bport zone, then either:
820
821 1. the SOURCE must be all[+], or
822
823 2. the SOURCE zone must be another bport zone associated with the
824 same bridge, or
825
826 3. the SOURCE zone must be an ipv4 zone that is associated with
827 only the same bridge.
828
829 Beginning with Shorewall 5.1.0, multiple dest-specs may be listed,
830 provided that extended forms of the source-spec are used:
831 zone:(interface)
832
833 zone:(address[,...])
834
835 zone:(interface:address[,...])
836
837 zone:(exclusion)
838
839 zone:(interface:exclusion) Multiple dest-specs are not permitted in
840 DNAT[-] and REDIRECT[-] rules.
841
842 Examples:
843
844 dmz:192.168.2.2
845 Host 192.168.2.2 in the DMZ
846
847 net:155.186.235.0/24
848 Subnet 155.186.235.0/24 on the Internet
849
850 loc:192.168.1.1,192.168.1.2
851 Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
852
853 net:192.0.2.11-192.0.2.17
854 Hosts 192.0.2.11-192.0.2.17 in the net zone.
855
856 net:!192.0.2.11-192.0.2.17
857 All hosts in the net zone except for 192.0.2.11-192.0.2.17.
858
859 net:155.186.235.0/24!155.186.235.16/28
860 Subnet 155.186.235.0/24 on the Internet except for
861 155.186.235.16/28
862
863 $FW:&eth0
864 The primary IP address of eth0 in the firewall zone.
865
866 loc,dmz
867 Both the loc and dmz zones.
868
869 all!dmz
870 All but the dmz zone.
871
872 net:^CN
873 China.
874
875 dmz:192.168.10.4:25
876 Port 25 on server 192.168.10.4 in the dmz zone (DNAT rule).
877
878 loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
879 Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
880 arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
881 dmz zone when the packet arrives through eth2 plus all of the
882 net zone.
883
884 PROTO-
885 {-|tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
886 Optional Protocol - ipp2p* requires ipp2p match support in your
887 kernel and iptables. tcp:syn implies tcp plus the SYN flag must be
888 set and the RST, ACK and FIN flags must be reset. Beginning with
889 Shorewall 5.1.3, you may also specify tcp:!syn, which matches if
890 SYN is not set or if RST, ACK or FIN is set.
891
892 Beginning with Shorewall 4.4.19, this column can contain a
893 comma-separated list of protocol-numbers and/or protocol names.
894
895 DPORT -
896 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
897 Optional destination Ports. A comma-separated list of Port names
898 (from services(5)), port numbers or port ranges; if the protocol is
899 icmp, this column is interpreted as the destination icmp-type(s).
900 ICMP types may be specified as a numeric type, a numeric type and
901 code separated by a slash (e.g., 3/4), or a typename. See
902 https://shorewall.org/configuration_file_basics.htm#ICMP[12]. Note
903 that prior to Shorewall 4.4.19, only a single ICMP type may be
904 listed.
905
906 If the protocol is ipp2p, this column is interpreted as an ipp2p
907 option without the leading "--" (example bit for bit-torrent). If
908 no port is given, ipp2p is assumed.
909
910 A port range is expressed as lowport:highport.
911
912 This column is ignored if PROTO = all but must be entered if any of
913 the following columns are supplied. In that case, it is suggested
914 that this field contain a dash (-).
915
916 If your kernel contains multi-port match support, then only a
917 single Netfilter rule will be generated if, in this list and the
918 SPORT list below:
919
920 1. There are 15 or fewer ports listed.
921
922 2. No port ranges are included, or your kernel and iptables contain
923 extended multi-port match support.
924
925 Beginning with Shorewall 4.6.0, an ipset name can be specified in
926 this column. This is intended to be used with bitmap:port ipsets.
927
928 This column was formerly labelled DEST PORT(S).
929
930 SPORT -
931 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
932 Optional port(s) used by the client. If omitted, any source port is
933 acceptable. Specified as a comma-separated list of port names,
934 port numbers or port ranges.
935
936 Beginning with Shorewall 4.5.15, you may place '=' in this column,
937 provided that the DPORT column is non-empty. This causes the rule
938 to match when either the source port or the destination port in a
939 packet matches one of the ports specified in the DPORT column. Use
940 of '=' requires multi-port match in your iptables and kernel.
941
942 Warning
943 Unless you really understand IP, you should leave this column
944 empty or place a dash (-) in the column. Most people who try to
945 use this column get it wrong.

946 If you don't want to restrict client ports but need to specify an
947 ORIGDEST in the next column, then place "-" in this column.
948
949 If your kernel contains multi-port match support, then only a
950 single Netfilter rule will be generated if, in this list and the
951 DPORT list above:
952
953 1. There are 15 or fewer ports listed.
954
955 2. No port ranges are included, or your kernel and iptables contain
956 extended multi-port match support.
957
958 Beginning with Shorewall 4.6.0, an ipset name can be specified in
959 this column. This is intended to be used with bitmap:port ipsets.
960
961 This column was formerly labelled SOURCE PORT(S).
962
963 ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
964 Optional. If ACTION is DNAT[-] or REDIRECT[-] then if this column
965 is included and is different from the IP address given in the DEST
966 column, then connections destined for that address will be
967 forwarded to the IP and port specified in the DEST column.
968
969 A comma-separated list of addresses may also be used. This is most
970 useful with the REDIRECT target where you want to redirect traffic
971 destined for a particular set of hosts. Finally, if the list of
972 addresses begins with "!" (exclusion) then the rule will be
973 followed only if the original destination address in the connection
974 request does not match any of the addresses listed.
975
976 Beginning with Shorewall 4.4.17, the primary IP address of a
977 firewall interface can be specified by an ampersand ('&') followed
978 by the logical name of the interface as found in the INTERFACE
979 column of shorewall-interfaces[8] (5).
980
981 For other actions, this column may be included and may contain one
982 or more addresses (host or network) separated by commas. Address
983 ranges are not allowed. When this column is supplied, rules are
984 generated that require that the original destination address
985 matches one of the listed addresses. This feature is most useful
986 when you want to generate a filter rule that corresponds to a DNAT-
987 or REDIRECT- rule. In this usage, the list of addresses should not
988 begin with "!".
989
990 It is also possible to specify a set of addresses then exclude part
991 of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
992 specifies the addresses 192.168.1.0-192.168.1.15 and
993 192.168.1.32-192.168.1.255. See shorewall-exclusion[10](5).
994
995 See https://shorewall.org/PortKnocking.html[13] for an example of
996 using an entry in this column with a user-defined action rule.
997
998 This column was formerly labelled ORIGINAL DEST.
999
1000 RATE - limit
1001 where limit is one of:
1002 -|[{s|d}[/vlsm]:][name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]
1003 [s[/vlsm1]:][name1[(ht-buckets1,ht-max1)]:]rate1/{sec|min|hour|day}[:burst1],[d[/vlsm2]:][name2[(ht-buckets2,ht-max2)]:]rate2/{sec|min|hour|day}[:burst2]
1004 You may optionally rate-limit the rule by placing a value in this
1005 column:
1006
1007 rate* is the number of connections per interval (sec or min) and
1008 burst* is the largest burst permitted. If no burst is given, a
1009 value of 5 is assumed. There may be no white-space embedded in
1010 the specification.
1011
1012 Example: 10/sec:20
1013
1014 When s: or d: is specified, the rate applies per source IP address
1015 or per destination IP address respectively. The names may be chosen
1016 by the user and specify a hash table to be used to count matching
1017 connections. If not given, the name shorewallN (where N is a unique
1018 integer) is assumed. Where more than one rule or POLICY specifies
1019 the same name, the connections counts for the rules are aggregated
1020 and the individual rates apply to the aggregated count. Beginning
1021 with Shorewall 5.2.1, the s or d may be followed by a slash ("/")
1022 and an integer vlsm. When a vlsm is specified, all source or
1023 destination addresses encountered will be grouped according to the
1024 given prefix length and the so-created subnet will be subject to
1025 the rate limit.
1026
1027 Example: s/24::10/sec
1028
1029 Beginning with Shorewall 4.6.5, two limits may be specified,
1030 separated by a comma. In this case, the first limit (name1, rate1,
1031 burst1) specifies the per-source IP limit and the second limit
1032 specifies the per-destination IP limit.
1033
1034 Example: client:10/sec:20,:60/sec:100
1035
1036 In this example, the 'client' hash table will be used to enforce
1037 the per-source limit and the compiler will pick a unique name for
1038 the hash table that tracks the per-destination limit.
1039
1040 Beginning with Shorewall 5.2.1, the table name, if any, may be
1041 followed by two integers separated by commas and enclosed in
1042 parentheses. The first integer (ht-buckets) specifies the number of
1043 buckets in the generated hash table. The second integer (ht-max)
1044 specifies the maximum number of entries in the hash table.
1045
1046 Example: s:netfw(1024,65536):10/sec
1047
1048 This column was formerly labelled RATE LIMIT.
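The following is an added illustration, not code from shorewall-rules(5) or the Shorewall project, of how the s:/d:, vlsm, name and burst parts of this column fit together. It parses the single-limit and (Shorewall 4.6.5 and later) two-limit forms described above and then replays constructed connection attempts through one token bucket per hash-table key, which is how the iptables hashlimit match behind this column behaves. The addresses and timestamps are made up; the two-limit pair is evaluated per-source first, then per-destination.

```python
"""Added example, not Shorewall code: parse the RATE column syntax and
replay constructed connection attempts through a token bucket per
hash-table key (hashlimit semantics). Addresses and times are made up."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}

# [{s|d}[/vlsm]:][name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]
SPEC_RE = re.compile(
    r"^(?:(?P<mode>[sd])(?:/(?P<vlsm>\d{1,3}))?:)?"
    r"(?:(?P<name>[A-Za-z_][\w-]*)?(?:\((?P<buckets>\d+),(?P<max>\d+)\))?:)?"
    r"(?P<rate>\d+)/(?P<unit>sec|min|hour|day)(?::(?P<burst>\d+))?$"
)


@dataclass
class Limit:
    mode: Optional[str]        # 's' per source, 'd' per destination, None: one bucket per rule
    vlsm: Optional[int]        # group addresses by this prefix length (Shorewall 5.2.1+)
    name: Optional[str]        # hash table name; None lets the compiler pick shorewallN
    ht_buckets: Optional[int]  # (ht-buckets, ht-max) from the parenthesised pair
    ht_max: Optional[int]
    rate: int                  # connections per interval
    interval: int              # interval length in seconds
    burst: int                 # largest burst; the man page's default of 5 applies


def parse_limit(spec, forced_mode=None):
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad RATE specification: {spec!r}")
    opt = lambda key: int(m[key]) if m[key] else None
    return Limit(mode=forced_mode or m["mode"], vlsm=opt("vlsm"), name=m["name"],
                 ht_buckets=opt("buckets"), ht_max=opt("max"), rate=int(m["rate"]),
                 interval=UNIT_SECONDS[m["unit"]],
                 burst=int(m["burst"]) if m["burst"] else 5)


def parse_rate_column(column):
    """One limit, or a 'per-source,per-destination' pair separated by a comma."""
    parts = column.split(",")
    if len(parts) == 1:
        return [parse_limit(parts[0])]
    if len(parts) != 2:
        raise ValueError("at most two limits may be given")
    return [parse_limit(parts[0], "s"), parse_limit(parts[1], "d")]


class HashLimit:
    """Token bucket per key: tokens refill at rate/interval and are capped at burst."""

    def __init__(self, limit):
        self.limit = limit
        self.buckets = {}  # key -> (tokens, time of last update)

    def key(self, src, dst):
        if self.limit.mode is None:
            return "*"
        addr = src if self.limit.mode == "s" else dst
        if self.limit.vlsm is not None:  # whole subnet shares one bucket
            return str(ipaddress.ip_network(f"{addr}/{self.limit.vlsm}", strict=False))
        return addr

    def take(self, src, dst, now):
        k = self.key(src, dst)
        tokens, last = self.buckets.get(k, (float(self.limit.burst), now))
        tokens = min(self.limit.burst,
                     tokens + (now - last) * self.limit.rate / self.limit.interval)
        allowed = tokens >= 1.0
        self.buckets[k] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


def simulate(column, attempts):
    """attempts: iterable of (time_in_seconds, src, dst); returns one bool per attempt.
    With two limits the rule matches only when both pass, checked in order."""
    limits = [HashLimit(lim) for lim in parse_rate_column(column)]
    return [all(h.take(src, dst, t) for h in limits) for t, src, dst in attempts]
```

Running simulate("s:2/sec", ...) with six attempts from one host at the same instant lets the first five through (the default burst) and refuses the sixth; one second later two tokens have returned. With "s/24::1/sec" two hosts in the same /24 drain one shared bucket, whereas "s:1/sec" gives each host its own.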
1049
1050 USER - [!][user-name-or-number][:group-name-or-number][,...]
1051 This optional column may only be non-empty if the SOURCE is the
1052 firewall itself.
1053
1054 When this column is non-empty, the rule applies only if the program
1055 generating the output is running under the effective user and/or
1056 group specified (or is NOT running under that id if "!" is given).
1057
1058 Beginning with Shorewall 4.5.8, multiple user or group names/ids
1059 separated by commas may be specified.
1060
1061 Examples:
1062
1063 joe
1064 program must be run by joe
1065
1066 :kids
1067 program must be run by a member of the 'kids' group
1068
1069 !:kids
1070 program must not be run by a member of the 'kids' group
1071
1072 2001-2099
1073 UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
1074
1075 This column was formerly labelled USER/GROUP.
1076
1077 MARK - [!]value[/mask][:C]
1078 Defines a test on the existing packet or connection mark. The rule
1079 will match only if the test returns true.
1080
1081 If you don't want to define a test but need to specify anything in
1082 the following columns, place a "-" in this field.
1083
1084 !
1085 Inverts the test (not equal)
1086
1087 value
1088 Value of the packet or connection mark.
1089
1090 mask
1091 A mask to be applied to the mark before testing.
1092
1093 :C
1094 Designates a connection mark. If omitted, the packet mark's
1095 value is tested.
1096
1097 CONNLIMIT - [d:][!]limit[:mask]
1098 May be used to limit the number of simultaneous connections to/from
1099 each individual host or network. Requires connlimit match in your
1100 kernel and iptables. While the limit is only checked on rules
1101 specifying CONNLIMIT, the number of current connections is
1102 calculated over all current connections from the SOURCE or
1103 DESTINATION host. By default, limiting is done by SOURCE host or
1104 net, but if the specification begins with d:, then limiting will
1105 be done by destination host or net.
1106
1107 By default, the limit is applied to each host but can be made to
1108 apply to networks of hosts by specifying a mask. The mask specifies
1109 the width of a VLSM mask to be applied to the source address; the
1110 number of current connections is then taken over all hosts in the
1111 subnet source-address/mask. When ! is specified, the rule matches
1112 when the number of connections exceeds the limit.
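To make the d:, ! and mask parts of this column concrete, here is an added example (not code from shorewall-rules(5) or Shorewall) that evaluates a CONNLIMIT value against a constructed snapshot of the current connection table. It assumes, as the kernel connlimit match does, that the connection being tested is counted together with the existing ones.

```python
"""Added example, not Shorewall code: evaluate the CONNLIMIT column
([d:][!]limit[:mask]) against a constructed connection snapshot."""
import ipaddress
import re

CONNLIMIT_RE = re.compile(
    r"^(?P<by_dest>d:)?(?P<invert>!)?(?P<limit>\d+)(?::(?P<mask>\d{1,3}))?$")


def parse_connlimit(spec):
    m = CONNLIMIT_RE.match(spec)
    if not m:
        raise ValueError(f"bad CONNLIMIT specification: {spec!r}")
    return {
        "by_dest": m["by_dest"] is not None,  # d: count per destination, not per source
        "invert": m["invert"] is not None,    # !: match when the count exceeds the limit
        "limit": int(m["limit"]),
        "mask": int(m["mask"]) if m["mask"] else None,  # VLSM width: count the whole subnet
    }


def group_key(addr, mask):
    """The host itself, or its subnet when a mask is given."""
    if mask is None:
        return str(ipaddress.ip_address(addr))
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def connlimit_matches(spec, new_conn, current):
    """new_conn and every entry of current are (src, dst) pairs.
    Returns True when the rule's CONNLIMIT test holds for new_conn.
    The pending connection itself is counted, as xt_connlimit does (assumption)."""
    cfg = parse_connlimit(spec)
    side = 1 if cfg["by_dest"] else 0
    key = group_key(new_conn[side], cfg["mask"])
    count = 1 + sum(1 for c in current if group_key(c[side], cfg["mask"]) == key)
    return count > cfg["limit"] if cfg["invert"] else count <= cfg["limit"]


# Constructed snapshot: three connections from one host, one from its neighbour,
# all to the same server.
SNAPSHOT = [("203.0.113.5", "192.0.2.10")] * 3 + [("203.0.113.6", "192.0.2.10")]
```

With SNAPSHOT above, a rule carrying CONNLIMIT 3 no longer matches a fourth connection from 203.0.113.5, CONNLIMIT 4:24 refuses a new host from the same /24 because the subnet already holds four, and d:4 refuses any new client of 192.0.2.10 regardless of where it comes from.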
1113
1114 TIME - timeelement[&timeelement...]
1115 May be used to limit the rule to a particular time period each day,
1116 to particular days of the week or month, or to a range defined by
1117 dates and times. Requires time match support in your kernel and
1118 iptables.
1119
1120 timeelement may be:
1121
1122 timestart=hh:mm[:ss]
1123 Defines the starting time of day.
1124
1125 timestop=hh:mm[:ss]
1126 Defines the ending time of day.
1127
1128 contiguous
1129 Added in Shorewall 5.0.12. When timestop is smaller than the
1130 timestart value, match this as a single time period instead of
1131 distinct intervals.
1132
1133 utc
1134 Times are expressed in Greenwich Mean Time.
1135
1136 localtz
1137 Deprecated by the Netfilter team in favor of kerneltz. Times
1138 are expressed in Local Civil Time (default).
1139
1140 kerneltz
1141 Added in Shorewall 4.5.2. Times are expressed in Local Kernel
1142 Time (requires iptables 1.4.12 or later).
1143
1144 weekdays=ddd[,ddd]...
1145 where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
1146
1147 monthdays=dd[,dd],...
1148 where dd is an ordinal day of the month
1149
1150
1151 datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1152 Defines the starting date and time.
1153
1154 datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1155 Defines the ending date and time.
1156
1157 HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
1158 4.4.15)
1159 This column is only used in IPv6. In IPv4, supply "-" in this
1160 column if you wish to place a value in one of the following
1161 columns.
1162
1163 The header-list consists of a comma-separated list of headers from
1164 the following list.
1165
1166 auth, ah, or 51
1167 Authentication Headers extension header.
1168
1169 esp, or 50
1170 Encrypted Security Payload extension header.
1171
1172 hop, hop-by-hop or 0
1173 Hop-by-hop options extension header.
1174
1175 route, ipv6-route or 43
1176 IPv6 Route extension header.
1177
1178 frag, ipv6-frag or 44
1179 IPv6 fragmentation extension header.
1180
1181 none, ipv6-nonxt or 59
1182 No next header
1183
1184 proto, protocol or 255
1185 Any protocol header.
1186
1187 If any: is specified, the rule will match if any of the listed
1188 headers are present. If exactly: is specified, the rule will match
1189 packets that exactly include all specified headers. If neither is
1190 given, any: is assumed.
1191
1192 If ! is entered, the rule will match those packets which would not
1193 be matched when ! is omitted.
1194
1195 SWITCH - [!]switch-name[={0|1}]
1196 Added in Shorewall 4.4.24 and allows enabling and disabling the
1197 rule without requiring shorewall reload.
1198
1199 The rule is enabled if the value stored in
1200 /proc/net/nf_condition/switch-name is 1. The rule is disabled if
1201 that file contains 0 (the default). If '!' is supplied, the test is
1202 inverted such that the rule is enabled if the file contains 0.
1203
1204 Within the switch-name, '@0' and '@{0}' are replaced by the name of
1205 the chain to which the rule is added. The switch-name (after
1206 '@...' expansion) must begin with a letter and be composed of
1207 letters, decimal digits, underscores or hyphens. Switch names must
1208 be 30 characters or less in length.
1209
1210 Switches are normally off. To turn a switch on:

1211 echo 1 > /proc/net/nf_condition/switch-name

1213 To turn it off again:

1214 echo 0 > /proc/net/nf_condition/switch-name

1216 Switch settings are retained over shorewall reload.
1217
1218 Beginning with Shorewall 4.5.10, when the switch-name is followed
1219 by =0 or =1, then the switch is initialized to off or on
1220 respectively by the start command. Other commands do not affect the
1221 switch setting.
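The name rules and the /proc/net/nf_condition mechanism above, as an added example that is not code from shorewall-rules(5) or the Shorewall project: it validates a switch-name, performs the '@0' expansion, and reads or sets the switch through the documented proc file. Writing there needs root and condition-match support, so every function takes the directory as a parameter and demo() uses a scratch directory; treating a missing file as 0 is this example's own simplification.

```python
"""Added example, not Shorewall code: validate SWITCH names and read or
set a switch through /proc/net/nf_condition/switch-name (directory is a
parameter so the round trip below can run against a scratch directory)."""
import os
import re
import tempfile

NF_CONDITION_DIR = "/proc/net/nf_condition"
SWITCH_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")  # letter, then letters/digits/_/-
MAX_SWITCH_LEN = 30


def expand_switch_name(name, chain):
    """'@0' and '@{0}' stand for the chain the rule is added to."""
    return name.replace("@{0}", chain).replace("@0", chain)


def valid_switch_name(name):
    """Checked after '@...' expansion, as the man page requires."""
    return len(name) <= MAX_SWITCH_LEN and SWITCH_NAME_RE.match(name) is not None


def set_switch(name, on, base_dir=NF_CONDITION_DIR):
    """Equivalent of: echo 1 > /proc/net/nf_condition/switch-name (or echo 0)."""
    if not valid_switch_name(name):
        raise ValueError(f"invalid switch name: {name!r}")
    path = os.path.join(base_dir, name)
    with open(path, "w") as f:
        f.write("1\n" if on else "0\n")
    return path


def switch_is_on(name, base_dir=NF_CONDITION_DIR):
    """Simplification: a switch file that does not exist reads as 0 (off)."""
    path = os.path.join(base_dir, name)
    if not os.path.exists(path):
        return False
    with open(path) as f:
        return f.read().strip() == "1"


def rule_enabled(switch_column, base_dir=NF_CONDITION_DIR, chain="net2fw"):
    """Evaluate a SWITCH column value [!]switch-name[={0|1}] the way the rule does.
    The '=0'/'=1' suffix only sets the initial value at 'start', so it is ignored here."""
    spec = switch_column
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:]
    name = expand_switch_name(spec.split("=", 1)[0], chain)
    if not valid_switch_name(name):
        raise ValueError(f"invalid switch name: {name!r}")
    return switch_is_on(name, base_dir) != invert


def demo():
    """Round trip through a scratch directory standing in for /proc/net/nf_condition."""
    with tempfile.TemporaryDirectory() as d:
        set_switch("primary_down", True, d)
        results = (rule_enabled("primary_down", d),   # True: the file holds 1
                   rule_enabled("!primary_down", d),  # False: inverted test
                   rule_enabled("other_switch", d))   # False: never set, reads as 0
        set_switch("primary_down", False, d)
        results += (rule_enabled("primary_down", d),)  # False again after echo 0
    return results
```

On a real firewall, call set_switch("primary_down", True) with the default directory; the file is only present once a rule naming the switch has been loaded.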
1222
1223 HELPER - [helper]
1224 Added in Shorewall 4.5.7.
1225
1226 In the NEW section, causes the named conntrack helper to be
1227 associated with this connection; the contents of this column are
1228 ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*.
1229
1230 In the RELATED section, will only match if the related connection
1231 has the named helper associated with it.
1232
1233 The helper may be one of:
1234 amanda
1235 ftp
1236 irc
1237 netbios-ns
1238 pptp
1239 Q.931
1240 RAS
1241 sane
1242 sip
1243 snmp
1244 tftp
1245 If the HELPERS option is specified in shorewall.conf[2](5), then
1246 any module specified in this column must be listed in the HELPERS
1247 setting.
1248
1249 EXAMPLES
1250 Example 1:
1251 Accept SMTP requests from the DMZ to the internet
1252
1253 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1254 ACCEPT dmz net tcp smtp
1255
1256 Example 2:
1257 Forward all ssh and http connection requests from the internet to
1258 local system 192.168.1.3
1259
1260 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1261 DNAT net loc:192.168.1.3 tcp ssh,http
1262
1263 Example 3:
1264 Forward all http connection requests from the internet to local
1265 system 192.168.1.3 with a limit of 3 per second and a maximum burst
1266 of 10
1267
1268 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
1269 DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
1270
1271 Example 4:
1272 Redirect all locally-originating www connection requests to port
1273 3128 on the firewall (Squid running on the firewall system) except
1274 when the destination address is 192.168.2.2
1275
1276 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1277 REDIRECT loc 3128 tcp www - !192.168.2.2
1278
1279 Example 5:
1280 All http requests from the internet to address 130.252.100.69 are
1281 to be forwarded to 192.168.1.3
1282
1283 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1284 DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
1285
1286 Example 6:
1287 You want to accept SSH connections to your firewall only from
1288 internet IP addresses 130.252.100.69 and 130.252.100.70
1289
1290 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1291 ACCEPT net:130.252.100.69,130.252.100.70 \
1292 $FW tcp 22
1293
1294 Example 7:
1295 You wish to accept connections from the internet to your firewall
1296 on port 2222 and you want to forward them to local system
1297 192.168.1.3, port 22
1298
1299 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1300 DNAT net loc:192.168.1.3:22 tcp 2222
1301
1302 Example 8:
1303 You want to redirect connection requests to port 80 randomly to the
1304 port range 81-90.
1305
1306 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1307 REDIRECT net $FW::81-90:random tcp www
1308
1309 Example 9:
1310 Shorewall does not impose as much structure on the Netfilter rules
1311 in the 'nat' table as it does on those in the filter table. As a
1312 consequence, when using Shorewall versions before 4.1.4, care must
1313 be exercised when using DNAT and REDIRECT rules with zones defined
1314 with wildcard interfaces (those ending with '+'). Here is an
1315 example:
1316
1317 shorewall-zones[4](5):
1318
1319 #ZONE TYPE OPTIONS
1320 fw firewall
1321 net ipv4
1322 dmz ipv4
1323 loc ipv4
1324
1325 shorewall-interfaces[8](5):
1326
1327 #ZONE INTERFACE BROADCAST OPTIONS
1328 net ppp0
1329 loc eth1 detect
1330 dmz eth2 detect
1331 - ppp+ # Addresses are assigned from 192.168.3.0/24
1332
1333 shorewall-hosts[11](5):
1334
1335 #ZONE HOST(S) OPTIONS
1336 loc ppp+:192.168.3.0/24
1337
1338 rules:
1339
1340 #ACTION SOURCE DEST PROTO DPORT
1341 REDIRECT loc 3128 tcp 80
1342
1343 Note that it would have been tempting to simply define the loc zone
1344 entirely in shorewall-interfaces[8](5):
1345
1346 #******************* INCORRECT *****************
1347 #ZONE INTERFACE BROADCAST OPTIONS
1348 net ppp0
1349 loc eth1 detect
1350 loc ppp+
1351 dmz eth2
1352
1353 This would have made it impossible to run an internet-accessible web
1354 server in the DMZ because all traffic entering ppp+ interfaces
1355 would have been redirected to port 3128 on the firewall and there
1356 would have been no net->fw ACCEPT rule for that traffic.
1357
1358 Example 10:
1359 Add the tuple (source IP, dest port, dest IP) of an incoming SSH
1360 connection to the ipset S:
1361
1362 #ACTION SOURCE DEST PROTO DPORT
1363 ADD(+S:dst,src,dst) net fw tcp 22
1364
1365 Example 11:
1366 You wish to limit SSH connections from remote systems to 1/min with
1367 a burst of three (to allow for limited retry):
1368
1369 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
1370 SSH(ACCEPT) net all - - - - s:1/min:3
1371
1372 Example 12:
1373 Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.
1374
1375 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
1376 DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
1377
1378 Example 13:
1379 Drop all email from the Anonymous Proxy and Satellite Provider
1380 address ranges:
1381
1382 #ACTION SOURCE DEST PROTO DPORT
1383 DROP net:^A1,A2 fw tcp 25
1384
1385 Example 14:
1386 You want to generate your own rule involving iptables targets and
1387 matches not supported by Shorewall.
1388
1389 #ACTION SOURCE DEST PROTO DPORT
1390 INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1391
1392 The above will generate the following iptables-restore input:
1393
1394 -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1395
1396 Note that SECCTX must be defined as a builtin action in
1397 shorewall-actions[3](5):
1398
1399 #ACTION OPTIONS
1400 SECCTX builtin
1401
1402 Example 15:
1403 You want to accept SSH connections to your firewall only from
1404 internet IP addresses 2002:ce7c::92b4:1::2 and
1405 2002:ce7c::92b4:1::22
1406
1407 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1408 ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
1409 $FW tcp 22
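The examples above all pass the column constraints given in this page; as an added check, not code from shorewall-rules(5) or the Shorewall project, the following lint pass reads rules-file lines and enforces a few of those constraints (the DNAT/REDIRECT DEST form, USER only with a firewall SOURCE, SPORT '=' needing a DPORT). It assumes the firewall zone is named fw (written $FW in rules); the sample text is constructed from Examples 1, 2, 4, 7, 8, 6 and 14 followed by three deliberately wrong lines.

```python
"""Added example, not Shorewall code: lint rules-file lines against some
of the column constraints documented in shorewall-rules(5). Assumes the
firewall zone is named 'fw' ($FW); sample lines are constructed."""
import re

COLUMNS = ("ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK "
           "CONNLIMIT TIME HEADERS SWITCH HELPER").split()
FW_ZONE_NAMES = {"$FW", "fw"}  # assumption: default firewall zone name


class LintError(ValueError):
    pass


def split_colons(spec):
    """Split on ':' except inside [...], so IPv6 server addresses survive."""
    fields, depth, cur = [], 0, ""
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return fields


def parse_nat_dest(action, dest):
    """DEST of a DNAT[-]/REDIRECT[-] rule: [zone]:[server-IP][:port-or-range[:random]]."""
    base = action.split(":", 1)[0]  # drop an optional log level
    minus = base.endswith("-")
    base = base.rstrip("-")
    if "," in dest:
        raise LintError("multiple dest-specs are not permitted in DNAT/REDIRECT rules")
    if ":" not in dest:  # a bare value is a port for REDIRECT, where $FW is assumed
        fields = ["", "", dest] if base == "REDIRECT" else [dest]
    else:
        fields = split_colons(dest)
    if len(fields) > 4:
        raise LintError(f"too many fields in DEST {dest!r}")
    zone, server, port, rand = (fields + [""] * 4)[:4]
    if rand and rand != "random":
        raise LintError(f"unexpected trailing field {rand!r} in DEST")
    if base == "REDIRECT" and server:
        raise LintError("server-IP is not allowed in REDIRECT rules")
    if minus and zone:
        raise LintError("zone must be omitted in DNAT- and REDIRECT- rules")
    if base == "DNAT" and not server and not port:
        raise LintError("DNAT needs a server-IP or a port-or-port-range")
    return {"zone": zone or ("$FW" if base == "REDIRECT" else ""),
            "server": server, "port": port, "random": rand == "random"}


def logical_lines(text):
    """Yield (line number, line) with '\\' continuations joined and comments dropped."""
    pending, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending, start = pending + line[:-1] + " ", start or n
            continue
        yield (start or n, pending + line)
        pending, start = "", 0


def lint_rule(line):
    """Return the problems found in one logical rules-file line."""
    if line.lstrip().startswith("?"):  # ?SECTION and other compiler directives
        return []
    cols = line.split(";", 1)[0].split()  # INLINE: ignore the raw iptables text after ';'
    row = dict(zip(COLUMNS, cols + ["-"] * len(COLUMNS)))
    problems = []
    if row["ACTION"].split(":", 1)[0].rstrip("-") in ("DNAT", "REDIRECT"):
        try:
            parse_nat_dest(row["ACTION"], row["DEST"])
        except LintError as err:
            problems.append(str(err))
    if row["USER"] != "-" and row["SOURCE"] not in FW_ZONE_NAMES:
        problems.append("USER may only be non-empty when SOURCE is the firewall itself")
    if row["SPORT"] == "=" and row["DPORT"] == "-":
        problems.append("SPORT '=' requires a non-empty DPORT")
    return problems


def lint_rules(text):
    """All (line number, problem) pairs for a rules-file text."""
    return [(n, p) for n, line in logical_lines(text) for p in lint_rule(line)]


# Constructed sample: lines from the examples above, then three bad lines (10-12).
SAMPLE_RULES = """\
#ACTION   SOURCE                            DEST                 PROTO DPORT    SPORT ORIGDEST     RATE USER
ACCEPT    dmz                               net                  tcp   smtp
DNAT      net                               loc:192.168.1.3      tcp   ssh,http
REDIRECT  loc                               3128                 tcp   www      -     !192.168.2.2
DNAT      net                               loc:192.168.1.3:22   tcp   2222
REDIRECT  net                               $FW::81-90:random    tcp   www
ACCEPT    net:130.252.100.69,130.252.100.70 \\
          $FW                               tcp   22
INLINE    $FW                               net ; -p 6 -m set --match-set set1 src
REDIRECT  loc                               $FW:192.168.1.1:3128 tcp   www
DNAT-     net                               loc:192.168.1.3      tcp   80
ACCEPT    net                               $FW                  tcp   22       -     -            -    joe
"""
```

lint_rules(SAMPLE_RULES) reports only the last three lines: a server-IP in a REDIRECT DEST, a zone given in a DNAT- rule, and a USER entry on a rule whose SOURCE is not the firewall.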
1410
1411 FILES
1412 /etc/shorewall/rules
1413
1414 /etc/shorewall6/rules
1415
1416 SEE ALSO
1417 shorewall-logging(5)[7]
1418
1419 https://shorewall.org/ipsets.html[14]
1420
1421 https://shorewall.org/configuration_file_basics.htm#Pairs[15]
1422
1423 shorewall(8)
1424
1425 NOTES
1426 1. shorewall-policy
1427 https://shorewall.org/manpages/shorewall-policy.html
1428
1429 2. shorewall.conf
1430 https://shorewall.org/manpages/shorewall.conf.html
1431
1432 3. shorewall-actions
1433 https://shorewall.org/manpages/shorewall-actions.html
1434
1435 4. shorewall-zones
1436 https://shorewall.org/manpages/shorewall-zones.html
1437
1438 5. shorewall-nesting
1439 https://shorewall.org/manpages/shorewall-nesting.html
1440
1441 6. https://shorewall.org/shorewall_logging.html
1442 https://shorewall.org/shorewall_logging.html
1443
1444 7. shorewall-logging(5)
1445 https://shorewall.org/manpages/shorewall-logging.html
1446
1447 8. shorewall-interfaces
1448 https://shorewall.org/manpages/shorewall-interfaces.html
1449
1450 9. shorewall-hosts
1451 https://shorewall.org/manpages/shorewall.hosts.html
1452
1453 10. shorewall-exclusion
1454 https://shorewall.org/manpages/shorewall-exclusion.html
1455
1456 11. shorewall-hosts
1457 https://shorewall.org/manpages/shorewall-hosts.html
1458
1459 12. https://shorewall.org/configuration_file_basics.htm#ICMP
1460 https://shorewall.org/configuration_file_basics.htm#ICMP
1461
1462 13. https://shorewall.org/PortKnocking.html
1463 https://shorewall.org/PortKnocking.html
1464
1465 14. https://shorewall.org/ipsets.html
1466 https://shorewall.org/ipsets.html
1467
1468 15. https://shorewall.org/configuration_file_basics.htm#Pairs
1469 https://shorewall.org/configuration_file_basics.htm#Pairs
1470
1471
1472
1473 Configuration Files 07/29/2020 SHOREWALL-RULES(5)