1SHOREWALL-RULES(5) Configuration Files SHOREWALL-RULES(5)
2
3
4
6 rules - Shorewall rules file
7
9 /etc/shorewall[6]/rules
10
12 Entries in this file govern connection establishment by defining
13 exceptions to the policies laid out in shorewall-policy[1](5). By
14 default, subsequent requests and responses are automatically allowed
15 using connection tracking. For any particular (source,dest) pair of
16 zones, the rules are evaluated in the order in which they appear in
17 this file and the first terminating match is the one that determines
18 the disposition of the request. All rules are terminating except LOG
19 and COUNT rules.
20
21 Warning
22 If you masquerade or use SNAT from a local system to the internet,
23 you cannot use an ACCEPT rule to allow traffic from the internet to
24 that system. You must use a DNAT rule instead.
25
26 The rules file is divided into sections. Each section is introduced by
27 a "Section Header" which is a line beginning with ?SECTION and followed
28 by the section name.
29
30 Sections are as follows and must appear in the order listed:
31
32 ALL
33 This section was added in Shorewall 4.4.23. Rules in this section
34 are applied, regardless of the connection tracking state of the
35 packet and are applied before rules in the other sections.
36
37 ESTABLISHED
38 Packets in the ESTABLISHED state are processed by rules in this
39 section.
40
41 The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
42 LOG, NFLOG, NFQUEUE and QUEUE
43
44 There is an implicit ACCEPT rule inserted at the end of this
45 section.
46
47 RELATED
48 Packets in the RELATED state are processed by rules in this
49 section.
50
51 The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
52 LOG, NFLOG, NFQUEUE and QUEUE
53
54 There is an implicit rule added at the end of this section that
55 invokes the RELATED_DISPOSITION (shorewall.conf[2](5)).
56
57 INVALID
58 Added in Shorewall 4.5.13. Packets in the INVALID state are
59 processed by rules in this section.
60
61 The only Actions allowed in this section are ACCEPT, DROP, REJECT,
62 LOG, NFLOG, NFQUEUE and QUEUE.
63
64 There is an implicit rule added at the end of this section that
65 invokes the INVALID_DISPOSITION (shorewall.conf[2](5)).
66
67 UNTRACKED
68 Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
69 processed by rules in this section.
70
71 The only Actions allowed in this section are ACCEPT, DROP, REJECT,
72 LOG, NFLOG, NFQUEUE and QUEUE.
73
74 There is an implicit rule added at the end of this section that
75 invokes the UNTRACKED_DISPOSITION (shorewall.conf[2](5)).
76
77 NEW
78 Packets in the NEW state are processed by rules in this section. If
79 the INVALID and/or UNTRACKED sections are empty or not included,
80 then the packets in the corresponding state(s) are also processed
81 in this section.
82
83 Note
84 If you are not familiar with Netfilter to the point where you are
85 comfortable with the differences between the various connection
86 tracking states, then it is suggested that you place all of your
87 rules in the NEW section (That's after the line that reads ?SECTION
88 NEW').
89
90 Warning
91 If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the ALL,
92 ESTABLISHED and RELATED sections must be empty.
93
94 An exception is made if you are running Shorewall 4.4.27 or later
95 and you have specified a non-default value for RELATED_DISPOSITION
96 or RELATED_LOG_LEVEL. In that case, you may have rules in the
97 RELATED section of this file.
98
99 You may omit any section that you don't need. If no Section Headers
100 appear in the file then all rules are assumed to be in the NEW section.
101
102 When defining rules that rewrite the destination IP address and/or port
103 number (namely DNAT and REDIRECT rules), it is important to keep
104 straight which columns in the file specify the packet before rewriting
105 and which specify how the packet will look after rewriting.
106
107 • The DEST column specifies the final destination for the packet
108 after rewriting and can include the final IP address and/or port
109 number.
110
111 • The remaining columns specify characteristics of the packet before
112 rewriting. In particular, the ORIGDEST column gives the original
113 destination IP address of the packet and the DPORT column give the
114 original destination port(s).
115
116 The columns in the file are as follows (where the column name is
117 followed by a different name in parentheses, the different name is used
118 in the alternate specification syntax).
119
120 ACTION - target[:{log-level|none}[!][:tag]]
121 Specifies the action to be taken if the connection request matches
122 the rule. target must be one of the following.
123
124 ACCEPT
125 Allow the connection request.
126
127 ACCEPT+
128 like ACCEPT but also excludes the connection from any
129 subsequent matching DNAT[-] or REDIRECT[-] rules. Use with IPv6
130 requires Shorewall 4.5.14 or later.
131
132 ACCEPT!
133 like ACCEPT but exempts the rule from being suppressed by
134 OPTIMIZE=1 in shorewall.conf[2](5).
135
136 action
137 The name of an action declared in shorewall-actions[3](5) or in
138 /usr/share/shorewall[6]/actions.std.
139
140 ADD(ipset:flags[:timeout])
141 Added in Shorewall 4.4.12. Causes addresses and/or port numbers
142 to be added to the named ipset. The flags specify the address
143 or tuple to be added to the set and must match the type of
144 ipset involved. For example, for an iphash ipset, either the
145 SOURCE or DESTINATION address can be added using flags src or
146 dst respectively (see the -A command in ipset (8)).
147
148 Beginning with Shorewall 5.0.3, an optional timeout can be
149 specified. This is the number of seconds that the new entry in
150 the ipset is to remain valid and overrides any timeout
151 specified when the ipset was created.
152
153 ADD is non-terminating. Even if a packet matches the rule, it
154 is passed on to the next rule.
155
156 AUDIT[(accept|drop|reject)]
157 Added in Shorewall 4.5.10. Audits the packet with the specified
158 type; if the type is omitted, then drop is assumed. Require
159 AUDIT_TARGET support in the kernel and iptables.
160
161 A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
162 Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
163 and ACCEPT! respectively. Require AUDIT_TARGET support in the
164 kernel and iptables. A_ACCEPT+ with IPv6 requires Shorewall
165 4.5.14 or later.
166
167 A_DROP and A_DROP!
168 Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
169 respectively. Require AUDIT_TARGET support in the kernel and
170 iptables.
171
172 A_REJECT AND A_REJECT!
173 Added in Shorewall 4.4.20. Audited versions of REJECT and
174 REJECT! respectively. Require AUDIT_TARGET support in the
175 kernel and iptables.
176
177 ?COMMENT
178 the rest of the line will be attached as a comment to the
179 Netfilter rule(s) generated by the following entries. The
180 comment will appear delimited by "/* ... */" in the output of
181 "shorewall show <chain>". To stop the comment from being
182 attached to further rules, simply include ?COMMENT on a line by
183 itself.
184
185 CONMARK({mark})
186 Added in Shorewall 5.0.7, CONNMARK is identical to MARK with
187 the exception that the mark is assigned to connection to which
188 the packet belongs is marked rather than to the packet itself.
189
190 CONTINUE
191 For experts only.
192
193 Do not process any of the following rules for this (source
194 zone,destination zone). If the source and/or destination IP
195 address falls into a zone defined later in
196 shorewall-zones[4](5) or in a parent zone of the source or
197 destination zones, then this connection request will be passed
198 to the rules defined for that (those) zone(s). See
199 shorewall-nesting[5](5) for additional information.
200
201 CONTINUE!
202 like CONTINUE but exempts the rule from being suppressed by
203 OPTIMIZE=1 in shorewall.conf[2](5).
204
205 COUNT
206 Simply increment the rule's packet and byte count and pass the
207 packet to the next rule.
208
209 DEL(ipset:flags)
210 Added in Shorewall 4.4.12. Causes an entry to be deleted from
211 the named ipset. The flags specify the address or tuple to be
212 deleted from the set and must match the type of ipset involved.
213 For example, for an iphash ipset, either the SOURCE or
214 DESTINATION address can be deleted using flags src or dst
215 respectively (see the -D command in ipset (8)).
216
217 DEL is non-terminating. Even if a packet matches the rule, it
218 is passed on to the next rule.
219
220 DNAT
221 Forward the request to another system (and optionally another
222 port). Use with IPv6 requires Shorewall 4.5.14 or later.
223
224 DNAT-
225 Advanced users only.
226
227 Like DNAT but only generates the DNAT iptables rule and not the
228 companion ACCEPT rule. Use with IPv6 requires Shorewall 4.5.14
229 or later.
230
231 DROP
232 Ignore the request.
233
234 DROP!
235 like DROP but exempts the rule from being suppressed by
236 OPTIMIZE=1 in shorewall.conf[2](5).
237
238 HELPER
239 Added in Shorewall 4.5.7. This action requires that the HELPER
240 column contains the name of the Netfilter helper to be
241 associated with connections matching this connection. May only
242 be specified in the NEW section and is useful for being able to
243 specify a helper when the applicable policy is ACCEPT. No
244 destination zone should be specified in HELPER rules.
245
246 INLINE[(action)]
247 Added in Shorewall 4.5.16. This action allows you to construct
248 most of the rule yourself using iptables syntax. The part that
249 you specify must follow two semicolons (';;') and is completely
250 free-form. If the target of the rule (the part following 'j')
251 is something that Shorewall supports in the ACTION column, then
252 you may enclose it in parentheses (e.g., INLINE(ACCEPT)).
253 Otherwise, you can include it after the semicolon(s). In this
254 case, you must declare the target as a builtin action in
255 shorewall-actions[3](5).
256
257 Some considerations when using INLINE:
258
259 • The p, s, d, i, o, policy, and state match (state or
260 conntrack --ctstate) matches will always appear in the
261 front of the rule in that order.
262
263 • When multiple matches are specified, the compiler will keep
264 them in the order in which they appear (excluding the above
265 listed ones), but they will not necessarily be at the end
266 of the generated rule. For example, if addresses are
267 specified in the SOURCE and/or DEST columns, their
268 generated matches will appear after those specified using
269 ';;' or ';'.
270
271 IPTABLES({iptables-target [option ...])
272 IPv4 only. This action allows you to specify an iptables target
273 with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
274 the iptables-target is not one recognized by Shorewall, the
275 following error message will be issued:
276
277 ERROR: Unknown target (iptables-target)
278
279 This error message may be eliminated by adding the
280 iptables-target as a builtin action in shorewall-actions[3](5).
281
282 Important
283 If you specify REJECT as the iptables-target, the target of
284 the rule will be the iptables REJECT target and not
285 Shorewall's builtin 'reject' chain which is used when
286 REJECT (see below) is specified as the target in the ACTION
287 column.
288
289 IP6TABLES({ip6tables-target [option ...])
290 IPv6 only. This action allows you to specify an ip6tables
291 target with options (e.g., 'IPTABLES(MARK --set-xmark
292 0x01/0xff)'. If the ip6tables-target is not one recognized by
293 Shorewall, the following error message will be issued:
294
295 ERROR: Unknown target (ip6tables-target)
296
297 This error message may be eliminated by adding the
298 ip6tables-target as a builtin action in
299 shorewall-actions[3](5).
300
301 Important
302 If you specify REJECT as the ip6tables-target, the target
303 of the rule will be the i6ptables REJECT target and not
304 Shorewall's builtin 'reject' chain which is used when
305 REJECT (see below) is specified as the target in the ACTION
306 column.
307
308 LOG:level
309 Simply log the packet and continue with the next rule.
310
311 macro[(macrotarget)]
312 The name of a macro defined in a file named macro.macro. If the
313 macro accepts an action parameter (Look at the macro source to
314 see if it has PARAM in the TARGET column) then the macro name
315 is followed by the parenthesized macrotarget (ACCEPT, DROP,
316 REJECT, ...) to be substituted for the parameter.
317
318 Example: FTP(ACCEPT).
319
320 The older syntax where the macro name and the target are
321 separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
322 deprecated.
323
324 MARK({mark})
325 where mark is a packet mark value.
326
327 Added in Shorewall 5.0.7, MARK requires "Mark in filter table"
328 support in your kernel and iptables.
329
330 Normally will set the mark value of the current packet. If
331 preceded by a vertical bar ("|"), the mark value will be
332 logically ORed with the current mark value to produce a new
333 mark value. If preceded by an ampersand ("&"), will be
334 logically ANDed with the current mark value to produce a new
335 mark value.
336
337 Both "|" and "&" require Extended MARK Target support in your
338 kernel and iptables.
339
340 The mark value may be optionally followed by "/" and a mask
341 value (used to determine those bits of the connection mark to
342 actually be set). When a mask is specified, the result of
343 logically ANDing the mark value with the mask must be the same
344 as the mark value.
345
346 NFLOG[(nflog-parameters)]
347 Added in Shorewall 4.5.9.3. Queues matching packets to a back
348 end logging daemon via a netlink socket then continues to the
349 next rule. See https://shorewall.org/shorewall_logging.html[6].
350
351 The nflog-parameters are a comma-separated list of up to 3
352 numbers:
353
354 • The first number specifies the netlink group (0-65535). If
355 omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
356
357 • The second number specifies the maximum number of bytes to
358 copy. If omitted, 0 (no limit) is assumed.
359
360 • The third number specifies the number of log messages that
361 should be buffered in the kernel before they are sent to
362 user space. The default is 1.
363
364 NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
365 the log level is not changed when this ACTION is used in an
366 action or macro body and the invocation of that action or macro
367 specifies a log level.
368
369 NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
370 Queues the packet to a user-space application using the
371 nfnetlink_queue mechanism. If a queuenumber1 is not specified,
372 queue zero (0) is assumed. Beginning with Shorewall 4.6.10, the
373 keyword bypass can be given. By default, if no userspace
374 program is listening on an NFQUEUE, then all packets that are
375 to be queued are dropped. When this option is used, the NFQUEUE
376 rule behaves like ACCEPT instead. Also beginning in Shorewall
377 4.6.10, a second queue number (queuenumber2) may be specified.
378 This specifies a range of queues to use. Packets are then
379 balanced across the given queues. This is useful for multicore
380 systems: start multiple instances of the userspace program on
381 queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the
382 same connection are put into the same nfqueue.
383
384 Beginning with Shorewall 5.1.0, queuenumber2 may be followed by
385 the letter 'c' to indicate that the CPU ID will be used as an
386 index to map packets to the queues. The idea is that you can
387 improve performance if there's a queue per CPU. Requires the
388 NFQUEUE CPU Fanout capability in your kernel and iptables.
389
390 NFQUEUE![([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
391 like NFQUEUE but exempts the rule from being suppressed by
392 OPTIMIZE=1 in shorewall.conf[2](5).
393
394 NONAT
395 Excludes the connection from any subsequent DNAT[-] or
396 REDIRECT[-] rules but doesn't generate a rule to accept the
397 traffic. Use with IPv6 requires Shorewall 4.5.14 or later.
398
399 QUEUE
400 Queue the packet to a user-space application such as ftwall
401 (http://p2pwall.sf.net). The application may reinsert the
402 packet for further processing.
403
404 QUEUE!
405 like QUEUE but exempts the rule from being suppressed by
406 OPTIMIZE=1 in shorewall.conf[2](5).
407
408 REJECT[(option)]
409 disallow the request and return an icmp-unreachable or an RST
410 packet. If no option is passed, Shorewall selects the
411 appropriate option based on the protocol of the packet.
412
413 Beginning with Shorewall 5.0.8, the type of reject may be
414 specified in the option paramater. Valid IPv4 option values
415 are:
416 icmp-net-unreachable
417 icmp-host-unreachable
418 icmp-port-unreachable
419 icmp-proto-unreachable
420 icmp-net-prohibited
421 icmp-host-prohibited
422 icmp-admin-prohibited
423 icmp-tcp-reset (the PROTO column
424 must specify TCP). Beginning with
425 Shorewall 5.1.3, this
426 option may also be specified as
427 tcp-reset.
428 Valid IPv6 option values are:
429 icmp6-no-route
430 no-route
431 icmp6-adm-prohibited
432 adm-prohibited
433 icmp6-addr-unreachable
434 addr-unreach
435 icmp6-port-unreachable
436 tcp-reset (the PROTO column must
437 specify TCP)
438
439 REJECT!
440 like REJECT but exempts the rule from being suppressed by
441 OPTIMIZE=1 in shorewall.conf[2](5).
442
443 REDIRECT
444 Redirect the request to a server running on the firewall. Use
445 with IPv6 requires Shorewall 4.5.14 or later.
446
447 REDIRECT-
448 Advanced users only.
449
450 Like REDIRECT but only generates the REDIRECT iptables rule and
451 not the companion ACCEPT rule. Use with IPv6 requires Shorewall
452 4.5.14 or later.
453
454 TARPIT [(tarpit | honeypot | reset)]
455 Added in Shorewall 4.6.6.
456
457 TARPIT captures and holds incoming TCP connections using no
458 local per-connection resources.
459
460 TARPIT only works with the PROTO column set to tcp (6), and is
461 totally application agnostic. This module will answer a TCP
462 request and play along like a listening server, but aside from
463 sending an ACK or RST, no data is sent. Incoming packets are
464 ignored and dropped. The attacker will terminate the session
465 eventually. This module allows the initial packets of an attack
466 to be captured by other software for inspection. In most cases
467 this is sufficient to determine the nature of the attack.
468
469 This offers similar functionality to LaBrea
470 <http://www.hackbusters.net/LaBrea/> but does not require
471 dedicated hardware or IPs. Any TCP port that you would normally
472 DROP or REJECT can instead become a tarpit.
473
474 The target accepts a single optional parameter:
475
476 tarpit
477 This mode is the default and completes a connection with
478 the attacker but limits the window size to 0, thus keeping
479 the attacker waiting long periods of time. While he is
480 maintaining state of the connection and trying to continue
481 every 60-240 seconds, we keep none, so it is very
482 lightweight. Attempts to close the connection are ignored,
483 forcing the remote side to time out the connection in 12-24
484 minutes.
485
486 honeypot
487 This mode completes a connection with the attacker, but
488 signals a normal window size, so that the remote side will
489 attempt to send data, often with some very nasty exploit
490 attempts. We can capture these packets for decoding and
491 further analysis. The module does not send any data, so if
492 the remote expects an application level response, the game
493 is up.
494
495 reset
496 This mode is handy because we can send an inline RST
497 (reset). It has no other function.
498
499 ULOG[(ulog-parameters)]
500 IPv4 only. Added in Shorewall 4.5.10. Queues matching packets
501 to a back end logging daemon via a netlink socket then
502 continues to the next rule. See shorewall-logging(5)[7].
503
504 Similar to LOG:ULOG[(ulog-parameters)], except that the log
505 level is not changed when this ACTION is used in an action or
506 macro body and the invocation of that action or macro specifies
507 a log level.
508
509 The target may optionally be followed by ":" and a syslog log level
510 (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to
511 be logged at the specified level. Note that if the ACTION involves
512 destination network address translation (DNAT, REDIRECT, etc.) then
513 the packet is logged before the destination address is rewritten.
514
515 If the ACTION names an action declared in shorewall-actions[3](5)
516 or in /usr/share/shorewall/actions.std then:
517
518 • If the log level is followed by "!' then all rules in the
519 action are logged at the log level.
520
521 • If the log level is not followed by "!" then only those rules
522 in the action that do not specify logging are logged at the
523 specified level.
524
525 • The special log level none! suppresses logging by the action.
526
527 You may also specify ULOG (IPv4 only) or NFLOG (must be in upper
528 case) as a log level.This will log to the ULOG or NFLOG target for
529 routing to a separate log through use of ulogd
530 (shorewall-logging(5)[7]).
531
532 Actions specifying logging may be followed by a log tag (a string
533 of alphanumeric characters) which is appended to the string
534 generated by the LOGPREFIX (in shorewall.conf[2](5)).
535
536 Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
537 prefix generated by the LOGPREFIX setting.
538
539 SOURCE - source-spec[,...]
540 Source hosts to which the rule applies.
541
542 source-spec is one of the following:
543
544 zone[,...[+]]
545 The name of a zone defined in shorewall-zones[4](5). When only
546 the zone name is specified, the packet source may be any host
547 in that zone.
548
549 zone may also be one of the following:
550
551 all[+]
552 all, without the "-" means "All Zones, including the
553 firewall zone". Normally all omits intra-zone traffic, but
554 intra-zone traffic can be included specifying "+".
555
556 any[+]
557 any is equivalent to all when there are no nested zones.
558 When there are nested zones, any only refers to top-level
559 zones (those with no parent zones). Note that any excludes
560 all vserver zones, since those zones are nested within the
561 firewall zone.
562
563 none
564 When none is used either in the SOURCE or DEST column, the
565 rule is ignored.
566
567 Similar to with all and any, intra-zone traffic is normally
568 excluded when multiple zones are listed. Intra-zone traffic may
569 be included by following the list with a plus sign ("+").
570
571 all and any may be followed by an exclamation point ("!") and a
572 comma-separated list of zone names to be omitted.
573
574 zone:[!]interface
575 When this form is used, interface must be the name of an
576 interface associated with the named zone in either
577 shorewall-interfaces[8](5) or shorewall-hosts[9](5). Only
578 packets from hosts in the zone that arrive through the named
579 interface will match the rule.
580
581 Beginning with Shorweall 5.2.1, the interface may be preceded
582 with '!' which matches all interfaces associated with the zone
583 except the one specified.
584
585 zone:address[,...]
586 where address can be:
587
588 • A host or network IP address. A network address may be
589 followed by exclusion (see shorewall-exclusion[10](5)).
590
591 • An address range, specified using the syntax
592 lowaddress-highaddress.
593
594 • +ipset where ipset is the name of an ipset and must be
595 preceded by a plus sign ("+").
596
597 • A MAC address in Shorewall format (preceded by a tilde
598 ("~") and with the hex byte values separated by dashes
599 (e.g., "~00-0a-f6-04-9c-7d").
600
601 • ^country-code where country-code is a two-character
602 ISO-3661 country code preceded by a caret ("^").
603
604 • ^country-code-list where country-code-list is a
605 comma-separated list of up to 15 ISO-3661 country codes
606 enclosed in square brackets ("[...]").
607
608 • The primary IP address of a firewall interface can be
609 specified by an ampersand ('&') followed by the logical
610 name of the interface as found in the INTERFACE column of
611 shorewall-interfaces[8] (5).
612
613 zone:interface:address[,...]
614 This form combines the preceding two and requires that both the
615 incoming interface and source address match.
616
617 zone:exclusion
618 This form matches if the host IP address does not match any of
619 the entries in the exclusion (see shorewall-exclusion[10](5)).
620
621 zone:interface:exclusion
622 This form matches packets from the named zone entering through
623 the specified interface where the source address does not match
624 any entry in the exclusion.
625
626 Beginning with Shorewall 5.1.0, multiple source-specs may be
627 listed, provided that extended forms of the source-spec are used:
628 zone:(interface)
629
630 zone:(address[,...])
631
632 zone:(interface:address[,...])
633
634 zone:(exclusion)
635
636 zone:(interface:exclusion) Examples:
637
638 dmz:192.168.2.2
639 Host 192.168.2.2 in the DMZ
640
641 net:155.186.235.0/24
642 Subnet 155.186.235.0/24 on the Internet
643
644 loc:192.168.1.1,192.168.1.2
645 Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
646
647 loc:~00-A0-C9-15-39-78
648 Host in the local zone with MAC address 00:A0:C9:15:39:78.
649
650 net:192.0.2.11-192.0.2.17
651 Hosts 192.0.2.11-192.0.2.17 in the net zone.
652
653 net:!192.0.2.11-192.0.2.17
654 All hosts in the net zone except for 192.0.2.11-192.0.2.17.
655
656 net:155.186.235.0/24!155.186.235.16/28
657 Subnet 155.186.235.0/24 on the Internet except for
658 155.186.235.16/28
659
660 $FW:ð0
661 The primary IP address of eth0 in the firewall zone.
662
663 loc,dmz
664 Both the loc and dmz zones.
665
666 all!dmz
667 All but the dmz zone.
668
669 all+!$FW
670 All but the firewall zone and applies to intrazone traffic.
671
672 net:^CN
673 China.
674
675 loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
676 Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
677 arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
678 dmz zone when the packet arrives through eth2 plus all of the
679 net zone.
680
681 dmz:[2002:ce7c:2b4:1::2]
682 Host 2002:ce7c:92b4:1::2 in the DMZ
683
684 net:2001:4d48:ad51:24::/64
685 Subnet 2001:4d48:ad51:24::/64 on the Internet
686
687 loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
688 Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local
689 zone.
690
691 loc:~00-A0-C9-15-39-78
692 Host in the local zone with MAC address 00:A0:C9:15:39:78.
693
694 net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
695 Subnet 2001:4d48:ad51:24::/64 on the Internet except for
696 2001:4d48:ad51:24:6::/80.
697
698 DEST - dest-spec[,...]
699 Destination hosts to which the rule applies.
700
701 dest-spec is one of the following:
702
703 zone[,...[+]]
704 The name of a zone defined in shorewall-zones[4](5). When only
705 the zone name is specified, the packet destination may be any
706 host in that zone.
707
708 zone may also be one of the following:
709
710 all[+]
711 all, without the "-" means "All Zones, including the
712 firewall zone". Normally all omits intra-zone traffic, but
713 intra-zone traffic can be included specifying "+".
714
715 any[+]
716 any is equivalent to all when there are no nested zones.
717 When there are nested zones, any only refers to top-level
718 zones (those with no parent zones). Note that any excludes
719 all vserver zones, since those zones are nested within the
720 firewall zone.
721
722 none
723 When none is used either in the SOURCE or DEST column, the
724 rule is ignored.
725
726 Similar to with all and any, intra-zone traffic is normally
727 excluded when multiple zones are listed. Intra-zone traffic may
728 be included by following the list with a plus sign ("+").
729
730 all and any may be followed by an exclamation point ("!") and a
731 comma-separated list of zone names to be omitted.
732
733 zone:[!]interface
734 When this form is used, interface must be the name of an
735 interface associated with the named zone in either
736 shorewall-interfaces[8](5) or shorewall-hosts[11](5). Only
737 packets to hosts in the zone that are sent through the named
738 interface will match the rule.
739
740 Beginning with Shorweall 5.2.1, the interface may be preceded
741 with '!' which matches all interfaces associated with the zone
742 except the one specified.
743
744 zone:address[,...]
745 where address can be:
746
747 • A host or network IP address. A network address may be
748 followed by exclusion (see shorewall-exclusion[10](5)).
749
750 • An address range, specified using the syntax
751 lowaddress-highaddress.
752
753 • +ipset where ipset is the name of an ipset and must be
754 preceded by a plus sign ("+").
755
756 • ^country-code where country-code is a two-character
757 ISO-3661 country code preceded by a caret ("^").
758
759 • ^country-code-list where country-code-list is a
760 comma-separated list of up to 15 ISO-3661 country codes
761 enclosed in square brackets ("[...]").
762
763 • The primary IP address of a firewall interface can be
764 specified by an ampersand ('&') followed by the logical
765 name of the interface as found in the INTERFACE column of
766 shorewall-interfaces[8] (5).
767
768 zone:[!]interface:address[,...]
769 This form combines the preceding two and requires that both the
770 outgoing interface and destinationaddress match.
771
772 Beginning with Shorweall 5.2.1, the interface may be preceded
773 with '!' which matches all interfaces associated with the zone
774 except the one specified.
775
776 zone:exclusion
777 This form matches if the host IP address does not match any of
778 the entries in the exclusion (see shorewall-exclusion[10](5)).
779
780 zone:[!]interface:exclusion
781 This form matches packets to the named zone leaving through the
782 specified interface where the destination address does not
783 match any entry in the exclusion.
784
785 Beginning with Shorweall 5.2.1, the interface may be preceded
786 with '!' which matches all interfaces associated with the zone
787 except the one specified.
788
789 [zone]:[server-IP][:port-or-port-range[:random]]
790 This form applies when the ACTION is DNAT[-] or REDIRECT[-].
791 The zone may be omitted in REDIRECT rules ($FW is assumed) and
792 must be omitted in DNAT-, REDIRECT- and NONAT rules.
793
794 server-IP is not allowed in REDIRECT rules and may be omitted
795 in DNAT[-] rules provided that port-or-port-range is included.
796
797 • The IP address of the server to which the packet is to be
798 sent.
799
800 • A range of IP address with the low and high address
801 separated by a dash (:"-"). Connections are distributed
802 among the IP addresses in the range.
803
804 If server-IP is omitted in a DNAT[-] rule, only the destination
805 port number is modified by the rule.
806
807 port-or-port-range may be:
808
809 • An integer port number in the range 1 - 65535.
810
811 • The name of a service from /etc/services.
812
813 • A port range with the low and high integer port numbers
814 separated by a dash ("-"). Connections are distributed
815 among the ports in the range.
816
817 If random is specified, port mapping will be randomized.
818
819 If the DEST zone is a bport zone, then either:
820
821 1. the SOURCE must be all[+], or
822
823 2. the SOURCE zone must be another bport zone associated with the
824 same bridge, or
825
826 3. the SOURCE zone must be an ipv4 zone that is associated with
827 only the same bridge.
828
829 Beginning with Shorewall 5.1.0, multiple dest-specs may be listed,
830 provided that extended forms of the source-spec are used:
831 zone:(interface)
832
833 zone:(address[,...])
834
835 zone:(interface:address[,...])
836
837 zone:(exclusion)
838
839 zone:(interface:exclusion) Multiple dest-specs are not permitted in
840 DNAT[-] and REDIRECT[-] rules.
841
842 Examples:
843
844 dmz:192.168.2.2
845 Host 192.168.2.2 in the DMZ
846
847 net:155.186.235.0/24
848 Subnet 155.186.235.0/24 on the Internet
849
850 loc:192.168.1.1,192.168.1.2
851 Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
852
853 net:192.0.2.11-192.0.2.17
854 Hosts 192.0.2.11-192.0.2.17 in the net zone.
855
856 net:!192.0.2.11-192.0.2.17
857 All hosts in the net zone except for 192.0.2.11-192.0.2.17.
858
859 net:155.186.235.0/24!155.186.235.16/28
860 Subnet 155.186.235.0/24 on the Internet except for
861 155.186.235.16/28
862
863 $FW:ð0
864 The primary IP address of eth0 in the firewall zone.
865
866 loc,dmz
867 Both the loc and dmz zones.
868
869 all!dmz
870 All but the dmz zone.
871
872 net:^CN
873 China.
874
875 dmz:192.168.10.4:25
876 Port 25 on server 192.168.10.4 in the dmz zone (DNAT rule).
877
878 loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
879 Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
880 arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
881 dmz zone when the packet arrives through eth2 plus all of the
882 net zone.
883
884 PROTO-
885 {-|tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
886 Optional Protocol - ipp2p* requires ipp2p match support in your
887 kernel and iptables. tcp:syn implies tcp plus the SYN flag must be
888 set and the RST, ACK and FIN flags must be reset. Beginning with
889 Shorewall 5.1.3, you may also specify tcp:!syn, which matches if
890 SYN is not set or if RST, ACK or FIN is set.
891
892 Beginning with Shorewall 4.4.19, this column can contain a
893 comma-separated list of protocol-numbers and/or protocol names.
894
895 DPORT -
896 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
897 Optional destination Ports. A comma-separated list of Port names
898 (from services(5)), port numbers or port ranges; if the protocol is
899 icmp, this column is interpreted as the destination icmp-type(s).
900 ICMP types may be specified as a numeric type, a numeric type and
901 code separated by a slash (e.g., 3/4), or a typename. See
902 https://shorewall.org/configuration_file_basics.htm#ICMP[12]. Note
903 that prior to Shorewall 4.4.19, only a single ICMP type may be
904 listed.
905
906 If the protocol is ipp2p, this column is interpreted as an ipp2p
907 option without the leading "--" (example bit for bit-torrent). If
908 no port is given, ipp2p is assumed.
909
910 A port range is expressed as lowport:highport.
911
912 This column is ignored if PROTO = all but must be entered if any of
913 the following columns are supplied. In that case, it is suggested
914 that this field contain a dash (-).
915
916 If your kernel contains multi-port match support, then only a
917 single Netfilter rule will be generated if in this list and the
918 SPORT list below:
919
920 1. There are 15 or less ports listed.
921
922 2. No port ranges are included or your kernel and iptables contain
923 extended multi-port match support.
924
925 Beginning with Shorewall 4.6.0, an ipset name can be specified in
926 this column. This is intended to be used with bitmap:port ipsets.
927
928 This column was formerly labelled DEST PORT(S).
929
930 SPORT -
931 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
932 Optional port(s) used by the client. If omitted, any source port is
933 acceptable. Specified as a comma- separated list of port names,
934 port numbers or port ranges.
935
936 Beginning with Shorewall 4.5.15, you may place '=' in this column,
937 provided that the DPORT column is non-empty. This causes the rule
938 to match when either the source port or the destination port in a
939 packet matches one of the ports specified in DEST PORTS(S). Use of
940 '=' requires multi-port match in your iptables and kernel.
941
942 Warning
943 Unless you really understand IP, you should leave this column
944 empty or place a dash (-) in the column. Most people who try to
945 use this column get it wrong.
946 If you don't want to restrict client ports but need to specify an
947 ORIGDEST in the next column, then place "-" in this column.
948
949 If your kernel contains multi-port match support, then only a
950 single Netfilter rule will be generated if in this list and the
951 DPORT list above:
952
953 1. There are 15 or less ports listed.
954
955 2. No port ranges are included or your kernel and iptables contain
956 extended multi-port match support.
957
958 Beginning with Shorewall 4.6.0, an ipset name can be specified in
959 this column. This is intended to be used with bitmap:port ipsets.
960
961 This column was formerly labelled SOURCE PORT(S).
962
963 ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
964 Optional. If ACTION is DNAT[-] or REDIRECT[-] then if this column
965 is included and is different from the IP address given in the DEST
966 column, then connections destined for that address will be
967 forwarded to the IP and port specified in the DEST column.
968
969 A comma-separated list of addresses may also be used. This is most
970 useful with the REDIRECT target where you want to redirect traffic
971 destined for particular set of hosts. Finally, if the list of
972 addresses begins with "!" (exclusion) then the rule will be
973 followed only if the original destination address in the connection
974 request does not match any of the addresses listed.
975
976 Beginning with Shorewall 4.4.17, the primary IP address of a
977 firewall interface can be specified by an ampersand ('&') followed
978 by the logical name of the interface as found in the INTERFACE
979 column of shorewall-interfaces[8] (5).
980
981 For other actions, this column may be included and may contain one
982 or more addresses (host or network) separated by commas. Address
983 ranges are not allowed. When this column is supplied, rules are
984 generated that require that the original destination address
985 matches one of the listed addresses. This feature is most useful
986 when you want to generate a filter rule that corresponds to a DNAT-
987 or REDIRECT- rule. In this usage, the list of addresses should not
988 begin with "!".
989
990 It is also possible to specify a set of addresses then exclude part
991 of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
992 specifies the addresses 192.168.1.0-182.168.1.15 and
993 192.168.1.32-192.168.1.255. See shorewall-exclusion[10](5).
994
995 See https://shorewall.org/PortKnocking.html[13] for an example of
996 using an entry in this column with a user-defined action rule.
997
998 This column was formerly labelled ORIGINAL DEST.
999
1000 RATE - limit
1001 where limit is one of:
1002 [-|[{s|d}[/vlsm]:[name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]
1003 [s[/vlsm1]:][name1[(ht-buckets1,ht-max1)]:]rate1/{sec|min|hour|day}[:burst1],[d[/vlsm2:][name2[(ht-buckets2,ht-max2)]:]rate2/{sec|min|hour|day}[:burst2]
1004 You may optionally rate-limit the rule by placing a value in this
1005 column:
1006
1007 rate* is the number of connections per interval (sec or min) and
1008 burst* is the largest burst permitted. If no burst is given, a
1009 value of 5 is assumed. There may be no no white-space embedded in
1010 the specification.
1011
1012 Example: 10/sec:20
1013
1014 When s: or d: is specified, the rate applies per source IP address
1015 or per destination IP address respectively. The names may be chosen
1016 by the user and specify a hash table to be used to count matching
1017 connections. If not given, the name shorewallN (where N is a unique
1018 integer) is assumed. Where more than one rule or POLICY specifies
1019 the same name, the connections counts for the rules are aggregated
1020 and the individual rates apply to the aggregated count. Beginning
1021 with Shorewall 5.2.1, the s or d may be followed by a slash ("/")
1022 and an integer vlsm. When a vlsm is specified, all source or
1023 destination addresses encountered will be grouped according to the
1024 given prefix length and the so-created subnet will be subject to
1025 the rate limit.
1026
1027 Example: s/24::10/sec
1028
1029 Beginning with Shorewall 4.6.5, two limits may be specified,
1030 separated by a comma. In this case, the first limit (name1, rate1,
1031 burst1) specifies the per-source IP limit and the second limit
1032 specifies the per-destination IP limit.
1033
1034 Example: client:10/sec:20,:60/sec:100
1035
1036 In this example, the 'client' hash table will be used to enforce
1037 the per-source limit and the compiler will pick a unique name for
1038 the hash table that tracks the per-destination limit.
1039
1040 Beginning with Shorewall 5.2.1, the table name, if any, may be
1041 followed by two integers separated by commas and enclosed in
1042 parentheses. The first integer (ht-buckets) specifies the number of
1043 buckets in the generated hash table. The second integer (ht-max)
1044 specifies the maximum number of entries in the hash table.
1045
1046 Example: s:netfw(1024,65536):10/sec
1047
1048 This column was formerly labelled RATE LIMIT.
1049
1050 USER - [!][user-name-or-number][:group-name-or-number][,...]
1051 This optional column may only be non-empty if the SOURCE is the
1052 firewall itself.
1053
1054 When this column is non-empty, the rule applies only if the program
1055 generating the output is running under the effective user and/or
1056 group specified (or is NOT running under that id if "!" is given).
1057
1058 Beginning with Shorewall 4.5.8, multiple user or group names/ids
1059 separated by commas may be specified.
1060
1061 Examples:
1062
1063 joe
1064 program must be run by joe
1065
1066 :kids
1067 program must be run by a member of the 'kids' group
1068
1069 !:kids
1070 program must not be run by a member of the 'kids' group
1071
1072 2001-2099
1073 UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
1074
1075 This column was formerly labelled USER/GROUP.
1076
1077 MARK - [!]value[/mask][:C]
1078 Defines a test on the existing packet or connection mark. The rule
1079 will match only if the test returns true.
1080
1081 If you don't want to define a test but need to specify anything in
1082 the following columns, place a "-" in this field.
1083
1084 !
1085 Inverts the test (not equal)
1086
1087 value
1088 Value of the packet or connection mark.
1089
1090 mask
1091 A mask to be applied to the mark before testing.
1092
1093 :C
1094 Designates a connection mark. If omitted, the packet mark's
1095 value is tested.
1096
1097 CONNLIMIT - [d:][!]limit[:mask]
1098 May be used to limit the number of simultaneous connections to/from
1099 each individual host or network to limit connections. Requires
1100 connlimit match in your kernel and iptables. While the limit is
1101 only checked on rules specifying CONNLIMIT, the number of current
1102 connections is calculated over all current connections from the
1103 SOURCE or DESTINATION host. By default, limiting is done by SOURCE
1104 host or net, but if the specification begins with d:, then limiting
1105 will be donw by destination host or net.
1106
1107 By default, the limit is applied to each host but can be made to
1108 apply to networks of hosts by specifying a mask. The mask specifies
1109 the width of a VLSM mask to be applied to the source address; the
1110 number of current connections is then taken over all hosts in the
1111 subnet source-address/mask. When ! is specified, the rule matches
1112 when the number of connection exceeds the limit.
1113
1114 TIME - timeelement[&timeelement...]
1115 May be used to limit the rule to a particular time period each day,
1116 to particular days of the week or month, or to a range defined by
1117 dates and times. Requires time match support in your kernel and
1118 iptables.
1119
1120 timeelement may be:
1121
1122 timestart=hh:mm[:ss]
1123 Defines the starting time of day.
1124
1125 timestop=hh:mm[:ss]
1126 Defines the ending time of day.
1127
1128 contiguous
1129 Added in Shoreawll 5.0.12. When timestop is smaller than
1130 timestart value, match this as a single time period instead of
1131 distinct intervals.
1132
1133 utc
1134 Times are expressed in Greenwich Mean Time.
1135
1136 localtz
1137 Deprecated by the Netfilter team in favor of kerneltz. Times
1138 are expressed in Local Civil Time (default).
1139
1140 kerneltz
1141 Added in Shorewall 4.5.2. Times are expressed in Local Kernel
1142 Time (requires iptables 1.4.12 or later).
1143
1144 weekdays=ddd[,ddd]...
1145 where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
1146
1147 monthdays=dd[,dd],...
1148 where dd is an ordinal day of the month
1149
1150
1151 datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1152 Defines the starting date and time.
1153
1154 datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1155 Defines the ending date and time.
1156
1157 HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
1158 4.4.15)
1159 This column is only used in IPv6. In IPv4, supply "-" in this
1160 column if you with to place a value in one of the following
1161 columns.
1162
1163 The header-list consists of a comma-separated list of headers from
1164 the following list.
1165
1166 auth, ah, or 51
1167 Authentication Headers extension header.
1168
1169 esp, or 50
1170 Encrypted Security Payload extension header.
1171
1172 hop, hop-by-hop or 0
1173 Hop-by-hop options extension header.
1174
1175 route, ipv6-route or 43
1176 IPv6 Route extension header.
1177
1178 frag, ipv6-frag or 44
1179 IPv6 fragmentation extension header.
1180
1181 none, ipv6-nonxt or 59
1182 No next header
1183
1184 proto, protocol or 255
1185 Any protocol header.
1186
1187 If any: is specified, the rule will match if any of the listed
1188 headers are present. If exactly: is specified, the will match
1189 packets that exactly include all specified headers. If neither is
1190 given, any: is assumed.
1191
1192 If ! is entered, the rule will match those packets which would not
1193 be matched when ! is omitted.
1194
1195 SWITCH - [!]switch-name[={0|1}]
1196 Added in Shorewall 4.4.24 and allows enabling and disabling the
1197 rule without requiring shorewall reload.
1198
1199 The rule is enabled if the value stored in
1200 /proc/net/nf_condition/switch-name is 1. The rule is disabled if
1201 that file contains 0 (the default). If '!' is supplied, the test is
1202 inverted such that the rule is enabled if the file contains 0.
1203
1204 Within the switch-name, '@0' and '@{0}' are replaced by the name of
1205 the chain to which the rule is a added. The switch-name (after
1206 '@...' expansion) must begin with a letter and be composed of
1207 letters, decimal digits, underscores or hyphens. Switch names must
1208 be 30 characters or less in length.
1209
1210 Switches are normally off. To turn a switch on:
1211 echo 1 >
1212 /proc/net/nf_condition/switch-name
1213 To turn it off again:
1214 echo 0 >
1215 /proc/net/nf_condition/switch-name
1216 Switch settings are retained over shorewall reload.
1217
1218 Beginning with Shorewall 4.5.10, when the switch-name is followed
1219 by =0 or =1, then the switch is initialized to off or on
1220 respectively by the start command. Other commands do not affect the
1221 switch setting.
1222
1223 HELPER - [helper]
1224 Added in Shorewall 4.5.7.
1225
1226 In the NEW section, causes the named conntrack helper to be
1227 associated with this connection; the contents of this column are
1228 ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*.
1229
1230 In the RELATED section, will only match if the related connection
1231 has the named helper associated with it.
1232
1233 The helper may be one of:
1234 amanda
1235 ftp
1236 irc
1237 netbios-ns
1238 pptp
1239 Q.931
1240 RAS
1241 sane
1242 sip
1243 snmp
1244 tftp
1245 If the HELPERS option is specified in shorewall.conf[2](5), then
1246 any module specified in this column must be listed in the HELPERS
1247 setting.
1248
1250 Example 1:
1251 Accept SMTP requests from the DMZ to the internet
1252
1253 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1254 ACCEPT dmz net tcp smtp
1255
1256 Example 2:
1257 Forward all ssh and http connection requests from the internet to
1258 local system 192.168.1.3
1259
1260 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1261 DNAT net loc:192.168.1.3 tcp ssh,http
1262
1263 Example 3:
1264 Forward all http connection requests from the internet to local
1265 system 192.168.1.3 with a limit of 3 per second and a maximum burst
1266 of 10
1267
1268 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
1269 DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
1270
1271 Example 4:
1272 Redirect all locally-originating www connection requests to port
1273 3128 on the firewall (Squid running on the firewall system) except
1274 when the destination address is 192.168.2.2
1275
1276 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1277 REDIRECT loc 3128 tcp www - !192.168.2.2
1278
1279 Example 5:
1280 All http requests from the internet to address 130.252.100.69 are
1281 to be forwarded to 192.168.1.3
1282
1283 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1284 DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
1285
1286 Example 6:
1287 You want to accept SSH connections to your firewall only from
1288 internet IP addresses 130.252.100.69 and 130.252.100.70
1289
1290 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1291 ACCEPT net:130.252.100.69,130.252.100.70 \
1292 $FW tcp 22
1293
1294 Example 7:
1295 You wish to accept connections from the internet to your firewall
1296 on port 2222 and you want to forward them to local system
1297 192.168.1.3, port 22
1298
1299 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1300 DNAT net loc:192.168.1.3:22 tcp 2222
1301
1302 Example 8:
1303 You want to redirect connection requests to port 80 randomly to the
1304 port range 81-90.
1305
1306 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1307 REDIRECT net $FW::81-90:random tcp www
1308
1309 Example 9:
1310 Shorewall does not impose as much structure on the Netfilter rules
1311 in the 'nat' table as it does on those in the filter table. As a
1312 consequence, when using Shorewall versions before 4.1.4, care must
1313 be exercised when using DNAT and REDIRECT rules with zones defined
1314 with wildcard interfaces (those ending with '+'. Here is an
1315 example:
1316
1317 shorewall-zones[4](5):
1318
1319 #ZONE TYPE OPTIONS
1320 fw firewall
1321 net ipv4
1322 dmz ipv4
1323 loc ipv4
1324
1325 shorewall-interfaces[8](5):
1326
1327 #ZONE INTERFACE BROADCAST OPTIONS
1328 net ppp0
1329 loc eth1 detect
1330 dmz eth2 detect
1331 - ppp+ # Addresses are assigned from 192.168.3.0/24
1332
1333 shorewall-host[11](5):
1334
1335 #ZONE HOST(S) OPTIONS
1336 loc ppp+:192.168.3.0/24
1337
1338 rules:
1339
1340 #ACTION SOURCE DEST PROTO DPORT
1341 REDIRECT loc 3128 tcp 80
1342
1343 Note that it would have been tempting to simply define the loc zone
1344 entirely in shorewall-interfaces(8):
1345
1346 #******************* INCORRECT *****************
1347 #ZONE INTERFACE BROADCAST OPTIONS
1348 net ppp0
1349 loc eth1 detect
1350 loc ppp+
1351 dmz eth2
1352
1353 This would have made it impossible to run a internet-accessible web
1354 server in the DMZ because all traffic entering ppp+ interfaces
1355 would have been redirected to port 3128 on the firewall and there
1356 would have been no net->fw ACCEPT rule for that traffic.
1357
1358 Example 10:
1359 Add the tuple (source IP, dest port, dest IP) of an incoming SSH
1360 connection to the ipset S:
1361
1362 #ACTION SOURCE DEST PROTO DPORT
1363 ADD(+S:dst,src,dst) net fw tcp 22
1364
1365 Example 11:
1366 You wish to limit SSH connections from remote systems to 1/min with
1367 a burst of three (to allow for limited retry):
1368
1369 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
1370 SSH(ACCEPT) net all - - - - s:1/min:3
1371
1372 Example 12:
1373 Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.
1374
1375 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
1376 DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
1377
1378 Example 13:
1379 Drop all email from the Anonymous Proxy and Satellite Provider
1380 address ranges:
1381
1382 #ACTION SOURCE DEST PROTO DPORT
1383 DROP net:^A1,A2 fw tcp 25
1384
1385 Example 14:
1386 You want to generate your own rule involving iptables targets and
1387 matches not supported by Shorewall.
1388
1389 #ACTION SOURCE DEST PROTO DPORT
1390 INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1391
1392 The above will generate the following iptables-restore input:
1393
1394 -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1395
1396 Note that SECCTX must be defined as a builtin action in
1397 shorewall-actions[3](5):
1398
1399 #ACTION OPTIONS
1400 SECCTX builtin
1401
1402 Example 15:
1403 You want to accept SSH connections to your firewall only from
1404 internet IP addresses 2002:ce7c::92b4:1::2 and
1405 2002:ce7c::92b4:1::22
1406
1407 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
1408 ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
1409 $FW tcp 22
1410
1412 /etc/shorewall/rules
1413
1414 /etc/shorewall6/rules
1415
1417 shorewall-logging(5)[7]
1418
1419 https://shorewall.org/ipsets.html[14]
1420
1421 https://shorewall.org/configuration_file_basics.htm#Pairs[15]
1422
1423 shorewall(8)
1424
1426 1. shorewall-policy
1427 https://shorewall.org/manpages/shorewall-policy.html
1428
1429 2. shorewall.conf
1430 https://shorewall.org/manpages/shorewall.conf.html
1431
1432 3. shorewall-actions
1433 https://shorewall.org/manpages/shorewall-actions.html
1434
1435 4. shorewall-zones
1436 https://shorewall.org/manpages/shorewall-zones.html
1437
1438 5. shorewall-nesting
1439 https://shorewall.org/manpages/shorewall-nesting.html
1440
1441 6. https://shorewall.org/shorewall_logging.html
1442 https://shorewall.org/shorewall_logging.html
1443
1444 7. shorewall-logging(5)
1445 https://shorewall.org/manpages/shorewall-logging.html
1446
1447 8. shorewall-interfaces
1448 https://shorewall.org/manpages/shorewall-interfaces.html
1449
1450 9. shorewall-hosts
1451 https://shorewall.org/manpages/shorewall.hosts.html
1452
1453 10. shorewall-exclusion
1454 https://shorewall.org/manpages/shorewall-exclusion.html
1455
1456 11. shorewall-hosts
1457 https://shorewall.org/manpages/shorewall-hosts.html
1458
1459 12. https://shorewall.org/configuration_file_basics.htm#ICMP
1460 https://shorewall.org/configuration_file_basics.htm#ICMP
1461
1462 13. https://shorewall.org/PortKnocking.html
1463 https://shorewall.org/PortKnocking.html
1464
1465 14. https://shorewall.org/ipsets.html
1466 https://shorewall.org/ipsets.html
1467
1468 15. https://shorewall.org/configuration_file_basics.htm#Pairs
1469 https://shorewall.org/configuration_file_basics.htm#Pairs
1470
1471
1472
1473Configuration Files 09/24/2020 SHOREWALL-RULES(5)