1SHOREWALL-ACCOUNTIN(5) Configuration Files SHOREWALL-ACCOUNTIN(5)
2
3
4
6 accounting - Shorewall Accounting file
7
9 /etc/shorewall[6]/accounting
10
12 Accounting rules exist simply to count packets and bytes in categories
13 that you define in this file. You may display these rules and their
14 packet and byte counters using the shorewall show accounting command.
15
16 Beginning with Shorewall 4.4.18, the accounting structure can be
17 created with three root chains:
18
19 · accountin: Rules that are valid in the INPUT chain (may not specify
20 an output interface).
21
22 · accountout: Rules that are valid in the OUTPUT chain (may not
23 specify an input interface or a MAC address).
24
25 · accounting: Other rules.
26
27 The new structure is enabled by sectioning the accounting file in a
28 manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
29 FORWARD and must appear in that order (although any of them may be
30 omitted). The first non-commentary record in the accounting file must
31 be a section header when sectioning is used.
32
33 Warning
34 If sections are not used, the Shorewall rules compiler cannot
35 detect certain violations of netfilter restrictions. These
36 violations can result in run-time errors such as the following:
37
38 iptables-restore v1.4.13: Can't use -o with INPUT
39
40 Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
41 to shorewall.conf and shorewall6.conf. That setting determines the
42 Netfilter table (filter or mangle) where the accounting rules are
43 added. When ACCOUNTING_TABLE=mangle is specified, the available
44 sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
45
46 Section headers have the form:
47
48 ?SECTION section-name
49
50 When sections are enabled:
51
52 · A jump to a user-defined accounting chain must appear before
53 entries that add rules to that chain. This eliminates loops and
54 unreferenced chains.
55
56 · An output interface may not be specified in the PREROUTING and
57 INPUT sections.
58
59 · In the OUTPUT and POSTROUTING sections:
60
61 · An input interface may not be specified
62
63 · Jumps to a chain defined in the INPUT or PREROUTING sections
64 that specifies an input interface are prohibited
65
66 · MAC addresses may not be used
67
68 · Jump to a chain defined in the INPUT or PREROUTING section that
69 specifies a MAC address are prohibited.
70
71 · The default value of the CHAIN column is:
72
73 · accountin in the INPUT section
74
75 · accountout in the OUTPUT section
76
77 · accountfwd in the FORWARD section
78
79 · accountpre in the PREROUTING section
80
81 · accountpost in the POSTROUTING section
82
83 · Traffic addressed to the firewall goes through the rules defined in
84 the INPUT section.
85
86 · Traffic originating on the firewall goes through the rules defined
87 in the OUTPUT section.
88
89 · Traffic being forwarded through the firewall goes through the rules
90 from the FORWARD sections.
91
92 The columns in the file are as follows (where the column name is
93 followed by a different name in parentheses, the different name is used
94 in the alternate specification syntax):
95
96 ACTION -
97 {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT
98 comment}
99 What to do when a matching packet is found.
100
101 COUNT
102 Simply count the match and continue with the next rule
103
104 DONE
105 Count the match and don't attempt to match any other accounting
106 rules in the chain specified in the CHAIN column.
107
108 chain[:COUNT]
109 Where chain is the name of a chain; shorewall will create the
110 chain automatically if it doesn't already exist. If a second
111 chain is mentioned in the CHAIN column, then a jump from this
112 second chain to chain is created. If no chain is named in the
113 CHAIN column, then a jump from the default chain to chain is
114 created. If :COUNT is included, a counting rule matching this
115 entry will be added to chain. The chain may not exceed 29
116 characters in length and may be composed of letters, digits,
117 dash ('-') and underscore ('_').
118
119 chain:JUMP
120 Like the previous option without the :COUNT part.
121
122 ACCOUNT(table,network)
123 This action implements per-IP accounting and was added in
124 Shorewall 4.4.17. Requires the ACCOUNT Target capability in
125 your iptables and kernel (see the output of shorewall show
126 capabilities).
127
128 table
129 is the name of an accounting table (you choose the name).
130 All rules specifying the same name will have their per-IP
131 counters accumulated in the same table.
132
133 network
134 is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
135 The network can be as large as a /8 (class A).
136
137 One nice feature of per-IP accounting is that the counters
138 survive shorewall restart. This has a downside, however. If you
139 change the network associated with an accounting table, then
140 you must shorewall stop; shorewall start to have a successful
141 restart (counters will be cleared).
142
143 The counters in a table are printed using the iptaccount
144 utility. For a command synopsis, type:
145
146 iptaccount --help
147
148 As of February 2011, the ACCOUNT Target capability and the
149 iptaccount utility are only available when xtables-addons[2] is
150 installed. See
151 http://www.shorewall.net/Accounting.html#perIP[3] for
152 additional information.
153
154 INLINE
155 Added in Shorewall 4.5.16. Allows free form iptables matches to
156 be specified following a ';'. In the generated iptables
157 rule(s), the free form matches will follow any matches that are
158 generated by the column contents.
159
160 NFACCT({object[!]}[,...])
161 Added in Shorewall 4.5.7. Provides a form of accounting that
162 survives shorewall stop/shorewall start and shorewall restart.
163 Requires the NFaccnt Match capability in your kernel and
164 iptables. object names an nfacct object (see man nfaccnt(8)).
165 Multiple rules can specify the same object; all packets that
166 match any of the rules increment the packet and bytes count of
167 the object.
168
169 Prior to Shorewall 4.5.16, only one object could be specified.
170 Beginning with Shorewall 4.5.16, an arbitrary number of objects
171 may be given.
172
173 With Shorewall 4.5.16 or later, an nfacct object in the list
174 may optionally be followed by ! to indicate that the nfacct
175 object will be incremented unconditionally for each packet.
176 When ! is omitted, the object will be incremented only if all
177 of the matches in the rule succeed.
178
179 NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
180 Causes each matching packet to be sent via the currently loaded
181 logging back-end (usually nfnetlink_log) where it is available
182 to accounting daemons through a netlink socket.
183
184 ?COMMENT
185 The remainder of the line is treated as a comment which is
186 attached to subsequent rules until another COMMENT line is
187 found or until the end of the file is reached. To stop adding
188 comments to rules, use a line with only the word ?COMMENT.
189
190 CHAIN - {-|chain}
191 The name of a chain. If specified as - the accounting chain is
192 assumed when the file is un-sectioned. When the file is sectioned,
193 the default is one of accountin, accountout, etc. depending on the
194 section. This is the chain where the accounting rule is added. The
195 chain will be created if it doesn't already exist. The chain may
196 not exceed 29 characters in length.
197
198 SOURCE - {-|any|all|interface|interface:address|address}
199 Packet Source.
200
201 The name of an interface, an address (host or net) or an interface
202 name followed by ":" and a host or net address. An ipset name is
203 also accepted as an address.
204
205 DEST - {-|any|all|interface|interface:address|address}
206 This column was formerly named DESTINATION.
207
208 Packet Destination.
209
210 Format same as SOURCE column.
211
212 PROTO -
213 {-|{any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}[,...]}
214 This column was formerly named PROTOCOL
215
216 A protocol-name (from protocols(5)), a protocol-number, ipp2p,
217 ipp2p:udp or ipp2p:all
218
219 Beginning with Shorewall 4.5.12, this column can accept a
220 comma-separated list of protocols.
221
222 DPORT -
223 {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
224 Destination Port number. Service name from services(5) or port
225 number. May only be specified if the protocol is TCP (6), UDP (17),
226 DCCP (33), SCTP (132) or UDPLITE (136).
227
228 You may place a comma-separated list of port names or numbers in
229 this column if your kernel and iptables include multi-port match
230 support.
231
232 If the PROTOCOL is ipp2p then this column must contain an
233 ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
234 If no option is given in this column, ipp2p is assumed.
235
236 This column was formerly named DEST PORT(S).
237
238 SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...}
239 Service name from services(5) or port number. May only be specified
240 if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
241 UDPLITE (136).
242
243 You may place a comma-separated list of port numbers in this column
244 if your kernel and iptables include multi-port match support.
245
246 Beginning with Shorewall 4.5.15, you may place '=' in this column,
247 provided that the DEST PORT(S) column is non-empty. This causes the
248 rule to match when either the source port or the destination port
249 in a packet matches one of the ports specified in DPORT. Use of '='
250 requires multi-port match in your iptables and kernel.
251
252 This column was formerly labelled SOURCE PORT(S).
253
254 USER - [!][user-name-or-number][:group-name-or-number][+program-name]
255 This column was formerly named USER/GROUP and may only be non-empty
256 if the CHAIN is OUTPUT.
257
258 When this column is non-empty, the rule applies only if the program
259 generating the output is running under the effective user and/or
260 group specified (or is NOT running under that id if "!" is given).
261
262 Examples:
263
264 joe
265 program must be run by joe
266
267 :kids
268 program must be run by a member of the 'kids' group
269
270 !:kids
271 program must not be run by a member of the 'kids' group
272
273 +upnpd
274 #program named upnpd
275
276 Important
277 The ability to specify a program name was removed from
278 Netfilter in kernel version 2.6.14.
279
280 MARK - [!]value[/mask][:C]
281 Defines a test on the existing packet or connection mark. The rule
282 will match only if the test returns true.
283
284 If you don't want to define a test but need to specify anything in
285 the following columns, place a "-" in this field.
286
287 !
288 Inverts the test (not equal)
289
290 value
291 Value of the packet or connection mark.
292
293 mask
294 A mask to be applied to the mark before testing.
295
296 :C
297 Designates a connection mark. If omitted, the packet mark's
298 value is tested.
299
300 IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken
301 until 4.5.4.1 )
302 The option-list consists of a comma-separated list of options from
303 the following list. Only packets that will be encrypted or have
304 been decrypted via an SA that matches these options will have their
305 source address changed.
306
307 reqid=number
308 where number is specified using setkey(8) using the
309 'unique:number option for the SPD level.
310
311 spi=<number>
312 where number is the SPI of the SA used to encrypt/decrypt
313 packets.
314
315 proto=ah|esp|ipcomp
316 IPSEC Encapsulation Protocol
317
318 mss=number
319 sets the MSS field in TCP packets
320
321 mode=transport|tunnel
322 IPSEC mode
323
324 tunnel-src=address[/mask]
325 only available with mode=tunnel
326
327 tunnel-dst=address[/mask]
328 only available with mode=tunnel
329
330 strict
331 Means that packets must match all rules.
332
333 next
334 Separates rules; can only be used with strict
335
336 yes or ipsec
337 When used by itself, causes all traffic that will be
338 encrypted/encapsulated or has been decrypted/un-encapsulated to
339 match the rule.
340
341 no or none
342 When used by itself, causes all traffic that will not be
343 encrypted/encapsulated or has been decrypted/un-encapsulated to
344 match the rule.
345
346 in
347 May only be used in the FORWARD section and must be the first
348 or the only item the list. Indicates that matching packets have
349 been decrypted in input.
350
351 out
352 May only be used in the FORWARD section and must be the first
353 or the only item in the list. Indicates that matching packets
354 will be encrypted on output.
355
356 If this column is non-empty and sections are not used, then:
357
358 · A chain NAME appearing in the ACTION column must be a chain
359 branched either directly or indirectly from the accipsecin or
360 accipsecout chain.
361
362 · The CHAIN column must contain either accipsecin or accipsecout
363 or a chain branched either directly or indirectly from those
364 chains.
365
366 · These rules will NOT appear in the accounting chain.
367
368 In all of the above columns except ACTION and CHAIN, the values -, any
369 and all may be used as wildcard'gs. Omitted trailing columns are also
370 treated as wildcard'g.
371
373 /etc/shorewall/accounting
374
375 /etc/shorewall6/accounting
376
378 shorewall-logging(5)[4]
379
380 http://www.shorewall.net/configuration_file_basics.htm#Pairs[5]
381
382 shorewall(8)
383
385 1. rules file
386 http://www.shorewall.net/manpages/shorewall-rules.html
387
388 2. xtables-addons
389 http://xtables-addons.sourceforge.net/
390
391 3. http://www.shorewall.net/Accounting.html#perIP
392 http://www.shorewall.net/Accounting.html#perIP
393
394 4. shorewall-logging(5)
395 http://www.shorewall.netshorewall-logging.htm
396
397 5. http://www.shorewall.net/configuration_file_basics.htm#Pairs
398 http://www.shorewall.net/configuration_file_basics.htm#Pairs
399
400
401
402Configuration Files 08/05/2018 SHOREWALL-ACCOUNTIN(5)