SHOREWALL-ACCOUNTIN(5) Configuration Files SHOREWALL-ACCOUNTIN(5)

NAME
accounting - Shorewall Accounting file

SYNOPSIS
/etc/shorewall[6]/accounting

DESCRIPTION
Accounting rules exist simply to count packets and bytes in categories
that you define in this file. You may display these rules and their
packet and byte counters using the shorewall show accounting command.
Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:

• accountin: Rules that are valid in the INPUT chain (may not specify
an output interface).

• accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address).

• accounting: Other rules.

The new structure is enabled by sectioning the accounting file in a
manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
FORWARD and must appear in that order (although any of them may be
omitted). The first non-commentary record in the accounting file must
be a section header when sectioning is used.

Warning
If sections are not used, the Shorewall rules compiler cannot
detect certain violations of netfilter restrictions. These
violations can result in run-time errors such as the following:

iptables-restore v1.4.13: Can't use -o with INPUT

Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
to shorewall.conf and shorewall6.conf. That setting determines the
Netfilter table (filter or mangle) where the accounting rules are
added. When ACCOUNTING_TABLE=mangle is specified, the available
sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.

Section headers have the form:

?SECTION section-name
When sections are enabled:

• A jump to a user-defined accounting chain must appear before
entries that add rules to that chain. This eliminates loops and
unreferenced chains.

• An output interface may not be specified in the PREROUTING and
INPUT sections.

• In the OUTPUT and POSTROUTING sections:

• An input interface may not be specified.

• Jumps to a chain defined in the INPUT or PREROUTING sections
that specifies an input interface are prohibited.

• MAC addresses may not be used.

• Jumps to a chain defined in the INPUT or PREROUTING sections that
specifies a MAC address are prohibited.

• The default value of the CHAIN column is:

• accountin in the INPUT section

• accountout in the OUTPUT section

• accountfwd in the FORWARD section

• accountpre in the PREROUTING section

• accountpost in the POSTROUTING section

• Traffic addressed to the firewall goes through the rules defined in
the INPUT section.

• Traffic originating on the firewall goes through the rules defined
in the OUTPUT section.

• Traffic being forwarded through the firewall goes through the rules
from the FORWARD section.
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax):

ACTION -
{COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT
comment}
What to do when a matching packet is found.

COUNT
Simply count the match and continue with the next rule.

DONE
Count the match and don't attempt to match any other accounting
rules in the chain specified in the CHAIN column.

chain[:COUNT]
Where chain is the name of a chain; shorewall will create the
chain automatically if it doesn't already exist. If a second
chain is mentioned in the CHAIN column, then a jump from this
second chain to chain is created. If no chain is named in the
CHAIN column, then a jump from the default chain to chain is
created. If :COUNT is included, a counting rule matching this
entry will be added to chain. The chain may not exceed 29
characters in length and may be composed of letters, digits,
dash ('-') and underscore ('_').

chain:JUMP
Like the previous option without the :COUNT part.

ACCOUNT(table,network)
This action implements per-IP accounting and was added in
Shorewall 4.4.17. Requires the ACCOUNT Target capability in
your iptables and kernel (see the output of shorewall show
capabilities).

table
is the name of an accounting table (you choose the name).
All rules specifying the same name will have their per-IP
counters accumulated in the same table.

network
is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
The network can be as large as a /8 (class A).

One nice feature of per-IP accounting is that the counters
survive shorewall restart. This has a downside, however. If you
change the network associated with an accounting table, then
you must shorewall stop; shorewall start to have a successful
restart (counters will be cleared).

The counters in a table are printed using the iptaccount
utility. For a command synopsis, type:

iptaccount --help

As of February 2011, the ACCOUNT Target capability and the
iptaccount utility are only available when xtables-addons[2] is
installed. See https://shorewall.org/Accounting.html#perIP[3]
for additional information.

INLINE
Added in Shorewall 4.5.16. Allows free form iptables matches to
be specified following a ';'. In the generated iptables
rule(s), the free form matches will follow any matches that are
generated by the column contents.

NFACCT({object[!]}[,...])
Added in Shorewall 4.5.7. Provides a form of accounting that
survives shorewall stop/shorewall start and shorewall restart.
Requires the NFAcct Match capability in your kernel and
iptables. object names an nfacct object (see man nfacct(8)).
Multiple rules can specify the same object; all packets that
match any of the rules increment the packet and byte counts of
the object.

Prior to Shorewall 4.5.16, only one object could be specified.
Beginning with Shorewall 4.5.16, an arbitrary number of objects
may be given.

With Shorewall 4.5.16 or later, an nfacct object in the list
may optionally be followed by ! to indicate that the nfacct
object will be incremented unconditionally for each packet.
When ! is omitted, the object will be incremented only if all
of the matches in the rule succeed.

NFLOG[(nflog-parameters)] - Added in Shorewall 4.4.20.
Causes each matching packet to be sent via the currently loaded
logging back-end (usually nfnetlink_log) where it is available
to accounting daemons through a netlink socket.

?COMMENT
The remainder of the line is treated as a comment which is
attached to subsequent rules until another ?COMMENT line is
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word ?COMMENT.

CHAIN - {-|chain}
The name of a chain. If specified as - the accounting chain is
assumed when the file is un-sectioned. When the file is sectioned,
the default is one of accountin, accountout, etc. depending on the
section. This is the chain where the accounting rule is added. The
chain will be created if it doesn't already exist. The chain may
not exceed 29 characters in length.

SOURCE - {-|any|all|interface|interface:address|address}
Packet Source.

The name of an interface, an address (host or net) or an interface
name followed by ":" and a host or net address. An ipset name is
also accepted as an address.

DEST - {-|any|all|interface|interface:address|address}
This column was formerly named DESTINATION.

Packet Destination.

Format same as SOURCE column.

PROTO -
{-|{any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}[,...]}
This column was formerly named PROTOCOL.

A protocol-name (from protocols(5)), a protocol-number, ipp2p,
ipp2p:udp or ipp2p:all.

Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.

DPORT -
{-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
Destination Port number. Service name from services(5) or port
number. May only be specified if the protocol is TCP (6), UDP (17),
DCCP (33), SCTP (132) or UDPLITE (136).

You may place a comma-separated list of port names or numbers in
this column if your kernel and iptables include multi-port match
support.

If the PROTO column is ipp2p then this column must contain an
ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
If no option is given in this column, ipp2p is assumed.

This column was formerly named DEST PORT(S).

SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...}
Service name from services(5) or port number. May only be specified
if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
UDPLITE (136).

You may place a comma-separated list of port numbers in this column
if your kernel and iptables include multi-port match support.

Beginning with Shorewall 4.5.15, you may place '=' in this column,
provided that the DPORT column is non-empty. This causes the
rule to match when either the source port or the destination port
in a packet matches one of the ports specified in DPORT. Use of '='
requires multi-port match in your iptables and kernel.

This column was formerly labelled SOURCE PORT(S).

USER - [!][user-name-or-number][:group-name-or-number][+program-name]
This column was formerly named USER/GROUP and may only be non-empty
if the CHAIN is OUTPUT.

When this column is non-empty, the rule applies only if the program
generating the output is running under the effective user and/or
group specified (or is NOT running under that id if "!" is given).

Examples:

joe
program must be run by joe

:kids
program must be run by a member of the 'kids' group

!:kids
program must not be run by a member of the 'kids' group

+upnpd
program named upnpd

Important
The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.

MARK - [!]value[/mask][:C]
Defines a test on the existing packet or connection mark. The rule
will match only if the test returns true.

If you don't want to define a test but need to specify anything in
the following columns, place a "-" in this field.

!
Inverts the test (not equal)

value
Value of the packet or connection mark.

mask
A mask to be applied to the mark before testing.

:C
Designates a connection mark. If omitted, the packet mark's
value is tested.

IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken
until 4.5.4.1)
The option-list consists of a comma-separated list of options from
the following list. Only packets that will be encrypted or have
been decrypted via an SA that matches these options will match the
rule.

reqid=number
where number is specified using setkey(8) using the
'unique:number' option for the SPD level.

spi=<number>
where number is the SPI of the SA used to encrypt/decrypt
packets.

proto=ah|esp|ipcomp
IPSEC Encapsulation Protocol

mss=number
sets the MSS field in TCP packets

mode=transport|tunnel
IPSEC mode

tunnel-src=address[/mask]
only available with mode=tunnel

tunnel-dst=address[/mask]
only available with mode=tunnel

strict
Means that packets must match all rules.

next
Separates rules; can only be used with strict

yes or ipsec
When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulated to
match the rule.

no or none
When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulated to
match the rule.

in
May only be used in the FORWARD section and must be the first
or the only item in the list. Indicates that matching packets have
been decrypted in input.

out
May only be used in the FORWARD section and must be the first
or the only item in the list. Indicates that matching packets
will be encrypted on output.

If this column is non-empty and sections are not used, then:

• A chain NAME appearing in the ACTION column must be a chain
branched either directly or indirectly from the accipsecin or
accipsecout chain.

• The CHAIN column must contain either accipsecin or accipsecout
or a chain branched either directly or indirectly from those
chains.

• These rules will NOT appear in the accounting chain.

In all of the above columns except ACTION and CHAIN, the values -, any
and all may be used as wildcards. Omitted trailing columns are also
treated as wildcards.

FILES
/etc/shorewall/accounting

/etc/shorewall6/accounting

SEE ALSO
shorewall-logging(5)[4]

https://shorewall.org/configuration_file_basics.htm#Pairs[5]

shorewall(8)

NOTES
1. rules file
https://shorewall.org/manpages/shorewall-rules.html

2. xtables-addons
http://xtables-addons.sourceforge.net/

3. https://shorewall.org/Accounting.html#perIP

4. shorewall-logging(5)
https://shorewall.org/manpages/shorewall-logging.htm

5. https://shorewall.org/configuration_file_basics.htm#Pairs

Configuration Files 09/24/2020 SHOREWALL-ACCOUNTIN(5)