1SHOREWALL-RULES(5)            Configuration Files           SHOREWALL-RULES(5)
2
3
4

NAME

6       rules - Shorewall rules file
7

SYNOPSIS

9       /etc/shorewall[6]/rules
10

DESCRIPTION

12       Entries in this file govern connection establishment by defining
13       exceptions to the policies laid out in shorewall-policy[1](5). By
14       default, subsequent requests and responses are automatically allowed
15       using connection tracking. For any particular (source,dest) pair of
16       zones, the rules are evaluated in the order in which they appear in
17       this file and the first terminating match is the one that determines
18       the disposition of the request. All rules are terminating except LOG
19       and COUNT rules.
20
21           Warning
22           If you masquerade or use SNAT from a local system to the internet,
23           you cannot use an ACCEPT rule to allow traffic from the internet to
24           that system. You must use a DNAT rule instead.
25
26       The rules file is divided into sections. Each section is introduced by
27       a "Section Header" which is a line beginning with ?SECTION and followed
28       by the section name.
29
30       Sections are as follows and must appear in the order listed:
31
32       ALL
33           This section was added in Shorewall 4.4.23. Rules in this section
34           are applied, regardless of the connection tracking state of the
35           packet and are applied before rules in the other sections.
36
37       ESTABLISHED
38           Packets in the ESTABLISHED state are processed by rules in this
39           section.
40
41           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
42           LOG, NFLOG, NFQUEUE and QUEUE
43
44           There is an implicit ACCEPT rule inserted at the end of this
45           section.
46
47       RELATED
48           Packets in the RELATED state are processed by rules in this
49           section.
50
51           The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT,
52           LOG, NFLOG, NFQUEUE and QUEUE
53
54           There is an implicit rule added at the end of this section that
55           invokes the RELATED_DISPOSITION (shorewall.conf[2](5)).
56
57       INVALID
58           Added in Shorewall 4.5.13. Packets in the INVALID state are
59           processed by rules in this section.
60
61           The only Actions allowed in this section are ACCEPT, DROP, REJECT,
62           LOG, NFLOG, NFQUEUE and QUEUE.
63
64           There is an implicit rule added at the end of this section that
65           invokes the INVALID_DISPOSITION (shorewall.conf[2](5)).
66
67       UNTRACKED
68           Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
69           processed by rules in this section.
70
71           The only Actions allowed in this section are ACCEPT, DROP, REJECT,
72           LOG, NFLOG, NFQUEUE and QUEUE.
73
74           There is an implicit rule added at the end of this section that
75           invokes the UNTRACKED_DISPOSITION (shorewall.conf[2](5)).
76
77       NEW
78           Packets in the NEW state are processed by rules in this section. If
79           the INVALID and/or UNTRACKED sections are empty or not included,
80           then the packets in the corresponding state(s) are also processed
81           in this section.
82
83           Note
84           If you are not familiar with Netfilter to the point where you are
85           comfortable with the differences between the various connection
86           tracking states, then it is suggested that you place all of your
87           rules in the NEW section (That's after the line that reads ?SECTION
88           NEW').
89
90           Warning
91           If you specify FASTACCEPT=Yes in shorewall.conf[2](5) then the ALL,
92           ESTABLISHED and RELATED sections must be empty.
93
94           An exception is made if you are running Shorewall 4.4.27 or later
95           and you have specified a non-default value for RELATED_DISPOSITION
96           or RELATED_LOG_LEVEL. In that case, you may have rules in the
97           RELATED section of this file.
98
99       You may omit any section that you don't need. If no Section Headers
100       appear in the file then all rules are assumed to be in the NEW section.
101
102       When defining rules that rewrite the destination IP address and/or port
103       number (namely DNAT and REDIRECT rules), it is important to keep
104       straight which columns in the file specify the packet before rewriting
105       and which specify how the packet will look after rewriting.
106
107       •   The DEST column specifies the final destination for the packet
108           after rewriting and can include the final IP address and/or port
109           number.
110
111       •   The remaining columns specify characteristics of the packet before
112           rewriting. In particular, the ORIGDEST column gives the original
113           destination IP address of the packet and the DPORT column give the
114           original destination port(s).
115
116       The columns in the file are as follows (where the column name is
117       followed by a different name in parentheses, the different name is used
118       in the alternate specification syntax).
119
120       ACTION - target[:{log-level|none}[!][:tag]]
121           Specifies the action to be taken if the connection request matches
122           the rule.  target must be one of the following.
123
124           ACCEPT
125               Allow the connection request.
126
127           ACCEPT+
128               like ACCEPT but also excludes the connection from any
129               subsequent matching DNAT[-] or REDIRECT[-] rules. Use with IPv6
130               requires Shorewall 4.5.14 or later.
131
132           ACCEPT!
133               like ACCEPT but exempts the rule from being suppressed by
134               OPTIMIZE=1 in shorewall.conf[2](5).
135
136           action
137               The name of an action declared in shorewall-actions[3](5) or in
138               /usr/share/shorewall[6]/actions.std.
139
140           ADD(ipset:flags[:timeout])
141               Added in Shorewall 4.4.12. Causes addresses and/or port numbers
142               to be added to the named ipset. The flags specify the address
143               or tuple to be added to the set and must match the type of
144               ipset involved. For example, for an iphash ipset, either the
145               SOURCE or DESTINATION address can be added using flags src or
146               dst respectively (see the -A command in ipset (8)).
147
148               Beginning with Shorewall 5.0.3, an optional timeout can be
149               specified. This is the number of seconds that the new entry in
150               the ipset is to remain valid and overrides any timeout
151               specified when the ipset was created.
152
153               ADD is non-terminating. Even if a packet matches the rule, it
154               is passed on to the next rule.
155
156           AUDIT[(accept|drop|reject)]
157               Added in Shorewall 4.5.10. Audits the packet with the specified
158               type; if the type is omitted, then drop is assumed. Require
159               AUDIT_TARGET support in the kernel and iptables.
160
161           A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
162               Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+
163               and ACCEPT! respectively. Require AUDIT_TARGET support in the
164               kernel and iptables. A_ACCEPT+ with IPv6 requires Shorewall
165               4.5.14 or later.
166
167           A_DROP and A_DROP!
168               Added in Shorewall 4.4.20. Audited versions of DROP and DROP!
169               respectively. Require AUDIT_TARGET support in the kernel and
170               iptables.
171
172           A_REJECT AND A_REJECT!
173               Added in Shorewall 4.4.20. Audited versions of REJECT and
174               REJECT! respectively. Require AUDIT_TARGET support in the
175               kernel and iptables.
176
177           ?COMMENT
178               the rest of the line will be attached as a comment to the
179               Netfilter rule(s) generated by the following entries. The
180               comment will appear delimited by "/* ... */" in the output of
181               "shorewall show <chain>". To stop the comment from being
182               attached to further rules, simply include ?COMMENT on a line by
183               itself.
184
185           CONMARK({mark})
186               Added in Shorewall 5.0.7, CONNMARK is identical to MARK with
187               the exception that the mark is assigned to connection to which
188               the packet belongs is marked rather than to the packet itself.
189
190           CONTINUE
191               For experts only.
192
193               Do not process any of the following rules for this (source
194               zone,destination zone). If the source and/or destination IP
195               address falls into a zone defined later in
196               shorewall-zones[4](5) or in a parent zone of the source or
197               destination zones, then this connection request will be passed
198               to the rules defined for that (those) zone(s). See
199               shorewall-nesting[5](5) for additional information.
200
201           CONTINUE!
202               like CONTINUE but exempts the rule from being suppressed by
203               OPTIMIZE=1 in shorewall.conf[2](5).
204
205           COUNT
206               Simply increment the rule's packet and byte count and pass the
207               packet to the next rule.
208
209           DEL(ipset:flags)
210               Added in Shorewall 4.4.12. Causes an entry to be deleted from
211               the named ipset. The flags specify the address or tuple to be
212               deleted from the set and must match the type of ipset involved.
213               For example, for an iphash ipset, either the SOURCE or
214               DESTINATION address can be deleted using flags src or dst
215               respectively (see the -D command in ipset (8)).
216
217               DEL is non-terminating. Even if a packet matches the rule, it
218               is passed on to the next rule.
219
220           DNAT
221               Forward the request to another system (and optionally another
222               port). Use with IPv6 requires Shorewall 4.5.14 or later.
223
224           DNAT-
225               Advanced users only.
226
227               Like DNAT but only generates the DNAT iptables rule and not the
228               companion ACCEPT rule. Use with IPv6 requires Shorewall 4.5.14
229               or later.
230
231           DROP
232               Ignore the request.
233
234           DROP!
235               like DROP but exempts the rule from being suppressed by
236               OPTIMIZE=1 in shorewall.conf[2](5).
237
238           HELPER
239               Added in Shorewall 4.5.7. This action requires that the HELPER
240               column contains the name of the Netfilter helper to be
241               associated with connections matching this connection. May only
242               be specified in the NEW section and is useful for being able to
243               specify a helper when the applicable policy is ACCEPT. No
244               destination zone should be specified in HELPER rules.
245
246           INLINE[(action)]
247               Added in Shorewall 4.5.16. This action allows you to construct
248               most of the rule yourself using iptables syntax. The part that
249               you specify must follow two semicolons (';;') and is completely
250               free-form. If the target of the rule (the part following 'j')
251               is something that Shorewall supports in the ACTION column, then
252               you may enclose it in parentheses (e.g., INLINE(ACCEPT)).
253               Otherwise, you can include it after the semicolon(s). In this
254               case, you must declare the target as a builtin action in
255               shorewall-actions[3](5).
256
257               Some considerations when using INLINE:
258
259               •   The p, s, d, i, o, policy, and state match (state or
260                   conntrack --ctstate) matches will always appear in the
261                   front of the rule in that order.
262
263               •   When multiple matches are specified, the compiler will keep
264                   them in the order in which they appear (excluding the above
265                   listed ones), but they will not necessarily be at the end
266                   of the generated rule. For example, if addresses are
267                   specified in the SOURCE and/or DEST columns, their
268                   generated matches will appear after those specified using
269                   ';;' or ';'.
270
271           IPTABLES({iptables-target [option ...])
272               IPv4 only. This action allows you to specify an iptables target
273               with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
274               the iptables-target is not one recognized by Shorewall, the
275               following error message will be issued:
276
277                       ERROR: Unknown target (iptables-target)
278
279               This error message may be eliminated by adding the
280               iptables-target as a builtin action in shorewall-actions[3](5).
281
282                   Important
283                   If you specify REJECT as the iptables-target, the target of
284                   the rule will be the iptables REJECT target and not
285                   Shorewall's builtin 'reject' chain which is used when
286                   REJECT (see below) is specified as the target in the ACTION
287                   column.
288
289           IP6TABLES({ip6tables-target [option ...])
290               IPv6 only. This action allows you to specify an ip6tables
291               target with options (e.g., 'IPTABLES(MARK --set-xmark
292               0x01/0xff)'. If the ip6tables-target is not one recognized by
293               Shorewall, the following error message will be issued:
294
295                       ERROR: Unknown target (ip6tables-target)
296
297               This error message may be eliminated by adding the
298               ip6tables-target as a builtin action in
299               shorewall-actions[3](5).
300
301                   Important
302                   If you specify REJECT as the ip6tables-target, the target
303                   of the rule will be the i6ptables REJECT target and not
304                   Shorewall's builtin 'reject' chain which is used when
305                   REJECT (see below) is specified as the target in the ACTION
306                   column.
307
308           LOG:level
309               Simply log the packet and continue with the next rule.
310
311           macro[(macrotarget)]
312               The name of a macro defined in a file named macro.macro. If the
313               macro accepts an action parameter (Look at the macro source to
314               see if it has PARAM in the TARGET column) then the macro name
315               is followed by the parenthesized macrotarget (ACCEPT, DROP,
316               REJECT, ...) to be substituted for the parameter.
317
318               Example: FTP(ACCEPT).
319
320               The older syntax where the macro name and the target are
321               separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
322               deprecated.
323
324           MARK({mark})
325               where mark is a packet mark value.
326
327               Added in Shorewall 5.0.7, MARK requires "Mark in filter table"
328               support in your kernel and iptables.
329
330               Normally will set the mark value of the current packet. If
331               preceded by a vertical bar ("|"), the mark value will be
332               logically ORed with the current mark value to produce a new
333               mark value. If preceded by an ampersand ("&"), will be
334               logically ANDed with the current mark value to produce a new
335               mark value.
336
337               Both "|" and "&" require Extended MARK Target support in your
338               kernel and iptables.
339
340               The mark value may be optionally followed by "/" and a mask
341               value (used to determine those bits of the connection mark to
342               actually be set). When a mask is specified, the result of
343               logically ANDing the mark value with the mask must be the same
344               as the mark value.
345
346           NFLOG[(nflog-parameters)]
347               Added in Shorewall 4.5.9.3. Queues matching packets to a back
348               end logging daemon via a netlink socket then continues to the
349               next rule. See https://shorewall.org/shorewall_logging.html[6].
350
351               The nflog-parameters are a comma-separated list of up to 3
352               numbers:
353
354               •   The first number specifies the netlink group (0-65535). If
355                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
356
357               •   The second number specifies the maximum number of bytes to
358                   copy. If omitted, 0 (no limit) is assumed.
359
360               •   The third number specifies the number of log messages that
361                   should be buffered in the kernel before they are sent to
362                   user space. The default is 1.
363
364               NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that
365               the log level is not changed when this ACTION is used in an
366               action or macro body and the invocation of that action or macro
367               specifies a log level.
368
369           NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
370               Queues the packet to a user-space application using the
371               nfnetlink_queue mechanism. If a queuenumber1 is not specified,
372               queue zero (0) is assumed. Beginning with Shorewall 4.6.10, the
373               keyword bypass can be given. By default, if no userspace
374               program is listening on an NFQUEUE, then all packets that are
375               to be queued are dropped. When this option is used, the NFQUEUE
376               rule behaves like ACCEPT instead. Also beginning in Shorewall
377               4.6.10, a second queue number (queuenumber2) may be specified.
378               This specifies a range of queues to use. Packets are then
379               balanced across the given queues. This is useful for multicore
380               systems: start multiple instances of the userspace program on
381               queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the
382               same connection are put into the same nfqueue.
383
384               Beginning with Shorewall 5.1.0, queuenumber2 may be followed by
385               the letter 'c' to indicate that the CPU ID will be used as an
386               index to map packets to the queues. The idea is that you can
387               improve performance if there's a queue per CPU. Requires the
388               NFQUEUE CPU Fanout capability in your kernel and iptables.
389
390           NFQUEUE![([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]
391               like NFQUEUE but exempts the rule from being suppressed by
392               OPTIMIZE=1 in shorewall.conf[2](5).
393
394           NONAT
395               Excludes the connection from any subsequent DNAT[-] or
396               REDIRECT[-] rules but doesn't generate a rule to accept the
397               traffic. Use with IPv6 requires Shorewall 4.5.14 or later.
398
399           QUEUE
400               Queue the packet to a user-space application such as ftwall
401               (http://p2pwall.sf.net). The application may reinsert the
402               packet for further processing.
403
404           QUEUE!
405               like QUEUE but exempts the rule from being suppressed by
406               OPTIMIZE=1 in shorewall.conf[2](5).
407
408           REJECT[(option)]
409               disallow the request and return an icmp-unreachable or an RST
410               packet. If no option is passed, Shorewall selects the
411               appropriate option based on the protocol of the packet.
412
413               Beginning with Shorewall 5.0.8, the type of reject may be
414               specified in the option paramater. Valid IPv4 option values
415               are:
416                   icmp-net-unreachable
417                   icmp-host-unreachable
418                   icmp-port-unreachable
419                   icmp-proto-unreachable
420                   icmp-net-prohibited
421                   icmp-host-prohibited
422                   icmp-admin-prohibited
423                   icmp-tcp-reset (the PROTO column
424                                     must specify TCP). Beginning with
425                   Shorewall 5.1.3, this
426                                     option may also be specified as
427                                     tcp-reset.
428               Valid IPv6 option values are:
429                   icmp6-no-route
430                   no-route
431                   icmp6-adm-prohibited
432                   adm-prohibited
433                   icmp6-addr-unreachable
434                   addr-unreach
435                   icmp6-port-unreachable
436                   tcp-reset (the PROTO column must
437                                     specify TCP)
438
439           REJECT!
440               like REJECT but exempts the rule from being suppressed by
441               OPTIMIZE=1 in shorewall.conf[2](5).
442
443           REDIRECT
444               Redirect the request to a server running on the firewall. Use
445               with IPv6 requires Shorewall 4.5.14 or later.
446
447           REDIRECT-
448               Advanced users only.
449
450               Like REDIRECT but only generates the REDIRECT iptables rule and
451               not the companion ACCEPT rule. Use with IPv6 requires Shorewall
452               4.5.14 or later.
453
454           TARPIT [(tarpit | honeypot | reset)]
455               Added in Shorewall 4.6.6.
456
457               TARPIT captures and holds incoming TCP connections using no
458               local per-connection resources.
459
460               TARPIT only works with the PROTO column set to tcp (6), and is
461               totally application agnostic. This module will answer a TCP
462               request and play along like a listening server, but aside from
463               sending an ACK or RST, no data is sent. Incoming packets are
464               ignored and dropped. The attacker will terminate the session
465               eventually. This module allows the initial packets of an attack
466               to be captured by other software for inspection. In most cases
467               this is sufficient to determine the nature of the attack.
468
469               This offers similar functionality to LaBrea
470               <http://www.hackbusters.net/LaBrea/> but does not require
471               dedicated hardware or IPs. Any TCP port that you would normally
472               DROP or REJECT can instead become a tarpit.
473
474               The target accepts a single optional parameter:
475
476               tarpit
477                   This mode is the default and completes a connection with
478                   the attacker but limits the window size to 0, thus keeping
479                   the attacker waiting long periods of time. While he is
480                   maintaining state of the connection and trying to continue
481                   every 60-240 seconds, we keep none, so it is very
482                   lightweight. Attempts to close the connection are ignored,
483                   forcing the remote side to time out the connection in 12-24
484                   minutes.
485
486               honeypot
487                   This mode completes a connection with the attacker, but
488                   signals a normal window size, so that the remote side will
489                   attempt to send data, often with some very nasty exploit
490                   attempts. We can capture these packets for decoding and
491                   further analysis. The module does not send any data, so if
492                   the remote expects an application level response, the game
493                   is up.
494
495               reset
496                   This mode is handy because we can send an inline RST
497                   (reset). It has no other function.
498
499           ULOG[(ulog-parameters)]
500               IPv4 only. Added in Shorewall 4.5.10. Queues matching packets
501               to a back end logging daemon via a netlink socket then
502               continues to the next rule. See shorewall-logging(5)[7].
503
504               Similar to LOG:ULOG[(ulog-parameters)], except that the log
505               level is not changed when this ACTION is used in an action or
506               macro body and the invocation of that action or macro specifies
507               a log level.
508
509           The target may optionally be followed by ":" and a syslog log level
510           (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to
511           be logged at the specified level. Note that if the ACTION involves
512           destination network address translation (DNAT, REDIRECT, etc.) then
513           the packet is logged before the destination address is rewritten.
514
515           If the ACTION names an action declared in shorewall-actions[3](5)
516           or in /usr/share/shorewall/actions.std then:
517
518           •   If the log level is followed by "!' then all rules in the
519               action are logged at the log level.
520
521           •   If the log level is not followed by "!" then only those rules
522               in the action that do not specify logging are logged at the
523               specified level.
524
525           •   The special log level none!  suppresses logging by the action.
526
527           You may also specify ULOG (IPv4 only) or NFLOG (must be in upper
528           case) as a log level.This will log to the ULOG or NFLOG target for
529           routing to a separate log through use of ulogd
530           (shorewall-logging(5)[7]).
531
532           Actions specifying logging may be followed by a log tag (a string
533           of alphanumeric characters) which is appended to the string
534           generated by the LOGPREFIX (in shorewall.conf[2](5)).
535
536           Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log
537           prefix generated by the LOGPREFIX setting.
538
539       SOURCE - source-spec[,...]
540           Source hosts to which the rule applies.
541
542           source-spec is one of the following:
543
544           zone[,...[+]]
545               The name of a zone defined in shorewall-zones[4](5). When only
546               the zone name is specified, the packet source may be any host
547               in that zone.
548
549               zone may also be one of the following:
550
551               all[+]
552                   all, without the "-" means "All Zones, including the
553                   firewall zone". Normally all omits intra-zone traffic, but
554                   intra-zone traffic can be included specifying "+".
555
556               any[+]
557                   any is equivalent to all when there are no nested zones.
558                   When there are nested zones, any only refers to top-level
559                   zones (those with no parent zones). Note that any excludes
560                   all vserver zones, since those zones are nested within the
561                   firewall zone.
562
563               none
564                   When none is used either in the SOURCE or DEST column, the
565                   rule is ignored.
566
567               Similar to with all and any, intra-zone traffic is normally
568               excluded when multiple zones are listed. Intra-zone traffic may
569               be included by following the list with a plus sign ("+").
570
571               all and any may be followed by an exclamation point ("!") and a
572               comma-separated list of zone names to be omitted.
573
574           zone:[!]interface
575               When this form is used, interface must be the name of an
576               interface associated with the named zone in either
577               shorewall-interfaces[8](5) or shorewall-hosts[9](5). Only
578               packets from hosts in the zone that arrive through the named
579               interface will match the rule.
580
581               Beginning with Shorweall 5.2.1, the interface may be preceded
582               with '!' which matches all interfaces associated with the zone
583               except the one specified.
584
585           zone:address[,...]
586               where address can be:
587
588               •   A host or network IP address. A network address may be
589                   followed by exclusion (see shorewall-exclusion[10](5)).
590
591               •   An address range, specified using the syntax
592                   lowaddress-highaddress.
593
594               •   +ipset where ipset is the name of an ipset and must be
595                   preceded by a plus sign ("+").
596
597               •   A MAC address in Shorewall format (preceded by a tilde
598                   ("~") and with the hex byte values separated by dashes
599                   (e.g., "~00-0a-f6-04-9c-7d").
600
601               •   ^country-code where country-code is a two-character
602                   ISO-3661 country code preceded by a caret ("^").
603
604               •   ^country-code-list where country-code-list is a
605                   comma-separated list of up to 15 ISO-3661 country codes
606                   enclosed in square brackets ("[...]").
607
608               •   The primary IP address of a firewall interface can be
609                   specified by an ampersand ('&') followed by the logical
610                   name of the interface as found in the INTERFACE column of
611                   shorewall-interfaces[8] (5).
612
613           zone:interface:address[,...]
614               This form combines the preceding two and requires that both the
615               incoming interface and source address match.
616
617           zone:exclusion
618               This form matches if the host IP address does not match any of
619               the entries in the exclusion (see shorewall-exclusion[10](5)).
620
621           zone:interface:exclusion
622               This form matches packets from the named zone entering through
623               the specified interface where the source address does not match
624               any entry in the exclusion.
625
626           Beginning with Shorewall 5.1.0, multiple source-specs may be
627           listed, provided that extended forms of the source-spec are used:
628           zone:(interface)
629
630           zone:(address[,...])
631
632           zone:(interface:address[,...])
633
634           zone:(exclusion)
635
636           zone:(interface:exclusion) Examples:
637
638           dmz:192.168.2.2
639               Host 192.168.2.2 in the DMZ
640
641           net:155.186.235.0/24
642               Subnet 155.186.235.0/24 on the Internet
643
644           loc:192.168.1.1,192.168.1.2
645               Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
646
647           loc:~00-A0-C9-15-39-78
648               Host in the local zone with MAC address 00:A0:C9:15:39:78.
649
650           net:192.0.2.11-192.0.2.17
651               Hosts 192.0.2.11-192.0.2.17 in the net zone.
652
653           net:!192.0.2.11-192.0.2.17
654               All hosts in the net zone except for 192.0.2.11-192.0.2.17.
655
656           net:155.186.235.0/24!155.186.235.16/28
657               Subnet 155.186.235.0/24 on the Internet except for
658               155.186.235.16/28
659
660           $FW:&eth0
661               The primary IP address of eth0 in the firewall zone.
662
663           loc,dmz
664               Both the loc and dmz zones.
665
666           all!dmz
667               All but the dmz zone.
668
669           all+!$FW
670               All but the firewall zone and applies to intrazone traffic.
671
672           net:^CN
673               China.
674
675           loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
676               Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
677               arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
678               dmz zone when the packet arrives through eth2 plus all of the
679               net zone.
680
681           dmz:[2002:ce7c:2b4:1::2]
682               Host 2002:ce7c:92b4:1::2 in the DMZ
683
684           net:2001:4d48:ad51:24::/64
685               Subnet 2001:4d48:ad51:24::/64 on the Internet
686
687           loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
688               Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local
689               zone.
690
691           loc:~00-A0-C9-15-39-78
692               Host in the local zone with MAC address 00:A0:C9:15:39:78.
693
694           net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
695               Subnet 2001:4d48:ad51:24::/64 on the Internet except for
696               2001:4d48:ad51:24:6::/80.
697
698       DEST - dest-spec[,...]
699           Destination hosts to which the rule applies.
700
701           dest-spec is one of the following:
702
703           zone[,...[+]]
704               The name of a zone defined in shorewall-zones[4](5). When only
705               the zone name is specified, the packet destination may be any
706               host in that zone.
707
708               zone may also be one of the following:
709
710               all[+]
711                   all, without the "-" means "All Zones, including the
712                   firewall zone". Normally all omits intra-zone traffic, but
713                   intra-zone traffic can be included specifying "+".
714
715               any[+]
716                   any is equivalent to all when there are no nested zones.
717                   When there are nested zones, any only refers to top-level
718                   zones (those with no parent zones). Note that any excludes
719                   all vserver zones, since those zones are nested within the
720                   firewall zone.
721
722               none
723                   When none is used either in the SOURCE or DEST column, the
724                   rule is ignored.
725
726               Similar to with all and any, intra-zone traffic is normally
727               excluded when multiple zones are listed. Intra-zone traffic may
728               be included by following the list with a plus sign ("+").
729
730               all and any may be followed by an exclamation point ("!") and a
731               comma-separated list of zone names to be omitted.
732
733           zone:[!]interface
734               When this form is used, interface must be the name of an
735               interface associated with the named zone in either
736               shorewall-interfaces[8](5) or shorewall-hosts[11](5). Only
737               packets to hosts in the zone that are sent through the named
738               interface will match the rule.
739
740               Beginning with Shorweall 5.2.1, the interface may be preceded
741               with '!' which matches all interfaces associated with the zone
742               except the one specified.
743
744           zone:address[,...]
745               where address can be:
746
747               •   A host or network IP address. A network address may be
748                   followed by exclusion (see shorewall-exclusion[10](5)).
749
750               •   An address range, specified using the syntax
751                   lowaddress-highaddress.
752
753               •   +ipset where ipset is the name of an ipset and must be
754                   preceded by a plus sign ("+").
755
756               •   ^country-code where country-code is a two-character
757                   ISO-3661 country code preceded by a caret ("^").
758
759               •   ^country-code-list where country-code-list is a
760                   comma-separated list of up to 15 ISO-3661 country codes
761                   enclosed in square brackets ("[...]").
762
763               •   The primary IP address of a firewall interface can be
764                   specified by an ampersand ('&') followed by the logical
765                   name of the interface as found in the INTERFACE column of
766                   shorewall-interfaces[8] (5).
767
768           zone:[!]interface:address[,...]
769               This form combines the preceding two and requires that both the
770               outgoing interface and destinationaddress match.
771
772               Beginning with Shorweall 5.2.1, the interface may be preceded
773               with '!' which matches all interfaces associated with the zone
774               except the one specified.
775
776           zone:exclusion
777               This form matches if the host IP address does not match any of
778               the entries in the exclusion (see shorewall-exclusion[10](5)).
779
780           zone:[!]interface:exclusion
781               This form matches packets to the named zone leaving through the
782               specified interface where the destination address does not
783               match any entry in the exclusion.
784
785               Beginning with Shorweall 5.2.1, the interface may be preceded
786               with '!' which matches all interfaces associated with the zone
787               except the one specified.
788
789           [zone]:[server-IP][:port-or-port-range[:random]]
790               This form applies when the ACTION is DNAT[-] or REDIRECT[-].
791               The zone may be omitted in REDIRECT rules ($FW is assumed) and
792               must be omitted in DNAT-, REDIRECT- and NONAT rules.
793
794               server-IP is not allowed in REDIRECT rules and may be omitted
795               in DNAT[-] rules provided that port-or-port-range is included.
796
797               •   The IP address of the server to which the packet is to be
798                   sent.
799
800               •   A range of IP address with the low and high address
801                   separated by a dash (:"-"). Connections are distributed
802                   among the IP addresses in the range.
803
804               If server-IP is omitted in a DNAT[-] rule, only the destination
805               port number is modified by the rule.
806
807               port-or-port-range may be:
808
809               •   An integer port number in the range 1 - 65535.
810
811               •   The name of a service from /etc/services.
812
813               •   A port range with the low and high integer port numbers
814                   separated by a dash ("-"). Connections are distributed
815                   among the ports in the range.
816
817               If random is specified, port mapping will be randomized.
818
819           If the DEST zone is a bport zone, then either:
820
821            1. the SOURCE must be all[+], or
822
823            2. the SOURCE zone must be another bport zone associated with the
824               same bridge, or
825
826            3. the SOURCE zone must be an ipv4 zone that is associated with
827               only the same bridge.
828
829           Beginning with Shorewall 5.1.0, multiple dest-specs may be listed,
830           provided that extended forms of the source-spec are used:
831           zone:(interface)
832
833           zone:(address[,...])
834
835           zone:(interface:address[,...])
836
837           zone:(exclusion)
838
839           zone:(interface:exclusion) Multiple dest-specs are not permitted in
840           DNAT[-] and REDIRECT[-] rules.
841
842           Examples:
843
844           dmz:192.168.2.2
845               Host 192.168.2.2 in the DMZ
846
847           net:155.186.235.0/24
848               Subnet 155.186.235.0/24 on the Internet
849
850           loc:192.168.1.1,192.168.1.2
851               Hosts 192.168.1.1 and 192.168.1.2 in the local zone.
852
853           net:192.0.2.11-192.0.2.17
854               Hosts 192.0.2.11-192.0.2.17 in the net zone.
855
856           net:!192.0.2.11-192.0.2.17
857               All hosts in the net zone except for 192.0.2.11-192.0.2.17.
858
859           net:155.186.235.0/24!155.186.235.16/28
860               Subnet 155.186.235.0/24 on the Internet except for
861               155.186.235.16/28
862
863           $FW:&eth0
864               The primary IP address of eth0 in the firewall zone.
865
866           loc,dmz
867               Both the loc and dmz zones.
868
869           all!dmz
870               All but the dmz zone.
871
872           net:^CN
873               China.
874
875           dmz:192.168.10.4:25
876               Port 25 on server 192.168.10.4 in the dmz zone (DNAT rule).
877
878           loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net
879               Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the packet
880               arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12 in the
881               dmz zone when the packet arrives through eth2 plus all of the
882               net zone.
883
884       PROTO-
885       {-|tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
886           Optional Protocol - ipp2p* requires ipp2p match support in your
887           kernel and iptables.  tcp:syn implies tcp plus the SYN flag must be
888           set and the RST, ACK and FIN flags must be reset. Beginning with
889           Shorewall 5.1.3, you may also specify tcp:!syn, which matches if
890           SYN is not set or if RST, ACK or FIN is set.
891
892           Beginning with Shorewall 4.4.19, this column can contain a
893           comma-separated list of protocol-numbers and/or protocol names.
894
895       DPORT -
896       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
897           Optional destination Ports. A comma-separated list of Port names
898           (from services(5)), port numbers or port ranges; if the protocol is
899           icmp, this column is interpreted as the destination icmp-type(s).
900           ICMP types may be specified as a numeric type, a numeric type and
901           code separated by a slash (e.g., 3/4), or a typename. See
902           https://shorewall.org/configuration_file_basics.htm#ICMP[12]. Note
903           that prior to Shorewall 4.4.19, only a single ICMP type may be
904           listed.
905
906           If the protocol is ipp2p, this column is interpreted as an ipp2p
907           option without the leading "--" (example bit for bit-torrent). If
908           no port is given, ipp2p is assumed.
909
910           A port range is expressed as lowport:highport.
911
912           This column is ignored if PROTO = all but must be entered if any of
913           the following columns are supplied. In that case, it is suggested
914           that this field contain a dash (-).
915
916           If your kernel contains multi-port match support, then only a
917           single Netfilter rule will be generated if in this list and the
918           SPORT list below:
919
920           1. There are 15 or less ports listed.
921
922           2. No port ranges are included or your kernel and iptables contain
923           extended multi-port match support.
924
925           Beginning with Shorewall 4.6.0, an ipset name can be specified in
926           this column. This is intended to be used with bitmap:port ipsets.
927
928           This column was formerly labelled DEST PORT(S).
929
930       SPORT -
931       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
932           Optional port(s) used by the client. If omitted, any source port is
933           acceptable. Specified as a comma- separated list of port names,
934           port numbers or port ranges.
935
936           Beginning with Shorewall 4.5.15, you may place '=' in this column,
937           provided that the DPORT column is non-empty. This causes the rule
938           to match when either the source port or the destination port in a
939           packet matches one of the ports specified in DEST PORTS(S). Use of
940           '=' requires multi-port match in your iptables and kernel.
941
942               Warning
943               Unless you really understand IP, you should leave this column
944               empty or place a dash (-) in the column. Most people who try to
945               use this column get it wrong.
946           If you don't want to restrict client ports but need to specify an
947           ORIGDEST in the next column, then place "-" in this column.
948
949           If your kernel contains multi-port match support, then only a
950           single Netfilter rule will be generated if in this list and the
951           DPORT list above:
952
953           1. There are 15 or less ports listed.
954
955           2. No port ranges are included or your kernel and iptables contain
956           extended multi-port match support.
957
958           Beginning with Shorewall 4.6.0, an ipset name can be specified in
959           this column. This is intended to be used with bitmap:port ipsets.
960
961           This column was formerly labelled SOURCE PORT(S).
962
963       ORIGDEST - [-|address[,address]...[exclusion]|exclusion]
964           Optional. If ACTION is DNAT[-] or REDIRECT[-] then if this column
965           is included and is different from the IP address given in the DEST
966           column, then connections destined for that address will be
967           forwarded to the IP and port specified in the DEST column.
968
969           A comma-separated list of addresses may also be used. This is most
970           useful with the REDIRECT target where you want to redirect traffic
971           destined for particular set of hosts. Finally, if the list of
972           addresses begins with "!" (exclusion) then the rule will be
973           followed only if the original destination address in the connection
974           request does not match any of the addresses listed.
975
976           Beginning with Shorewall 4.4.17, the primary IP address of a
977           firewall interface can be specified by an ampersand ('&') followed
978           by the logical name of the interface as found in the INTERFACE
979           column of shorewall-interfaces[8] (5).
980
981           For other actions, this column may be included and may contain one
982           or more addresses (host or network) separated by commas. Address
983           ranges are not allowed. When this column is supplied, rules are
984           generated that require that the original destination address
985           matches one of the listed addresses. This feature is most useful
986           when you want to generate a filter rule that corresponds to a DNAT-
987           or REDIRECT- rule. In this usage, the list of addresses should not
988           begin with "!".
989
990           It is also possible to specify a set of addresses then exclude part
991           of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
992           specifies the addresses 192.168.1.0-182.168.1.15 and
993           192.168.1.32-192.168.1.255. See shorewall-exclusion[10](5).
994
995           See https://shorewall.org/PortKnocking.html[13] for an example of
996           using an entry in this column with a user-defined action rule.
997
998           This column was formerly labelled ORIGINAL DEST.
999
1000       RATE - limit
1001           where limit is one of:
1002               [-|[{s|d}[/vlsm]:[name[(ht-buckets,ht-max)]:]rate/{sec|min|hour|day}[:burst]
1003               [s[/vlsm1]:][name1[(ht-buckets1,ht-max1)]:]rate1/{sec|min|hour|day}[:burst1],[d[/vlsm2:][name2[(ht-buckets2,ht-max2)]:]rate2/{sec|min|hour|day}[:burst2]
1004           You may optionally rate-limit the rule by placing a value in this
1005           column:
1006
1007           rate* is the number of connections per interval (sec or min) and
1008           burst* is the largest burst permitted. If no burst is given, a
1009           value of 5 is assumed. There may be no no white-space embedded in
1010           the specification.
1011
1012           Example: 10/sec:20
1013
1014           When s: or d: is specified, the rate applies per source IP address
1015           or per destination IP address respectively. The names may be chosen
1016           by the user and specify a hash table to be used to count matching
1017           connections. If not given, the name shorewallN (where N is a unique
1018           integer) is assumed. Where more than one rule or POLICY specifies
1019           the same name, the connections counts for the rules are aggregated
1020           and the individual rates apply to the aggregated count. Beginning
1021           with Shorewall 5.2.1, the s or d may be followed by a slash ("/")
1022           and an integer vlsm. When a vlsm is specified, all source or
1023           destination addresses encountered will be grouped according to the
1024           given prefix length and the so-created subnet will be subject to
1025           the rate limit.
1026
1027           Example: s/24::10/sec
1028
1029           Beginning with Shorewall 4.6.5, two limits may be specified,
1030           separated by a comma. In this case, the first limit (name1, rate1,
1031           burst1) specifies the per-source IP limit and the second limit
1032           specifies the per-destination IP limit.
1033
1034           Example: client:10/sec:20,:60/sec:100
1035
1036           In this example, the 'client' hash table will be used to enforce
1037           the per-source limit and the compiler will pick a unique name for
1038           the hash table that tracks the per-destination limit.
1039
1040           Beginning with Shorewall 5.2.1, the table name, if any, may be
1041           followed by two integers separated by commas and enclosed in
1042           parentheses. The first integer (ht-buckets) specifies the number of
1043           buckets in the generated hash table. The second integer (ht-max)
1044           specifies the maximum number of entries in the hash table.
1045
1046           Example: s:netfw(1024,65536):10/sec
1047
1048           This column was formerly labelled RATE LIMIT.
1049
1050       USER - [!][user-name-or-number][:group-name-or-number][,...]
1051           This optional column may only be non-empty if the SOURCE is the
1052           firewall itself.
1053
1054           When this column is non-empty, the rule applies only if the program
1055           generating the output is running under the effective user and/or
1056           group specified (or is NOT running under that id if "!" is given).
1057
1058           Beginning with Shorewall 4.5.8, multiple user or group names/ids
1059           separated by commas may be specified.
1060
1061           Examples:
1062
1063           joe
1064               program must be run by joe
1065
1066           :kids
1067               program must be run by a member of the 'kids' group
1068
1069           !:kids
1070               program must not be run by a member of the 'kids' group
1071
1072           2001-2099
1073               UIDs 2001 through 2099 (Shorewall 4.5.6 and later)
1074
1075           This column was formerly labelled USER/GROUP.
1076
1077       MARK - [!]value[/mask][:C]
1078           Defines a test on the existing packet or connection mark. The rule
1079           will match only if the test returns true.
1080
1081           If you don't want to define a test but need to specify anything in
1082           the following columns, place a "-" in this field.
1083
1084           !
1085               Inverts the test (not equal)
1086
1087           value
1088               Value of the packet or connection mark.
1089
1090           mask
1091               A mask to be applied to the mark before testing.
1092
1093           :C
1094               Designates a connection mark. If omitted, the packet mark's
1095               value is tested.
1096
1097       CONNLIMIT - [d:][!]limit[:mask]
1098           May be used to limit the number of simultaneous connections to/from
1099           each individual host or network to limit connections. Requires
1100           connlimit match in your kernel and iptables. While the limit is
1101           only checked on rules specifying CONNLIMIT, the number of current
1102           connections is calculated over all current connections from the
1103           SOURCE or DESTINATION host. By default, limiting is done by SOURCE
1104           host or net, but if the specification begins with d:, then limiting
1105           will be donw by destination host or net.
1106
1107           By default, the limit is applied to each host but can be made to
1108           apply to networks of hosts by specifying a mask. The mask specifies
1109           the width of a VLSM mask to be applied to the source address; the
1110           number of current connections is then taken over all hosts in the
1111           subnet source-address/mask. When !  is specified, the rule matches
1112           when the number of connection exceeds the limit.
1113
1114       TIME - timeelement[&timeelement...]
1115           May be used to limit the rule to a particular time period each day,
1116           to particular days of the week or month, or to a range defined by
1117           dates and times. Requires time match support in your kernel and
1118           iptables.
1119
1120           timeelement may be:
1121
1122           timestart=hh:mm[:ss]
1123               Defines the starting time of day.
1124
1125           timestop=hh:mm[:ss]
1126               Defines the ending time of day.
1127
1128           contiguous
1129               Added in Shoreawll 5.0.12. When timestop is smaller than
1130               timestart value, match this as a single time period instead of
1131               distinct intervals.
1132
1133           utc
1134               Times are expressed in Greenwich Mean Time.
1135
1136           localtz
1137               Deprecated by the Netfilter team in favor of kerneltz. Times
1138               are expressed in Local Civil Time (default).
1139
1140           kerneltz
1141               Added in Shorewall 4.5.2. Times are expressed in Local Kernel
1142               Time (requires iptables 1.4.12 or later).
1143
1144           weekdays=ddd[,ddd]...
1145               where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
1146
1147           monthdays=dd[,dd],...
1148               where dd is an ordinal day of the month
1149
1150
1151           datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1152               Defines the starting date and time.
1153
1154           datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
1155               Defines the ending date and time.
1156
1157       HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
1158       4.4.15)
1159           This column is only used in IPv6. In IPv4, supply "-" in this
1160           column if you with to place a value in one of the following
1161           columns.
1162
1163           The header-list consists of a comma-separated list of headers from
1164           the following list.
1165
1166           auth, ah, or 51
1167               Authentication Headers extension header.
1168
1169           esp, or 50
1170               Encrypted Security Payload extension header.
1171
1172           hop, hop-by-hop or 0
1173               Hop-by-hop options extension header.
1174
1175           route, ipv6-route or 43
1176               IPv6 Route extension header.
1177
1178           frag, ipv6-frag or 44
1179               IPv6 fragmentation extension header.
1180
1181           none, ipv6-nonxt or 59
1182               No next header
1183
1184           proto, protocol or 255
1185               Any protocol header.
1186
1187           If any: is specified, the rule will match if any of the listed
1188           headers are present. If exactly: is specified, the will match
1189           packets that exactly include all specified headers. If neither is
1190           given, any: is assumed.
1191
1192           If !  is entered, the rule will match those packets which would not
1193           be matched when !  is omitted.
1194
1195       SWITCH - [!]switch-name[={0|1}]
1196           Added in Shorewall 4.4.24 and allows enabling and disabling the
1197           rule without requiring shorewall reload.
1198
1199           The rule is enabled if the value stored in
1200           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
1201           that file contains 0 (the default). If '!' is supplied, the test is
1202           inverted such that the rule is enabled if the file contains 0.
1203
1204           Within the switch-name, '@0' and '@{0}' are replaced by the name of
1205           the chain to which the rule is a added. The switch-name (after
1206           '@...' expansion) must begin with a letter and be composed of
1207           letters, decimal digits, underscores or hyphens. Switch names must
1208           be 30 characters or less in length.
1209
1210           Switches are normally off. To turn a switch on:
1211               echo 1 >
1212                           /proc/net/nf_condition/switch-name
1213           To turn it off again:
1214               echo 0 >
1215                           /proc/net/nf_condition/switch-name
1216           Switch settings are retained over shorewall reload.
1217
1218           Beginning with Shorewall 4.5.10, when the switch-name is followed
1219           by =0 or =1, then the switch is initialized to off or on
1220           respectively by the start command. Other commands do not affect the
1221           switch setting.
1222
1223       HELPER - [helper]
1224           Added in Shorewall 4.5.7.
1225
1226           In the NEW section, causes the named conntrack helper to be
1227           associated with this connection; the contents of this column are
1228           ignored unless ACTION is ACCEPT*, DNAT* or REDIRECT*.
1229
1230           In the RELATED section, will only match if the related connection
1231           has the named helper associated with it.
1232
1233           The helper may be one of:
1234               amanda
1235               ftp
1236               irc
1237               netbios-ns
1238               pptp
1239               Q.931
1240               RAS
1241               sane
1242               sip
1243               snmp
1244               tftp
1245           If the HELPERS option is specified in shorewall.conf[2](5), then
1246           any module specified in this column must be listed in the HELPERS
1247           setting.
1248

EXAMPLES

1250       Example 1:
1251           Accept SMTP requests from the DMZ to the internet
1252
1253                        #ACTION SOURCE  DEST      PROTO      DPORT   SPORT   ORIGDEST
1254                        ACCEPT  dmz     net       tcp        smtp
1255
1256       Example 2:
1257           Forward all ssh and http connection requests from the internet to
1258           local system 192.168.1.3
1259
1260                       #ACTION SOURCE  DEST            PROTO   DPORT   SPORT   ORIGDEST
1261                       DNAT    net     loc:192.168.1.3 tcp     ssh,http
1262
1263       Example 3:
1264           Forward all http connection requests from the internet to local
1265           system 192.168.1.3 with a limit of 3 per second and a maximum burst
1266           of 10
1267
1268                       #ACTION SOURCE DEST             PROTO  DPORT SPORT   ORIGDEST RATE
1269                       DNAT    net    loc:192.168.1.3  tcp    http  -       -        3/sec:10
1270
1271       Example 4:
1272           Redirect all locally-originating www connection requests to port
1273           3128 on the firewall (Squid running on the firewall system) except
1274           when the destination address is 192.168.2.2
1275
1276                       #ACTION  SOURCE DEST      PROTO DPORT   SPORT   ORIGDEST
1277                       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
1278
1279       Example 5:
1280           All http requests from the internet to address 130.252.100.69 are
1281           to be forwarded to 192.168.1.3
1282
1283                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1284                       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
1285
1286       Example 6:
1287           You want to accept SSH connections to your firewall only from
1288           internet IP addresses 130.252.100.69 and 130.252.100.70
1289
1290                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1291                       ACCEPT   net:130.252.100.69,130.252.100.70 \
1292                                       $FW             tcp     22
1293
1294       Example 7:
1295           You wish to accept connections from the internet to your firewall
1296           on port 2222 and you want to forward them to local system
1297           192.168.1.3, port 22
1298
1299                       #ACTION  SOURCE DEST                PROTO   DPORT   SPORT   ORIGDEST
1300                       DNAT     net    loc:192.168.1.3:22  tcp     2222
1301
1302       Example 8:
1303           You want to redirect connection requests to port 80 randomly to the
1304           port range 81-90.
1305
1306                       #ACTION  SOURCE DEST                PROTO DPORT   SPORT   ORIGDEST
1307                       REDIRECT net    $FW::81-90:random   tcp   www
1308
1309       Example 9:
1310           Shorewall does not impose as much structure on the Netfilter rules
1311           in the 'nat' table as it does on those in the filter table. As a
1312           consequence, when using Shorewall versions before 4.1.4, care must
1313           be exercised when using DNAT and REDIRECT rules with zones defined
1314           with wildcard interfaces (those ending with '+'. Here is an
1315           example:
1316
1317           shorewall-zones[4](5):
1318
1319                       #ZONE       TYPE    OPTIONS
1320                       fw          firewall
1321                       net         ipv4
1322                       dmz         ipv4
1323                       loc         ipv4
1324
1325           shorewall-interfaces[8](5):
1326
1327                       #ZONE       INTERFACE       BROADCAST      OPTIONS
1328                       net         ppp0
1329                       loc         eth1            detect
1330                       dmz         eth2            detect
1331                       -           ppp+                           # Addresses are assigned from 192.168.3.0/24
1332
1333           shorewall-host[11](5):
1334
1335                       #ZONE       HOST(S)              OPTIONS
1336                       loc         ppp+:192.168.3.0/24
1337
1338           rules:
1339
1340                       #ACTION     SOURCE          DEST       PROTO       DPORT
1341                       REDIRECT    loc             3128       tcp         80
1342
1343           Note that it would have been tempting to simply define the loc zone
1344           entirely in shorewall-interfaces(8):
1345
1346                       #******************* INCORRECT *****************
1347                       #ZONE       INTERFACE       BROADCAST      OPTIONS
1348                       net         ppp0
1349                       loc         eth1            detect
1350                       loc         ppp+
1351                       dmz         eth2
1352
1353           This would have made it impossible to run a internet-accessible web
1354           server in the DMZ because all traffic entering ppp+ interfaces
1355           would have been redirected to port 3128 on the firewall and there
1356           would have been no net->fw ACCEPT rule for that traffic.
1357
1358       Example 10:
1359           Add the tuple (source IP, dest port, dest IP) of an incoming SSH
1360           connection to the ipset S:
1361
1362                       #ACTION                       SOURCE           DEST           PROTO       DPORT
1363                       ADD(+S:dst,src,dst)           net              fw             tcp         22
1364
1365       Example 11:
1366           You wish to limit SSH connections from remote systems to 1/min with
1367           a burst of three (to allow for limited retry):
1368
1369                       #ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
1370                       SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3
1371
1372       Example 12:
1373           Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.
1374
1375                       #ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
1376                       DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down
1377
1378       Example 13:
1379           Drop all email from the Anonymous Proxy and Satellite Provider
1380           address ranges:
1381
1382                       #ACTION                       SOURCE           DEST           PROTO       DPORT
1383                       DROP                          net:^A1,A2       fw             tcp         25
1384
1385       Example 14:
1386           You want to generate your own rule involving iptables targets and
1387           matches not supported by Shorewall.
1388
1389                       #ACTION                       SOURCE           DEST           PROTO       DPORT
1390                       INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1391
1392           The above will generate the following iptables-restore input:
1393
1394                       -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
1395
1396           Note that SECCTX must be defined as a builtin action in
1397           shorewall-actions[3](5):
1398
1399                       #ACTION            OPTIONS
1400                       SECCTX             builtin
1401
1402       Example 15:
1403           You want to accept SSH connections to your firewall only from
1404           internet IP addresses 2002:ce7c::92b4:1::2 and
1405           2002:ce7c::92b4:1::22
1406
1407                       #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
1408                       ACCEPT   net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
1409                                       $FW              tcp     22
1410

FILES

1412       /etc/shorewall/rules
1413
1414       /etc/shorewall6/rules
1415

SEE ALSO

1417       shorewall-logging(5)[7]
1418
1419       https://shorewall.org/ipsets.html[14]
1420
1421       https://shorewall.org/configuration_file_basics.htm#Pairs[15]
1422
1423       shorewall(8)
1424

NOTES

1426        1. shorewall-policy
1427           https://shorewall.org/manpages/shorewall-policy.html
1428
1429        2. shorewall.conf
1430           https://shorewall.org/manpages/shorewall.conf.html
1431
1432        3. shorewall-actions
1433           https://shorewall.org/manpages/shorewall-actions.html
1434
1435        4. shorewall-zones
1436           https://shorewall.org/manpages/shorewall-zones.html
1437
1438        5. shorewall-nesting
1439           https://shorewall.org/manpages/shorewall-nesting.html
1440
1441        6. https://shorewall.org/shorewall_logging.html
1442           https://shorewall.org/shorewall_logging.html
1443
1444        7. shorewall-logging(5)
1445           https://shorewall.org/manpages/shorewall-logging.html
1446
1447        8. shorewall-interfaces
1448           https://shorewall.org/manpages/shorewall-interfaces.html
1449
1450        9. shorewall-hosts
1451           https://shorewall.org/manpages/shorewall.hosts.html
1452
1453       10. shorewall-exclusion
1454           https://shorewall.org/manpages/shorewall-exclusion.html
1455
1456       11. shorewall-hosts
1457           https://shorewall.org/manpages/shorewall-hosts.html
1458
1459       12. https://shorewall.org/configuration_file_basics.htm#ICMP
1460           https://shorewall.org/configuration_file_basics.htm#ICMP
1461
1462       13. https://shorewall.org/PortKnocking.html
1463           https://shorewall.org/PortKnocking.html
1464
1465       14. https://shorewall.org/ipsets.html
1466           https://shorewall.org/ipsets.html
1467
1468       15. https://shorewall.org/configuration_file_basics.htm#Pairs
1469           https://shorewall.org/configuration_file_basics.htm#Pairs
1470
1471
1472
1473Configuration Files               09/24/2020                SHOREWALL-RULES(5)
Impressum