shorewall-rules(5)                                          shorewall-rules(5)



NAME

       rules - Shorewall rules file


SYNOPSIS

       /etc/shorewall/rules


DESCRIPTION

       Entries in this file govern connection establishment by defining
       exceptions to the policies laid out in shorewall-policy
       ⟨shorewall-policy.html⟩ (5). By default, subsequent requests and
       responses are automatically allowed using connection tracking. For
       any particular (source,dest) pair of zones, the rules are evaluated
       in the order in which they appear in this file and the first
       terminating match is the one that determines the disposition of the
       request. All rules are terminating except LOG and QUEUE rules.
              Warning

              If you masquerade or use SNAT from a local system to the
              internet, you cannot use an ACCEPT rule to allow traffic from
              the internet to that system. You must use a DNAT rule instead.

       The rules file is divided into sections. Each section is introduced
       by a "Section Header" which is a line beginning with SECTION and
       followed by the section name.

       Sections are as follows and must appear in the order listed:

       ESTABLISHED
              Packets in the ESTABLISHED state are processed by rules in
              this section.

              The only ACTIONs allowed in this section are ACCEPT, DROP,
              REJECT, LOG and QUEUE.

              There is an implicit ACCEPT rule inserted at the end of this
              section.

       RELATED
              Packets in the RELATED state are processed by rules in this
              section.

              The only ACTIONs allowed in this section are ACCEPT, DROP,
              REJECT, LOG and QUEUE.

              There is an implicit ACCEPT rule inserted at the end of this
              section.

       NEW    Packets in the NEW and INVALID states are processed by rules
              in this section.
              Note

              If you are not familiar with Netfilter to the point where you
              are comfortable with the differences between the various
              connection tracking states, then it is suggested that you omit
              the ESTABLISHED and RELATED sections and place all of your
              rules in the NEW section (that is, after the line that reads
              SECTION NEW).
              Warning

              If you specify FASTACCEPT=Yes in shorewall.conf
              ⟨shorewall.conf.html⟩ (5) then the ESTABLISHED and RELATED
              sections must be empty.

       You may omit any section that you don't need. If no Section Headers
       appear in the file then all rules are assumed to be in the NEW
       section.

       When defining rules that rewrite the destination IP address and/or
       port number (namely DNAT and REDIRECT rules), it is important to keep
       straight which columns in the file specify the packet before
       rewriting and which specify how the packet will look after rewriting.

       · The DEST column specifies the final destination for the packet
         after rewriting and can include the final IP address and/or port
         number.

       · The remaining columns specify characteristics of the packet before
         rewriting. In particular, the ORIGINAL DEST column gives the
         original destination IP address of the packet and the DEST PORT(S)
         column gives the original destination port(s).

       The columns in the file are as follows.

       ACTION — {ACCEPT[+|!]|NONAT|DROP[!]|REJECT[!]|DNAT[-]|SAME[-]|
       REDIRECT[-]|CONTINUE[!]|LOG|QUEUE[!]|NFQUEUE[/queuenumber]|COMMENT|
       action|macro[/target]}[:{log-level|none}[!][:tag]]
              Specifies the action to be taken if the connection request
              matches the rule. Must be one of the following.

              ACCEPT Allow the connection request.

              ACCEPT+
                     like ACCEPT but also excludes the connection from any
                     subsequent matching DNAT[-] or REDIRECT[-] rules.

              ACCEPT!
                     like ACCEPT but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              NONAT  Excludes the connection from any subsequent DNAT[-] or
                     REDIRECT[-] rules but doesn't generate a rule to accept
                     the traffic.

              DROP   Ignore the request.

              DROP!  like DROP but exempts the rule from being suppressed by
                     OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩ (5).

              REJECT disallow the request and return an icmp-unreachable or
                     an RST packet.

              REJECT!
                     like REJECT but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              DNAT   Forward the request to another system (and optionally
                     another port).

              DNAT-  Advanced users only.

                     Like DNAT but only generates the DNAT iptables rule and
                     not the companion ACCEPT rule.

              SAME   Similar to DNAT except that the port may not be
                     remapped and when multiple server addresses are listed,
                     all requests from a given remote system go to the same
                     server.
                     Warning

                     Support for SAME is scheduled for removal from the
                     Linux kernel in 2008.

              SAME-  Advanced users only.

                     Like SAME but only generates the nat iptables rule and
                     not the companion ACCEPT rule.

              REDIRECT
                     Redirect the request to a server running on the
                     firewall.

              REDIRECT-
                     Advanced users only.

                     Like REDIRECT but only generates the REDIRECT iptables
                     rule and not the companion ACCEPT rule.

              CONTINUE
                     For experts only.

                     Do not process any of the following rules for this
                     (source zone,destination zone). If the source and/or
                     destination IP address falls into a zone defined later
                     in shorewall-zones ⟨shorewall-zones.html⟩ (5) or in a
                     parent zone of the source or destination zones, then
                     this connection request will be passed to the rules
                     defined for that (those) zone(s). See shorewall-nesting
                     ⟨shorewall-nesting.html⟩ (5) for additional
                     information.

              CONTINUE!
                     like CONTINUE but exempts the rule from being
                     suppressed by OPTIMIZE=1 in shorewall.conf
                     ⟨shorewall.conf.html⟩ (5).

              LOG    Simply log the packet and continue with the next rule.

              QUEUE  Queue the packet to a user-space application such as
                     ftwall (http://p2pwall.sf.net). The application may
                     reinsert the packet for further processing.

              QUEUE! like QUEUE but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              NFQUEUE
                     Only supported by Shorewall-perl >= 4.0.3.

                     Queues the packet to a user-space application using the
                     nfnetlink_queue mechanism. If a queuenumber is not
                     specified, queue zero (0) is assumed.

              NFQUEUE!
                     like NFQUEUE but exempts the rule from being suppressed
                     by OPTIMIZE=1 in shorewall.conf ⟨shorewall.conf.html⟩
                     (5).

              COMMENT
                     the rest of the line will be attached as a comment to
                     the Netfilter rule(s) generated by the following
                     entries. The comment will appear delimited by
                     "/* ... */" in the output of "shorewall show <chain>".
                     To stop the comment from being attached to further
                     rules, simply include COMMENT on a line by itself.

              action The name of an action declared in shorewall-actions
                     ⟨shorewall-actions.html⟩ (5) or in
                     /usr/share/shorewall/actions.std.

              macro  The name of a macro defined in a file named
                     macro.macro. If the macro accepts an action parameter
                     (look at the macro source to see if it has PARAM in
                     the TARGET column) then the macro name is followed by
                     "/" and the target (ACCEPT, DROP, REJECT, ...) to be
                     substituted for the parameter.

                     Example: FTP/ACCEPT.

              The ACTION may optionally be followed by ":" and a syslog log
              level (e.g., REJECT:info or DNAT:debug). This causes the
              packet to be logged at the specified level. Note that if the
              ACTION involves destination network address translation
              (DNAT, REDIRECT, SAME, etc.) then the packet is logged before
              the destination address is rewritten.

              If the ACTION names an action declared in shorewall-actions
              ⟨shorewall-actions.html⟩ (5) or in
              /usr/share/shorewall/actions.std then:

                     · If the log level is followed by "!" then all rules in
                       the action are logged at the log level.

                     · If the log level is not followed by "!" then only
                       those rules in the action that do not specify logging
                       are logged at the specified level.

                     · The special log level none! suppresses logging by the
                       action.

              You may also specify ULOG (must be in upper case) as a log
              level. This will log to the ULOG target for routing to a
              separate log through use of ulogd
              (⟨http://www.netfilter.org/projects/ulogd/index.html⟩).

              Actions specifying logging may be followed by a log tag (a
              string of alphanumeric characters) which is appended to the
              string generated by the LOGPREFIX (in shorewall.conf
              ⟨shorewall.conf.html⟩ (5)).

              Example: ACCEPT:info:ftp would include 'ftp ' at the end of
              the log prefix generated by the LOGPREFIX setting.

       SOURCE — {zone|all[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}]
              Source hosts to which the rule applies. May be a zone declared
              in /etc/shorewall/zones, $FW to indicate the firewall itself,
              all, all+, all-, all+- or none.

              When none is used either in the SOURCE or DEST column, the
              rule is ignored.

              all means "All Zones", including the firewall itself. all-
              means "All Zones, except the firewall itself". When all[-] is
              used either in the SOURCE or DEST column intra-zone traffic is
              not affected. When all+[-] is used, intra-zone traffic is
              affected.

              Except when all[+][-] is specified, clients may be further
              restricted to a list of networks and/or hosts by appending ":"
              and a comma-separated list of network and/or host addresses.
              Hosts may be specified by IP or MAC address; MAC addresses
              must begin with "~" and must use "-" as a separator.

              Hosts may also be specified as an IP address range using the
              syntax lowaddress-highaddress. This requires that your kernel
              and iptables contain iprange match support. If your kernel and
              iptables have ipset match support then you may give the name
              of an ipset prefaced by "+". The ipset name may be optionally
              followed by a number from 1 to 6 enclosed in square brackets
              ([]) to indicate the number of levels of source bindings to be
              matched.

              You may exclude certain hosts from the set already defined
              through use of an exclusion (see shorewall-exclusion
              ⟨shorewall-exclusion.html⟩ (5)).

              Examples:

              dmz:192.168.2.2
                     Host 192.168.2.2 in the DMZ

              net:155.186.235.0/24
                     Subnet 155.186.235.0/24 on the Internet

              loc:192.168.1.1,192.168.1.2
                     Hosts 192.168.1.1 and 192.168.1.2 in the local zone.

              loc:~00-A0-C9-15-39-78
                     Host in the local zone with MAC address
                     00:A0:C9:15:39:78.

              net:192.0.2.11-192.0.2.17
                     Hosts 192.0.2.11-192.0.2.17 in the net zone.

              net:!192.0.2.11-192.0.2.17
                     All hosts in the net zone except for
                     192.0.2.11-192.0.2.17.

              net:155.186.235.0/24!155.186.235.16/28
                     Subnet 155.186.235.0/24 on the Internet except for
                     155.186.235.16/28

              Alternatively, clients may be specified by interface by
              appending ":" to the zone name followed by the interface name.
              For example, loc:eth1 specifies a client that communicates
              with the firewall system through eth1. This may be optionally
              followed by another colon (":") and an IP/MAC/subnet address
              as described above (e.g., loc:eth1:192.168.1.5).

              It is important to note that when using Shorewall-shell and
              specifying an address list that will be split (i.e., a
              comma-separated list), there is a subtle behavior which has
              the potential to cause confusion. Consider the two examples
              below:

              Examples:

              loc:eth1:192.168.1.3,192.168.1.5
                     Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
                     with 192.168.1.3 coming from eth1 and 192.168.1.5
                     originating from any interface in the zone.

              loc:eth1:192.168.1.3,eth1:192.168.1.5
                     Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
                     with both originating from eth1.

              That is, the interface name must be explicitly stated for each
              member of the comma-separated list. Again, this distinction in
              behavior only occurs when using Shorewall-shell.

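       The following Python script is an added example; it is not part of
       shorewall-rules(5) or of the Shorewall compilers. It expands a SOURCE
       column value into one (zone, interface, host) entry per list member,
       following the Shorewall-shell splitting behaviour described above, so
       that the difference between the two examples becomes visible. The
       SourceHost fields, the regular expressions and the helper names are
       the example's own; the sample values are the man page's examples.

```python
"""Expand the SOURCE column of a Shorewall rules entry.

Added example; not part of shorewall-rules(5) or of Shorewall. It applies
the Shorewall-shell behaviour the man page describes: the text after the
zone is split at commas, and an interface prefix applies only to the list
member that names it explicitly. Field and regex names are this example's.
"""
import re
from typing import List, NamedTuple, Optional

MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")   # ~00-A0-C9-15-39-78
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")     # host or subnet
RANGE_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}$")  # low-high


class SourceHost(NamedTuple):
    zone: str
    interface: Optional[str]  # None: any interface in the zone
    kind: str                 # 'any', 'address', 'range', 'mac' or 'ipset'
    value: Optional[str]      # the address, range, MAC or ipset text
    excluded: bool            # True for members introduced by "!"


def classify(text: str) -> str:
    """Name the kind of a single host specification."""
    if text.startswith("+"):
        return "ipset"
    if MAC_RE.match(text):
        return "mac"
    if RANGE_RE.match(text):
        return "range"
    if IPV4_RE.match(text):
        return "address"
    raise ValueError(f"unrecognised host specification: {text!r}")


def looks_like_host(text: str) -> bool:
    """Distinguish a host/ipset/exclusion token from an interface name."""
    return text.startswith(("+", "!", "~")) or text[:1].isdigit()


def parse_source(spec: str) -> List[SourceHost]:
    """Return one SourceHost per member of the SOURCE column value."""
    zone, _, rest = spec.partition(":")
    if zone == "none":
        return []                     # the man page: the rule is ignored
    if not rest:
        return [SourceHost(zone, None, "any", None, False)]
    if zone.startswith("all"):
        raise ValueError("all[+][-] may not be followed by ':' qualifiers")
    hosts: List[SourceHost] = []
    # Shorewall-shell splits at commas before it looks for an interface,
    # so in "eth1:A,B" only A is tied to eth1.
    for member in rest.split(","):
        interface: Optional[str] = None
        if ":" in member:
            interface, _, member = member.partition(":")
        elif not looks_like_host(member):
            interface, member = member, ""   # bare interface, e.g. loc:eth1
        if member == "":
            hosts.append(SourceHost(zone, interface, "any", None, False))
            continue
        include, *exclusions = member.split("!")   # "net!excl" or "!excl"
        if include:
            hosts.append(SourceHost(zone, interface, classify(include), include, False))
        for ex in exclusions:
            hosts.append(SourceHost(zone, interface, classify(ex), ex, True))
    return hosts


if __name__ == "__main__":
    for spec in ("loc:eth1:192.168.1.3,192.168.1.5",
                 "loc:eth1:192.168.1.3,eth1:192.168.1.5"):
        print(spec, "->", parse_source(spec))
```

       Running the script prints the two expansions; the second member of
       the first example comes back with no interface, which is exactly the
       surprise the man page warns about.
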
       DEST — {zone|all[+][-]}[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}][:port[:random]]
              Location of Server. May be a zone declared in shorewall-zones
              ⟨shorewall-zones.html⟩ (5), $FW to indicate the firewall
              itself, all, all+ or none.

              When none is used either in the SOURCE or DEST column, the
              rule is ignored.

              When all is used either in the SOURCE or DEST column
              intra-zone traffic is not affected. When all+ is used,
              intra-zone traffic is affected.

              If the DEST zone is a bport zone, then either:

              1.  the SOURCE must be all[+][-], or

              2.  the SOURCE zone must be another bport zone associated with
                  the same bridge, or

              3.  the SOURCE zone must be an ipv4 zone that is associated
                  with only the same bridge.

              Except when all[+][-] is specified, the server may be further
              restricted to a particular network, host or interface by
              appending ":" and the network, host or interface. See SOURCE
              above.

              You may exclude certain hosts from the set already defined
              through use of an exclusion (see shorewall-exclusion
              ⟨shorewall-exclusion.html⟩ (5)).

              Restrictions:

              1. MAC addresses are not allowed (this is a Netfilter
                 restriction).

              2. In DNAT rules, only IP addresses are allowed; no FQDNs or
                 subnet addresses are permitted.

              3. You may not specify both an interface and an address.

              Like in the SOURCE column, you may specify a range of IP
              addresses using the syntax lowaddress-highaddress. When the
              ACTION is DNAT or DNAT-, the connections will be assigned to
              addresses in the range in a round-robin fashion.

              If your kernel and iptables have ipset match support then you
              may give the name of an ipset prefaced by "+". The ipset name
              may be optionally followed by a number from 1 to 6 enclosed in
              square brackets ([]) to indicate the number of levels of
              destination bindings to be matched. Only one of the SOURCE and
              DEST columns may specify an ipset name.

              The port that the server is listening on may be included and
              separated from the server's IP address by ":". If omitted, the
              firewall will not modify the destination port. A destination
              port may only be included if the ACTION is DNAT or REDIRECT.

                     Example:
                            loc:192.168.1.3:3128
                            specifies a local server at IP address
                            192.168.1.3 and listening on port 3128.

              If you are using Shorewall-shell or Shorewall-perl before
              version 4.0.5, then the port number MUST be specified as an
              integer and not as a name from services(5). Shorewall-perl
              4.0.5 and later permit the port to be specified as a service
              name. Additionally, Shorewall-perl 4.0.5 and later permit
              specifying a port range in the form lowport-highport to cause
              connections to be assigned to ports in the range in
              round-robin fashion. When a port range is specified, lowport
              and highport must be given as integers; service names are not
              permitted. Beginning with Shorewall 4.0.6, the port range may
              be optionally followed by :random which causes assignment to
              ports in the list to be random.

              If the ACTION is REDIRECT or REDIRECT-, this column needs only
              to contain the port number on the firewall that the request
              should be redirected to. That is equivalent to specifying
              $FW::port.

       PROTO (Optional) — {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
              Protocol - ipp2p* requires ipp2p match support in your kernel
              and iptables. tcp:syn implies tcp plus the SYN flag must be
              set and the RST, ACK and FIN flags must be reset.

       DEST PORT(S) (Optional) — {-|port-name-number-or-range[,port-name-number-or-range]...}
              Destination Ports. A comma-separated list of Port names (from
              services(5)), port numbers or port ranges; if the protocol is
              icmp, this column is interpreted as the destination
              icmp-type(s).

              If the protocol is ipp2p, this column is interpreted as an
              ipp2p option without the leading "--" (example bit for
              bit-torrent). If no port is given, ipp2p is assumed.

              A port range is expressed as lowport:highport.

              This column is ignored if PROTO = all but must be entered if
              any of the following columns are supplied. In that case, it is
              suggested that this field contain a dash (-).

              If your kernel contains multi-port match support, then only a
              single Netfilter rule will be generated if in this list and
              the SOURCE PORT(S) list below:

              1. There are 15 or less ports listed.

              2. No port ranges are included or your kernel and iptables
                 contain extended multiport match support.

              Otherwise, unless you are using Shorewall-perl
              ⟨../Shorewall-perl.html⟩, a separate rule will be generated
              for each port. Shorewall-perl does not automatically break up
              lists into individual rules.

       SOURCE PORT(S) (Optional) — {-|port-name-number-or-range[,port-name-number-or-range]...}
              Port(s) used by the client. If omitted, any source port is
              acceptable. Specified as a comma-separated list of port names,
              port numbers or port ranges.
              Warning

              Unless you really understand IP, you should leave this column
              empty or place a dash (-) in the column. Most people who try
              to use this column get it wrong.

              If you don't want to restrict client ports but need to specify
              an ORIGINAL DEST in the next column, then place "-" in this
              column.

              If your kernel contains multi-port match support, then only a
              single Netfilter rule will be generated if in this list and
              the DEST PORT(S) list above:

              1. There are 15 or less ports listed.

              2. No port ranges are included or your kernel and iptables
                 contain extended multiport match support.

              Otherwise, unless you are using Shorewall-perl
              ⟨../Shorewall-perl.html⟩, a separate rule will be generated
              for each port. Shorewall-perl does not automatically break up
              lists into individual rules.

       ORIGINAL DEST (Optional) — [-|address[,address]...[exclusion]|exclusion]
              If ACTION is DNAT[-] or REDIRECT[-] then if this column is
              included and is different from the IP address given in the
              DEST column, then connections destined for that address will
              be forwarded to the IP and port specified in the DEST column.

              A comma-separated list of addresses may also be used. This is
              most useful with the REDIRECT target where you want to
              redirect traffic destined for a particular set of hosts.
              Finally, if the list of addresses begins with "!" (exclusion)
              then the rule will be followed only if the original
              destination address in the connection request does not match
              any of the addresses listed.

              For other actions, this column may be included and may contain
              one or more addresses (host or network) separated by commas.
              Address ranges are not allowed. When this column is supplied,
              rules are generated that require that the original destination
              address matches one of the listed addresses. This feature is
              most useful when you want to generate a filter rule that
              corresponds to a DNAT- or REDIRECT- rule. In this usage, the
              list of addresses should not begin with "!".

              It is also possible to specify a set of addresses then exclude
              part of those addresses. For example,
              192.168.1.0/24!192.168.1.16/28 specifies the addresses
              192.168.1.0-192.168.1.15 and 192.168.1.32-192.168.1.255. See
              shorewall-exclusion ⟨shorewall-exclusion.html⟩ (5).

              See http://shorewall.net/PortKnocking.html
              ⟨../PortKnocking.html⟩ for an example of using an entry in
              this column with a user-defined action rule.

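       The following Python script is an added example, not code from the
       man page or from Shorewall. It evaluates an ORIGINAL DEST value
       against a candidate address, handling both a pure exclusion list
       ("!192.168.2.2") and an inclusion list carrying an exclusion, and it
       expands the latter into the address ranges quoted above. Function
       names are the example's own; the addresses are the man page's.

```python
"""Evaluate the ORIGINAL DEST column of a Shorewall rules entry.

Added example; not part of shorewall-rules(5) or of Shorewall. It covers
the two list forms the man page describes: an inclusion list that may carry
an exclusion ("192.168.1.0/24!192.168.1.16/28") and a pure exclusion list
("!192.168.2.2") that matches every other address. Function names are the
example's own; the addresses used below are the man page's examples.
"""
import ipaddress
from typing import List, Tuple


def parse_original_dest(spec: str):
    """Split 'a,b!c,d' into (included, excluded) network lists. An empty
    included list means 'any original destination'."""
    include_text, *exclusion_text = spec.split("!")
    included = [ipaddress.ip_network(a, strict=False)
                for a in include_text.split(",") if a]
    excluded = [ipaddress.ip_network(a, strict=False)
                for part in exclusion_text for a in part.split(",") if a]
    return included, excluded


def original_dest_matches(spec: str, address: str) -> bool:
    """True when a request whose original destination is `address`
    satisfies the column; "-" or an empty column matches everything."""
    if spec in ("", "-"):
        return True
    included, excluded = parse_original_dest(spec)
    addr = ipaddress.ip_address(address)
    if any(addr in net for net in excluded):
        return False
    return not included or any(addr in net for net in included)


def effective_ranges(spec: str) -> List[Tuple[str, str]]:
    """Expand an inclusion list with exclusions into contiguous
    (first, last) address ranges, the form the man page uses to explain
    192.168.1.0/24!192.168.1.16/28."""
    included, excluded = parse_original_dest(spec)
    remaining = list(included)
    for ex in excluded:
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))   # carve the hole out
            elif not net.subnet_of(ex):
                kept.append(net)                        # untouched network
        remaining = kept
    ranges: List[Tuple[int, int]] = []
    for first, last in sorted((int(n[0]), int(n[-1])) for n in remaining):
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)         # merge adjacent blocks
        else:
            ranges.append((first, last))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in ranges]


if __name__ == "__main__":
    print(effective_ranges("192.168.1.0/24!192.168.1.16/28"))
    print(original_dest_matches("!192.168.2.2", "192.168.2.2"))
```

       effective_ranges relies on the standard library's
       IPv4Network.address_exclude and subnet_of (Python 3.7 and later), so
       the arithmetic behind the man page's two ranges is done by ipaddress
       rather than by hand.
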
       RATE LIMIT (Optional) — [-|rate/{sec|min}[:burst]]
              You may rate-limit the rule by placing a value in this column:

              rate is the number of connections per interval (sec or min)
              and burst is the largest burst permitted. If no burst is
              given, a value of 5 is assumed. There may be no whitespace
              embedded in the specification.

              Example: 10/sec:20

       USER/GROUP (Optional) — [!][user-name-or-number][:group-name-or-number][+program-name]
              This column may only be non-empty if the SOURCE is the
              firewall itself.

              When this column is non-empty, the rule applies only if the
              program generating the output is running under the effective
              user and/or group specified (or is NOT running under that id
              if "!" is given).

              Examples:

              joe    program must be run by joe

              :kids  program must be run by a member of the 'kids' group

              !:kids program must not be run by a member of the 'kids'
                     group

              +upnpd program named upnpd
                     Important

                     The ability to specify a program name was removed from
                     Netfilter in kernel version 2.6.14.

       MARK — [!]value[/mask][:C]
              Defines a test on the existing packet or connection mark. The
              rule will match only if the test returns true.

              If you don't want to define a test but need to specify
              anything in the following columns, place a "-" in this field.

              !      Inverts the test (not equal)

              value  Value of the packet or connection mark.

              mask   A mask to be applied to the mark before testing.

              :C     Designates a connection mark. If omitted, the packet
                     mark's value is tested. This option is only supported
                     by Shorewall-perl.


RESTRICTIONS

       Unless you are using Shorewall-perl ⟨../Shorewall-perl.html⟩ and your
       iptables/kernel have Repeat Match support (see the output of
       shorewall show capabilities), if you specify a list of DEST PORT(S),
       then you may not specify SOURCE PORT(S) and vice versa.

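       The following Python script is an added example, not the man page's
       or Shorewall's own code (the Shorewall compilers do their own, fuller,
       checking). It reads a rules file and reports violations of the
       constraints stated in this page: SECTION order, the ACTIONs permitted
       in the ESTABLISHED and RELATED sections, where a DEST port may appear,
       DNAT DEST addresses, the USER/GROUP column, RATE LIMIT syntax, a
       leading "!" in ORIGINAL DEST, the DEST PORT(S)/SOURCE PORT(S)
       restriction above, and port lists too long for one multiport match.
       SAMPLE_RULES is constructed for the demonstration; each line after its
       comment deliberately breaks one constraint.

```python
"""Lint a Shorewall rules file against constraints stated in
shorewall-rules(5): SECTION order, ACTIONs allowed in ESTABLISHED/RELATED,
where a DEST port may appear, DNAT DEST addresses, USER/GROUP, RATE LIMIT
syntax, a leading "!" in ORIGINAL DEST, and the DEST/SOURCE PORT(S) rule.
Added example, not the man page's or Shorewall's own code (the Shorewall
compilers do their own fuller checking); SAMPLE_RULES is constructed."""
import re
from typing import List, Tuple

SECTION_ORDER = ["ESTABLISHED", "RELATED", "NEW"]
STATE_SECTION_ACTIONS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE"}
NAT_ACTIONS = {"DNAT", "DNAT-", "REDIRECT", "REDIRECT-"}
RATE_RE = re.compile(r"^\d+/(sec|min)(:\d+)?$")      # rate/{sec|min}[:burst]
MULTIPORT_LIMIT = 15


def parse_action(field: str) -> Tuple[str, str, str]:
    """Split 'ACCEPT:info:ftp' into (action, log level, log tag)."""
    parts = (field.split(":") + ["", ""])[:3]
    return parts[0], parts[1], parts[2]


def port_list_needs_splitting(ports: str, extended_multiport: bool = True) -> bool:
    """True when the man page says Shorewall-shell emits one rule per port:
    more than 15 entries, or a range without extended multiport support."""
    if ports in ("", "-"):
        return False
    entries = ports.split(",")
    return len(entries) > MULTIPORT_LIMIT or (
        not extended_multiport and any(":" in p for p in entries))


def lint_rule(section: str, cols: List[str], lineno: int,
              repeat_match: bool) -> List[str]:
    """Check one rule already split into its columns; "-" means empty."""
    action, source, dest, _proto, dport, sport, odest, rate, user, _mark = \
        (cols + ["-"] * 10)[:10]
    base, _level, _tag = parse_action(action)
    found = []
    if section != "NEW" and base.rstrip("!") not in STATE_SECTION_ACTIONS:
        found.append(f"line {lineno}: {base} is not allowed in SECTION {section}")
    if "~" in dest:
        found.append(f"line {lineno}: MAC addresses are not allowed in DEST")
    parts = dest.split(":")                    # zone:addr:port, $FW::port, port
    if (len(parts) >= 3 or parts[0].isdigit()) and base not in NAT_ACTIONS:
        found.append(f"line {lineno}: a DEST port is only allowed with DNAT or REDIRECT")
    if base.startswith("DNAT") and len(parts) > 1 and "/" in parts[1]:
        found.append(f"line {lineno}: DNAT DEST must be a host IP address, not a subnet")
    if user != "-" and source != "$FW":
        found.append(f"line {lineno}: USER/GROUP may only be used when SOURCE is $FW")
    if rate != "-" and not RATE_RE.match(rate):
        found.append(f"line {lineno}: RATE LIMIT must be rate/{{sec|min}}[:burst]")
    if odest.startswith("!") and base not in NAT_ACTIONS:
        found.append(f"line {lineno}: ORIGINAL DEST may not begin with '!' for {base}")
    if not repeat_match and (("," in dport and sport != "-") or
                             ("," in sport and dport != "-")):
        found.append(f"line {lineno}: a port list in one PORT(S) column rules out the other without Repeat Match")
    if port_list_needs_splitting(dport) or port_list_needs_splitting(sport):
        found.append(f"line {lineno}: port list exceeds one multiport match (one rule per port under Shorewall-shell)")
    return found


def lint_file(text: str, repeat_match: bool = False) -> List[str]:
    """Walk a rules file, tracking SECTION headers, and collect problems."""
    problems, section, reached = [], "NEW", -1
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if cols[0] == "SECTION":
            name = cols[1] if len(cols) > 1 else ""
            if name not in SECTION_ORDER:
                problems.append(f"line {lineno}: unknown section {name!r}")
                continue
            if SECTION_ORDER.index(name) <= reached:
                problems.append(f"line {lineno}: SECTION {name} must precede {SECTION_ORDER[reached]}")
            section, reached = name, max(reached, SECTION_ORDER.index(name))
            continue
        problems.extend(lint_rule(section, cols, lineno, repeat_match))
    return problems


SAMPLE_RULES = """\
SECTION ESTABLISHED
ACCEPT   net   $FW
SECTION NEW
ACCEPT   net:130.252.100.69,130.252.100.70   $FW   tcp   22
DNAT     net   loc:192.168.1.3:22   tcp   2222
REDIRECT loc   3128   tcp   www   -   !192.168.2.2
DNAT     net   loc:192.168.1.3   tcp   http   -   -   3/sec:10
# each line below breaks one constraint stated in the man page
ACCEPT   net   loc:192.168.1.3:80   tcp   80
ACCEPT   loc   net   tcp   80   -   -   -   joe
DNAT     net   loc:192.168.1.0/24   tcp   80
ACCEPT   net   $FW   tcp   22,80   1024:65535
ACCEPT   $FW   net   tcp   443   -   -   10/seconds
ACCEPT   net   $FW   tcp   80   -   !192.168.2.2
SECTION RELATED
DNAT     net   loc:192.168.1.3   tcp   21
"""

if __name__ == "__main__":
    print("\n".join(lint_file(SAMPLE_RULES)))
```

       Run the script directly to print the problems found in SAMPLE_RULES
       (one per offending line, plus the misplaced SECTION RELATED header);
       pass repeat_match=True to lint_file when shorewall show capabilities
       reports Repeat Match support, which lifts the PORT(S) restriction.
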

EXAMPLE

       Example 1:
              Accept SMTP requests from the DMZ to the internet

                       #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
                       #                               PORT    PORT(S) DEST
                       ACCEPT  dmz     net       tcp   smtp

       Example 2:
              Forward all ssh and http connection requests from the internet
              to local system 192.168.1.3

                      #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
                      #                                       PORT    PORT(S) DEST
                      DNAT    net     loc:192.168.1.3 tcp     ssh,http

       Example 3:
              Forward all http connection requests from the internet to local
              system 192.168.1.3 with a limit of 3 per second and a maximum
              burst of 10

                      #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
                      #                                     PORT  PORT(S) DEST     LIMIT
                      DNAT    net    loc:192.168.1.3 tcp    http  -       -        3/sec:10

       Example 4:
              Redirect all locally-originating www connection requests to
              port 3128 on the firewall (Squid running on the firewall
              system) except when the destination address is 192.168.2.2

                      #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
                      #                               PORT    PORT(S) DEST
                      REDIRECT loc    3128      tcp   www     -       !192.168.2.2

       Example 5:
              All http requests from the internet to address 130.252.100.69
              are to be forwarded to 192.168.1.3

                      #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
                      #                                       PORT    PORT(S) DEST
                      DNAT     net    loc:192.168.1.3 tcp     80      -       130.252.100.69

       Example 6:
              You want to accept SSH connections to your firewall only from
              internet IP addresses 130.252.100.69 and 130.252.100.70

                      #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
                      #                                       PORT    PORT(S) DEST
                      ACCEPT   net:130.252.100.69,130.252.100.70 $FW \
                                                      tcp     22

       Example 7:
              You wish to accept connections from the internet to your
              firewall on port 2222 and you want to forward them to local
              system 192.168.1.3, port 22

                      #ACTION  SOURCE DEST                PROTO   DEST    SOURCE  ORIGINAL
                      #                                           PORT    PORT(S) DEST
                      DNAT     net    loc:192.168.1.3:22  tcp     2222

       Example 8:
              You want to redirect connection requests to port 80 randomly
              to the port range 81-90.

                      #ACTION  SOURCE DEST                PROTO DEST    SOURCE  ORIGINAL
                      #                                         PORT    PORT(S) DEST
                      REDIRECT net    $FW::81-90:random   tcp   www

       Example 9:
              Shorewall does not impose as much structure on the Netfilter
              rules in the 'nat' table as it does on those in the filter
              table. As a consequence, care must be exercised when using
              DNAT and REDIRECT rules with zones defined with wildcard
              interfaces (those ending with '+'). Here is an example:

              shorewall-zones ⟨shorewall-zones.html⟩ (8):

                      #ZONE       TYPE    OPTIONS
                      fw          firewall
                      net         ipv4
                      dmz         ipv4
                      loc         ipv4

              shorewall-interfaces ⟨shorewall-interfaces.html⟩ (8):

                      #ZONE       INTERFACE       BROADCAST      OPTIONS
                      net         ppp0
                      loc         eth1            detect
                      dmz         eth2            detect
                      -           ppp+                           # Addresses are assigned from 192.168.3.0/24

              shorewall-hosts ⟨shorewall-hosts.html⟩ (8):

                      #ZONE       HOST(S)              OPTIONS
                      loc         ppp+:192.168.3.0/24

              rules:

                      #ACTION     SOURCE          DEST       PROTO       DEST
                      #                                                  PORT(S)
                      REDIRECT    loc             3128       tcp         80

              Note that it would have been tempting to simply define the loc
              zone entirely in shorewall-interfaces(8):

                      #******************* INCORRECT *****************
                      #ZONE       INTERFACE       BROADCAST      OPTIONS
                      net         ppp0
                      loc         eth1            detect
                      loc         ppp+
                      dmz         eth2

              This would have made it impossible to run an internet-accessible
              web server in the DMZ because all traffic entering ppp+
              interfaces would have been redirected to port 3128 on the
              firewall and there would have been no net->fw ACCEPT rule for
              that traffic.


FILES

       /etc/shorewall/rules


SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
       shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)



                                  19 May 2008               shorewall-rules(5)