#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
# ACTION         ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-,
#                CONTINUE or LOG.
#
#                ACCEPT   -- allow the connection request
#                DROP     -- ignore the request
#                REJECT   -- disallow the request and return an
#                            icmp-unreachable or an RST packet.
#                DNAT     -- Forward the request to another
#                            system (and optionally another
#                            port).
#                DNAT-    -- Advanced users only.
#                            Like DNAT but only generates the
#                            DNAT iptables rule and not
#                            the companion ACCEPT rule.
#                REDIRECT -- Redirect the request to a local
#                            port on the firewall.
#                REDIRECT-
#                         -- Advanced users only.
#                            Like REDIRECT but only generates the
#                            REDIRECT iptables rule and not
#                            the companion ACCEPT rule.
#                CONTINUE -- (For experts only). Do not process
#                            any of the following rules for this
#                            (source zone,destination zone). If
#                            the source and/or destination IP
#                            address falls into a zone defined
#                            later in /etc/shorewall/zones, this
#                            connection request will be passed
#                            to the rules defined for that
#                            (those) zone(s).
#                LOG      -- Simply log the packet and continue.
#
#                May optionally be followed by ":" and a syslog log
#                level (e.g., REJECT:info). This causes the packet to be
#                logged at the specified level.
#
#                You may also specify ULOG (must be in upper case) as a
#                log level. This will log to the ULOG target for routing
#                to a separate log through use of ulogd
#                (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE         Source hosts to which the rule applies. May be a zone
#                defined in /etc/shorewall/zones, $FW to indicate the
#                firewall itself, or "all". If the ACTION is DNAT or
#                REDIRECT, sub-zones of the specified zone may be
#                excluded from the rule by following the zone name with
#                "!" and a comma-separated list of sub-zone names.
#
#                Except when "all" is specified, clients may be further
#                restricted to a list of subnets and/or hosts by
#                appending ":" and a comma-separated list of subnets
#                and/or hosts. Hosts may be specified by IP or MAC
#                address; MAC addresses must begin with "~" and must use
#                "-" as a separator.
#
#                dmz:192.168.2.2         Host 192.168.2.2 in the DMZ
#
#                net:155.186.235.0/24    Subnet 155.186.235.0/24 on the
#                                        Internet
#
#                loc:192.168.1.1,192.168.1.2
#                                        Hosts 192.168.1.1 and
#                                        192.168.1.2 in the local zone.
#
#                loc:~00-A0-C9-15-39-78  Host in the local zone with
#                                        MAC address 00:A0:C9:15:39:78.
#
#                Alternatively, clients may be specified by interface
#                by appending ":" to the zone name followed by the
#                interface name. For example, loc:eth1 specifies a
#                client that communicates with the firewall system
#                through eth1. This may be optionally followed by
#                another colon (":") and an IP/MAC/subnet address
#                as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST           Location of Server. May be a zone defined in
#                /etc/shorewall/zones, $FW to indicate the firewall
#                itself, or "all".
#
#                Except when "all" is specified, the server may be
#                further restricted to a particular subnet, host or
#                interface by appending ":" and the subnet, host or
#                interface. See above.
#
#                Restrictions:
#
#                1. MAC addresses are not allowed.
#                2. In DNAT rules, only IP addresses are
#                   allowed; no FQDNs or subnet addresses
#                   are permitted.
#                3. You may not specify both an interface and
#                   an address.
#
#                The port that the server is listening on may be
#                included and separated from the server's IP address by
#                ":". If omitted, the firewall will not modify the
#                destination port. A destination port may only be
#                included if the ACTION is DNAT or REDIRECT.
#
#                Example: loc:192.168.1.3:3128 specifies a local
#                server at IP address 192.168.1.3 and listening on port
#                3128. The port number MUST be specified as an integer
#                and not as a name from /etc/services.
#
#                If the ACTION is REDIRECT, this column needs only to
#                contain the port number on the firewall that the
#                request should be redirected to.
#
# PROTO          Protocol - Must be "tcp", "udp", "icmp", a number, or
#                "all".
#
# DEST PORT(S)   Destination Ports. A comma-separated list of Port
#                names (from /etc/services), port numbers or port
#                ranges; if the protocol is "icmp", this column is
#                interpreted as the destination icmp-type(s).
#
#                A port range is expressed as <low port>:<high port>.
#
#                This column is ignored if PROTOCOL = all but must be
#                entered if any of the following fields are supplied.
#                In that case, it is suggested that this field contain
#                "-".
#
#                If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#                only a single Netfilter rule will be generated if in
#                this list and the CLIENT PORT(S) list below:
#                1. There are 15 or fewer ports listed.
#                2. No port ranges are included.
#                Otherwise, a separate rule will be generated for each
#                port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
#                any source port is acceptable. Specified as a comma-
#                separated list of port names, port numbers or port
#                ranges.
#
#                If you don't want to restrict client ports but need to
#                specify an ADDRESS in the next column, then place "-"
#                in this column.
#
#                If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#                only a single Netfilter rule will be generated if in
#                this list and the DEST PORT(S) list above:
#                1. There are 15 or fewer ports listed.
#                2. No port ranges are included.
#                Otherwise, a separate rule will be generated for each
#                port.
#
# ORIGINAL DEST  (Optional -- only allowed if ACTION is DNAT[-] or
#                REDIRECT[-]) If included and different from the IP
#                address given in the DEST column, this is an address
#                on some interface on the firewall and connections to
#                that address will be forwarded to the IP and port
#                specified in the DEST column.
#
#                A comma-separated list of addresses may also be used.
#                This is usually most useful with the REDIRECT target.
#                Finally, if the list of addresses begins with "!" then
#                the rule will be followed only if the original
#                destination address in the connection request does not
#                match any of the addresses listed.
#
#                The address may optionally be followed by
#                a colon (":") and a second IP address. This causes
#                Shorewall to use the second IP address as the source
#                address in forwarded packets. See the Shorewall
#                documentation for restrictions concerning this feature.
#                If no source IP address is given, the original source
#                address is not altered.
#
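The DEST PORT(S) and CLIENT PORT(S) notation above, together with the MULTIPORT condition for collapsing a line into a single Netfilter rule, as an added Python example that is not part of Shorewall. It parses a port list (service names, port numbers, `<low port>:<high port>` ranges, "-" for any port) and estimates how many rules a line expands to. The function and constant names are my own, and reading "a separate rule will be generated for each port" as one rule per destination/client port pair is an assumption, not something the header states.

```python
# Added example, not Shorewall code: handling of the DEST PORT(S) and
# CLIENT PORT(S) notation above and the MULTIPORT single-rule condition.
# The cross-product in netfilter_rule_count is an assumption about how
# "a separate rule for each port" combines the two lists.

MULTIPORT_MAX = 15      # most ports one multiport rule may carry (header)


def parse_ports(field):
    """Parse a comma-separated list of service names, port numbers and
    <low port>:<high port> ranges.  "-" or an empty field means any port;
    names stay as strings, numbers become ints, ranges become (low, high)."""
    if field in ("-", ""):
        return []
    ports = []
    for item in field.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if not (lo.isdigit() and hi.isdigit() and int(lo) <= int(hi)):
                raise ValueError(f"bad port range {item!r}")
            ports.append((int(lo), int(hi)))
        elif item.isdigit():
            ports.append(int(item))
        elif item:
            ports.append(item)          # service name, resolved via /etc/services
        else:
            raise ValueError(f"empty entry in port list {field!r}")
    return ports


def port_field_error(field):
    """None if the field parses, otherwise the error message."""
    try:
        parse_ports(field)
    except ValueError as exc:
        return str(exc)
    return None


def multiport_ok(ports):
    """True when the list can go into one Netfilter rule under MULTIPORT=Yes:
    at most 15 entries and no ranges."""
    return (len(ports) <= MULTIPORT_MAX
            and not any(isinstance(p, tuple) for p in ports))


def netfilter_rule_count(dest_field, client_field="-"):
    """How many Netfilter rules one rules-file line expands to: a single rule
    when both port lists satisfy multiport_ok, otherwise one rule per port
    (assumed here to mean one per destination/client port pair)."""
    dest, client = parse_ports(dest_field), parse_ports(client_field)
    if multiport_ok(dest) and multiport_ok(client):
        return 1
    return max(1, len(dest)) * max(1, len(client))
```

`netfilter_rule_count("ssh,http")` gives 1, while sixteen ports in the DEST PORT(S) column, or a range in either column, expand into one rule per port; this is the check to run before adding a long port list to a rule.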
# Example: Accept SMTP requests from the DMZ to the internet
#
#          #ACTION   SOURCE  DEST             PROTO  DEST      SOURCE   ORIGINAL
#          #                                         PORT      PORT(S)  DEST
#          ACCEPT    dmz     net              tcp    smtp
#
# Example: Forward all ssh and http connection requests from the internet
#          to local system 192.168.1.3
#
#          #ACTION   SOURCE  DEST             PROTO  DEST      SOURCE   ORIGINAL
#          #                                         PORT      PORT(S)  DEST
#          DNAT      net     loc:192.168.1.3  tcp    ssh,http
#
# Example: Redirect all locally-originating www connection requests to
#          port 3128 on the firewall (Squid running on the firewall
#          system) except when the destination address is 192.168.2.2
#
#          #ACTION   SOURCE  DEST             PROTO  DEST      SOURCE   ORIGINAL
#          #                                         PORT      PORT(S)  DEST
#          REDIRECT  loc     3128             tcp    www       -        !192.168.2.2
#
# Example: All http requests from the internet to address
#          130.252.100.69 are to be forwarded to 192.168.1.3
#
#          #ACTION   SOURCE  DEST             PROTO  DEST      SOURCE   ORIGINAL
#          #                                         PORT      PORT(S)  DEST
#          DNAT      net     loc:192.168.1.3  tcp    80        -        130.252.100.69
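The column rules above, as an added Python example that is not Shorewall's own code: a small validator that parses the ACTION, SOURCE, DEST and ORIGINAL DEST columns of a rule line into a dictionary and rejects lines that break the restrictions the header states (a ULOG level in lower case, a DEST port or an ORIGINAL DEST on an action other than DNAT/REDIRECT, a MAC address or a subnet where DEST forbids one, an interface together with an address in DEST). The helper and key names are my own; INTERFACES is a constructed stand-in for the interface names Shorewall reads from its own configuration, and the sample input is the four example rules shown above.

```python
import ipaddress
import re

# Added example, not Shorewall code: a validator for the ACTION, SOURCE,
# DEST and ORIGINAL DEST columns documented above.  Helper and key names
# are my own; INTERFACES is a constructed stand-in for the interface list
# Shorewall reads from its own configuration.
ACTIONS = {"ACCEPT", "DROP", "REJECT", "DNAT", "DNAT-", "REDIRECT",
           "REDIRECT-", "CONTINUE", "LOG"}
NAT_ACTIONS = {"DNAT", "DNAT-", "REDIRECT", "REDIRECT-"}
MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")  # ~00-A0-..
INTERFACES = {"eth0", "eth1", "ppp0"}                          # constructed


class RuleError(ValueError):
    """A line violates one of the restrictions stated in the header."""


def parse_action(field):
    """'REJECT:info' -> ('REJECT', 'info'); a ULOG level must be upper case."""
    action, _, level = field.partition(":")
    if action not in ACTIONS:
        raise RuleError(f"unknown ACTION {action!r}")
    if level.lower() == "ulog" and level != "ULOG":
        raise RuleError("the ULOG log level must be written in upper case")
    return action, level or None


def check_address(addr, column, action):
    """Enforce the host/subnet/MAC restrictions of SOURCE and DEST."""
    if addr.startswith("~"):                        # MAC host, "-" separated
        if column == "DEST":
            raise RuleError("DEST: MAC addresses are not allowed")
        if not MAC_RE.match(addr):
            raise RuleError(f"bad MAC {addr!r}: use ~ and - as separators")
    elif column == "DEST" and action in ("DNAT", "DNAT-"):
        ipaddress.ip_address(addr)                  # plain IP: no FQDN/subnet
    elif addr[:1].isdigit():                        # IP or subnet; FQDNs pass
        ipaddress.ip_network(addr, strict=False)


def parse_endpoint(field, column, action, interfaces):
    """SOURCE/DEST: zone[:iface][:[!]addr,addr][:port], or a bare port."""
    if column == "DEST" and field.isdigit():        # REDIRECT <port>
        if not action.startswith("REDIRECT"):
            raise RuleError("a bare port in DEST is only valid with REDIRECT")
        return {"zone": "$FW", "iface": None, "negate": False,
                "addrs": [], "port": int(field)}
    zone, _, rest = field.partition(":")
    parts = rest.split(":") if rest else []
    iface = parts.pop(0) if parts and parts[0] in interfaces else None
    port = None
    if column == "DEST" and parts and parts[-1].isdigit():
        port = int(parts.pop())                     # an integer, never a name
        if action not in NAT_ACTIONS:
            raise RuleError("a DEST port is only allowed with DNAT/REDIRECT")
    if len(parts) > 1:
        raise RuleError(f"{column}: cannot parse {field!r}")
    negate = bool(parts) and parts[0].startswith("!")   # "!" = all except
    addrs = parts[0].lstrip("!").split(",") if parts else []
    for addr in addrs:
        check_address(addr, column, action)
    if column == "DEST" and iface and addrs:
        raise RuleError("DEST: give an interface or an address, not both")
    return {"zone": zone, "iface": iface, "negate": negate,
            "addrs": addrs, "port": port}


def parse_rule(line, interfaces=INTERFACES):
    """Parse one rule line into a dict, raising RuleError if it is invalid."""
    f = line.split() + ["-"] * 7                    # pad optional columns
    act, src, dst, proto, dports, sports, odest = f[:7]
    action, level = parse_action(act)
    if proto not in ("tcp", "udp", "icmp", "all") and not proto.isdigit():
        raise RuleError(f"bad PROTO {proto!r}")
    if odest != "-" and action not in NAT_ACTIONS:
        raise RuleError("ORIGINAL DEST is only allowed with DNAT[-]/REDIRECT[-]")
    oaddr, _, snat = odest.partition(":")           # addr[,addr][:new source]
    original = None if odest == "-" else {
        "negate": oaddr.startswith("!"), "snat": snat or None,
        "addrs": oaddr.lstrip("!").split(",")}
    return {"action": action, "log_level": level, "proto": proto,
            "source": parse_endpoint(src, "SOURCE", action, interfaces),
            "dest": parse_endpoint(dst, "DEST", action, interfaces),
            "dest_ports": [] if dports == "-" else dports.split(","),
            "client_ports": [] if sports == "-" else sports.split(","),
            "original_dest": original}


def check_line(line):
    """None if the line is valid, otherwise the error message."""
    try:
        parse_rule(line)
    except ValueError as exc:                       # RuleError or ipaddress
        return str(exc)
    return None


# Sample input: the four example rules from the header above.
SAMPLE = (
    "ACCEPT    dmz   net              tcp   smtp",
    "DNAT      net   loc:192.168.1.3  tcp   ssh,http",
    "REDIRECT  loc   3128             tcp   www       -   !192.168.2.2",
    "DNAT      net   loc:192.168.1.3  tcp   80        -   130.252.100.69",
)
```

`check_line` answers with `None` or the reason a line would be rejected, which makes it usable as a pre-commit check over the non-comment lines of the file; it checks only the syntax described in this header, not whether the zones named actually exist in /etc/shorewall/zones, and the port columns are split but not otherwise interpreted.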
##############################################################################
#ACTION   SOURCE  DEST             PROTO  DEST      SOURCE   ORIGINAL
#                                         PORT      PORT(S)  DEST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE