mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 07:38:57 +01:00
Finish rules man page
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4890 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
2244bdc84c
commit
c117061c21
@ -47,7 +47,7 @@
|
|||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ESTABLISHED</term>
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets in the ESTABLISHED state are processed by rules in
|
<para>Packets in the ESTABLISHED state are processed by rules in
|
||||||
@ -62,7 +62,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>RELATED</term>
|
<term><emphasis role="bold">RELATED</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets in the RELATED state are processed by rules in this
|
<para>Packets in the RELATED state are processed by rules in this
|
||||||
@ -77,7 +77,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>NEW</term>
|
<term><emphasis role="bold">NEW</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Packets in the NEW and INVALID states are processed by rules
|
<para>Packets in the NEW and INVALID states are processed by rules
|
||||||
@ -89,34 +89,34 @@
|
|||||||
<note>
|
<note>
|
||||||
<para>If you are not familiar with Netfilter to the point where you are
|
<para>If you are not familiar with Netfilter to the point where you are
|
||||||
comfortable with the differences between the various connection tracking
|
comfortable with the differences between the various connection tracking
|
||||||
states, then I suggest that you omit the ESTABLISHED and RELATED
|
states, then I suggest that you omit the <emphasis
|
||||||
sections and place all of your rules in the NEW section (That's after
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
||||||
the line that reads SECTION NEW').</para>
|
role="bold">RELATED</emphasis> sections and place all of your rules in
|
||||||
|
the NEW section (That's after the line that reads SECTION NEW').</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
|
<para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
|
||||||
ESTABLISHED and RELATED sections must be empty.</para>
|
<emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
|
||||||
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<para>You may omit any section that you don't need. If no Section Headers
|
<para>You may omit any section that you don't need. If no Section Headers
|
||||||
appear in the file then all rules are assumed to be in the NEW section.
|
appear in the file then all rules are assumed to be in the NEW
|
||||||
</para>
|
section.</para>
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ACTION</term>
|
<term><emphasis role="bold">ACTION</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para> ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG,
|
<para>Must be one of the following.</para>
|
||||||
QUEUE, COMMENT, a <emphasis>macro</emphasis>, or an
|
|
||||||
<emphasis>action</emphasis>.</para>
|
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ACCEPT</term>
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Allow the connection request.</para>
|
<para>Allow the connection request.</para>
|
||||||
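Review bot: the note paragraph still carries an unbalanced quote in "(That's after the line that reads SECTION NEW')", and since this hunk rewraps that sentence anyway it is the right moment to fix it, either as 'SECTION NEW' with both quotes or by marking the header up in a DocBook element such as <literal>. The bolding of ESTABLISHED and RELATED matches the term entries changed above.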
@ -124,16 +124,19 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ACCEPT+</term>
|
<term><emphasis role="bold">ACCEPT+</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>like ACCEPT but also excludes the connection from any
|
<para>like ACCEPT but also excludes the connection from any
|
||||||
subsequent DNAT[-] or REDIRECT[-] rules</para>
|
subsequent <emphasis role="bold">DNAT</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>] or <emphasis
|
||||||
|
role="bold">REDIRECT</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>] rules</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>NONAT</term>
|
<term><emphasis role="bold">NONAT</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Excludes the connection from any subsequent <emphasis
|
<para>Excludes the connection from any subsequent <emphasis
|
||||||
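Review bot: the ACCEPT+ description starts in lower case ("like ACCEPT but also excludes the connection ...") while the neighbouring ACCEPT and NONAT entries start with a capital letter; as the line is being rewrapped, change it to "Like". Bolding only the "-" inside the brackets of DNAT[-] and REDIRECT[-] is consistent with how that notation is rendered elsewhere in the file.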
@ -144,7 +147,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DROP</term>
|
<term><emphasis role="bold">DROP</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Ignore the request.</para>
|
<para>Ignore the request.</para>
|
||||||
@ -152,7 +155,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>REJECT</term>
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>disallow the request and return an icmp-unreachable or
|
<para>disallow the request and return an icmp-unreachable or
|
||||||
@ -161,7 +164,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DNAT</term>
|
<term><emphasis role="bold">DNAT</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Forward the request to another system (and optionally
|
<para>Forward the request to another system (and optionally
|
||||||
@ -170,39 +173,43 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DNAT-</term>
|
<term><emphasis role="bold">DNAT-</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Advanced users only.</para>
|
<para>Advanced users only.</para>
|
||||||
|
|
||||||
<para> Like DNAT but only generates the DNAT iptables rule and
|
<para>Like <emphasis role="bold">DNAT</emphasis> but only
|
||||||
not the companion ACCEPT rule.</para>
|
generates the <emphasis role="bold">DNAT</emphasis> iptables
|
||||||
|
rule and not the companion <emphasis
|
||||||
|
role="bold">ACCEPT</emphasis> rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SAME</term>
|
<term><emphasis role="bold">SAME</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Similar to DNAT except that the port may not be remapped
|
<para>Similar to <emphasis role="bold">DNAT</emphasis> except
|
||||||
and when multiple server addresses are listed, all requests
|
that the port may not be remapped and when multiple server
|
||||||
from a given remote system go to the same server.</para>
|
addresses are listed, all requests from a given remote system
|
||||||
|
go to the same server.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SAME-</term>
|
<term><emphasis role="bold">SAME-</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Advanced users only.</para>
|
<para>Advanced users only.</para>
|
||||||
|
|
||||||
<para>Like SAME but only generates the NAT iptables rule and
|
<para>Like SAME but only generates the NAT iptables rule and
|
||||||
not the companion ACCEPT rule.</para>
|
not the companion <emphasis role="bold">ACCEPT</emphasis>
|
||||||
|
rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>REDIRECT</term>
|
<term><emphasis role="bold">REDIRECT</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Redirect the request to a server on the firewall.</para>
|
<para>Redirect the request to a server on the firewall.</para>
|
||||||
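Review bot: the SAME- entry is inconsistent with the DNAT- entry directly above it in this hunk: DNAT- bolds both DNAT and ACCEPT, but in "Like SAME but only generates the NAT iptables rule" the word SAME is left plain while ACCEPT is bolded. Suggest <emphasis role="bold">SAME</emphasis> there as well.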
@ -210,18 +217,20 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>REDIRECT-</term>
|
<term><emphasis role="bold">REDIRECT-</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Advanced users only.</para>
|
<para>Advanced users only.</para>
|
||||||
|
|
||||||
<para>Like REDIRET but only generates the REDIRECT iptables
|
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
|
||||||
rule and not the companion ACCEPT rule.</para>
|
generates the <emphasis role="bold">REDIRECT</emphasis>
|
||||||
|
iptables rule and not the companion <emphasis
|
||||||
|
role="bold">ACCEPT</emphasis> rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>CONTINUE</term>
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>For experts only.</para>
|
<para>For experts only.</para>
|
||||||
@ -235,7 +244,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>LOG</term>
|
<term><emphasis role="bold">LOG</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Simply log the packet and continue.</para>
|
<para>Simply log the packet and continue.</para>
|
||||||
@ -243,7 +252,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>QUEUE</term>
|
<term><emphasis role="bold">QUEUE</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Queue the packet to a user-space application such as
|
<para>Queue the packet to a user-space application such as
|
||||||
@ -252,7 +261,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>COMMENT</term>
|
<term><emphasis role="bold">COMMENT</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>the rest of the line will be attached as a comment to
|
<para>the rest of the line will be attached as a comment to
|
||||||
@ -269,7 +278,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an <emphasis>action</emphasis> defined in
|
<para>The name of an <emphasis>action</emphasis> defined in
|
||||||
shorewall.actions(5) or in
|
shorewall-actions(5) or in
|
||||||
/usr/share/shorewall/actions.std.</para>
|
/usr/share/shorewall/actions.std.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -282,7 +291,9 @@
|
|||||||
macro accepts an action parameter (Look at the macro source to
|
macro accepts an action parameter (Look at the macro source to
|
||||||
see if it has PARAM in the TARGET column) then the
|
see if it has PARAM in the TARGET column) then the
|
||||||
<emphasis>macro</emphasis> name is followed by "/" and the
|
<emphasis>macro</emphasis> name is followed by "/" and the
|
||||||
action (ACCEPT, DROP, REJECT, ...) to be substituted for the
|
action (<emphasis role="bold">ACCEPT</emphasis>, <emphasis
|
||||||
|
role="bold">DROP</emphasis>, <emphasis
|
||||||
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
||||||
parameter.</para>
|
parameter.</para>
|
||||||
|
|
||||||
<para>Example: FTP/ACCEPT.</para>
|
<para>Example: FTP/ACCEPT.</para>
|
||||||
@ -290,13 +301,14 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>The ACTION may optionally be followed by ":" and a syslog log
|
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
|
||||||
level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
|
followed by ":" and a syslog log level (e.g, REJECT:info or
|
||||||
logged at the specified level.</para>
|
DNAT:debug). This causes the packet to be logged at the specified
|
||||||
|
level.</para>
|
||||||
|
|
||||||
<para>If the ACTION names an <emphasis>action</emphasis> defined in
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
shorewall.actions(5) or in /usr/share/shorewall/actions.std
|
<emphasis>action</emphasis> defined in shorewall-actions(5) or in
|
||||||
then:</para>
|
/usr/share/shorewall/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
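Review bot: "(e.g, REJECT:info or DNAT:debug)" is missing the period after "e.g"; since the sentence is being rewrapped in this hunk, correct it to "e.g., REJECT:info or DNAT:debug" in the new text.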
@ -329,19 +341,497 @@
|
|||||||
the log prefix generated by the LOGPREFIX setting.</para>
|
the log prefix generated by the LOGPREFIX setting.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">SOURCE</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Source hosts to which the rule applies. May be a zone defined
|
||||||
|
in /etc/shorewall/zones, <emphasis role="bold">$FW</emphasis> to
|
||||||
|
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
|
||||||
|
<emphasis role="bold">all+</emphasis>, <emphasis
|
||||||
|
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
|
||||||
|
or <emphasis role="bold">none</emphasis>.</para>
|
||||||
|
|
||||||
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
||||||
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||||
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
||||||
|
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
||||||
|
means "All Zones, except the firewall itself". When <emphasis
|
||||||
|
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
||||||
|
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||||
|
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
||||||
|
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>] is "used, intra-zone traffic is
|
||||||
|
affected.</para>
|
||||||
|
|
||||||
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
||||||
|
specified, clients may be further restricted to a list of subnets
|
||||||
|
and/or hosts by appending ":" and a comma-separated list of subnets
|
||||||
|
and/or hosts. Hosts may be specified by IP or MAC address; mac
|
||||||
|
addresses must begin with "~" and must use "-" as a
|
||||||
|
separator.</para>
|
||||||
|
|
||||||
|
<para>Hosts may be specified as an IP address range using the syntax
|
||||||
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||||
|
This requires that your kernel and iptables contain iprange match
|
||||||
|
support. If you kernel and iptables have ipset match support then
|
||||||
|
you may give the name of an ipset prefaced by "+". The ipset name
|
||||||
|
may be optionally followed by a number from 1 to 6 enclosed in
|
||||||
|
square brackets ([]) to indicate the number of levels of source
|
||||||
|
bindings to be matched.</para>
|
||||||
|
|
||||||
|
<para>Examples:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>dmz:192.168.2.2 </term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Host 192.168.2.2 in the DMZ</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:155.186.235.0/24</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Subnet 155.186.235.0/24 on the Internet</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc:192.168.1.1,192.168.1.2</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc:~00-A0-C9-15-39-78</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Host in the local zone with MAC address
|
||||||
|
00:A0:C9:15:39:78.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:192.0.2.11-192.0.2.17</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Alternatively, clients may be specified by interface by
|
||||||
|
appending ":" to the zone name followed by the interface name. For
|
||||||
|
example, loc:eth1 specifies a client that communicates with the
|
||||||
|
firewall system through eth1. This may be optionally followed by
|
||||||
|
another colon (":") and an IP/MAC/subnet address as described above
|
||||||
|
(e.g., loc:eth1:192.168.1.5).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">DEST</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Location of Server. May be a zone defined in
|
||||||
|
shorewall-zones(5), $<emphasis role="bold">FW</emphasis> to indicate
|
||||||
|
the firewall itself, <emphasis role="bold">all</emphasis>. <emphasis
|
||||||
|
role="bold">all+</emphasis> or <emphasis
|
||||||
|
role="bold">none</emphasis>.</para>
|
||||||
|
|
||||||
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
||||||
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||||
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
||||||
|
|
||||||
|
<para>When <emphasis role="bold">all</emphasis> is used either in
|
||||||
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||||
|
role="bold">DEST</emphasis> column intra-zone traffic is not
|
||||||
|
affected. When <emphasis role="bold">all+</emphasis> is used,
|
||||||
|
intra-zone traffic is affected.</para>
|
||||||
|
|
||||||
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>] is specified, the server may be further
|
||||||
|
restricted to a particular subnet, host or interface by appending
|
||||||
|
":" and the subnet, host or interface. See above.</para>
|
||||||
|
|
||||||
|
<para>Restrictions:</para>
|
||||||
|
|
||||||
|
<para>1. MAC addresses are not allowed.</para>
|
||||||
|
|
||||||
|
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
|
||||||
|
addresses are allowed; no FQDNs or subnet addresses are
|
||||||
|
permitted.</para>
|
||||||
|
|
||||||
|
<para>3. You may not specify both an interface and an
|
||||||
|
address.</para>
|
||||||
|
|
||||||
|
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
||||||
|
you may specify a range of IP addresses using the syntax
|
||||||
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||||
|
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
||||||
|
role="bold">DNAT</emphasis> or <emphasis
|
||||||
|
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
||||||
|
addresses in the range in a round-robin fashion.</para>
|
||||||
|
|
||||||
|
<para>If you kernel and iptables have ipset match support then you
|
||||||
|
may give the name of an ipset prefaced by "+". The ipset name may be
|
||||||
|
optionally followed by a number from 1 to 6 enclosed in square
|
||||||
|
brackets ([]) to indicate the number of levels of destination
|
||||||
|
bindings to be matched. Only one of the <emphasis
|
||||||
|
role="bold">SOURCE</emphasis> and <emphasis
|
||||||
|
role="bold">DEST</emphasis> columns may specify an ipset
|
||||||
|
name.</para>
|
||||||
|
|
||||||
|
<para>The port that the server is listening on may be included and
|
||||||
|
separated from the server's IP address by ":". If omitted, the
|
||||||
|
firewall will not modifiy the destination port. A destination port
|
||||||
|
may only be included if the <emphasis role="bold">ACTION</emphasis>
|
||||||
|
is <emphasis role="bold">DNAT</emphasis> or <emphasis
|
||||||
|
role="bold">REDIRECT</emphasis>. Example: </para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>"loc:192.168.1.3:3128" specifies a local server at IP
|
||||||
|
address 192.168.1.3 and listening on port 3128. The port
|
||||||
|
number MUST be specified as an integer and not as a name from
|
||||||
|
services(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>if the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
||||||
|
role="bold">REDIRECT</emphasis>, this column needs only to contain
|
||||||
|
the port number on the firewall that the request should be
|
||||||
|
redirected to.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">PROTO</emphasis> (Optional)</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Protocol - Must be <emphasis role="bold">tcp</emphasis>,
|
||||||
|
<emphasis role="bold">tcp:syn</emphasis>, <emphasis
|
||||||
|
role="bold">udp</emphasis>, <emphasis role="bold">icmp</emphasis>,
|
||||||
|
<emphasis role="bold">ipp2p</emphasis>,<emphasis role="bold">
|
||||||
|
ipp2p:udp</emphasis>, <emphasis role="bold">ipp2p:all</emphasis> a
|
||||||
|
<emphasis>number</emphasis>, or <emphasis
|
||||||
|
role="bold">all</emphasis>. <emphasis role="bold">ipp2p</emphasis>*
|
||||||
|
requires ipp2p match support in your kernel and iptables. <emphasis
|
||||||
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||||
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||||
|
RST,ACK and FIN flags must be reset.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional)</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Destination Ports. A comma-separated list of Port names (from
|
||||||
|
services(5)), port numbers or port ranges; if the protocol is
|
||||||
|
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
||||||
|
the destination icmp-type(s).</para>
|
||||||
|
|
||||||
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
|
this column is interpreted as an ipp2p option without the leading
|
||||||
|
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
||||||
|
If no port is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||||
|
assumed.</para>
|
||||||
|
|
||||||
|
<para>A port range is expressed as
|
||||||
|
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
|
||||||
|
|
||||||
|
<para>This column is ignored if <emphasis
|
||||||
|
role="bold">PROTO</emphasis> = <emphasis role="bold">all</emphasis>
|
||||||
|
but must be entered if any of the following columns are supplied. In
|
||||||
|
that case, it is suggested that this field contain a dash (<emphasis
|
||||||
|
role="bold">-</emphasis>).</para>
|
||||||
|
|
||||||
|
<para>If your kernel contains multi-port match support, then only a
|
||||||
|
single Netfilter rule will be generated if in this list and the
|
||||||
|
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
||||||
|
|
||||||
|
<para>1. There are 15 or less ports listed.</para>
|
||||||
|
|
||||||
|
<para>2. No port ranges are included or your kernel and iptables
|
||||||
|
contain extended multiport match support.</para>
|
||||||
|
|
||||||
|
<para>Otherwise, a separate rule will be generated for each
|
||||||
|
port.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">SOURCE PORT(S)</emphasis>
|
||||||
|
(Optional)</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Port(s) used by the client. If omitted, any source port is
|
||||||
|
acceptable. Specified as a comma- separated list of port names, port
|
||||||
|
numbers or port ranges.</para>
|
||||||
|
|
||||||
|
<warning>
|
||||||
|
<para>Unless you really understand TCP/IP, you should leave this
|
||||||
|
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
||||||
|
in the column. Most people who try to use this column get it
|
||||||
|
wrong.</para>
|
||||||
|
</warning>
|
||||||
|
|
||||||
|
<para>If you don't want to restrict client ports but need to specify
|
||||||
|
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
||||||
|
column, then place "-" in this column. </para>
|
||||||
|
|
||||||
|
<para>If your kernel contains multi-port match support, then only a
|
||||||
|
single Netfilter rule will be generated if in this list and the
|
||||||
|
<emphasis role="bold">DEST PORT(S)</emphasis> list above: </para>
|
||||||
|
|
||||||
|
<para>1. There are 15 or less ports listed.</para>
|
||||||
|
|
||||||
|
<para>2. No port ranges are included or your kernel and iptables
|
||||||
|
contain extended multiport match support.</para>
|
||||||
|
|
||||||
|
<para>Otherwise, a separate rule will be generated for each
|
||||||
|
port.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional)</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>] or <emphasis
|
||||||
|
role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
|
||||||
|
then if included and different from the IP address given in the
|
||||||
|
<emphasis role="bold">SERVER</emphasis> column, this is an address
|
||||||
|
on some interface on the firewall and connections to that address
|
||||||
|
will be forwarded to the IP and port specified in the <emphasis
|
||||||
|
role="bold">DEST</emphasis> column.</para>
|
||||||
|
|
||||||
|
<para>A comma-separated list of addresses may also be used. This is
|
||||||
|
usually most useful with the <emphasis
|
||||||
|
role="bold">REDIRECT</emphasis> target where you want to redirect
|
||||||
|
traffic destined for particular set of hosts. Finally, if the list
|
||||||
|
of addresses begins with "!" then the rule will be followed only if
|
||||||
|
the original destination address in the connection request does not
|
||||||
|
match any of the addresses listed.</para>
|
||||||
|
|
||||||
|
<para>For other actions, this column may be included and may contain
|
||||||
|
one or more addresses (host or network) separated by commas. Address
|
||||||
|
ranges are not allowed. When this column is supplied, rules are
|
||||||
|
generated that require that the original destination address matches
|
||||||
|
one of the listed addresses. This feature is most useful when you
|
||||||
|
want to generate a filter rule that corresponds to a <emphasis
|
||||||
|
role="bold">DNAT-</emphasis> or <emphasis
|
||||||
|
role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
|
||||||
|
addresses should not begin with "!".</para>
|
||||||
|
|
||||||
|
<para>See http://shorewall.net/PortKnocking.html for an example of
|
||||||
|
using an entry in this column with a user-defined action
|
||||||
|
rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional)</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>You may rate-limit the rule by placing a value in this column:
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para><emphasis>rate</emphasis>/<emphasis>interval</emphasis>[:<emphasis>burst</emphasis>]
|
||||||
|
where <emphasis>rate</emphasis> is the number of connections per
|
||||||
|
<emphasis>interval</emphasis> (<emphasis role="bold">sec</emphasis>
|
||||||
|
or <emphasis role="bold">min</emphasis>) and
|
||||||
|
<emphasis>burst</emphasis> is the largest burst permitted. If no
|
||||||
|
<emphasis>burst</emphasis> is given, a value of 5 is assumed. There
|
||||||
|
may be no no whitespace embedded in the specification.</para>
|
||||||
|
|
||||||
|
<para>Example: 10/sec:20</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional)</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This column may only be non-empty if the SOURCE is the
|
||||||
|
firewall itself.</para>
|
||||||
|
|
||||||
|
<para>The column may contain:</para>
|
||||||
|
|
||||||
|
<para>[!][<emphasis>user name or number</emphasis>][:<emphasis>group
|
||||||
|
name or number</emphasis>][+<emphasis>program name</emphasis>]
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>When this column is non-empty, the rule applies only if the
|
||||||
|
program generating the output is running under the effective
|
||||||
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
||||||
|
specified (or is NOT running under that id if "!" is given).</para>
|
||||||
|
|
||||||
|
<para>Examples:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>joe</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>program must be run by joe</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>:kids</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>program must be run by a member of the 'kids'
|
||||||
|
group</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>!:kids</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>program must not be run by a member of the 'kids'
|
||||||
|
group</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>+upnpd</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>#program named upnpd</para>
|
||||||
|
|
||||||
|
<important>
|
||||||
|
<para>The ability to specify a program name was removed from
|
||||||
|
Netfilter in kernel version 2.6.14.</para>
|
||||||
|
</important>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Example</title>
|
<title>Example</title>
|
||||||
|
|
||||||
<para></para>
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 1:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||||
|
|
||||||
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# PORT PORT(S) DEST
|
||||||
|
ACCEPT dmz net tcp smtp</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 2:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Forward all ssh and http connection requests from the internet
|
||||||
|
to local system 192.168.1.3</para>
|
||||||
|
|
||||||
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# PORT PORT(S) DEST
|
||||||
|
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 3:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Forward all http connection requests from the internet to
|
||||||
|
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
||||||
|
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
|
# PORT PORT(S) DEST LIMIT
|
||||||
|
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 4:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Redirect all locally-originating www connection requests to
|
||||||
|
port 3128 on the firewall (Squid running on the firewall system)
|
||||||
|
except when the destination address is 192.168.2.2</para>
|
||||||
|
|
||||||
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# PORT PORT(S) DEST
|
||||||
|
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 5:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>All http requests from the internet to address 130.252.100.69
|
||||||
|
are to be forwarded to 192.168.1.3</para>
|
||||||
|
|
||||||
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# PORT PORT(S) DEST
|
||||||
|
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 6:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>You want to accept SSH connections to your firewall only from
|
||||||
|
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
||||||
|
|
||||||
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# PORT PORT(S) DEST
|
||||||
|
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||||
|
tcp 22</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 7:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>You wish to accept connections from the internet to your
|
||||||
|
firewall on port 2222 and you want to forward them to local system
|
||||||
|
192.168.1.3, port 22</para>
|
||||||
|
|
||||||
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# PORT PORT(S) DEST
|
||||||
|
ACCEPT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>FILES</title>
|
<title>FILES</title>
|
||||||
|
|
||||||
<para>/etc/shorewall/</para>
|
<para>/etc/shorewall/rules</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|