Shorewall and Ipsets
Tom Eastep
Copyright 2005, 2008 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
What are Ipsets?
Ipsets are an extension to Netfilter/iptables that are currently
available in xtables-addons.
Instructions for installing xtables-addons may be found in the Dynamic Zones article.
Ipset allows you to create one or more named sets of addresses and then refer to those sets in Netfilter/iptables rules, so that a single rule can match an arbitrarily large set of addresses. Possible uses of ipsets include:
Blacklists. Ipsets provide an efficient way to represent large sets of addresses, and you can maintain the lists without the need to restart or even refresh your Shorewall configuration.
Zone definition. Using the /etc/shorewall/hosts file, you can define a zone based on the (dynamic) contents of an ipset. Again, you can then add or delete addresses in the ipset without restarting Shorewall.
See the ipset project site for additional information about ipsets.
Shorewall Support for Ipsets
Support for ipsets was introduced in Shorewall version 2.3.0. In
most places where a host or network address may be used, you may also use
the name of an ipset prefaced by "+".
Example: "+Mirrors"
When using Shorewall, the names of ipsets are restricted as follows:
They must begin with a letter (after the '+').
They must be composed of letters, digits or underscores ("_").
To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".
Example 1: Blacklist all hosts in an ipset named "blacklist"

/etc/shorewall/blacklist
#ADDRESS/SUBNET PROTOCOL PORT
+blacklist

Example 2: Allow SSH from all hosts in an ipset named "sshok"

/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22
Shorewall does not load or reload ipsets itself, because the Netfilter rule set is never cleared and ipset cannot destroy or replace a set while any current rule references it. There is therefore no point during a start or restart at which Shorewall could safely do so.
So:
Your ipsets must be loaded before Shorewall starts. You are free
to try to do that with the following code in
/etc/shorewall/init (it works for me; your mileage may
vary):
if [ "$COMMAND" = start ]; then
    ipset -F                           # flush the contents of every set
    ipset -X                           # destroy every set (fails if a rule still references one)
    ipset -R < /etc/shorewall/ipsets   # restore the sets saved with "ipset -S"
fi
The file /etc/shorewall/ipsets will
normally be produced using the ipset -S
command.
The above will work most of the time but will fail in a shorewall stop followed by shorewall start if you use ipsets in your routestopped file (see below): after a stop, the rules that keep the routestopped hosts reachable are still loaded, so ipset -X cannot destroy the sets they reference.
Your ipsets may not be reloaded until Shorewall is stopped or
cleared.
If you specify ipsets in your routestopped file then Shorewall
must be cleared in order to reload your ipsets.
As a consequence, scripts generated by the Perl-based compiler ignore /etc/shorewall/ipsets and issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf.
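The following is an added example, not Shorewall's own code, of a more defensive version of the /etc/shorewall/init fragment above. It checks the saved-set file against Shorewall's naming rules before touching the kernel, only acts on "start", and stops with a clear message when ipset -X fails because a rule still references a set (the stop/start-with-routestopped case) instead of continuing into ipset -R. It assumes the old ipset command syntax used in this article (ipset -F, -X, -R, -S), a saved file written by ipset -S whose set declarations are lines beginning "-N <name> <type> ...", and the $COMMAND variable the article's fragment uses; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): a defensive replacement for the
# /etc/shorewall/init fragment in this article.  Assumes the old ipset
# syntax (ipset -F/-X/-R/-S) and a file produced by "ipset -S", in which
# every set is declared on a line of the form "-N <name> <type> ...".

IPSETS_FILE=${IPSETS_FILE:-/etc/shorewall/ipsets}

# Shorewall's naming rules: after the '+', a set name must begin with a
# letter and may contain only letters, digits and underscores.
ipset_name_ok() {
    case "$1" in
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Print the names of the sets declared in a file produced by "ipset -S".
ipsets_in_file() {
    awk '$1 == "-N" { print $2 }' "$1"
}

# Reject the file if any set name would be unusable from Shorewall.
check_ipsets_file() {
    rc=0
    for name in $(ipsets_in_file "$1"); do
        if ! ipset_name_ok "$name"; then
            echo "ipset name not usable from Shorewall: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Load the sets only on "start".  "ipset -X" fails while any Netfilter rule
# still references a set (rules for routestopped hosts survive a stop), so
# report that instead of leaving flushed, half-loaded sets behind.
load_ipsets() {
    cmd=$1
    file=$2
    [ "$cmd" = start ] || return 0
    [ -r "$file" ] || { echo "ipsets file $file is not readable" >&2; return 1; }
    check_ipsets_file "$file" || return 1
    ipset -F || return 1
    if ! ipset -X; then
        echo "ipsets still in use; run 'shorewall clear' before reloading them" >&2
        return 1
    fi
    ipset -R < "$file"
}

# In /etc/shorewall/init Shorewall sets $COMMAND; wire it up like this:
load_ipsets "${COMMAND:-}" "$IPSETS_FILE"
```

The return value matters because an empty or missing set does not fail the same way in every rule: an empty "blacklist" set means the blacklist entry matches nothing (the firewall fails open), while an empty "sshok" set means the ACCEPT rule never matches (it fails closed). The function returns non-zero on every failed path so the caller can decide whether to abort the start.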