Shorewall and Ipsets Tom Eastep 2005 2008 2010 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.4.0 then please see the documentation appropriate for your version.
What are Ipsets? Ipsets are an extension to Netfilter/iptables that are currently available in xtables-addons. Instructions for installing xtables-addons may be found in the Dynamic Zones article. Ipset allows you to create one or more named sets of addresses then use those sets to define Netfilter/iptables rules. Possible uses of ipsets include: Blacklists. Ipsets provide an efficient way to represent large sets of addresses and you can maintain the lists without the need to restart or even refresh your Shorewall configuration. Zone definition. Using the /etc/shorewall/hosts file, you can define a zone based on the (dynamic) contents of an ipset. Again, you can then add or delete addresses to the ipset without restarting Shorewall. See the ipsets site (URL above) for additional information about ipsets.
Shorewall Support for Ipsets Support for ipsets was introduced in Shorewall version 2.3.0. In most places where a host or network address may be used, you may also use the name of an ipset prefaced by "+". Example: "+Mirrors" When using Shorewall, the names of ipsets are restricted as follows: They must begin with a letter (after the '+'). They must be composed of letters, digits or underscores ("_"). To generate a negative match, prefix the "+" with "!" as in "!+Mirrors". Example 1: Blacklist all hosts in an ipset named "blacklist" /etc/shorewall/blacklist#ADDRESS/SUBNET PROTOCOL PORT +blacklist Example 2: Allow SSH from all hosts in an ipset named "sshok: /etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT net:+sshok $FW tcp 22 The name of the ipset can be optionally followed by a comma-separated list of flags enclosed in square brackets ([...]). Each flag is either src or dst and specifies whether it is the SOURCE address or port number or the DESTINATION address or port number that should be matched. The number of flags must be appropriate for the type of ipset. If no flags are given, Shorewall assumes that the set takes a single flag and will select the flag based on the context. For example, in the blacklist file and when the ipset appears in the SOURCE column of the rules file, src is assumed. If the ipset appears in the DEST column of the rules file, dst is assumed. Note that by using [dst] in the blacklist file, you can coerce the rule into matching the destination IP address rather than the source. Shorewall can save/restore your ipset contents with certain restrictions: You must set SAVE_IPSETS=Yes in shorewall.conf (5). You cannot use an ipset in shorewall-routestopped (5). The restore command cannot restore ipset contents saved by the save command unless the firewall is first stopped.