Shorewall and Ipsets
Tom
Eastep
2005-07-27
2005
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
What are Ipsets?
Ipsets are an extention to Netfilter/iptables that are currently
available in Patch-O-Matic-ng (http://www.netfilter.org). Using
ipsets requires that you patch your kernel and iptables and that you build
and install the ipset utility from http://people.netfilter.org/kadlec/ipset/.
Ipset allows you to create one or more named sets of addresses then
use those sets to define Netfilter/iptables rules. Possible uses of ipsets
include:
Blacklists. Ipsets provide an effecient way to represent large
sets of addresses and you can maintain the lists without the need to
restart or even refresh your Shorewall configuration.
Zone definition. Using the /etc/shorewall/hosts file, you can
define a zone based on the (dynamic) contents of an ipset. Again, you
can then add or delete addresses to the ipset without restarting
Shorewall.
See the ipsets site (URL above) for additional information about
ipsets.
Shorewall Support for Ipsets
Support for ipsets was introduced in Shorewall version 2.3.0. In
most places where a host or network address may be used, you may also use
the name of an ipset prefaced by "+".
Example: "+Mirrors"
The name of the set may optionally followed by:
a number from 1 to 6 enclosed in square brackets ([]) -- this
number indicates the maximum number of ipset binding levels that are
to be matched. Depending on the context where the ipset name is used,
either all "src" or all "dst" matches will be used.
Example: "+Mirrors[4]"
a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly to
iptables in the generated --set clause. See the ipset documentation
for details.
Example: "+Mirrors[src,dst,src]"
Note that "+Mirrors[4]" used in the SOURCE column of the rules
file is equivalent to "+Mirrors[src,src,src,src]".
To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".
Example 1: Blacklist all hosts in an ipset named "blacklist"
/etc/shorewall/blacklist#ADDRESS/SUBNET PROTOCOL PORT
+blacklist
Example 2: Allow SSH from all hosts in an ipset named "sshok:
/etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok fw tcp 22
Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf then
"shorewall save" will save the contents of your ipsets. The file where the
sets are saved is formed by taking the name where the Shorewall
configuration is stored and appending "-ipsets". So if you enter the
command "shorewall save standard" then your Shorewall
Regardless of the setting of SAVE_IPSETS, the shorewall -f
start and shorewall restore commands will
restore the ipset contents corresponding to the Shorewall configuration
restored provided that the saved Shorewall configuration specified
exists.
For example, shorewall restore standard would
restore the ipset contents from
/var/lib/shorewall/standard-ipsets provided that
/var/lib/shorewall/standard exists and is executable
and that /var/lib/shorewall/standard-ipsets exists
and is executable.
Also regardless of the setting of SAVE_IPSETS, the
shorewall forget command will purge the saved ipset
information (if any) associated with the saved shorewall configuration
being removed.
You can also associate ipset contents with Shorewall configuration
directories using the following command:
ipset -S > <config directory>/ipsets
Example:
ipset -S > /etc/shorewall/ipsets
When you start or restart Shorewall (including using the
try command) from the configuration directory, your
ipsets will be configured from the saved ipsets file. Once again, this
behavior is independent of the setting of SAVE_IPSETS.
As mentioned above, ipsets are well suited for large blacklists. You
can maintain your blacklist using the 'ipset' utility without ever having
to restart or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature
just be sure to "shorewall save" after altering the blacklist ipset(s).
Example:
/etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[src,dst]
+Blacklistnets[src,dst]
Create the blacklist ipsets using:
ipset -N Blacklist iphash
ipset -N Blacklistnets nethash
Add entries:
ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.147.0/24
To allow entries for individual ports:
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
Now only port 25 will be blocked from 206.124.146.177.
Defining Dynamic Zones using Ipsets
The use of ipsets provides a much better way to define dynamic zones
than is provided by the native Shorewall implementation. To define a
dynamic zone of hosts dyn that interface
through interface eth3, use:
/etc/shorewall/zones:
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
dyn plain
/etc/shorewall/interfaces:
#ZONE INTERFACE OPTIONS
- eth3 …
/etc/shorewall/hosts:
#ZONE HOSTS OPTIONS
dyn eth3:+Dyn
Now create an ipmap named Dyn and
you're all set. You can add and delete addresses from Dyn without having
to touch Shorewall.