Shorewall and Ipsets
Tom
Eastep
2005
2008
2010
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation appropriate for your
version.
What are Ipsets?
Ipsets are an extension to Netfilter/iptables that are currently
available in xtables-addons.
Instructions for installing xtables-addons may be found in the Dynamic Zones article.
Ipset allows you to create one or more named sets of addresses then
use those sets to define Netfilter/iptables rules. Possible uses of ipsets
include:
Blacklists. Ipsets provide an efficient way to represent large
sets of addresses and you can maintain the lists without the need to
restart or even refresh your Shorewall configuration.
Zone definition. Using the /etc/shorewall/hosts file, you can
define a zone based on the (dynamic)
contents of an ipset. Again, you can then add or delete
addresses to the ipset without restarting Shorewall.
Triggers. Using an iptree ipset with a timeout together with the
ADD and DEL commands in shorewall-rules (5) allows
you to implement triggers.
See the ipsets site (URL above) for additional information about
ipsets.
Shorewall Support for Ipsets
Support for ipsets was introduced in Shorewall version 2.3.0. In
most places where a host or network address may be used, you may also use
the name of an ipset prefaced by "+".
Example: "+Mirrors"
When using Shorewall, the names of ipsets are restricted as
follows:
They must begin with a letter (after the '+').
They must be composed of letters, digits or underscores
("_").
To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".
Example 1: Blacklist all hosts in an ipset named "blacklist"
/etc/shorewall/blacklist#ADDRESS/SUBNET PROTOCOL PORT
+blacklist
Example 2: Allow SSH from all hosts in an ipset named "sshok:
/etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22
The name of the ipset can be optionally followed by a
comma-separated list of flags enclosed in square brackets ([...]). Each
flag is either src or dst and specifies whether it is the SOURCE address
or port number or the DESTINATION address or port number that should be
matched. The number of flags must be appropriate for the type of ipset. If
no flags are given, Shorewall assumes that the set takes a single flag and
will select the flag based on the context. For example, in the blacklist
file and when the ipset appears in the SOURCE column of the rules file,
src is assumed. If the ipset appears in
the DEST column of the rules file, dst is
assumed. Note that by using [dst] in the
blacklist file, you can coerce the rule into matching the destination IP
address rather than the source.
Shorewall can save/restore your ipset contents with certain
restrictions:
You must set SAVE_IPSETS=Yes in shorewall.conf (5).
You cannot use an ipset in shorewall-routestopped
(5).
The restore command cannot restore ipset
contents saved by the save command unless the
firewall is first stopped.