mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-23 08:03:11 +01:00
1573d32665
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5011 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
955 lines
39 KiB
XML
955 lines
39 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-rules</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>rules</refname>
|
|
|
|
<refpurpose>Shorewall rules file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall/rules</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>Rules in this file govern connection establishment. By default,
|
|
subsequent requests and responses are automatically allowed using
|
|
connection tracking. For any particular (source,dest) pair of zones, the
|
|
rules are evaluated in the order in which they appear in this file and the
|
|
first terminating match is the one that determines the disposition of the
|
|
request. All rules are terminating except LOG and QUEUE rules.</para>
|
|
|
|
<para>In most places where an IP address or subnet is allowed, you can
|
|
preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to indicate
|
|
that the rule matches all addresses except the address/subnet given.
|
|
Notice that no white space is permitted between "!" and the
|
|
address/subnet.</para>
|
|
|
|
<warning>
|
|
<para>If you masquerade or use SNAT from a local system to the internet,
|
|
you cannot use an ACCEPT rule to allow traffic from the internet to that
|
|
system. You <emphasis role="bold">must</emphasis> use a DNAT rule
|
|
instead.</para>
|
|
</warning>
|
|
|
|
<para>The rules file is divided into sections. Each section is introduced
|
|
by a "Section Header" which is a line beginning with SECTION and followed
|
|
by the section name.</para>
|
|
|
|
<para>Sections are as follows and must appear in the order listed:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the ESTABLISHED state are processed by rules in
|
|
this section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">RELATED</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the RELATED state are processed by rules in this
|
|
section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NEW</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the NEW and INVALID states are processed by rules
|
|
in this section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<note>
|
|
<para>If you are not familiar with Netfilter to the point where you are
|
|
comfortable with the differences between the various connection tracking
|
|
states, then I suggest that you omit the <emphasis
|
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
role="bold">RELATED</emphasis> sections and place all of your rules in
|
|
the NEW section (That's after the line that reads SECTION NEW').</para>
|
|
</note>
|
|
|
|
<warning>
|
|
<para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
|
|
<emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
|
</warning>
|
|
|
|
<para>You may omit any section that you don't need. If no Section Headers
|
|
appear in the file then all rules are assumed to be in the NEW
|
|
section.</para>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACTION</emphasis> — {<emphasis
|
|
role="bold">ACCEPT</emphasis>[<emphasis
|
|
role="bold">+</emphasis>]|<emphasis
|
|
role="bold">NONAT</emphasis>|<emphasis
|
|
role="bold">DROP</emphasis>|<emphasis
|
|
role="bold">REJECT</emphasis>|<emphasis
|
|
role="bold">DNAT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>]|<emphasis
|
|
role="bold">SAME</emphasis>[<emphasis
|
|
role="bold">-</emphasis>]|<emphasis
|
|
role="bold">REDIRECT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>]|<emphasis
|
|
role="bold">CONTINUE</emphasis>|<emphasis
|
|
role="bold">LOG</emphasis>|<emphasis
|
|
role="bold">QUEUE</emphasis>|<emphasis
|
|
role="bold">COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
|
|
role="bold">/</emphasis><emphasis>target</emphasis>}<emphasis
|
|
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
|
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
|
role="bold">!</emphasis></emphasis>][<emphasis
|
|
role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>
|
|
|
|
<listitem>
|
|
<para>Specifies the action to be taken if the connection request
|
|
matches the rule. Must be one of the following.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Allow the connection request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT+</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like ACCEPT but also excludes the connection from any
|
|
subsequent matching <emphasis
|
|
role="bold">DNAT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] rules</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NONAT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Excludes the connection from any subsequent <emphasis
|
|
role="bold">DNAT</emphasis>[-] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
|
|
a rule to accept the traffic.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Ignore the request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>disallow the request and return an icmp-unreachable or
|
|
an RST packet.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DNAT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Forward the request to another system (and optionally
|
|
another port).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DNAT-</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like <emphasis role="bold">DNAT</emphasis> but only
|
|
generates the <emphasis role="bold">DNAT</emphasis> iptables
|
|
rule and not the companion <emphasis
|
|
role="bold">ACCEPT</emphasis> rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SAME</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Similar to <emphasis role="bold">DNAT</emphasis> except
|
|
that the port may not be remapped and when multiple server
|
|
addresses are listed, all requests from a given remote system
|
|
go to the same server.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SAME-</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like SAME but only generates the nat iptables rule and
|
|
not the companion <emphasis role="bold">ACCEPT</emphasis>
|
|
rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REDIRECT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Redirect the request to a server running on the
|
|
firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REDIRECT-</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
|
|
generates the <emphasis role="bold">REDIRECT</emphasis>
|
|
iptables rule and not the companion <emphasis
|
|
role="bold">ACCEPT</emphasis> rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>For experts only.</para>
|
|
|
|
<para>Do not process any of the following rules for this
|
|
(source zone,destination zone). If the source and/or
|
|
destination IP address falls into a zone defined later in
|
|
shorewall-zones(5) or in a parent zone of the source or
|
|
destination zones, then this connection request will be passed
|
|
to the rules defined for that (those) zone(s).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">LOG</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Simply log the packet and continue with the next
|
|
rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">QUEUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Queue the packet to a user-space application such as
|
|
ftwall (http://p2pwall.sf.net). The application may reinsert
|
|
the packet for further processing.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">COMMENT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>the rest of the line will be attached as a comment to
|
|
the Netfilter rule(s) generated by the following entrIes. The
|
|
comment will appear delimited by "/* ... */" in the output of
|
|
"shorewall show <chain>". To stop the comment from being
|
|
attached to further rules, simply include COMMENT on a line by
|
|
itself.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>action</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of an <emphasis>action</emphasis> defined in
|
|
shorewall-actions(5) or in
|
|
/usr/share/shorewall/actions.std.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>macro</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of a macro defined in a file named
|
|
macro.<emphasis>macro</emphasis>. If the macro accepts an
|
|
action parameter (Look at the macro source to see if it has
|
|
PARAM in the TARGET column) then the
|
|
<emphasis>macro</emphasis> name is followed by "/" and the
|
|
<emphasis>target</emphasis> (<emphasis
|
|
role="bold">ACCEPT</emphasis>, <emphasis
|
|
role="bold">DROP</emphasis>, <emphasis
|
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
|
parameter.</para>
|
|
|
|
<para>Example: FTP/ACCEPT.</para>
|
|
|
|
<programlisting></programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<blockquote>
|
|
<para>The <emphasis role="bold">ACTION</emphasis> may optionally
|
|
be followed by ":" and a syslog log level (e.g, REJECT:info or
|
|
DNAT:debug). This causes the packet to be logged at the specified
|
|
level. Note that if the <emphasis role="bold">ACTION</emphasis>
|
|
involves destination network address translation (DNAT, REDIRECT,
|
|
SAME, etc.) then the packet is logged <emphasis
|
|
role="bold">before</emphasis> the destination address is
|
|
rewritten.</para>
|
|
|
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
|
<emphasis>action</emphasis> defined in shorewall-actions(5) or in
|
|
/usr/share/shorewall/actions.std then:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If the log level is followed by "!' then all rules in
|
|
the action are logged at the log level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the log level is not followed by "!" then only those
|
|
rules in the action that do not specify logging are logged at
|
|
the specified level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The special log level <emphasis
|
|
role="bold">none!</emphasis> suppresses logging by the
|
|
action.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You may also specify <emphasis role="bold">ULOG</emphasis>
|
|
(must be in upper case) as a log level.This will log to the ULOG
|
|
target for routing to a separate log through use of ulogd
|
|
(http://www.gnumonks.org/projects/ulogd).</para>
|
|
|
|
<para>Actions specifying logging may be followed by a log tag (a
|
|
string of alphanumeric characters) which is appended to the string
|
|
generated by the LOGPREFIX (in shorewall.conf(5)).</para>
|
|
|
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
|
the log prefix generated by the LOGPREFIX setting.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE</emphasis> —
|
|
{<emphasis>zone</emphasis>|<emphasis
|
|
role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis
|
|
role="bold">-</emphasis>]}<emphasis
|
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
|
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
|
|
|
<listitem>
|
|
<para>Source hosts to which the rule applies. May be a zone defined
|
|
in /etc/shorewall/zones, <emphasis role="bold">$FW</emphasis> to
|
|
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
|
|
<emphasis role="bold">all+</emphasis>, <emphasis
|
|
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
|
|
or <emphasis role="bold">none</emphasis>.</para>
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
|
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
|
means "All Zones, except the firewall itself". When <emphasis
|
|
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
|
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
|
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] is "used, intra-zone traffic is
|
|
affected.</para>
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
specified, clients may be further restricted to a list of networks
|
|
and/or hosts by appending ":" and a comma-separated list of network
|
|
and/or host addresses. Hosts may be specified by IP or MAC address;
|
|
mac addresses must begin with "~" and must use "-" as a
|
|
separator.</para>
|
|
|
|
<para>Hosts may also be specified as an IP address range using the
|
|
syntax
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
This requires that your kernel and iptables contain iprange match
|
|
support. If your kernel and iptables have ipset match support then
|
|
you may give the name of an ipset prefaced by "+". The ipset name
|
|
may be optionally followed by a number from 1 to 6 enclosed in
|
|
square brackets ([]) to indicate the number of levels of source
|
|
bindings to be matched.</para>
|
|
|
|
<para>You may exclude certain hosts from the set already defined
|
|
through use of an <emphasis>exclusion</emphasis> (see
|
|
shorewall-exclusion(5)).</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>dmz:192.168.2.2</term>
|
|
|
|
<listitem>
|
|
<para>Host 192.168.2.2 in the DMZ</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:155.186.235.0/24</term>
|
|
|
|
<listitem>
|
|
<para>Subnet 155.186.235.0/24 on the Internet</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>loc:192.168.1.1,192.168.1.2</term>
|
|
|
|
<listitem>
|
|
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
|
|
zone.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>loc:~00-A0-C9-15-39-78</term>
|
|
|
|
<listitem>
|
|
<para>Host in the local zone with MAC address
|
|
00:A0:C9:15:39:78.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:192.0.2.11-192.0.2.17</term>
|
|
|
|
<listitem>
|
|
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:!192.0.2.11-192.0.2.17</term>
|
|
|
|
<listitem>
|
|
<para>All hosts in the net zone except for
|
|
192.0.2.11-192.0.2.17.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:155.186.235.0/24!155.186.235.16/28</term>
|
|
|
|
<listitem>
|
|
<para>Subnet 155.186.235.0/24 on the Internet except for
|
|
155.186.235.16/28</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<blockquote>
|
|
<para>Alternatively, clients may be specified by interface by
|
|
appending ":" to the zone name followed by the interface name. For
|
|
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
|
client that communicates with the firewall system through eth1.
|
|
This may be optionally followed by another colon (":") and an
|
|
IP/MAC/subnet address as described above (e.g., <emphasis
|
|
role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST</emphasis> —
|
|
{<emphasis>zone</emphasis>|<emphasis
|
|
role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis
|
|
role="bold">-</emphasis>]}<emphasis
|
|
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}]</term>
|
|
|
|
<listitem>
|
|
<para>Location of Server. May be a zone defined in
|
|
shorewall-zones(5), $<emphasis role="bold">FW</emphasis> to indicate
|
|
the firewall itself, <emphasis role="bold">all</emphasis>. <emphasis
|
|
role="bold">all+</emphasis> or <emphasis
|
|
role="bold">none</emphasis>.</para>
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
<para>When <emphasis role="bold">all</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column intra-zone traffic is not
|
|
affected. When <emphasis role="bold">all+</emphasis> is used,
|
|
intra-zone traffic is affected.</para>
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>] is specified, the server may be further
|
|
restricted to a particular network, host or interface by appending
|
|
":" and the network, host or interface. See <emphasis
|
|
role="bold">SOURCE</emphasis> above.</para>
|
|
|
|
<para>You may exclude certain hosts from the set already defined
|
|
through use of an <emphasis>exclusion</emphasis> (see
|
|
shorewall-exclusion(5)).</para>
|
|
|
|
<para>Restrictions:</para>
|
|
|
|
<para>1. MAC addresses are not allowed (this is a Netfilter
|
|
restriction).</para>
|
|
|
|
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
|
|
addresses are allowed; no FQDNs or subnet addresses are
|
|
permitted.</para>
|
|
|
|
<para>3. You may not specify both an interface and an
|
|
address.</para>
|
|
|
|
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
|
you may specify a range of IP addresses using the syntax
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
role="bold">DNAT</emphasis> or <emphasis
|
|
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
|
addresses in the range in a round-robin fashion.</para>
|
|
|
|
<para>If you kernel and iptables have ipset match support then you
|
|
may give the name of an ipset prefaced by "+". The ipset name may be
|
|
optionally followed by a number from 1 to 6 enclosed in square
|
|
brackets ([]) to indicate the number of levels of destination
|
|
bindings to be matched. Only one of the <emphasis
|
|
role="bold">SOURCE</emphasis> and <emphasis
|
|
role="bold">DEST</emphasis> columns may specify an ipset
|
|
name.</para>
|
|
|
|
<para>The port that the server is listening on may be included and
|
|
separated from the server's IP address by ":". If omitted, the
|
|
firewall will not modifiy the destination port. A destination port
|
|
may only be included if the <emphasis role="bold">ACTION</emphasis>
|
|
is <emphasis role="bold">DNAT</emphasis> or <emphasis
|
|
role="bold">REDIRECT</emphasis>. Example:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example:</term>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
|
|
specifies a local server at IP address 192.168.1.3 and
|
|
listening on port 3128. The port number MUST be specified as
|
|
an integer and not as a name from services(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<blockquote>
|
|
<para>if the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
role="bold">REDIRECT</emphasis> or <emphasis
|
|
role="bold">REDIRECT-</emphasis>, this column needs only to
|
|
contain the port number on the firewall that the request should be
|
|
redirected to.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">PROTO</emphasis> (Optional) — {<emphasis
|
|
role="bold">-</emphasis>|<emphasis
|
|
role="bold">tcp:syn</emphasis>|<emphasis
|
|
role="bold">ipp2p</emphasis>|<emphasis
|
|
role="bold">ipp2p:udp</emphasis>|<emphasis
|
|
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
|
|
role="bold">all}</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
|
|
ipp2p match support in your kernel and iptables. <emphasis
|
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
|
RST,ACK and FIN flags must be reset.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) —
|
|
{<emphasis
|
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
|
|
|
<listitem>
|
|
<para>Destination Ports. A comma-separated list of Port names (from
|
|
services(5)), port numbers or port ranges; if the protocol is
|
|
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
|
the destination icmp-type(s).</para>
|
|
|
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
|
this column is interpreted as an ipp2p option without the leading
|
|
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
|
If no port is given, <emphasis role="bold">ipp2p</emphasis> is
|
|
assumed.</para>
|
|
|
|
<para>A port range is expressed as
|
|
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
|
|
|
|
<para>This column is ignored if <emphasis
|
|
role="bold">PROTO</emphasis> = <emphasis role="bold">all</emphasis>
|
|
but must be entered if any of the following columns are supplied. In
|
|
that case, it is suggested that this field contain a dash (<emphasis
|
|
role="bold">-</emphasis>).</para>
|
|
|
|
<para>If your kernel contains multi-port match support, then only a
|
|
single Netfilter rule will be generated if in this list and the
|
|
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
<para>2. No port ranges are included or your kernel and iptables
|
|
contain extended multiport match support.</para>
|
|
|
|
<para>Otherwise, a separate rule will be generated for each
|
|
port.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) —
|
|
{<emphasis
|
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
|
|
|
<listitem>
|
|
<para>Port(s) used by the client. If omitted, any source port is
|
|
acceptable. Specified as a comma- separated list of port names, port
|
|
numbers or port ranges.</para>
|
|
|
|
<warning>
|
|
<para>Unless you really understand TCP/IP, you should leave this
|
|
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
|
in the column. Most people who try to use this column get it
|
|
wrong.</para>
|
|
</warning>
|
|
|
|
<blockquote>
|
|
<para>If you don't want to restrict client ports but need to
|
|
specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
|
|
next column, then place "-" in this column.</para>
|
|
|
|
<para>If your kernel contains multi-port match support, then only
|
|
a single Netfilter rule will be generated if in this list and the
|
|
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
<para>2. No port ranges are included or your kernel and iptables
|
|
contain extended multiport match support.</para>
|
|
|
|
<para>Otherwise, a separate rule will be generated for each
|
|
port.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) —
|
|
[<emphasis
|
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
|
|
then if this column is included and is different from the IP address
|
|
given in the <emphasis role="bold">SERVER</emphasis> column, then
|
|
connections destined for that address will be forwarded to the IP
|
|
and port specified in the <emphasis role="bold">DEST</emphasis>
|
|
column.</para>
|
|
|
|
<para>A comma-separated list of addresses may also be used. This is
|
|
most useful with the <emphasis role="bold">REDIRECT</emphasis>
|
|
target where you want to redirect traffic destined for particular
|
|
set of hosts. Finally, if the list of addresses begins with "!"
|
|
(<emphasis>exclusion</emphasis>) then the rule will be followed only
|
|
if the original destination address in the connection request does
|
|
not match any of the addresses listed.</para>
|
|
|
|
<para>For other actions, this column may be included and may contain
|
|
one or more addresses (host or network) separated by commas. Address
|
|
ranges are not allowed. When this column is supplied, rules are
|
|
generated that require that the original destination address matches
|
|
one of the listed addresses. This feature is most useful when you
|
|
want to generate a filter rule that corresponds to a <emphasis
|
|
role="bold">DNAT-</emphasis> or <emphasis
|
|
role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
|
|
addresses should not begin with "!".</para>
|
|
|
|
<para>It is also possible to specify a set of addresses then exclude
|
|
part of those addresses. For example, <emphasis
|
|
role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
|
|
addresses 192.168.1.0-182.168.1.15 and
|
|
192.168.1.32-192.168.1.255.</para>
|
|
|
|
<para>See http://shorewall.net/PortKnocking.html for an example of
|
|
using an entry in this column with a user-defined action
|
|
rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) —
|
|
[<emphasis role="bold">-</emphasis>|<emphasis>rate</emphasis><emphasis
|
|
role="bold">/</emphasis>{<emphasis
|
|
role="bold">sec</emphasis>|<emphasis
|
|
role="bold">min</emphasis>}[:<emphasis>burst</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>You may rate-limit the rule by placing a value in this
|
|
column:</para>
|
|
|
|
<para><emphasis>rate</emphasis> is the number of connections per
|
|
interval (<emphasis role="bold">sec</emphasis> or <emphasis
|
|
role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
|
|
largest burst permitted. If no <emphasis>burst</emphasis> is given,
|
|
a value of 5 is assumed. There may be no no whitespace embedded in
|
|
the specification.</para>
|
|
|
|
<para>Example: <emphasis role="bold">10/sec:20</emphasis></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) —
|
|
[<emphasis
|
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>This column may only be non-empty if the SOURCE is the
|
|
firewall itself.</para>
|
|
|
|
<para>When this column is non-empty, the rule applies only if the
|
|
program generating the output is running under the effective
|
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
|
specified (or is NOT running under that id if "!" is given).</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>joe</term>
|
|
|
|
<listitem>
|
|
<para>program must be run by joe</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>:kids</term>
|
|
|
|
<listitem>
|
|
<para>program must be run by a member of the 'kids'
|
|
group</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>!:kids</term>
|
|
|
|
<listitem>
|
|
<para>program must not be run by a member of the 'kids'
|
|
group</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>+upnpd</term>
|
|
|
|
<listitem>
|
|
<para>#program named upnpd</para>
|
|
|
|
<important>
|
|
<para>The ability to specify a program name was removed from
|
|
Netfilter in kernel version 2.6.14.</para>
|
|
</important>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example 1:</term>
|
|
|
|
<listitem>
|
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT dmz net tcp smtp</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 2:</term>
|
|
|
|
<listitem>
|
|
<para>Forward all ssh and http connection requests from the internet
|
|
to local system 192.168.1.3</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 3:</term>
|
|
|
|
<listitem>
|
|
<para>Forward all http connection requests from the internet to
|
|
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
|
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
# PORT PORT(S) DEST LIMIT
|
|
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 4:</term>
|
|
|
|
<listitem>
|
|
<para>Redirect all locally-originating www connection requests to
|
|
port 3128 on the firewall (Squid running on the firewall system)
|
|
except when the destination address is 192.168.2.2</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 5:</term>
|
|
|
|
<listitem>
|
|
<para>All http requests from the internet to address 130.252.100.69
|
|
are to be forwarded to 192.168.1.3</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 6:</term>
|
|
|
|
<listitem>
|
|
<para>You want to accept SSH connections to your firewall only from
|
|
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
|
tcp 22</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 7:</term>
|
|
|
|
<listitem>
|
|
<para>You wish to accept connections from the internet to your
|
|
firewall on port 2222 and you want to forward them to local system
|
|
192.168.1.3, port 22</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/rules</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para><ulink
|
|
url="http://shorewall.net/Documentation.htm#Rules">http://shorewall.net/Documentation.htm#Rules</ulink></para>
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
shorewall-route_routes(5), shorewall-routestopped(5), shorewall.conf(5),
|
|
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
|
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry> |