mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-04 21:41:15 +01:00
462 lines
16 KiB
Plaintext
462 lines
16 KiB
Plaintext
#
|
|
# Shorewall version 4 - Macro Template
|
|
#
|
|
# /usr/share/shorewall/macro.template
|
|
#
|
|
# Macro files are similar to action files with the following exceptions:
|
|
#
|
|
# - A macro file is not processed unless the marcro that it defines is
|
|
# referenced in the /etc/shorewall/rules file or in an action
|
|
# definition file.
|
|
#
|
|
# - Macros are translated directly into one or more rules whereas
|
|
# actions become their own chain.
|
|
#
|
|
# - All entries in a macro undergo substitution when the macro is
|
|
# invoked in the rules file.
|
|
#
|
|
# - Macros used in action bodies may not invoke other macros.
|
|
#
|
|
# The columns in the file are the same as those in the action.template file but
|
|
# have different restrictions:
|
|
#
|
|
# Columns are:
|
|
#
|
|
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
|
# LOG, QUEUE, PARAM or an <action> name.
|
|
#
|
|
# ACCEPT -- allow the connection request
|
|
# ACCEPT+ -- like ACCEPT but also excludes the
|
|
# connection from any subsequent
|
|
# DNAT[-] or REDIRECT[-] rules
|
|
# NONAT -- Excludes the connection from any
|
|
# subsequent DNAT[-] or REDIRECT[-]
|
|
# rules but doesn't generate a rule
|
|
# to accept the traffic.
|
|
# DROP -- ignore the request
|
|
# REJECT -- disallow the request and return an
|
|
# icmp-unreachable or an RST packet.
|
|
# DNAT -- Forward the request to another
|
|
# system (and optionally another
|
|
# port).
|
|
# DNAT- -- Advanced users only.
|
|
# Like DNAT but only generates the
|
|
# DNAT iptables rule and not
|
|
# the companion ACCEPT rule.
|
|
# SAME -- Similar to DNAT except that the
|
|
# port may not be remapped and when
|
|
# multiple server addresses are
|
|
# listed, all requests from a given
|
|
# remote system go to the same
|
|
# server.
|
|
# SAME- -- Advanced users only.
|
|
# Like SAME but only generates the
|
|
# NAT iptables rule and not
|
|
# the companion ACCEPT rule.
|
|
# REDIRECT -- Redirect the request to a local
|
|
# port on the firewall.
|
|
# REDIRECT-
|
|
# -- Advanced users only.
|
|
# Like REDIRET but only generates the
|
|
# REDIRECT iptables rule and not
|
|
# the companion ACCEPT rule.
|
|
#
|
|
# CONTINUE -- (For experts only). Do not process
|
|
# any of the following rules for this
|
|
# (source zone,destination zone). If
|
|
# The source and/or destination IP
|
|
# address falls into a zone defined
|
|
# later in /etc/shorewall/zones, this
|
|
# connection request will be passed
|
|
# to the rules defined for that
|
|
# (those) zone(s).
|
|
# LOG -- Simply log the packet and continue.
|
|
# QUEUE -- Queue the packet to a user-space
|
|
# application such as ftwall
|
|
# (http://p2pwall.sf.net).
|
|
# PARAM -- If you code PARAM as the action in
|
|
# a macro then when you invoke the
|
|
# macro, you can include the name of
|
|
# the macro followed by a slash ("/")
|
|
# and an ACTION (either builtin or
|
|
# user-defined. All instances of
|
|
# PARAM in the body of the macro will
|
|
# be replaced with the ACTION.
|
|
# <action> -- The name of an action defined in
|
|
# /usr/share/shorewall/actions.std or
|
|
# in /etc/shorewall/actions.
|
|
#
|
|
# The ACTION may optionally be followed
|
|
# by ":" and a syslog log level (e.g, REJECT:info or
|
|
# DNAT:debug). This causes the packet to be
|
|
# logged at the specified level.
|
|
#
|
|
# You may also specify ULOG (must be in upper case) as a
|
|
# log level.This will log to the ULOG target for routing
|
|
# to a separate log through use of ulogd
|
|
# (http://www.gnumonks.org/projects/ulogd).
|
|
#
|
|
# Actions specifying logging may be followed by a
|
|
# log tag (a string of alphanumeric characters)
|
|
# are appended to the string generated by the
|
|
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
|
#
|
|
# Example: ACCEPT:info:ftp would include 'ftp '
|
|
# at the end of the log prefix generated by the
|
|
# LOGPREFIX setting.
|
|
#
|
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
|
# firewall itself, "all", "all+" or "none" If the ACTION
|
|
# is DNAT or REDIRECT, sub-zones of the specified zone
|
|
# may be excluded from the rule by following the zone
|
|
# name with "!' and a comma-separated list of sub-zone
|
|
# names.
|
|
#
|
|
# When "none" is used either in the SOURCE or DEST
|
|
# column, the rule is ignored.
|
|
#
|
|
# When "all" is used either in the SOURCE or DEST column
|
|
# intra-zone traffic is not affected. When "all+" is
|
|
# used, intra-zone traffic is affected.
|
|
#
|
|
# Except when "all[+]" is specified, clients may be
|
|
# further restricted to a list of subnets and/or hosts by
|
|
# appending ":" and a comma-separated list of subnets
|
|
# and/or hosts. Hosts may be specified by IP or MAC
|
|
# address; mac addresses must begin with "~" and must use
|
|
# "-" as a separator.
|
|
#
|
|
# Hosts may be specified as an IP address range using the
|
|
# syntax <low address>-<high address>. This requires that
|
|
# your kernel and iptables contain iprange match support.
|
|
# If you kernel and iptables have ipset match support
|
|
# then you may give the name of an ipset prefaced by "+".
|
|
# The ipset name may be optionally followed by a number
|
|
# from 1 to 6 enclosed in square brackets ([]) to
|
|
# indicate the number of levels of source bindings to be
|
|
# matched.
|
|
#
|
|
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
|
#
|
|
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
|
# Internet
|
|
#
|
|
# loc:192.168.1.1,192.168.1.2
|
|
# Hosts 192.168.1.1 and
|
|
# 192.168.1.2 in the local zone.
|
|
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
|
# MAC address 00:A0:C9:15:39:78.
|
|
#
|
|
# net:192.0.2.11-192.0.2.17
|
|
# Hosts 192.0.2.11-192.0.2.17 in
|
|
# the net zone.
|
|
#
|
|
# Alternatively, clients may be specified by interface
|
|
# by appending ":" to the zone name followed by the
|
|
# interface name. For example, loc:eth1 specifies a
|
|
# client that communicates with the firewall system
|
|
# through eth1. This may be optionally followed by
|
|
# another colon (":") and an IP/MAC/subnet address
|
|
# as described above (e.g., loc:eth1:192.168.1.5).
|
|
#
|
|
# DEST Location of Server. May be a zone defined in
|
|
# /etc/shorewall/zones, $FW to indicate the firewall
|
|
# itself, "all". "all+" or "none".
|
|
#
|
|
# When "none" is used either in the SOURCE or DEST
|
|
# column, the rule is ignored.
|
|
#
|
|
# When "all" is used either in the SOURCE or DEST column
|
|
# intra-zone traffic is not affected. When "all+" is
|
|
# used, intra-zone traffic is affected.
|
|
#
|
|
# Except when "all[+]" is specified, the server may be
|
|
# further restricted to a particular subnet, host or
|
|
# interface by appending ":" and the subnet, host or
|
|
# interface. See above.
|
|
#
|
|
# Restrictions:
|
|
#
|
|
# 1. MAC addresses are not allowed.
|
|
# 2. In DNAT rules, only IP addresses are
|
|
# allowed; no FQDNs or subnet addresses
|
|
# are permitted.
|
|
# 3. You may not specify both an interface and
|
|
# an address.
|
|
#
|
|
# Like in the SOURCE column, you may specify a range of
|
|
# up to 256 IP addresses using the syntax
|
|
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
|
# the connections will be assigned to addresses in the
|
|
# range in a round-robin fashion.
|
|
#
|
|
# If you kernel and iptables have ipset match support
|
|
# then you may give the name of an ipset prefaced by "+".
|
|
# The ipset name may be optionally followed by a number
|
|
# from 1 to 6 enclosed in square brackets ([]) to
|
|
# indicate the number of levels of destination bindings
|
|
# to be matched. Only one of the SOURCE and DEST columns
|
|
# may specify an ipset name.
|
|
#
|
|
# The port that the server is listening on may be
|
|
# included and separated from the server's IP address by
|
|
# ":". If omitted, the firewall will not modifiy the
|
|
# destination port. A destination port may only be
|
|
# included if the ACTION is DNAT or REDIRECT.
|
|
#
|
|
# Example: loc:192.168.1.3:3128 specifies a local
|
|
# server at IP address 192.168.1.3 and listening on port
|
|
# 3128. The port number MUST be specified as an integer
|
|
# and not as a name from /etc/services.
|
|
#
|
|
# if the ACTION is REDIRECT, this column needs only to
|
|
# contain the port number on the firewall that the
|
|
# request should be redirected to.
|
|
#
|
|
# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
|
|
# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
|
|
# "ipp2p*" requires ipp2p match support in your kernel
|
|
# and iptables.
|
|
#
|
|
# "tcp:syn" implies "tcp" plus the SYN flag must be
|
|
# set and the RST,ACK and FIN flags must be reset.
|
|
#
|
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
|
# names (from /etc/services), port numbers or port
|
|
# ranges; if the protocol is "icmp", this column is
|
|
# interpreted as the destination icmp-type(s).
|
|
#
|
|
# If the protocol is ipp2p*, this column is interpreted
|
|
# as an ipp2p option without the leading "--" (example
|
|
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
|
# assumed.
|
|
#
|
|
# A port range is expressed as <low port>:<high port>.
|
|
#
|
|
# This column is ignored if PROTOCOL = all but must be
|
|
# entered if any of the following ields are supplied.
|
|
# In that case, it is suggested that this field contain
|
|
# "-"
|
|
#
|
|
# If your kernel contains multi-port match support, then
|
|
# only a single Netfilter rule will be generated if in
|
|
# this list and the CLIENT PORT(S) list below:
|
|
# 1. There are 15 or less ports listed.
|
|
# 2. No port ranges are included.
|
|
# Otherwise, a separate rule will be generated for each
|
|
# port.
|
|
#
|
|
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
|
# any source port is acceptable. Specified as a comma-
|
|
# separated list of port names, port numbers or port
|
|
# ranges.
|
|
#
|
|
# If you don't want to restrict client ports but need to
|
|
# specify an ORIGINAL DEST in the next column, then
|
|
# place "-" in this column.
|
|
#
|
|
# If your kernel contains multi-port match support, then
|
|
# only a single Netfilter rule will be generated if in
|
|
# this list and the DEST PORT(S) list above:
|
|
# 1. There are 15 or less ports listed.
|
|
# 2. No port ranges are included.
|
|
# Otherwise, a separate rule will be generated for each
|
|
# port.
|
|
#
|
|
# ORIGINAL Original destination IP address. Must be omitted (
|
|
# DEST or '-') if the macro is to be used from within
|
|
# an action. See 'man shorewall-rules'.
|
|
#
|
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
|
# this column:
|
|
#
|
|
# <rate>/<interval>[:<burst>]
|
|
#
|
|
# where <rate> is the number of connections per
|
|
# <interval> ("sec" or "min") and <burst> is the
|
|
# largest burst permitted. If no <burst> is given,
|
|
# a value of 5 is assumed. There may be no
|
|
# no whitespace embedded in the specification.
|
|
#
|
|
# Example: 10/sec:20
|
|
#
|
|
# USER/GROUP This column may only be non-empty if the SOURCE is
|
|
# the firewall itself.
|
|
#
|
|
# The column may contain:
|
|
#
|
|
# [!][<user name or number>][:<group name or number>][+<program name>]
|
|
#
|
|
# When this column is non-empty, the rule applies only
|
|
# if the program generating the output is running under
|
|
# the effective <user> and/or <group> specified (or is
|
|
# NOT running under that id if "!" is given).
|
|
#
|
|
# Examples:
|
|
#
|
|
# joe #program must be run by joe
|
|
# :kids #program must be run by a member of
|
|
# #the 'kids' group
|
|
# !:kids #program must not be run by a member
|
|
# #of the 'kids' group
|
|
# +upnpd #program named upnpd (This feature was
|
|
# #removed from Netfilter in kernel
|
|
# #version 2.6.14).
|
|
#
|
|
# MARK Specifies a MARK value to match. Must be empty or
|
|
# '-' if the macro is to be used within an action.
|
|
#
|
|
# [!]value[/mask][:C]
|
|
#
|
|
# Defines a test on the existing packet or connection
|
|
# mark. The rule will match only if the test returns
|
|
# true.
|
|
#
|
|
# If you don't want to define a test but need to
|
|
# specify anything in the following columns,
|
|
# place a "-" in this field.
|
|
#
|
|
# !
|
|
#
|
|
# Inverts the test (not equal)
|
|
#
|
|
# value
|
|
#
|
|
# Value of the packet or connection mark.
|
|
#
|
|
# mask
|
|
#
|
|
# A mask to be applied to the mark before
|
|
# testing.
|
|
#
|
|
# :C
|
|
#
|
|
# Designates a connection mark. If omitted, the
|
|
# packet mark's value is tested.
|
|
#
|
|
# CONNLIMIT Must be empty or '-' if the macro is to be used within
|
|
# an action.
|
|
#
|
|
# [!]limit[:mask]
|
|
#
|
|
# May be used to limit the number of simultaneous
|
|
# connections from each individual host to limit
|
|
# connections. Requires connlimit match in your kernel
|
|
# and iptables. While the limit is only checked on rules
|
|
# specifying CONNLIMIT, the number of current connections
|
|
# is calculated over all current connections from the
|
|
# SOURCE host. By default, the limit is applied to each
|
|
# host but can be made to apply to networks of hosts by
|
|
# specifying a mask. The mask specifies the width of a
|
|
# VLSM mask to be applied to the source address; the
|
|
# number of current connections is then taken over all
|
|
# hosts in the subnet source-address/mask. When ! is
|
|
# specified, the rule matches when the number of
|
|
# connection exceeds the limit.
|
|
#
|
|
# TIME Must be empty or '-' if the macro is to be used within
|
|
# an action.
|
|
#
|
|
#
|
|
# <timeelement>[&...]
|
|
#
|
|
# timeelement may be:
|
|
#
|
|
# timestart=hh:mm[:ss]
|
|
#
|
|
# Defines the starting time of day.
|
|
#
|
|
# timestop=hh:mm[:ss]
|
|
#
|
|
# Defines the ending time of day.
|
|
#
|
|
# utc
|
|
#
|
|
# Times are expressed in Greenwich Mean
|
|
# Time.
|
|
#
|
|
# localtz
|
|
#
|
|
# Times are expressed in Local Civil Time
|
|
# (default).
|
|
#
|
|
# weekdays=ddd[,ddd]...
|
|
#
|
|
# where ddd is one of Mon, Tue, Wed, Thu,
|
|
# Fri, Sat or Sun
|
|
#
|
|
# monthdays=dd[,dd],...
|
|
#
|
|
# where dd is an ordinal day of the month#
|
|
#
|
|
# datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
|
|
#
|
|
# Defines the starting date and time.
|
|
#
|
|
# datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
|
|
#
|
|
# Defines the ending date and time.
|
|
#
|
|
# A few examples should help show how Macros work.
|
|
#
|
|
# /etc/shorewall/macro.FwdFTP:
|
|
#
|
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
|
# # PORT(S) PORT(S) DEST LIMIT GROUP
|
|
# DNAT - - tcp 21
|
|
#
|
|
# /etc/shorewall/rules:
|
|
#
|
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
|
# # PORT(S) PORT(S) DEST LIMIT GROUP
|
|
# FwdFTP net loc:192.168.1.5
|
|
#
|
|
# The result is equivalent to:
|
|
#
|
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
|
# # PORT(S) PORT(S) DEST LIMIT GROUP
|
|
# DNAT net loc:192.168.1.5 tcp 21
|
|
#
|
|
# The substitution rules are as follows:
|
|
#
|
|
# ACTION column If in the invocation of the macro, the macro
|
|
# name is followed by slash ("/") and a second
|
|
# name, the second name is substituted for each
|
|
# entry in the macro whose ACTION is PARAM
|
|
#
|
|
# For example, if macro FOO is invoked as
|
|
# FOO/ACCEPT then when expanding macro.FOO,
|
|
# Shorewall will substitute ACCEPT in each
|
|
# entry in macro.FOO whose ACTION column
|
|
# contains PARAM. PARAM may be optionally
|
|
# followed by a colon and a log level.
|
|
#
|
|
# You may also follow the
|
|
#
|
|
# Any logging specified when the macro is
|
|
# invoked is applied to each entry in the macros.
|
|
#
|
|
# SOURCE and DEST If the column in the macro is empty then the
|
|
# columns value in the rules file is used. If the column
|
|
# in the macro is non-empty then any value in
|
|
# the rules file is appended with a ":"
|
|
# separator.
|
|
#
|
|
# Example: ###############################################
|
|
# #ACTION SOURCE DEST PROTO DEST
|
|
# # PORT(S)
|
|
# macro.FTP File PARAM net loc tcp 21
|
|
# rules File FTP/DNAT - 192.168.1.5
|
|
# Result DNAT net loc:192.168.1.5 tcp 21
|
|
#
|
|
# Remaining Any value in the rules file REPLACES the value
|
|
# columns given in the macro file.
|
|
#
|
|
#######################################################################################################
|
|
# DO NOT REMOVE THE FOLLOWING LINE
|
|
FORMAT 2
|
|
#######################################################################################################
|
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
|
|
# PORT(S) PORT(S) DEST LIMIT GROUP DEST
|