2006-11-15 22:02:04 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<refentry>
|
|
|
|
<refmeta>
|
|
|
|
<refentrytitle>shorewall-rules</refentrytitle>
|
|
|
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
<refname>rules</refname>
|
|
|
|
|
|
|
|
<refpurpose>Shorewall rules file</refpurpose>
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
<cmdsynopsis>
|
|
|
|
<command>/etc/shorewall/rules</command>
|
|
|
|
</cmdsynopsis>
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
<para>Rules in this file govern connection establishment. Requests and
|
|
|
|
responses are automatically allowed using connection tracking. For any
|
|
|
|
particular (source,dest) pair of zones, the rules are evaluated in the
|
|
|
|
order in which they appear in this file and the first match is the one
|
|
|
|
that determines the disposition of the request.</para>
|
|
|
|
|
|
|
|
<para>In most places where an IP address or subnet is allowed, you can
|
|
|
|
preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to indicate
|
|
|
|
that the rule matches all addresses except the address/subnet given.
|
|
|
|
Notice that no white space is permitted between "!" and the
|
|
|
|
address/subnet.</para>
|
|
|
|
|
|
|
|
<warning>
|
|
|
|
<para>If you masquerade or use SNAT from a local system to the internet,
|
|
|
|
you cannot use an ACCEPT rule to allow traffic from the internet to that
|
|
|
|
system. You *must* use a DNAT rule instead.</para>
|
|
|
|
</warning>
|
|
|
|
|
|
|
|
<para>The rules file is divided into sections. Each section is introduced
|
|
|
|
by a "Section Header" which is a line beginning with SECTION followed by
|
|
|
|
the section name.</para>
|
|
|
|
|
|
|
|
<para>Sections are as follows and must appear in the order listed:</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Packets in the ESTABLISHED state are processed by rules in
|
|
|
|
this section.</para>
|
|
|
|
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
|
|
section.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">RELATED</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Packets in the RELATED state are processed by rules in this
|
|
|
|
section.</para>
|
|
|
|
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
|
|
section.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">NEW</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Packets in the NEW and INVALID states are processed by rules
|
|
|
|
in this section.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<note>
|
|
|
|
<para>If you are not familiar with Netfilter to the point where you are
|
|
|
|
comfortable with the differences between the various connection tracking
|
2006-11-16 00:32:14 +01:00
|
|
|
states, then I suggest that you omit the <emphasis
|
|
|
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
|
|
role="bold">RELATED</emphasis> sections and place all of your rules in
|
|
|
|
the NEW section (That's after the line that reads SECTION NEW').</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</note>
|
|
|
|
|
|
|
|
<warning>
|
|
|
|
<para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
|
2006-11-16 00:32:14 +01:00
|
|
|
<emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
|
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</warning>
|
|
|
|
|
|
|
|
<para>You may omit any section that you don't need. If no Section Headers
|
2006-11-16 00:32:14 +01:00
|
|
|
appear in the file then all rules are assumed to be in the NEW
|
|
|
|
section.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">ACTION</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>Must be one of the following.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Allow the connection request.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">ACCEPT+</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>like ACCEPT but also excludes the connection from any
|
2006-11-16 00:32:14 +01:00
|
|
|
subsequent <emphasis role="bold">DNAT</emphasis>[<emphasis
|
|
|
|
role="bold">-</emphasis>] or <emphasis
|
|
|
|
role="bold">REDIRECT</emphasis>[<emphasis
|
|
|
|
role="bold">-</emphasis>] rules</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">NONAT</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Excludes the connection from any subsequent <emphasis
|
|
|
|
role="bold">DNAT</emphasis>[-] or <emphasis
|
|
|
|
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
|
|
|
|
a rule to accept the traffic.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Ignore the request.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>disallow the request and return an icmp-unreachable or
|
|
|
|
an RST packet.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">DNAT</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Forward the request to another system (and optionally
|
|
|
|
another port).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">DNAT-</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Advanced users only.</para>
|
|
|
|
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>Like <emphasis role="bold">DNAT</emphasis> but only
|
|
|
|
generates the <emphasis role="bold">DNAT</emphasis> iptables
|
|
|
|
rule and not the companion <emphasis
|
|
|
|
role="bold">ACCEPT</emphasis> rule.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">SAME</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>Similar to <emphasis role="bold">DNAT</emphasis> except
|
|
|
|
that the port may not be remapped and when multiple server
|
|
|
|
addresses are listed, all requests from a given remote system
|
|
|
|
go to the same server.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">SAME-</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Advanced users only.</para>
|
|
|
|
|
|
|
|
<para>Like SAME but only generates the NAT iptables rule and
|
2006-11-16 00:32:14 +01:00
|
|
|
not the companion <emphasis role="bold">ACCEPT</emphasis>
|
|
|
|
rule.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">REDIRECT</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Redirect the request to a server on the firewall.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">REDIRECT-</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Advanced users only.</para>
|
|
|
|
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
|
|
|
|
generates the <emphasis role="bold">REDIRECT</emphasis>
|
|
|
|
iptables rule and not the companion <emphasis
|
|
|
|
role="bold">ACCEPT</emphasis> rule.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>For experts only.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<para>Do not process any of the following rules for this
|
|
|
|
(source zone,destination zone). If the source and/or
|
|
|
|
destination IP address falls into a zone defined later in
|
|
|
|
shorewall-zones(5), this connection request will be passed to
|
|
|
|
the rules defined for that (those) zone(s).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">LOG</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Simply log the packet and continue.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">QUEUE</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Queue the packet to a user-space application such as
|
|
|
|
ftwall (http://p2pwall.sf.net).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
<term><emphasis role="bold">COMMENT</emphasis></term>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>the rest of the line will be attached as a comment to
|
2006-11-20 18:52:52 +01:00
|
|
|
the Netfilter rule(s) generated by the following entrIes. The
|
2006-11-15 22:02:04 +01:00
|
|
|
comment will appear delimited by "/* ... */" in the output of
|
|
|
|
"shorewall show <chain>". To stop the comment from being
|
|
|
|
attached to further rules, simply include COMMENT on a line by
|
|
|
|
itself.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis>action</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The name of an <emphasis>action</emphasis> defined in
|
2006-11-16 00:32:14 +01:00
|
|
|
shorewall-actions(5) or in
|
2006-11-15 22:02:04 +01:00
|
|
|
/usr/share/shorewall/actions.std.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis>macro</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The name of a macro defined in a file named macro.If the
|
|
|
|
macro accepts an action parameter (Look at the macro source to
|
|
|
|
see if it has PARAM in the TARGET column) then the
|
|
|
|
<emphasis>macro</emphasis> name is followed by "/" and the
|
2006-11-16 00:32:14 +01:00
|
|
|
action (<emphasis role="bold">ACCEPT</emphasis>, <emphasis
|
|
|
|
role="bold">DROP</emphasis>, <emphasis
|
|
|
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
2006-11-15 22:02:04 +01:00
|
|
|
parameter.</para>
|
|
|
|
|
|
|
|
<para>Example: FTP/ACCEPT.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
|
|
|
|
followed by ":" and a syslog log level (e.g, REJECT:info or
|
|
|
|
DNAT:debug). This causes the packet to be logged at the specified
|
|
|
|
level.</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
|
|
|
<emphasis>action</emphasis> defined in shorewall-actions(5) or in
|
|
|
|
/usr/share/shorewall/actions.std then:</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>If the log level is followed by "!' then all rules in the
|
|
|
|
action are logged at the log level.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If the log level is not followed by "!" then only those
|
|
|
|
rules in the action that do not specify logging are logged at
|
|
|
|
the specified level.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The special log level 'none!' suppresses logging by the
|
|
|
|
action.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>You may also specify ULOG (must be in upper case) as a log
|
|
|
|
level.This will log to the ULOG target for routing to a separate log
|
|
|
|
through use of ulogd
|
|
|
|
(http://www.gnumonks.org/projects/ulogd).</para>
|
|
|
|
|
|
|
|
<para>Actions specifying logging may be followed by a log tag (a
|
|
|
|
string of alphanumeric characters) are appended to the string
|
|
|
|
generated by the LOGPREFIX (in shorewall.conf(5)).</para>
|
|
|
|
|
|
|
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
|
|
|
the log prefix generated by the LOGPREFIX setting.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">SOURCE</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Source hosts to which the rule applies. May be a zone defined
|
|
|
|
in /etc/shorewall/zones, <emphasis role="bold">$FW</emphasis> to
|
|
|
|
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
|
|
|
|
<emphasis role="bold">all+</emphasis>, <emphasis
|
|
|
|
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
|
|
|
|
or <emphasis role="bold">none</emphasis>.</para>
|
|
|
|
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
|
|
|
|
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
|
|
|
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
|
|
|
means "All Zones, except the firewall itself". When <emphasis
|
|
|
|
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
|
|
|
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
|
|
|
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
|
|
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
|
|
role="bold">-</emphasis>] is "used, intra-zone traffic is
|
|
|
|
affected.</para>
|
|
|
|
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
|
|
specified, clients may be further restricted to a list of subnets
|
|
|
|
and/or hosts by appending ":" and a comma-separated list of subnets
|
|
|
|
and/or hosts. Hosts may be specified by IP or MAC address; mac
|
|
|
|
addresses must begin with "~" and must use "-" as a
|
|
|
|
separator.</para>
|
|
|
|
|
|
|
|
<para>Hosts may be specified as an IP address range using the syntax
|
|
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
|
|
This requires that your kernel and iptables contain iprange match
|
2006-11-20 18:52:52 +01:00
|
|
|
support. If your kernel and iptables have ipset match support then
|
2006-11-16 00:32:14 +01:00
|
|
|
you may give the name of an ipset prefaced by "+". The ipset name
|
|
|
|
may be optionally followed by a number from 1 to 6 enclosed in
|
|
|
|
square brackets ([]) to indicate the number of levels of source
|
|
|
|
bindings to be matched.</para>
|
|
|
|
|
|
|
|
<para>Examples:</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
2006-11-20 18:52:52 +01:00
|
|
|
<term>dmz:192.168.2.2</term>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Host 192.168.2.2 in the DMZ</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>net:155.186.235.0/24</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Subnet 155.186.235.0/24 on the Internet</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>loc:192.168.1.1,192.168.1.2</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
|
|
|
|
zone.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>loc:~00-A0-C9-15-39-78</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Host in the local zone with MAC address
|
|
|
|
00:A0:C9:15:39:78.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>net:192.0.2.11-192.0.2.17</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<para>Alternatively, clients may be specified by interface by
|
|
|
|
appending ":" to the zone name followed by the interface name. For
|
|
|
|
example, loc:eth1 specifies a client that communicates with the
|
|
|
|
firewall system through eth1. This may be optionally followed by
|
|
|
|
another colon (":") and an IP/MAC/subnet address as described above
|
|
|
|
(e.g., loc:eth1:192.168.1.5).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">DEST</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Location of Server. May be a zone defined in
|
|
|
|
shorewall-zones(5), $<emphasis role="bold">FW</emphasis> to indicate
|
|
|
|
the firewall itself, <emphasis role="bold">all</emphasis>. <emphasis
|
|
|
|
role="bold">all+</emphasis> or <emphasis
|
|
|
|
role="bold">none</emphasis>.</para>
|
|
|
|
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
|
|
|
|
<para>When <emphasis role="bold">all</emphasis> is used either in
|
|
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
|
|
role="bold">DEST</emphasis> column intra-zone traffic is not
|
|
|
|
affected. When <emphasis role="bold">all+</emphasis> is used,
|
|
|
|
intra-zone traffic is affected.</para>
|
|
|
|
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
|
|
role="bold">+</emphasis>] is specified, the server may be further
|
|
|
|
restricted to a particular subnet, host or interface by appending
|
|
|
|
":" and the subnet, host or interface. See above.</para>
|
|
|
|
|
|
|
|
<para>Restrictions:</para>
|
|
|
|
|
|
|
|
<para>1. MAC addresses are not allowed.</para>
|
|
|
|
|
|
|
|
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
|
|
|
|
addresses are allowed; no FQDNs or subnet addresses are
|
|
|
|
permitted.</para>
|
|
|
|
|
|
|
|
<para>3. You may not specify both an interface and an
|
|
|
|
address.</para>
|
|
|
|
|
|
|
|
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
|
|
|
you may specify a range of IP addresses using the syntax
|
|
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
|
|
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
|
|
role="bold">DNAT</emphasis> or <emphasis
|
|
|
|
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
|
|
|
addresses in the range in a round-robin fashion.</para>
|
|
|
|
|
|
|
|
<para>If you kernel and iptables have ipset match support then you
|
|
|
|
may give the name of an ipset prefaced by "+". The ipset name may be
|
|
|
|
optionally followed by a number from 1 to 6 enclosed in square
|
|
|
|
brackets ([]) to indicate the number of levels of destination
|
|
|
|
bindings to be matched. Only one of the <emphasis
|
|
|
|
role="bold">SOURCE</emphasis> and <emphasis
|
|
|
|
role="bold">DEST</emphasis> columns may specify an ipset
|
|
|
|
name.</para>
|
|
|
|
|
|
|
|
<para>The port that the server is listening on may be included and
|
|
|
|
separated from the server's IP address by ":". If omitted, the
|
|
|
|
firewall will not modifiy the destination port. A destination port
|
|
|
|
may only be included if the <emphasis role="bold">ACTION</emphasis>
|
|
|
|
is <emphasis role="bold">DNAT</emphasis> or <emphasis
|
2006-11-20 18:52:52 +01:00
|
|
|
role="bold">REDIRECT</emphasis>. Example:</para>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>"loc:192.168.1.3:3128" specifies a local server at IP
|
|
|
|
address 192.168.1.3 and listening on port 3128. The port
|
|
|
|
number MUST be specified as an integer and not as a name from
|
|
|
|
services(5).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<para>if the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
|
|
role="bold">REDIRECT</emphasis>, this column needs only to contain
|
|
|
|
the port number on the firewall that the request should be
|
|
|
|
redirected to.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">PROTO</emphasis> (Optional)</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Protocol - Must be <emphasis role="bold">tcp</emphasis>,
|
|
|
|
<emphasis role="bold">tcp:syn</emphasis>, <emphasis
|
|
|
|
role="bold">udp</emphasis>, <emphasis role="bold">icmp</emphasis>,
|
|
|
|
<emphasis role="bold">ipp2p</emphasis>,<emphasis role="bold">
|
|
|
|
ipp2p:udp</emphasis>, <emphasis role="bold">ipp2p:all</emphasis> a
|
|
|
|
<emphasis>number</emphasis>, or <emphasis
|
|
|
|
role="bold">all</emphasis>. <emphasis role="bold">ipp2p</emphasis>*
|
|
|
|
requires ipp2p match support in your kernel and iptables. <emphasis
|
|
|
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
|
|
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
|
|
|
RST,ACK and FIN flags must be reset.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional)</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Destination Ports. A comma-separated list of Port names (from
|
|
|
|
services(5)), port numbers or port ranges; if the protocol is
|
|
|
|
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
|
|
|
the destination icmp-type(s).</para>
|
|
|
|
|
|
|
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
|
|
|
this column is interpreted as an ipp2p option without the leading
|
|
|
|
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
|
|
|
If no port is given, <emphasis role="bold">ipp2p</emphasis> is
|
|
|
|
assumed.</para>
|
|
|
|
|
|
|
|
<para>A port range is expressed as
|
|
|
|
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
|
|
|
|
|
|
|
|
<para>This column is ignored if <emphasis
|
|
|
|
role="bold">PROTO</emphasis> = <emphasis role="bold">all</emphasis>
|
|
|
|
but must be entered if any of the following columns are supplied. In
|
|
|
|
that case, it is suggested that this field contain a dash (<emphasis
|
|
|
|
role="bold">-</emphasis>).</para>
|
|
|
|
|
|
|
|
<para>If your kernel contains multi-port match support, then only a
|
|
|
|
single Netfilter rule will be generated if in this list and the
|
|
|
|
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
|
|
|
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
|
|
|
|
<para>2. No port ranges are included or your kernel and iptables
|
|
|
|
contain extended multiport match support.</para>
|
|
|
|
|
|
|
|
<para>Otherwise, a separate rule will be generated for each
|
|
|
|
port.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">SOURCE PORT(S)</emphasis>
|
|
|
|
(Optional)</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Port(s) used by the client. If omitted, any source port is
|
|
|
|
acceptable. Specified as a comma- separated list of port names, port
|
|
|
|
numbers or port ranges.</para>
|
|
|
|
|
|
|
|
<warning>
|
|
|
|
<para>Unless you really understand TCP/IP, you should leave this
|
|
|
|
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
|
|
|
in the column. Most people who try to use this column get it
|
|
|
|
wrong.</para>
|
|
|
|
</warning>
|
|
|
|
|
|
|
|
<para>If you don't want to restrict client ports but need to specify
|
|
|
|
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
2006-11-20 18:52:52 +01:00
|
|
|
column, then place "-" in this column.</para>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<para>If your kernel contains multi-port match support, then only a
|
|
|
|
single Netfilter rule will be generated if in this list and the
|
2006-11-20 18:52:52 +01:00
|
|
|
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
|
|
|
|
<para>2. No port ranges are included or your kernel and iptables
|
|
|
|
contain extended multiport match support.</para>
|
|
|
|
|
|
|
|
<para>Otherwise, a separate rule will be generated for each
|
|
|
|
port.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional)</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
|
|
|
role="bold">-</emphasis>] or <emphasis
|
|
|
|
role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
|
|
|
|
then if included and different from the IP address given in the
|
|
|
|
<emphasis role="bold">SERVER</emphasis> column, this is an address
|
|
|
|
on some interface on the firewall and connections to that address
|
|
|
|
will be forwarded to the IP and port specified in the <emphasis
|
|
|
|
role="bold">DEST</emphasis> column.</para>
|
|
|
|
|
|
|
|
<para>A comma-separated list of addresses may also be used. This is
|
|
|
|
usually most useful with the <emphasis
|
|
|
|
role="bold">REDIRECT</emphasis> target where you want to redirect
|
|
|
|
traffic destined for particular set of hosts. Finally, if the list
|
|
|
|
of addresses begins with "!" then the rule will be followed only if
|
|
|
|
the original destination address in the connection request does not
|
|
|
|
match any of the addresses listed.</para>
|
|
|
|
|
|
|
|
<para>For other actions, this column may be included and may contain
|
|
|
|
one or more addresses (host or network) separated by commas. Address
|
|
|
|
ranges are not allowed. When this column is supplied, rules are
|
|
|
|
generated that require that the original destination address matches
|
|
|
|
one of the listed addresses. This feature is most useful when you
|
|
|
|
want to generate a filter rule that corresponds to a <emphasis
|
|
|
|
role="bold">DNAT-</emphasis> or <emphasis
|
|
|
|
role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
|
|
|
|
addresses should not begin with "!".</para>
|
|
|
|
|
|
|
|
<para>See http://shorewall.net/PortKnocking.html for an example of
|
|
|
|
using an entry in this column with a user-defined action
|
|
|
|
rule.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional)</term>
|
|
|
|
|
|
|
|
<listitem>
|
2006-11-20 18:52:52 +01:00
|
|
|
<para>You may rate-limit the rule by placing a value in this
|
|
|
|
column:</para>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<para><emphasis>rate</emphasis>/<emphasis>interval</emphasis>[:<emphasis>burst</emphasis>]
|
|
|
|
where <emphasis>rate</emphasis> is the number of connections per
|
|
|
|
<emphasis>interval</emphasis> (<emphasis role="bold">sec</emphasis>
|
|
|
|
or <emphasis role="bold">min</emphasis>) and
|
|
|
|
<emphasis>burst</emphasis> is the largest burst permitted. If no
|
|
|
|
<emphasis>burst</emphasis> is given, a value of 5 is assumed. There
|
|
|
|
may be no no whitespace embedded in the specification.</para>
|
|
|
|
|
|
|
|
<para>Example: 10/sec:20</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional)</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>This column may only be non-empty if the SOURCE is the
|
|
|
|
firewall itself.</para>
|
|
|
|
|
|
|
|
<para>The column may contain:</para>
|
|
|
|
|
|
|
|
<para>[!][<emphasis>user name or number</emphasis>][:<emphasis>group
|
2006-11-20 18:52:52 +01:00
|
|
|
name or number</emphasis>][+<emphasis>program
|
|
|
|
name</emphasis>]</para>
|
2006-11-16 00:32:14 +01:00
|
|
|
|
|
|
|
<para>When this column is non-empty, the rule applies only if the
|
|
|
|
program generating the output is running under the effective
|
|
|
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
|
|
|
specified (or is NOT running under that id if "!" is given).</para>
|
|
|
|
|
|
|
|
<para>Examples:</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term>joe</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>program must be run by joe</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>:kids</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>program must be run by a member of the 'kids'
|
|
|
|
group</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>!:kids</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>program must not be run by a member of the 'kids'
|
|
|
|
group</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>+upnpd</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>#program named upnpd</para>
|
|
|
|
|
|
|
|
<important>
|
|
|
|
<para>The ability to specify a program name was removed from
|
|
|
|
Netfilter in kernel version 2.6.14.</para>
|
|
|
|
</important>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2006-11-15 22:02:04 +01:00
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Example</title>
|
|
|
|
|
2006-11-16 00:32:14 +01:00
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 1:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
ACCEPT dmz net tcp smtp</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 2:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Forward all ssh and http connection requests from the internet
|
|
|
|
to local system 192.168.1.3</para>
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 3:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Forward all http connection requests from the internet to
|
|
|
|
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
|
|
|
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
|
|
# PORT PORT(S) DEST LIMIT
|
|
|
|
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 4:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Redirect all locally-originating www connection requests to
|
|
|
|
port 3128 on the firewall (Squid running on the firewall system)
|
|
|
|
except when the destination address is 192.168.2.2</para>
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 5:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>All http requests from the internet to address 130.252.100.69
|
|
|
|
are to be forwarded to 192.168.1.3</para>
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 6:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>You want to accept SSH connections to your firewall only from
|
|
|
|
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
|
|
|
tcp 22</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 7:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>You wish to accept connections from the internet to your
|
|
|
|
firewall on port 2222 and you want to forward them to local system
|
|
|
|
192.168.1.3, port 22</para>
|
|
|
|
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
|
|
# PORT PORT(S) DEST
|
|
|
|
ACCEPT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
2006-11-15 22:02:04 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>FILES</title>
|
|
|
|
|
2006-11-16 00:32:14 +01:00
|
|
|
<para>/etc/shorewall/rules</para>
|
2006-11-15 22:02:04 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>See ALSO</title>
|
|
|
|
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
|
|
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
|
|
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
|
|
shorewall-route_routes(5), shorewall-routestopped(5), shorewall.conf(5),
|
|
|
|
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
|
|
|
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
|
|
</refsect1>
|
|
|
|
</refentry>
|