#
# Shorewall version 2.2 -- Sample Rules File For Three Interfaces
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You "must" use a DNAT rule instead.
#
# Columns are:
#
#
#       ACTION          ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
#                       REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
#
#                       ACCEPT
#                               Allow the connection request.
#                       ACCEPT+
#                               Like ACCEPT but also excludes the
#                               connection from any subsequent
#                               DNAT[-] or REDIRECT[-] rules.
#                       NONAT
#                               Excludes the connection from any
#                               subsequent DNAT[-] or REDIRECT[-]
#                               rules but doesn't generate a rule
#                               to accept the traffic.
#                       DROP
#                               Ignore the request.
#                       REJECT
#                               Disallow the request and return an
#                               icmp-unreachable or an RST packet.
#                       DNAT
#                               Forward the request to another
#                               system (and optionally another
#                               port).
#                       DNAT-
#                               Advanced users only.
#                               Like DNAT but only generates the
#                               DNAT iptables rule and not
#                               the companion ACCEPT rule.
#                       REDIRECT
#                               Redirect the request to a local
#                               port on the firewall.
#                       REDIRECT-
#                               Advanced users only.
#                               Like REDIRECT but only generates the
#                               REDIRECT iptables rules and not the
#                               companion ACCEPT rule.
#                       CONTINUE
#                               (For experts only). Do not process
#                               any of the following rules for this
#                               (source zone,destination zone). If
#                               the source and/or destination IP
#                               address falls into a zone defined
#                               later in /etc/shorewall/zones, this
#                               connection request will be passed
#                               to the rules defined for that
#                               (those) zone(s).
#                       LOG
#                               Simply log the packet and continue.
#                       QUEUE
#                               Queue the packet to a user-space
#                               application such as ftwall
#                               (http://p2pwall.sf.net).
#                       <action>
#                               The name of an action defined in
#                               /etc/shorewall/actions or in
#                               /usr/share/shorewall/actions.std.
#
#                       The ACTION may optionally be followed by ":" and a syslog log
#                       level (e.g., REJECT:info or DNAT:debug). This causes the packet
#                       to be logged at the specified level.
#
#                       If the ACTION names an action defined in
#                       /etc/shorewall/actions or in
#                       /usr/share/shorewall/actions.std then:
#
#                       - If the log level is followed by "!" then all rules
#                         in the action are logged at the log level.
#
#                       - If the log level is not followed by "!" then only
#                         those rules in the action that do not specify
#                         logging are logged at the specified level.
#
#                       - The special log level 'none!' suppresses logging
#                         by the action.
#
#                       You may also specify ULOG (must be in upper case) as a
#                       log level. This will log to the ULOG target for routing
#                       to a separate log through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       Actions specifying logging may be followed by a
#                       log tag (a string of alphanumeric characters), which
#                       is appended to the string generated by the
#                       LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#                       Example: ACCEPT:info:ftp would include 'ftp '
#                       at the end of the log prefix generated by the
#                       LOGPREFIX setting.
#
#       SOURCE          Source hosts to which the rule applies. May be a zone
#                       defined in /etc/shorewall/zones, $FW to indicate the
#                       firewall itself, or "all". If the ACTION is DNAT or
#                       REDIRECT, sub-zones of the specified zone may be
#                       excluded from the rule by following the zone name with
#                       "!" and a comma-separated list of sub-zone names.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. You must add
#                       separate rules to handle that traffic.
#
#                       Except when "all" is specified, clients may be further
#                       restricted to a list of subnets and/or hosts by
#                       appending ":" and a comma-separated list of subnets
#                       and/or hosts. Hosts may be specified by IP or MAC
#                       address; MAC addresses must begin with "~" and must use
#                       "-" as a separator.
#
#                       Hosts may be specified as an IP address range using the
#                       syntax <low address>-<high address>. This requires that
#                       your kernel and iptables contain iprange match support.
#
#                       Some Examples:
#
#                       net:155.186.235.1
#                               Host 155.186.235.1 on the Internet
#
#                       loc:192.168.1.0/24
#                               Subnet 192.168.1.0/24 on the
#                               Local Network
#
#                       net:155.186.235.1,155.186.235.2
#                               Hosts 155.186.235.1 and
#                               155.186.235.2 on the Internet.
#
#                       loc:~00-A0-C9-15-39-78
#                               Host on the Local Network with
#                               MAC address 00:A0:C9:15:39:78.
#
#                       net:192.0.2.11-192.0.2.17
#                               Hosts 192.0.2.11-192.0.2.17 in
#                               the net zone.
#
#                       Alternatively, clients may be specified by interface
#                       by appending ":" to the zone name followed by the
#                       interface name. For example, net:eth0 specifies a
#                       client that communicates with the firewall system
#                       through eth0. This may be optionally followed by
#                       another colon (":") and an IP/MAC/subnet address
#                       as described above (e.g., net:eth0:192.168.1.5).
#
#       DEST            Location of Server. May be a zone defined in
#                       /etc/shorewall/zones, $FW to indicate the firewall
#                       itself or "all".
#
#                       Except when "all" is specified, the server may be
#                       further restricted to a particular subnet, host or
#                       interface by appending ":" and the subnet, host or
#                       interface. See above.
#
#                       Restrictions:
#
#                               1. MAC addresses are not allowed.
#                               2. In DNAT rules, only IP addresses are
#                                  allowed; no FQDNs or subnet addresses
#                                  are permitted.
#                               3. You may not specify both an interface and
#                                  an address.
#
#                       Unlike in the SOURCE column, you may specify a range of
#                       up to 256 IP addresses using the syntax
#                       <low address>-<high address>. When the ACTION is DNAT or DNAT-,
#                       the connections will be assigned to addresses in the
#                       range in a round-robin fashion.
#
#                       The port that the server is listening on may be
#                       included and separated from the server's IP address by
#                       ":". If omitted, the firewall will not modify the
#                       destination port. A destination port may only be
#                       included if the ACTION is DNAT or REDIRECT.
#
#                       Example: net:155.186.235.1:25 specifies an Internet
#                       server at IP address 155.186.235.1 and listening on port
#                       25. The port number MUST be specified as an integer
#                       and not as a name from /etc/services.
#
#                       If the ACTION is REDIRECT, this column needs only to
#                       contain the port number on the firewall that the
#                       request should be redirected to.
#
#       PROTO           Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
#                       a number, or "all". "ipp2p" requires ipp2p match
#                       support in your kernel and iptables.
#
#       DEST PORT(S)    Destination Ports. A comma-separated list of Port
#                       names (from /etc/services), port numbers or port
#                       ranges; if the protocol is "icmp", this column is
#                       interpreted as the destination icmp-type(s).
#
#                       If the protocol is ipp2p, this column is interpreted
#                       as an ipp2p option without the leading "--" (example "bit"
#                       for bit-torrent). If no port is given, "ipp2p" is
#                       assumed.
#
#                       A port range is expressed as <low port>:<high port>.
#
#                       This column is ignored if PROTOCOL = all but must be
#                       entered if any of the following fields are supplied.
#                       In that case, it is suggested that this field contain
#                       "-".
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the CLIENT PORT(S) list below:
#                       1. There are 15 or fewer ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       CLIENT PORT(S)  (Optional) Port(s) used by the client. If omitted,
#                       any source port is acceptable. Specified as a comma-
#                       separated list of port names, port numbers or port
#                       ranges.
#
#                       If you don't want to restrict client ports but need to
#                       specify an ORIGINAL DEST in the next column, then place
#                       "-" in this column.
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the DEST PORT(S) list above:
#                       1. There are 15 or fewer ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       ORIGINAL DEST   (Optional -- only allowed if ACTION is DNAT[-] or
#                       REDIRECT[-]) If included and different from the IP
#                       address given in the DEST (server) column, this is an address
#                       on some interface on the firewall and connections to
#                       that address will be forwarded to the IP and port
#                       specified in the DEST column.
#
#                       A comma-separated list of addresses may also be used.
#                       This is usually most useful with the REDIRECT target
#                       where you want to redirect traffic destined for
#                       a particular set of hosts.
#
#                       Finally, if the list of addresses begins with "!" then
#                       the rule will be followed only if the original
#                       destination address in the connection request does not
#                       match any of the addresses listed.
#
#       RATE LIMIT      You may rate-limit the rule by placing a value in this column:
#
#                               <rate>/<interval>[:<burst>]
#
#                       Where <rate> is the number of connections per <interval> ("sec"
#                       or "min") and <burst> is the largest burst permitted. If no
#                       <burst> is given, a value of 5 is assumed. There may be no
#                       whitespace embedded in the specification.
#
#                       Example:
#                               10/sec:20
#
#                       If you place a rate limit in this column, you may not place
#                       a similar limit in the ACTION column.
#
#       USER/GROUP      This column may only be non-empty if the SOURCE is the firewall itself.
#
#                       The column may contain:
#
#                               [!][<user name or number>][:<group name or number>]
#
#                       When this column is non-empty, the rule applies only if the program
#                       generating the output is running under the effective <user id> and/or
#                       <group id> specified (or is NOT running under that id if "!" is given).
#
#                       Examples:
#
#                               joe     # program must be run by joe.
#                               :kids   # program must be run by a member of the 'kids' group.
#                               !:kids  # program must not be run by a member of the 'kids' group.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#       #                                       PORT    PORT(S) DEST            LIMIT   GROUP
#       ACCEPT  net     fw              tcp     http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#       #                                       PORT    PORT(S) DEST            LIMIT   GROUP
#       ACCEPT  loc     net             tcp     smtp
#
# Example: Forward all ssh and http connection requests from the Internet
#          to dmz system 192.168.2.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#       #                                       PORT    PORT(S) DEST            LIMIT   GROUP
#       DNAT    net     dmz:192.168.2.3 tcp     ssh,http
#
# Example: Redirect all locally-originating www connection requests to
#          port 3128 on the firewall (Squid running on the firewall
#          system) except when the destination address is 192.168.2.2
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#       #                                       PORT    PORT(S) DEST            LIMIT   GROUP
#       REDIRECT loc    3128            tcp     www     -       !192.168.2.2
#
# Example: All http requests from the Internet to address
#          130.252.100.69 are to be forwarded to 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#       #                                       PORT    PORT(S) DEST            LIMIT   GROUP
#       DNAT    net     loc:192.168.1.3 tcp     80      -       130.252.100.69
##############################################################################
#ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                       PORT    PORT(S) DEST            LIMIT   GROUP
#
#       Accept DNS connections from the firewall to the Internet
#
ACCEPT  fw      net             tcp     53
ACCEPT  fw      net             udp     53
#
#
#       Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT  loc     fw              tcp     22
ACCEPT  loc     dmz             tcp     22
#
#       DMZ DNS access to the Internet
#
ACCEPT  dmz     net             tcp     53
ACCEPT  dmz     net             udp     53
#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT  net     fw              icmp    8
ACCEPT  loc     fw              icmp    8
ACCEPT  dmz     fw              icmp    8
ACCEPT  loc     dmz             icmp    8
ACCEPT  dmz     loc             icmp    8
ACCEPT  dmz     net             icmp    8
ACCEPT  fw      net             icmp
ACCEPT  fw      loc             icmp
ACCEPT  fw      dmz             icmp
ACCEPT  net     dmz             icmp    8       # Only with Proxy ARP and
ACCEPT  net     loc             icmp    8       # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
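The column restrictions documented in the comments above can be checked before a rules file is loaded. The linter below is an added example, not part of Shorewall or of this sample file: it parses each active line into the nine documented columns and flags the restrictions the comments state (a server port in DEST and an ORIGINAL DEST only with DNAT/REDIRECT, no MAC addresses in DEST, the `<rate>/<interval>[:<burst>]` syntax, USER/GROUP only when SOURCE is the firewall). It assumes the sample's `fw` zone name stands for the firewall alongside `$FW`, and it does not read /etc/shorewall/actions, so user-defined action names are reported as unknown.

```python
import re

# Built-in actions named in the rules file; ":level[:tag]" may follow any of them.
ACTIONS = {"ACCEPT", "ACCEPT+", "NONAT", "DROP", "REJECT", "DNAT", "DNAT-",
           "REDIRECT", "REDIRECT-", "CONTINUE", "LOG", "QUEUE"}
NAT_ACTIONS = {"DNAT", "DNAT-", "REDIRECT", "REDIRECT-"}
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport",
           "origdest", "rate", "user"]
RATE_RE = re.compile(r"^\d+/(sec|min)(:\d+)?$")   # <rate>/<interval>[:<burst>]
FIREWALL = {"$FW", "fw"}   # assumption: "fw" is the firewall zone in this sample

def parse_rule(line):
    """Map one active rules line onto the nine documented columns.
    A missing trailing column and the "-" placeholder both become None."""
    fields = line.split("#", 1)[0].split()
    fields += [None] * (len(COLUMNS) - len(fields))
    return {c: (None if f == "-" else f) for c, f in zip(COLUMNS, fields)}

def lint_rule(line):
    """Return the documented restrictions a rule violates ([] means it passes)."""
    r = parse_rule(line)
    base = (r["action"] or "").split(":")[0]   # drop ":info", ":debug:tag", ...
    errors = []
    if base not in ACTIONS:
        errors.append(f"ACTION {base!r} is not a built-in action")
    dest = r["dest"] or ""
    if "~" in dest:
        errors.append("MAC addresses are not allowed in DEST")
    parts = dest.split(":")
    # zone:host:port -- the server port MUST be an integer, so a numeric
    # third element is a port, and a port is only legal with DNAT/REDIRECT.
    if len(parts) == 3 and parts[2].isdigit() and base not in NAT_ACTIONS:
        errors.append("a server port in DEST requires DNAT or REDIRECT")
    if r["origdest"] and base not in NAT_ACTIONS:
        errors.append("ORIGINAL DEST requires DNAT[-] or REDIRECT[-]")
    if r["rate"] and not RATE_RE.match(r["rate"]):
        errors.append("RATE LIMIT must be <rate>/sec|min[:<burst>], no whitespace")
    if r["user"] and r["source"] not in FIREWALL:
        errors.append("USER/GROUP is only allowed when SOURCE is the firewall")
    return errors

def lint_file(text):
    """Lint every active (non-comment, non-blank) line; returns {line: errors} for failures."""
    active = [l.strip() for l in text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")]
    return {l: lint_rule(l) for l in active if lint_rule(l)}
```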