shorewall-rules.5

sharewall is very good

.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
The ability to specify a program name was removed from Netfilter in kernel version 2\&.6\&.14\&.
.sp .5v
.EM yellow
.RE
.RE
.RE
.PP
\fBMARK\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR]
.RS 4
Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&.
.sp
If you don\'t want to define a test but need to specify anything in the following columns, place a "\-" in this field\&.
.PP
!
.RS 4
Inverts the test (not equal)
.RE
.PP
\fIvalue\fR
.RS 4
Value of the packet or connection mark\&.
.RE
.PP
\fImask\fR
.RS 4
A mask to be applied to the mark before testing\&.
.RE
.PP
\fB:C\fR
.RS 4
Designates a connection mark\&. If omitted, the packet mark\'s value is tested\&. This option is only supported by Shorewall\-perl\&.
.RE
.RE
.PP
\fBCONNLIMIT\fR \- [\fB!\fR]\fIlimit\fR[:\fImask\fR]
.RS 4
Added in Shorewall\-perl 4\&.2\&.1\&. May be used to limit the number of simultaneous connections from each individual host to
\fIlimit\fR
connections\&. Requires connlimit match in your kernel and iptables\&. While the limit is only checked on rules specifying CONNLIMIT, the number of current connections is calculated over all current connections from the SOURCE host\&. By default, the limit is applied to each host but can be made to apply to networks of hosts by specifying a
\fImask\fR\&. The
\fImask\fR
specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet
\fIsource\-address\fR/\fImask\fR\&. When\fB !\fR
is specified, the rule matches when the number of connection exceeds the
\fIlimit\fR\&.
.RE
.PP
\fBTIME\fR \- \fItimeelement\fR[,\fItimelement\fR\&.\&.\&.]
.RS 4
Added in Shorewall\-perl 4\&.2\&.1\&. May be used to limit the rule to a particular time period each day, to particular days of the week or month, or to a range defined by dates and times\&. Requires time match support in your kernel and iptables\&.
.sp
\fItimeelement\fR
may be:
.PP
timestart=\fIhh\fR:\fImm\fR[:\fIss\fR]
.RS 4
Defines the starting time of day\&.
.RE
.PP
timestop=\fIhh\fR:\fImm\fR[:\fIss\fR]
.RS 4
Defines the ending time of day\&.
.RE
.PP
utc
.RS 4
Times are expressed in Greenwich Mean Time\&.
.RE
.PP
localtz
.RS 4
Times are expressed in Local Civil Time (default)\&.
.RE
.PP
weekdays=ddd[,ddd]\&.\&.\&.
.RS 4
where
\fIddd\fR
is one of
\fBMon\fR,
\fBTue\fR,
\fBWed\fR,
\fBThu\fR,
\fBFri\fR,
\fBSat\fR
or
\fBSun\fR
.RE
.PP
monthdays=dd[,dd],\&.\&.\&.
.RS 4
where
\fIdd\fR
is an ordinal day of the month
.RE
.PP
datestart=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]]
.RS 4
Defines the starting date and time\&.
.RE
.PP
datestop=\fIyyyy\fR[\-\fImm\fR[\-\fIdd\fR[\fBT\fR\fIhh\fR[:\fImm\fR[:\fIss\fR]]]]]
.RS 4
Defines the ending date and time\&.
.RE
.RE
.SH "Restrictions"
.PP
Unless you are using
\m[blue]\fBShorewall\-perl\fR\m[]\&\s-2\u[7]\d\s+2
and your iptables/kernel have
Repeat Match
support (see the output of
\fBshorewall show capabilities\fR), if you specify a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice versa\&.
.SH "Example"
.PP
Example 1:
.RS 4
Accept SMTP requests from the DMZ to the internet
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
         #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
         #                               PORT    PORT(S) DEST
         ACCEPT  dmz     net       tcp   smtp
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 2:
.RS 4
Forward all ssh and http connection requests from the internet to local system 192\&.168\&.1\&.3
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT    net     loc:192\&.168\&.1\&.3 tcp     ssh,http
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 3:
.RS 4
Forward all http connection requests from the internet to local system 192\&.168\&.1\&.3 with a limit of 3 per second and a maximum burst of 10
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
        #                                     PORT  PORT(S) DEST     LIMIT
        DNAT    net    loc:192\&.168\&.1\&.3 tcp    http  \-       \-        3/sec:10
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 4:
.RS 4
Redirect all locally\-originating www connection requests to port 3128 on the firewall (Squid running on the firewall system) except when the destination address is 192\&.168\&.2\&.2
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
        #                               PORT    PORT(S) DEST
        REDIRECT loc    3128      tcp   www      \-      !192\&.168\&.2\&.2
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 5:
.RS 4
All http requests from the internet to address 130\&.252\&.100\&.69 are to be forwarded to 192\&.168\&.1\&.3
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT      net   loc:192\&.168\&.1\&.3 tcp     80      \-       130\&.252\&.100\&.69
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 6:
.RS 4
You want to accept SSH connections to your firewall only from internet IP addresses 130\&.252\&.100\&.69 and 130\&.252\&.100\&.70
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        ACCEPT   net:130\&.252\&.100\&.69,130\&.252\&.100\&.70 $FW \e
                                        tcp     22
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 7:
.RS 4
You wish to accept connections from the internet to your firewall on port 2222 and you want to forward them to local system 192\&.168\&.1\&.3, port 22
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION  SOURCE DEST                PROTO   DEST    SOURCE  ORIGINAL
        #                                           PORT    PORT(S) DEST
        DNAT     net    loc:192\&.168\&.1\&.3:22  tcp     2222
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 8:
.RS 4
You want to redirect connection requests to port 80 randomly to the port range 81\-90\&.
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION  SOURCE DEST                PROTO DEST    SOURCE  ORIGINAL
        #                                   PORT  PORT(S) DEST
        REDIRECT net    $FW::81\-90:random   tcp   www
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 9:
.RS 4
Shorewall does not impose as much structure on the Netfilter rules in the \'nat\' table as it does on those in the filter table\&. As a consequence, when using Shorewall versions before 4\&.1\&.4, care must be exercised when using DNAT and REDIRECT rules with zones defined with wildcard interfaces (those ending with \'+\'\&. Here is an example:
.sp
\m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[3]\d\s+2(8):
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ZONE       TYPE    OPTIONS
        fw          firewall
        net         ipv4
        dmz         ipv4
        loc         ipv4
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[9]\d\s+2(8):
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ZONE       INTERFACE       BROADCAST      OPTIONS
        net         ppp0
        loc         eth1            detect
        dmz         eth2            detect
        \-           ppp+                           # Addresses are assigned from 192\&.168\&.3\&.0/24
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
\m[blue]\fBshorewall\-host\fR\m[]\&\s-2\u[10]\d\s+2(8):
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ZONE       HOST(S)              OPTIONS
        loc         ppp+:192\&.168\&.3\&.0/24
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
rules:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #ACTION     SOURCE          DEST       PROTO       DEST
        #                                                  PORT(S)
        REDIRECT    loc             3128       tcp         80                                                   
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
Note that it would have been tempting to simply define the loc zone entirely in shorewall\-interfaces(8):
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #******************* INCORRECT *****************
        #ZONE       INTERFACE       BROADCAST      OPTIONS
        net         ppp0
        loc         eth1            detect
        loc         ppp+
        dmz         eth2
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
This would have made it impossible to run a internet\-accessible web server in the DMZ because all traffic entering ppp+ interfaces would have been redirected to port 3128 on the firewall and there would have been no net\->fw ACCEPT rule for that traffic\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/rules
.SH "See ALSO"
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\&.conf(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "Notes"
.IP " 1." 4
shorewall-policy
.RS 4
\%http://www.shorewall.net/manpages/shorewall-policy.html
.RE
.IP " 2." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP " 3." 4
shorewall-zones
.RS 4
\%http://www.shorewall.net/manpages/shorewall-zones.html
.RE
.IP " 4." 4
shorewall-nesting
.RS 4
\%http://www.shorewall.net/manpages/shorewall-nesting.html
.RE
.IP " 5." 4
shorewall-actions
.RS 4
\%http://www.shorewall.net/manpages/shorewall-actions.html
.RE
.IP " 6." 4
shorewall-exclusion
.RS 4
\%http://www.shorewall.net/manpages/shorewall-exclusion.html
.RE
.IP " 7." 4
Shorewall-perl
.RS 4
\%http://www.shorewall.net/Shorewall-perl.html
.RE
.IP " 8." 4
http://shorewall.net/PortKnocking.html
.RS 4
\%http://www.shorewall.net/PortKnocking.html
.RE
.IP " 9." 4
shorewall-interfaces
.RS 4
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
.RE
.IP "10." 4
shorewall-host
.RS 4
\%http://www.shorewall.net/manpages/shorewall-hosts.html
.RE