

  1. #
  2. # Shorewall version 1.4 - Rules File
  3. #
  4. # /etc/shorewall/rules
  5. #
  6. #       Rules in this file govern connection establishment. Requests and
  7. #       responses are automatically allowed using connection tracking.
  8. #
  9. #       In most places where an IP address or subnet is allowed, you
  10. #       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
  11. #       indicate that the rule matches all addresses except the address/subnet
  12. #       given. Notice that no white space is permitted between "!" and the
  13. #       address/subnet.
  14. #
  15. # Columns are:
  16. #
  17. #
  18. #       ACTION          ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
  19. #                       or LOG.
  20. #
  21. #                               ACCEPT   -- allow the connection request
  22. #                               DROP     -- ignore the request
  23. #                               REJECT   -- disallow the request and return an
  24. #                                           icmp-unreachable or an RST packet.
  25. #                               DNAT     -- Forward the request to another
  26. #                                           system (and optionally another
  27. #                                           port).
  28. #                               DNAT-    -- Advanced users only.
  29. #                                           Like DNAT but only generates the
  30. #                                           DNAT iptables rule and not
  31. #                                           the companion ACCEPT rule.
  32. #                               REDIRECT -- Redirect the request to a local
  33. #                                           port on the firewall.
  34. #                               REDIRECT-
  35. #                                        -- Advanced users only.
  36. #                                           Like REDIRECT but only generates the
  37. #                                           REDIRECT iptables rule and not
  38. #                                           the companion ACCEPT rule.
  39. #                               CONTINUE -- (For experts only). Do not process
  40. #                                           any of the following rules for this
  41. #                                           (source zone,destination zone). If
  42. #                                           The source and/or destination IP
  43. #                                           address falls into a zone defined
  44. #                                           later in /etc/shorewall/zones, this
  45. #                                           connection request will be passed
  46. #                                           to the rules defined for that
  47. #                                           (those) zone(s).
  48. #                               LOG      -- Simply log the packet and continue.
  49. #
  50. #                       You may rate-limit the rule by optionally
  51. #                       following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
  52. #
  53. #                               < <rate>/<interval>[:<burst>] >
  54. #
  55. #                       where <rate> is the number of connections per
  56. #                       <interval> ("sec" or "min") and <burst> is the
  57. #                       largest burst permitted. If no <burst> is given,
  58. #                       a value of 5 is assumed. There may be no
  59. #                       whitespace embedded in the specification.
  60. #
  61. #                               Example: ACCEPT<10/sec:20>
  62. #
  63. #                       The ACTION (and rate limit) may optionally be followed
  64. #                       by ":" and a syslog log level (e.g, REJECT:info or
  65. #                       DNAT<4/sec:8>:debugging). This causes the packet to be
  66. #                       logged at the specified level.
  67. #
  68. #                       NOTE: For those of you who prefer to place the
  69. #                       rate limit in a separate column, see the RATE LIMIT
  70. #                       column below. If you specify a value in that column,
  71. #                       you must not include a rate limit in the ACTION column
  72. #
  73. #                       You may also specify ULOG (must be in upper case) as a
  74. #                       log level. This will log to the ULOG target for routing
  75. #                       to a separate log through use of ulogd
  76. #                       (http://www.gnumonks.org/projects/ulogd).
  77. #
  78. #       SOURCE          Source hosts to which the rule applies. May be a zone
  79. #                       defined in /etc/shorewall/zones, $FW to indicate the
  80. #                       firewall itself, or "all". If the ACTION is DNAT or
  81. #                       REDIRECT, sub-zones of the specified zone may be
  82. #                       excluded from the rule by following the zone name with
  83. #                       "!" and a comma-separated list of sub-zone names.
  84. #
  85. #                       Except when "all" is specified, clients may be further
  86. #                       restricted to a list of subnets and/or hosts by
  87. #                       appending ":" and a comma-separated list of subnets
  88. #                       and/or hosts. Hosts may be specified by IP or MAC
  89. #                       address; mac addresses must begin with "~" and must use
  90. #                       "-" as a separator.
  91. #
  92. #                       dmz:192.168.2.2         Host 192.168.2.2 in the DMZ
  93. #
  94. #                       net:155.186.235.0/24    Subnet 155.186.235.0/24 on the
  95. #                                               Internet
  96. #
  97. #                       loc:192.168.1.1,192.168.1.2
  98. #                                               Hosts 192.168.1.1 and
  99. #                                               192.168.1.2 in the local zone.
  100. #                       loc:~00-A0-C9-15-39-78  Host in the local zone with
  101. #                                               MAC address 00:A0:C9:15:39:78.
  102. #
  103. #                       Alternatively, clients may be specified by interface
  104. #                       by appending ":" to the zone name followed by the
  105. #                       interface name. For example, loc:eth1 specifies a
  106. #                       client that communicates with the firewall system
  107. #                       through eth1. This may be optionally followed by
  108. #                       another colon (":") and an IP/MAC/subnet address
  109. #                       as described above (e.g., loc:eth1:192.168.1.5).
  110. #
  111. #       DEST            Location of Server. May be a zone defined in
  112. #                       /etc/shorewall/zones, $FW to indicate the firewall
  113. #                       itself or "all"
  114. #
  115. #                       Except when "all" is specified, the server may be
  116. #                       further restricted to a particular subnet, host or
  117. #                       interface by appending ":" and the subnet, host or
  118. #                       interface. See above.
  119. #
  120. #                               Restrictions:
  121. #
  122. #                               1. MAC addresses are not allowed.
  123. #                               2. In DNAT rules, only IP addresses are
  124. #                                  allowed; no FQDNs or subnet addresses
  125. #                                  are permitted.
  126. #                               3. You may not specify both an interface and
  127. #                                  an address.
  128. #
  129. #                       Unlike in the SOURCE column, you may specify a range of
  130. #                       up to 256 IP addresses using the syntax
  131. #                       <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
  132. #                       the connections will be assigned to addresses in the
  133. #                       range in a round-robin fashion.
  134. #
  135. #                       The port that the server is listening on may be
  136. #                       included and separated from the server's IP address by
  137. #                       ":". If omitted, the firewall will not modify the
  138. #                       destination port. A destination port may only be
  139. #                       included if the ACTION is DNAT or REDIRECT.
  140. #
  141. #                       Example: loc:192.168.1.3:3128 specifies a local
  142. #                       server at IP address 192.168.1.3 and listening on port
  143. #                       3128. The port number MUST be specified as an integer
  144. #                       and not as a name from /etc/services.
  145. #
  146. #                       If the ACTION is REDIRECT, this column needs only to
  147. #                       contain the port number on the firewall that the
  148. #                       request should be redirected to.
  149. #
  150. #       PROTO           Protocol - Must be "tcp", "udp", "icmp", a number, or
  151. #                       "all".
  152. #
  153. #       DEST PORT(S)    Destination Ports. A comma-separated list of Port
  154. #                       names (from /etc/services), port numbers or port
  155. #                       ranges; if the protocol is "icmp", this column is
  156. #                       interpreted as the destination icmp-type(s).
  157. #
  158. #                       A port range is expressed as <low port>:<high port>.
  159. #
  160. #                       This column is ignored if PROTOCOL = all but must be
  161. #                       entered if any of the following fields are supplied.
  162. #                       In that case, it is suggested that this field contain
  163. #                        "-"
  164. #
  165. #                       If your kernel contains multi-port match support, then
  166. #                       only a single Netfilter rule will be generated if in
  167. #                       this list and the CLIENT PORT(S) list below:
  168. #                       1. There are 15 or fewer ports listed.
  169. #                       2. No port ranges are included.
  170. #                       Otherwise, a separate rule will be generated for each
  171. #                       port.
  172. #
  173. #       CLIENT PORT(S)  (Optional) Port(s) used by the client. If omitted,
  174. #                       any source port is acceptable. Specified as a comma-
  175. #                       separated list of port names, port numbers or port
  176. #                       ranges.
  177. #
  178. #                       If you don't want to restrict client ports but need to
  179. #                       specify an ADDRESS in the next column, then place "-"
  180. #                       in this column.
  181. #
  182. #                       If your kernel contains multi-port match support, then
  183. #                       only a single Netfilter rule will be generated if in
  184. #                       this list and the DEST PORT(S) list above:
  185. #                       1. There are 15 or fewer ports listed.
  186. #                       2. No port ranges are included.
  187. #                       Otherwise, a separate rule will be generated for each
  188. #                       port.
  189. #
  190. #       ORIGINAL DEST   (Optional -- only allowed if ACTION is DNAT[-] or
  191. #                       REDIRECT[-]) If included and different from the IP
  192. #                       address given in the SERVER column, this is an address
  193. #                       on some interface on the firewall and connections to
  194. #                       that address will be forwarded to the IP and port
  195. #                       specified in the DEST column.
  196. #
  197. #                       A comma-separated list of addresses may also be used.
  198. #                       This is usually most useful with the REDIRECT target
  199. #                       where you want to redirect traffic destined for
  200. #                       particular set of hosts.
  201. #
  202. #                       Finally, if the list of addresses begins with "!" then
  203. #                       the rule will be followed only if the original
  204. #                       destination address in the connection request does not
  205. #                       match any of the addresses listed.
  206. #
  207. #                       The address (list) may optionally be followed by
  208. #                       a colon (":") and a second IP address. This causes
  209. #                       Shorewall to use the second IP address as the source
  210. #                       address in forwarded packets. See the Shorewall
  211. #                       documentation for restrictions concerning this feature.
  212. #                       If no source IP address is given, the original source
  213. #                       address is not altered.
  214. #
  215. #       RATE LIMIT      You may rate-limit the rule by placing a value in
  216. #                       this column:
  217. #
  218. #                               <rate>/<interval>[:<burst>]
  219. #
  220. #                       where <rate> is the number of connections per
  221. #                       <interval> ("sec" or "min") and <burst> is the
  222. #                       largest burst permitted. If no <burst> is given,
  223. #                       a value of 5 is assumed. There may be no
  224. #                       whitespace embedded in the specification.
  225. #
  226. #                               Example: 10/sec:20
  227. #
  228. #                       If you place a rate limit in this column, you may not
  229. #                       place a similar limit in the ACTION column.
  230. #
  231. #       USER SET        This column may only be non-empty if the SOURCE is
  232. #                       the firewall itself and the ACTION is ACCEPT, DROP or
  233. #                       REJECT.
  234. #                      
  235. #                       The format of the column is a comma separated list of
  236. #                       user set names defined in the /etc/shorewall/usersets
  237. #                       file.
  238. #                      
  239. #                       When this column is non-empty, the rule applies only
  240. #                       if the program generating the output is running under
  241. #                       the effective <user> and/or <group> specified. A log
  242. #                       level may not be given in the ACTION column.
  243. #
  244. #       Example: Accept SMTP requests from the DMZ to the internet
  245. #
  246. #       #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
  247. #       #                               PORT    PORT(S) DEST
  248. #       ACCEPT  dmz     net       tcp   smtp
  249. #
  250. #       Example: Forward all ssh and http connection requests from the internet
  251. #                to local system 192.168.1.3
  252. #
  253. #       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
  254. #       #                                       PORT    PORT(S) DEST
  255. #       DNAT    net     loc:192.168.1.3 tcp     ssh,http
  256. #
  257. #       Example: Forward all http connection requests from the internet
  258. #                to local system 192.168.1.3 with a limit of 3 per second and
  259. #                a maximum burst of 10
  260. #
  261. #       #ACTION         SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
  262. #       #                                               PORT    PORT(S) DEST
  263. #       DNAT<3/sec:10>  net     loc:192.168.1.3 tcp     http
  264. #
  265. #       Example: Redirect all locally-originating www connection requests to
  266. #                port 3128 on the firewall (Squid running on the firewall
  267. #                system) except when the destination address is 192.168.2.2
  268. #
  269. #       #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
  270. #       #                               PORT    PORT(S) DEST
  271. #       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
  272. #
  273. #       Example: All http requests from the internet to address
  274. #                130.252.100.69 are to be forwarded to 192.168.1.3
  275. #
  276. #       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
  277. #       #                                       PORT    PORT(S) DEST
  278. #       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
  279. #
  280. #       Example: You want to accept SSH connections to your firewall only
  281. #                from internet IP addresses 130.252.100.69 and 130.252.100.70
  282. #
  283. #       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
  284. #       #                                       PORT    PORT(S) DEST
  285. #       ACCEPT   net:130.252.100.69,130.252.100.70 fw \
  286. #                                       tcp     22
  287. ####################################################################################################
  288. #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER
  289. #                                               PORT    PORT(S)    DEST         LIMIT
  290. ####################################################################################################
  291. # Local Network to Firewall
  292. # Allow SSH from the local network
  293. #
  294. ACCEPT          loc       $FW           tcp     ssh,smtp,auth,9999
  295. ACCEPT          loc       $FW           tcp     imap2,imap3,imaps
  296. ACCEPT          loc       $FW            udp     snmp,ntp,445
  297. ACCEPT          loc       $FW            udp     137:139
  298. ACCEPT          loc       $FW            udp     1024:         137
  299. # Accept icmp packets -- make ping work
  300. ACCEPT          loc       $FW           icmp    8
  301. ########################################################################################################################################################################################################
  302. ACCEPT net:192.168.1.10/24 loc           tcp     9999
  303. ####################################################################################################
  304. ####################################################################################################
  305. # Internet to Firewall
  306. #
  307. # Allow SSH and Auth from the internet
  308. #
  309. ACCEPT          net       $FW           tcp     ssh,auth
  310. # Accept incoming mail
  311. ACCEPT          net       $FW           tcp     25,9999
  312. DROP            net       $FW           tcp     1433
  313. # Hmm. Nameservers we use
  314. ACCEPT  net:80.190.233.18 $FW           udp     1052
  315. ACCEPT  net:205.216.82.1  $FW           udp      -         53
  316. ACCEPT  net:204.70.128.1  $FW           udp      -         53
  317. ACCEPT  net:12.27.222.9   $FW           udp      -         53
  318. # Accept icmp packets -- make ping work
  319. ACCEPT          net       $FW           icmp    8
  320. ####################################################################################################
  321. ####################################################################################################
  322. # Firewall to the local network
  323. # Accept icmp packets -- make ping work
  324. ACCEPT          $FW       loc           icmp    8
  325. ####################################################################################################
  326. ####################################################################################################
  327. # Firewall to Internet
  328. #
  329. # Run an NTP daemon on the firewall that is synced with outside sources
  330. #
  331. ACCEPT          $FW       net           udp     ntp
  332. # Accept DNS queries from your firewall to the internet
  333. ACCEPT          $FW       net           udp     53,rsync,ipp
  334. ACCEPT          $FW       net           tcp     53,rsync,ircd,9999,2222
  335. ACCEPT          $FW       net           tcp     pop3,ldap,nntp,81
  336. ACCEPT          $FW       net           tcp     imap2,imap3,imaps
  337. ACCEPT          $FW       net           tcp     www,https,ssh,1723,whois,1863,smtp,ftp,2702,2703,7,cvspserver
  338. ACCEPT          $FW       net           udp     33435:33535
  339. ACCEPT          $FW       net           udp     imaps
  340. ACCEPT          $FW net:192.168.1.1     tcp     113
  341. ACCEPT          $FW net:192.168.1.10/24 tcp     9999,631,139,445,111
  342. ACCEPT          $FW net:192.168.1.10/24 udp     635,111
  343. ACCEPT          $FW net:192.168.1.10/24 udp     -       800
  344. ACCEPT          $FW   net:80.190.233.18 udp     1052            1025
  345. ACCEPT          $FW net:4.22.165.10
  346. ACCEPT          $FW net:10.1.1.100      tcp     515,631
  347. ACCEPT          $FW net:10.1.1.2        tcp     515,631
  348. ACCEPT          $FW       net           tcp     11371,8080
  349.  
  350. # Accept icmp packets -- make ping work
  351. ACCEPT          $FW       net           icmp    8
  352. ####################################################################################################
  353. ACCEPT          $FW       dmz           udp     500             500
  354. ACCEPT          $FW       dmz           tcp     22
  355. ACCEPT          $FW       dmz           icmp    8
  356.  
  357. ####################################################################################################
  358.  
  359. #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
