shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall and Ipsets</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>Shorewall and Ipsets</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005, 2008 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292638"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Ipsets">What are Ipsets?</a></span></dt><dt><span class="section"><a href="#Support">Shorewall Support for Ipsets</a></span></dt><dt><span class="section"><a href="#Dynamic">Defining Dynamic Zones using Ipsets</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Ipsets"></a>What are Ipsets?</h2></div></div></div><p>Ipsets are an extension to Netfilter/iptables that are currently
    available in Patch-O-Matic-ng (<a class="ulink" href="http://www.netfilter.org" target="_self">http://www.netfilter.org</a>). Using
    ipsets requires that you patch your kernel and iptables and that you build
    and install the ipset utility from <a class="ulink" href="http://ipset.netfilter.org/" target="_self">http://ipset.netfilter.org/</a>.</p><p>Ipset allows you to create one or more named sets of addresses then
    use those sets to define Netfilter/iptables rules. Possible uses of ipsets
    include:</p><div class="orderedlist"><ol type="1"><li><p>Blacklists. Ipsets provide an efficient way to represent large
        sets of addresses and you can maintain the lists without the need to
        restart or even refresh your Shorewall configuration.</p></li><li><p>Zone definition. Using the /etc/shorewall/hosts file, you can
        define a zone based on the (dynamic) contents of an ipset. Again, you
        can then add or delete addresses to the ipset without restarting
        Shorewall.</p></li></ol></div><p>See the ipsets site (URL above) for additional information about
    ipsets.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Support"></a>Shorewall Support for Ipsets</h2></div></div></div><p>Support for ipsets was introduced in Shorewall version 2.3.0. In
    most places where a host or network address may be used, you may also use
    the name of an ipset prefaced by "+".</p><p>Example: "+Mirrors"</p><p>When using Shorewall-perl, the names of ipsets are restricted as
    follows:</p><div class="itemizedlist"><ul type="disc"><li><p>They must begin with a letter (after the '+').</p></li><li><p>They must be composed of letters, digits or underscores
("_").</p></li></ul></div><p>The name of the set may optionally be followed by:</p><div class="orderedlist"><ol type="a"><li><p>a number from 1 to 6 enclosed in square brackets ([]) -- this
        number indicates the maximum number of ipset binding levels that are
        to be matched. Depending on the context where the ipset name is used,
        either all "src" or all "dst" matches will be used.</p><p>Example: "+Mirrors[4]"</p></li><li><p>a series of "src" and "dst" options separated by commas and
        enclosed in square brackets ([]). These will be passed directly to
        iptables in the generated --set clause. See the ipset documentation
        for details.</p><p>Example: "+Mirrors[src,dst,src]"</p><p>Note that "+Mirrors[4]" used in the SOURCE column of the rules
        file is equivalent to "+Mirrors[src,src,src,src]".</p></li></ol></div><p>To generate a negative match, prefix the "+" with "!" as in
    "!+Mirrors".</p><p>Example 1: Blacklist all hosts in an ipset named "blacklist"</p><p><code class="filename">/etc/shorewall/blacklist</code></p><pre class="programlisting">#ADDRESS/SUBNET         PROTOCOL        PORT
+blacklist</pre><p>Example 2: Allow SSH from all hosts in an ipset named "sshok":</p><p><code class="filename">/etc/shorewall/rules</code></p><pre class="programlisting">#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
ACCEPT       +sshok      $FW      tcp      22</pre><p>If you are running Shorewall-shell:</p><div class="blockquote"><blockquote class="blockquote"><p>Shorewall can automatically manage the contents of your ipsets for
      you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
      then "shorewall save" will save the contents of your ipsets. The file
      where the sets are saved is formed by taking the name where the
      Shorewall configuration is stored and appending "-ipsets". So if you
      enter the command "shorewall save standard" then Shorewall will save the
      file as /var/lib/shorewall/standard-ipsets</p><p>Regardless of the setting of SAVE_IPSETS, the <span class="command"><strong>shorewall
      -f start</strong></span> and <span class="command"><strong>shorewall restore</strong></span> commands
      will restore the ipset contents corresponding to the Shorewall
      configuration restored provided that the saved Shorewall configuration
      specified exists.</p><p>For example, <span class="command"><strong>shorewall restore standard</strong></span> would
      restore the ipset contents from
      <code class="filename">/var/lib/shorewall/standard-ipsets</code> provided that
      <code class="filename">/var/lib/shorewall/standard</code> exists and is
      executable and that
      <code class="filename">/var/lib/shorewall/standard-ipsets</code> exists and is
      executable.</p><p>Also regardless of the setting of SAVE_IPSETS, the
      <span class="command"><strong>shorewall forget</strong></span> command will purge the saved ipset
      information (if any) associated with the saved shorewall configuration
      being removed.</p><p>You can also associate ipset contents with Shorewall configuration
      directories using the following command:</p><pre class="programlisting"><span class="command"><strong>ipset -S &gt; &lt;config directory&gt;/ipsets</strong></span></pre><p>Example:</p><pre class="programlisting"><span class="command"><strong>ipset -S &gt; /etc/shorewall/ipsets</strong></span></pre><p>When you start or restart Shorewall (including using the
      <span class="command"><strong>try</strong></span> command) from the configuration directory, your
      ipsets will be configured from the saved ipsets file. Once again, this
      behavior is independent of the setting of SAVE_IPSETS.</p><p>As mentioned above, ipsets are well suited for large blacklists.
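</p><p>Whichever compiler you use, the saved file is handed straight to <span class="command"><strong>ipset -R</strong></span>, and a line it rejects aborts the restore part-way, so it is worth checking the file before Shorewall's init script (or the Shorewall-perl snippet further down) feeds it to ipset. The following script is an added example and is not part of Shorewall or ipset. It reads a dump on standard input and checks that set names satisfy the Shorewall-perl restriction (a letter, then letters, digits or underscores), that every <code class="literal">-A</code> and <code class="literal">-B</code> line refers to a set created earlier in the file, that entries of an <code class="literal">iphash</code> set look like IPv4 host addresses and entries of a <code class="literal">nethash</code> set like CIDR networks, and that the file ends in <code class="literal">COMMIT</code>. The line layout (<code class="literal">-N</code>/<code class="literal">-A</code>/<code class="literal">-B</code> lines closed by <code class="literal">COMMIT</code>) is assumed from the ipset 2.x save format, and both sample dumps are constructed for the example rather than captured from a running system.</p>

```sh
#!/bin/sh
# Added example, not part of Shorewall or ipset: pre-flight check of an
# "ipset -S" dump read from standard input, meant to run before the dump is
# handed to "ipset -R". Exits 0 if the dump looks restorable, 1 otherwise,
# naming every offending line on stderr.
# Assumption: ipset 2.x save format, i.e. "-N NAME TYPE [options]",
# "-A NAME ENTRY" and "-B NAME ENTRY -b SET" lines closed by "COMMIT".

# Shorewall-perl's restriction on set names: a letter first, then letters,
# digits or underscores only.
valid_ipset_name() {
    case "$1" in [A-Za-z]*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9_]*) return 1 ;; esac
}

# is_ipv4 A.B.C.D : four decimal octets, each between 0 and 255
is_ipv4() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# is_ipv4_net A.B.C.D/N : a host address plus a prefix length of 0 to 32
is_ipv4_net() {
    case "$1" in */*) ;; *) return 1 ;; esac
    case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -le 32 ] && is_ipv4 "${1%/*}"
}

# set_type NAME : print the type recorded for NAME by an earlier -N line;
# fails if the dump never created that set.
set_type() {
    for s in $SETS; do
        [ "${s%%:*}" = "$1" ] && { printf '%s' "${s#*:}"; return 0; }
    done
    return 1
}

check_ipset_dump() {
    SETS='' rc=0 n=0 committed=''
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line
        [ $# -eq 0 ] && continue
        if [ -n "$committed" ]; then
            echo "line $n: text after COMMIT" >&2; rc=1; continue
        fi
        case "$1" in
        -N) # -N NAME TYPE [options]
            if ! valid_ipset_name "$2"; then
                echo "line $n: set name '$2' is not accepted by Shorewall-perl" >&2; rc=1
            elif set_type "$2" >/dev/null; then
                echo "line $n: set '$2' is created twice" >&2; rc=1
            else
                SETS="$SETS $2:$3"
            fi ;;
        -A) # -A NAME ENTRY : the entry must suit the set's type
            stype=$(set_type "$2") || { echo "line $n: unknown set '$2'" >&2; rc=1; continue; }
            case "$stype" in
            iphash)  is_ipv4 "$3"     || { echo "line $n: '$3' is not a host address" >&2; rc=1; } ;;
            nethash) is_ipv4_net "$3" || { echo "line $n: '$3' is not a network" >&2; rc=1; } ;;
            portmap) case "$3" in ''|*[!0-9]*) echo "line $n: '$3' is not a port" >&2; rc=1 ;; esac ;;
            esac ;;
        -B) # -B NAME ENTRY -b SET : both sets must already exist
            set_type "$2" >/dev/null && set_type "$5" >/dev/null ||
                { echo "line $n: binding between unknown sets" >&2; rc=1; } ;;
        COMMIT) committed=yes ;;
        *) echo "line $n: unexpected '$1'" >&2; rc=1 ;;
        esac
    done
    [ -n "$committed" ] || { echo "dump does not end with COMMIT" >&2; rc=1; }
    return $rc
}

# Constructed sample dumps (not captured from a real system). The first
# follows the Blacklist/Blacklistnets/SMTP sets built later in this document;
# the second has a name Shorewall-perl rejects, a network in an iphash and an
# entry for a set that was never created.
GOOD_DUMP='-N Blacklist iphash --hashsize 1024 --probes 8 --resize 50
-N Blacklistnets nethash --hashsize 1024 --probes 4 --resize 50
-N SMTP portmap --from 1 --to 31
-A Blacklist 206.124.146.177
-A Blacklistnets 206.124.147.0/24
-A SMTP 25
-B Blacklist 206.124.146.177 -b SMTP
COMMIT'

BAD_DUMP='-N Blacklist iphash --hashsize 1024 --probes 8 --resize 50
-N bad-name iphash
-A Blacklist 206.124.147.0/24
-A Nowhere 10.0.0.1
COMMIT'

if printf '%s\n' "$GOOD_DUMP" | check_ipset_dump; then echo "good dump: restorable"; fi
printf '%s\n' "$BAD_DUMP" | check_ipset_dump || echo "bad dump: rejected (errors above)"
```

<p>Run it as <span class="command"><strong>ipset -S | sh check-ipsets.sh</strong></span> before saving, or from <code class="filename">/etc/shorewall/init</code> as <span class="command"><strong>sh check-ipsets.sh &lt; /etc/shorewall/ipsets</strong></span> ahead of the <span class="command"><strong>ipset -R</strong></span>; a non-zero exit status means the restore should not be attempted. The script name is hypothetical.</p><p>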
      You can maintain your blacklist using the 'ipset' utility without ever
      having to restart or refresh Shorewall. If you use the SAVE_IPSETS=Yes
      feature just be sure to "shorewall save" after altering the blacklist
      ipset(s).</p></blockquote></div><p>If you are running Shorewall-perl:</p><div class="blockquote"><blockquote class="blockquote"><p>Shorewall is now out of the ipset load/reload business. With
      scripts generated by the Perl-based Compiler, the Netfilter rule set is
      never cleared. That means that there is no opportunity for Shorewall to
      load/reload your ipsets since that cannot be done while there are any
      current rules using ipsets.</p><p>So:</p><div class="orderedlist"><ol type="I"><li><p>Your ipsets must be loaded before Shorewall starts. You are
          free to try to do that with the following code in
<code class="filename">/etc/shorewall/init</code> (it works for me; your mileage may
vary):</p><pre class="programlisting"># Only on "shorewall start": the sets must exist before the generated
# script installs rules that refer to them.
if [ "$COMMAND" = start ]; then
    ipset -U :all: :all:        # unbind every binding from every set
    ipset -U :all: :default:    # drop the default binding of every set
    ipset -F                    # flush the entries of every set
    ipset -X                    # destroy every set; fails while a rule still uses one
    ipset -R &lt; /etc/shorewall/ipsets   # recreate sets and entries from the saved dump
fi</pre><p>The file <code class="filename">/etc/shorewall/ipsets</code> will
          normally be produced using the <span class="command"><strong>ipset -S</strong></span>
          command.</p><p>The above will work most of the time but will fail in a
          <span class="command"><strong>shorewall stop</strong></span> - <span class="command"><strong>shorewall
          start</strong></span> sequence if you use ipsets in your routestopped file
          (see below).</p></li><li><p>Your ipsets may not be reloaded until Shorewall is stopped or
          cleared.</p></li><li><p>If you specify ipsets in your routestopped file then Shorewall
          must be cleared in order to reload your ipsets.</p></li></ol></div><p>As a consequence, scripts generated by the Perl-based compiler
      will ignore <code class="filename">/etc/shorewall/ipsets</code> and will issue a
      warning if you set SAVE_IPSETS=Yes in
      <code class="filename">shorewall.conf</code>.</p></blockquote></div><p>Example (Note -- this example is applicable to ipset versions up to
    and including 2.4. In 2.5, the binding feature of ipsets is scheduled for
    removal in favor of different set types that include both IP addresses and
    port numbers. Check your ipset documentation):</p><p><code class="filename">/etc/shorewall/blacklist</code>:</p><pre class="programlisting">#ADDRESS/SUBNET         PROTOCOL        PORT
+Blacklist[src,dst]
+Blacklistnets[src,dst]</pre><p>Create the blacklist ipsets using:</p><pre class="programlisting"><span class="command"><strong>ipset -N Blacklist iphash
ipset -N Blacklistnets nethash</strong></span></pre><p>Add entries:</p><pre class="programlisting"><span class="command"><strong>ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.147.0/24</strong></span></pre><p>To allow entries for individual ports:</p><pre class="programlisting"><span class="command"><strong>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25

ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</strong></span></pre><p>Now only port 25 will be blocked from 206.124.146.177.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Dynamic"></a>Defining Dynamic Zones using Ipsets</h2></div></div></div><p>The use of ipsets provides a much better way to define dynamic zones
    than is provided by the native Shorewall implementation. To define a
    dynamic zone of hosts <span class="bold"><strong>dyn</strong></span> that interface
    through interface eth3, use:</p><p>/etc/shorewall/zones:</p><pre class="programlisting">#ZONE         TYPE         OPTIONS            IN OPTIONS        OUT OPTIONS
dyn           ipv4</pre><p>/etc/shorewall/interfaces:</p><pre class="programlisting">#ZONE         INTERFACE     OPTIONS
-             eth3          …</pre><p>/etc/shorewall/hosts:</p><pre class="programlisting">#ZONE         HOSTS         OPTIONS
dyn           eth3:+Dyn</pre><p>Now create an ipmap named <span class="bold"><strong>Dyn</strong></span> and
    you're all set. You can add and delete addresses from Dyn without having
    to touch Shorewall.</p></div></div></body></html>