Rules
Examples
    # Force All web traffic to the HTTPS
    REDIRECT   net   www    tcp   443
    REDIRECT   loc   3128   tcp   8080
Example 1:
    Accept SMTP requests from the DMZ to the internet

        #ACTION    SOURCE    DEST    PROTO   DEST    SOURCE    ORIGINAL
        #                                    PORT    PORT(S)   DEST
        ACCEPT     dmz       net     tcp     smtp
Example 2:
    Forward all ssh and http connection requests from the internet to local system 192.168.1.3

        #ACTION    SOURCE    DEST              PROTO   DEST       SOURCE    ORIGINAL
        #                                              PORT       PORT(S)   DEST
        DNAT       net       loc:192.168.1.3   tcp     ssh,http
Example 3:
    Forward all http connection requests from the internet to local system 192.168.1.3 with a limit of 3 per second and a maximum burst of 10

        #ACTION    SOURCE    DEST              PROTO   DEST    SOURCE    ORIGINAL   RATE
        #                                              PORT    PORT(S)   DEST       LIMIT
        DNAT       net       loc:192.168.1.3   tcp     http    -         -          3/sec:10
Example 4:
    Redirect all locally-originating www connection requests to port 3128 on the firewall (Squid running on the firewall system) except when the destination address is 192.168.2.2

        #ACTION    SOURCE    DEST    PROTO   DEST    SOURCE    ORIGINAL
        #                                    PORT    PORT(S)   DEST
        REDIRECT   loc       3128    tcp     www     -         !192.168.2.2
Example 5:
    All http requests from the internet to address 130.252.100.69 are to be forwarded to 192.168.1.3

        #ACTION    SOURCE    DEST              PROTO   DEST    SOURCE    ORIGINAL
        #                                              PORT    PORT(S)   DEST
        DNAT       net       loc:192.168.1.3   tcp     80      -         130.252.100.69
Example 6:
    You want to accept SSH connections to your firewall only from internet IP addresses 130.252.100.69 and 130.252.100.70

        #ACTION    SOURCE                               DEST    PROTO   DEST    SOURCE    ORIGINAL
        #                                                               PORT    PORT(S)   DEST
        ACCEPT     net:130.252.100.69,130.252.100.70    $FW \
                                                                tcp     22
Example 7:
    You wish to accept connections from the internet to your firewall on port 2222 and you want to forward them to local system 192.168.1.3, port 22

        #ACTION    SOURCE    DEST                 PROTO   DEST    SOURCE    ORIGINAL
        #                                                 PORT    PORT(S)   DEST
        DNAT       net       loc:192.168.1.3:22   tcp     2222
Example 8:
    You want to redirect connection requests to port 80 randomly to the port range 81-90.

        #ACTION    SOURCE    DEST                PROTO   DEST    SOURCE    ORIGINAL
        #                                                PORT    PORT(S)   DEST
        REDIRECT   net       $FW::81-90:random   tcp     www
Example 9:
    Shorewall does not impose as much structure on the Netfilter rules in the 'nat' table as it does on those in the filter table. As a consequence, when using Shorewall versions before 4.1.4, care must be exercised when using DNAT and REDIRECT rules with zones defined with wildcard interfaces (those ending with '+'). Here is an example:
    shorewall-zones(8):

        #ZONE   TYPE       OPTIONS
        fw      firewall
        net     ipv4
        dmz     ipv4
        loc     ipv4

    shorewall-interfaces(8):

        #ZONE   INTERFACE   BROADCAST   OPTIONS
        net     ppp0
        loc     eth1        detect
        dmz     eth2        detect
        -       ppp+                    # Addresses are assigned from 192.168.3.0/24

    shorewall-hosts(8):

        #ZONE   HOST(S)                 OPTIONS
        loc     ppp+:192.168.3.0/24

    rules:

        #ACTION    SOURCE    DEST    PROTO   DEST
        #                                    PORT(S)
        REDIRECT   loc       3128    tcp     80
    Note that it would have been tempting to simply define the loc zone entirely in shorewall-interfaces(8):

        #******************* INCORRECT *****************
        #ZONE   INTERFACE   BROADCAST   OPTIONS
        net     ppp0
        loc     eth1        detect
        loc     ppp+
        dmz     eth2
    This would have made it impossible to run an internet-accessible web server in the DMZ, because all traffic entering ppp+ interfaces would have been redirected to port 3128 on the firewall and there would have been no net->fw ACCEPT rule for that traffic.
Example 10:
    Add the tuple (source IP, dest port, dest IP) of an incoming SSH connection to the ipset S:

        #ACTION               SOURCE    DEST    PROTO   DEST
        #                                               PORT(S)
        ADD(+S:dst,src,dst)   net       fw      tcp     22
Example 11:
    You wish to limit SSH connections from remote systems to 1/min with a burst of three (to allow for limited retry):

        #ACTION       SOURCE    DEST    PROTO   DEST      SOURCE    ORIGINAL   RATE
        #                                       PORT(S)   PORT(S)   DEST       LIMIT
        SSH(ACCEPT)   net       all     -       -         -         -          s:1/min:3
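To make the effect of a RATE LIMIT entry concrete, here is an added token-bucket model (my own illustration, not Shorewall or netfilter code) run over a constructed list of connection attempts. It treats `rate/unit:burst` as a bucket that starts with `burst` tokens and refills at `rate` per unit, and the `s:` prefix as one bucket per source address rather than one shared bucket. The limit values are those of Example 3 (`3/sec:10`) and Example 11 (`s:1/min:3`); the source addresses and timings are made up.

```python
"""Token-bucket model of a Shorewall RATE LIMIT entry.

Added example, not Shorewall or netfilter code: it approximates the
behaviour behind '[s:|d:]rate/unit[:burst]' so the effect of Example 3's
'3/sec:10' and Example 11's 's:1/min:3' can be seen on constructed
connection attempts.  Netfilter's credit accounting differs in detail;
the accept/reject pattern is the point.
"""

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


class RateLimiter:
    """'burst' tokens are available at start and refill at rate per unit.

    per_source=True models the 's:' prefix (a separate bucket for every
    source address); False models the unprefixed form, where every source
    draws on one shared bucket.
    """

    def __init__(self, rate, unit, burst, per_source=False):
        self.refill_per_sec = rate / UNIT_SECONDS[unit]
        self.burst = burst
        self.per_source = per_source
        self.buckets = {}           # bucket key -> (tokens, last update time)

    def allow(self, t, source):
        """Return True if a new connection at time t (seconds) is accepted."""
        key = source if self.per_source else None
        tokens, last = self.buckets.get(key, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.refill_per_sec)
        accepted = tokens >= 1
        self.buckets[key] = (tokens - 1 if accepted else tokens, t)
        return accepted


def simulate(limiter, attempts):
    """attempts: time-ordered (t, source) pairs -> (t, source, accepted) triples."""
    return [(t, src, limiter.allow(t, src)) for t, src in attempts]


# Constructed attempts: one host retrying SSH five times in five seconds,
# a second host trying once in between, then the first host again later.
SSH_ATTEMPTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (2.5, "203.0.113.9"),
    (3, "198.51.100.7"), (4, "198.51.100.7"),
    (90, "198.51.100.7"), (91, "198.51.100.7"),
]


def ssh_example(per_source):
    """Example 11's limit: 's:1/min:3' when per_source, plain '1/min:3' otherwise."""
    return simulate(RateLimiter(1, "min", 3, per_source=per_source), SSH_ATTEMPTS)


def http_example():
    """Example 3's '3/sec:10': 15 attempts at once, then 4 more a second later.

    Returns (accepted in the first burst, accepted one second later).
    """
    limiter = RateLimiter(3, "sec", 10)
    burst = simulate(limiter, [(0, "198.51.100.7")] * 15)
    later = simulate(limiter, [(1, "198.51.100.7")] * 4)
    return sum(ok for _, _, ok in burst), sum(ok for _, _, ok in later)


if __name__ == "__main__":
    for label, flag in (("1/min:3 (shared)", False), ("s:1/min:3 (per source)", True)):
        print(label, [ok for _, _, ok in ssh_example(flag)])
    print("3/sec:10", http_example())
```

With the shared bucket the first host's three retries exhaust the burst and the second host's single attempt at t=2.5 is refused; with `s:` the second host gets its own bucket and is accepted, which is why the per-source form is the one that fits a "limited retry" policy for individual remote systems. The fourth attempt from the first host is refused either way until enough time has passed for a token to refill.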
Example 12:
    Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.

        #ACTION    SOURCE    DEST          PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH
        #                                          PORT(S)   PORT(S)   DEST       LIMIT   GROUP
        DNAT       net       dmz:$BACKUP   tcp     80        -         -          -       -       -      -           -      -         primary_down
Example 13:
    Drop all email from the Anonymous Proxy and Satellite Provider address ranges:

        #ACTION    SOURCE       DEST    PROTO   DEST
        #                                       PORT(S)
        DROP       net:^A1,A2   fw      tcp     22
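The examples above all rely on the positional column layout of the rules file, with `-` standing for an unspecified column and compound values in DEST (`zone:address:port`), ORIGINAL DEST (`!address`) and RATE LIMIT (`s:1/min:3`). The following is an added Python parser, written for this page and not part of Shorewall, that maps a rule line onto those columns and decodes the compound fields; it is fed the rule lines of Examples 1, 3, 4, 6, 8, 11 and 12. The column names (`dport`, `origdest`, and so on) are labels of my own for the positions, not Shorewall identifiers.

```python
"""Positional parser for /etc/shorewall/rules entries.

Added example, not Shorewall's own code: it maps a rule line onto the
named columns used in the examples on this page and decodes the compound
DEST, ORIGINAL DEST and RATE LIMIT fields.  The column names below are
my own labels for the positions, not Shorewall identifiers.
"""
import re

# Column order of the rules file as it appears in Examples 1-13.
COLUMNS = (
    "action", "source", "dest", "proto", "dport", "sport", "origdest",
    "rate", "user_group", "mark", "connlimit", "time", "headers", "switch",
)

# Constructed input: the rule lines from Examples 1, 3, 4, 6, 8, 11 and 12,
# with the Example 6 line keeping its backslash continuation.
SAMPLE_RULES = r"""
#ACTION    SOURCE    DEST    PROTO   DEST    SOURCE    ORIGINAL
#                                    PORT    PORT(S)   DEST
ACCEPT     dmz       net     tcp     smtp
DNAT       net       loc:192.168.1.3   tcp   http    -    -    3/sec:10
REDIRECT   loc       3128    tcp     www     -         !192.168.2.2
ACCEPT     net:130.252.100.69,130.252.100.70   $FW \
                                     tcp     22
REDIRECT   net       $FW::81-90:random        tcp     www
SSH(ACCEPT) net      all     -       -       -    -    s:1/min:3
DNAT       net       dmz:$BACKUP   tcp   80   - - - - - - - -   primary_down
"""

RATE_RE = re.compile(
    r"^(?:(?P<scope>[sd]):)?(?P<rate>\d+)/(?P<unit>sec|min|hour|day)"
    r"(?::(?P<burst>\d+))?$"
)


def logical_lines(text):
    """Yield rule lines with comments removed and backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() and not pending:
            continue                      # blank or comment-only line
        if line.endswith("\\"):
            pending += line[:-1] + " "    # continued on the next line
            continue
        yield (pending + line).strip()
        pending = ""


def parse_rule(line):
    """Map one rule onto COLUMNS; '-' and absent trailing columns become None."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("rule needs ACTION, SOURCE and DEST: %r" % line)
    rule = dict.fromkeys(COLUMNS)
    for name, value in zip(COLUMNS, fields):
        rule[name] = None if value == "-" else value
    return rule


def parse_rules(text):
    """Parse every rule in a rules-file fragment."""
    return [parse_rule(line) for line in logical_lines(text)]


def split_dest(dest):
    """Decode DEST into (zone, address, port).

    'loc:192.168.1.3:22' -> ('loc', '192.168.1.3', '22')
    '$FW::81-90:random'  -> ('$FW', None, '81-90:random')
    '3128'               -> (None, None, '3128')  # REDIRECT port on the firewall
    """
    if re.fullmatch(r"\d+(-\d+)?(:random)?", dest):
        return None, None, dest
    parts = dest.split(":")
    address = parts[1] if len(parts) > 1 and parts[1] else None
    port = ":".join(parts[2:]) if len(parts) > 2 else None
    return parts[0], address, port


def parse_origdest(value):
    """ORIGINAL DEST may be negated with a leading '!' (Example 4)."""
    if value is None:
        return None
    return {"negated": value.startswith("!"), "address": value.lstrip("!")}


def parse_rate(value):
    """RATE LIMIT is [s:|d:]rate/unit[:burst]; 's:' limits per source address."""
    if value is None:
        return None
    m = RATE_RE.match(value)
    if not m:
        raise ValueError("bad RATE LIMIT: %r" % value)
    burst = int(m["burst"]) if m["burst"] else None
    return {"scope": m["scope"], "rate": int(m["rate"]), "unit": m["unit"],
            "burst": burst}


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print(r["action"], split_dest(r["dest"]), parse_rate(r["rate"]),
              parse_origdest(r["origdest"]), r["switch"])
```

Because the columns are positional, a rule that sets a late column such as SWITCH (Example 12) must carry a `-` for every earlier column it leaves unspecified; the parser mirrors that by filling absent trailing columns with None and rejecting nothing else, so a misplaced `-` shows up as a value landing in the wrong key rather than as a syntax error, which is also how it would be misread by the real file format.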
Files
/etc/shorewall/rules