params
Used to define variables that can be referenced from the other configuration files. The file is processed as shell assignments, so there must be no whitespace around "=" or inside an unquoted value.
/etc/shorewall/params:
NET_IF=eth0
ADMIN_IP=192.168.123.10,192.168.123.200
rules
- Replies to allowed requests are automatically accepted using connection tracking.
- All rules are terminating except LOG and COUNT rules.
COMMENT Allow SSH from admin
SSH(ACCEPT)    net:$ADMIN_IP    $FW
COMMENT
shorewall show (the COMMENT text appears in the generated chain):
/* Allow SSH from home */
The rule above is equivalent to (lines ending in a backslash are continued):
#ACTION    SOURCE    DEST    PROTO    DEST
#                                     PORT(S)
ACCEPT     net:\
192.168.123.10,\
192.168.123.200 \
           lxc       tcp     22
Sections:
* If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ALL, ESTABLISHED and RELATED sections must be empty.
#SECTION ALL
Rules in this section are applied regardless of the connection tracking state of the packet.
#SECTION ESTABLISHED
Packets in the ESTABLISHED state are processed by rules in this section.
Permitted actions: ACCEPT, DROP, REJECT, LOG and QUEUE.
There is an implicit ACCEPT rule inserted at the end of this section.
#SECTION NEW
Packets in the NEW, INVALID and UNTRACKED states are processed by rules in this section.
#SECTION RELATED
Packets in the RELATED state are processed by rules in this section.
#SECTION BLACKLIST
If you use this section, place all of your non-blacklisting rules in the NEW section.
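As an added example (not code from the original notes or from the Shorewall project), the following POSIX shell script turns the constraints above into a pre-flight check before running "shorewall check": every params line must be a clean shell assignment (a spaced form such as "ADMIN_IP= 192.168.123.10" would make the shell run the value as a command), the ALL, ESTABLISHED and RELATED sections must be empty when FASTACCEPT=Yes, and those two state sections may contain only the five permitted actions. The file contents are constructed samples; the names check_params, check_rules and lint_sample are chosen here, both the "SECTION" and "?SECTION" spellings are accepted, and reducing a macro call like SSH(ACCEPT) to its parameter is an assumption of this script.

```shell
#!/bin/sh
# Added example, not part of the original notes or of Shorewall itself:
# a pre-flight linter for a Shorewall params file, shorewall.conf and rules
# file.  The contents below are constructed samples written to a temp dir so
# the script runs offline; on a real host point check_* at /etc/shorewall/*.

SAMPLE_PARAMS='# constructed sample /etc/shorewall/params
NET_IF=eth0
ADMIN_IP= 192.168.123.10, 192.168.123.200
'

SAMPLE_CONF='# constructed sample excerpt of /etc/shorewall/shorewall.conf
FASTACCEPT=Yes
'

SAMPLE_RULES='# constructed sample /etc/shorewall/rules
#ACTION         SOURCE          DEST            PROTO   DEST PORT(S)
?SECTION ESTABLISHED
DNAT            net             loc:10.0.0.5    tcp     80
?SECTION NEW
SSH(ACCEPT)     net:$ADMIN_IP   $FW
'

# check_params FILE: the params file is executed by the shell, so every
# non-comment line must be NAME=VALUE or NAME="quoted value" with no stray
# whitespace.  Prints one PROBLEM line per offending line.
check_params() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $0 !~ /^[A-Za-z_][A-Za-z0-9_]*=([^ \t"]*|"[^"]*")$/ {
            print "PROBLEM: params line " NR ": not a clean NAME=VALUE assignment: " $0
        }' "$1"
}

# check_rules CONF RULES: enforce the section constraints.
#   - with FASTACCEPT=Yes the ALL, ESTABLISHED and RELATED sections must be empty
#   - ESTABLISHED and RELATED permit only ACCEPT, DROP, REJECT, LOG and QUEUE
check_rules() {
    fastaccept=$(awk -F= '$1 == "FASTACCEPT" { gsub(/"/, "", $2); print toupper($2) }' "$1")
    awk -v fast="$fastaccept" '
        BEGIN { section = "NEW" }                 # rules before any SECTION line are NEW rules
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*[?]?SECTION[ \t]/ { section = $2; next }
        {
            action = $1
            if (match(action, /\([A-Za-z]+\)/))   # MACRO(ACTION) -> ACTION (assumption, see lead-in)
                action = substr(action, RSTART + 1, RLENGTH - 2)
            sub(/[+!]$/, "", action)              # ACCEPT+ / ACCEPT! -> ACCEPT
            if (fast == "YES" && (section == "ALL" || section == "ESTABLISHED" || section == "RELATED"))
                print "PROBLEM: rules line " NR ": section " section " must be empty when FASTACCEPT=Yes: " $0
            if ((section == "ESTABLISHED" || section == "RELATED") && action !~ /^(ACCEPT|DROP|REJECT|LOG|QUEUE)$/)
                print "PROBLEM: rules line " NR ": action " action " not permitted in section " section ": " $0
        }' "$2"
}

# lint_sample: write the constructed samples to a temp dir and run both checks.
# Expected findings: the spaced ADMIN_IP assignment, and the DNAT rule placed
# in ESTABLISHED (reported twice: non-empty section and disallowed action).
lint_sample() {
    dir=$(mktemp -d)
    printf '%s' "$SAMPLE_PARAMS" > "$dir/params"
    printf '%s' "$SAMPLE_CONF"   > "$dir/shorewall.conf"
    printf '%s' "$SAMPLE_RULES"  > "$dir/rules"
    check_params "$dir/params"
    check_rules "$dir/shorewall.conf" "$dir/rules"
    rm -rf "$dir"
}

lint_sample
```

Run it as-is to see the three findings for the samples; to use it on a live box, call check_params /etc/shorewall/params and check_rules /etc/shorewall/shorewall.conf /etc/shorewall/rules and treat any PROBLEM line as a reason not to run "shorewall restart".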
Special rules
ACCEPT+
Like ACCEPT, but also excludes the connection from any subsequent matching DNAT[-] or REDIRECT[-] rules.
ACCEPT!
Like ACCEPT, but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5).
Port Forward:
#ACTION    SOURCE    DEST                                       PROTO       DEST PORT(S)
DNAT       net       loc:<local ip address>[:<server port>]    <protocol>  <port>