Basic information
shorewall version
4.4.26.1
shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
Default VARDIR is /var/lib/shorewall
LIBEXEC is /usr/share
shorewall status
Shorewall-4.4.26.1 Status at ubuntu - Wed Jun 6 11:02:27 HKT 2012
Shorewall is running
State:Started (Wed Jun 6 10:59:33 HKT 2012) from /etc/shorewall/
Show Command:
- shorewall show policies
Shorewall 4.4.26.1 Policies at ubuntu - Wed Jun 6 15:54:37 HKT 2012
fw => wan ACCEPT
fw => vps ACCEPT
wan => fw REJECT using chain wan2fw
wan => vps ACCEPT
vps => fw REJECT using chain vps2fw
vps => wan ACCEPT
- show zones
- show dynamic <zone>
fw (firewall)
wan (ipv4)
   eth0:0.0.0.0/0
vps (ipv4)
   lxcbr0:0.0.0.0/0
- shorewall show connection
icmp 1 29 src=192.168.123.200 dst=192.168.123.61 type=8 code=0 id=1 src=192.168.123.61 dst=192.168.123.200 type=0 code=0 id=1 mark=0 use=2
- show tc
Supported actions
- show actions
- show macros
- shorewall show capabilities
Related chains and tables
- show [ -x ] mangle|nat|raw|rawpost|routing
- show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ] ] } ]
show ipa <------ iptaccount
shorewall show log
safe-restart
safe-start
shorewall stop
The shorewall stop command does not remove all Netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/routestopped file
shorewall clear
If you want to remove all Netfilter rules and open your firewall for all traffic to pass, use the shorewall clear command.
Debian:
running /etc/init.d/shorewall stop will actually execute the command /sbin/shorewall clear
shorewall trace start 2> /tmp/trace
To trace the execution of shorewall start and write the trace to the file /tmp/trace
shorewall debug restart
/var/lib/shorewall/<filename> <--- For Example: /var/lib/shorewall/restore
shorewall save [filename]
shorewall restore [filename]
shorewall forget [filename]
dynamic zone
shorewall add
shorewall delete
blacklist
shorewall allow
shorewall delete
Provider
shorewall disable
shorewall enable
export
shorewall refresh [chains] <--- Reloads the rules dealing with blacklisting (the default when no chain is named); a chain named without a table prefix is assumed to be in the filter table, otherwise prefix it with the table name (e.g. nat:)
(All steps performed by restart are performed by refresh)
Example:
shorewall refresh net2fw nat:net_dnat
shorewall reset <--- Resets traffic counters
shorewall reload [DIR]
Equivalent to:
/sbin/shorewall compile -e directory directory/firewall &&\
scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
ssh root@system '/sbin/shorewall-lite restart'
shorewall logwatch
shorewall show log
shorewall dump
(/var/log/kern.log)
hits
shorewall show filters
Shorewall 4.4.26.1 Classifiers at lxc - Thu Oct 31 09:48:00 HKT 2013
Device eth0:
Device vethgWuKzY:
Device vethwPXz66:
Device veth5UsOEE:
Device vethAIKLQb:
Device vethBnePej:
shorewall restart
Does not release IPs that were DROPped dynamically.
allow
Re-enables receipt of packets from hosts previously blacklisted by a drop, logdrop(BLACKLIST_LOGLEVEL), reject, or logreject command.
# View
shorewall show dynamic
two different types of blacklisting
* static
* dynamic
BLACKLISTNEWONLY=No -- All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections.
BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections.
# drop [to|from] <ip address list>
shorewall[-lite] drop 192.0.2.124 192.0.2.125
ERROR: BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes
# BLACKLISTNEWONLY
# no:
* slows down your firewall noticeably if you have large blacklists
# FASTACCEPT
# Yes
ESTABLISHED/RELATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains.
( not include rules in the ESTABLISHED or RELATED sections)
When BLACKLISTNEWONLY=Yes, a drop does not take effect immediately: the host's existing connections keep running and only new connection requests are blocked.
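Added example (not part of these notes and not Shorewall's own code): a small POSIX sh check that reads the two settings above out of a shorewall.conf, fails on the combination Shorewall refuses (FASTACCEPT=Yes with BLACKLISTNEWONLY=No), and reports the BLACKLISTNEWONLY=Yes caveat before you rely on `shorewall drop` to cut an active connection. The function names and the config path in the usage line are assumptions.

```sh
#!/bin/sh
# Added example: sanity-check blacklist-related settings in a shorewall.conf
# before running `shorewall restart`.

# Print the value of KEY ($2) from CONF ($1): last assignment wins, trailing
# comments and surrounding quotes are stripped. Prints nothing when unset.
get_setting() {
    val=$(grep "^[[:space:]]*$2=" "$1" | tail -n 1)
    val=${val#*=}
    val=${val%%#*}
    val=$(printf '%s' "$val" | sed 's/[[:space:]]*$//')
    case $val in
        \"*\") val=${val#\"}; val=${val%\"} ;;
        \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    printf '%s\n' "$val"
}

# Lower-case helper so Yes/yes/YES compare equal.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Exit status 0: settings are consistent.
# Exit status 1: shorewall would refuse this file with
#   "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes".
check_blacklist_settings() {
    conf="$1"
    newonly=$(lc "$(get_setting "$conf" BLACKLISTNEWONLY)")
    fast=$(lc "$(get_setting "$conf" FASTACCEPT)")
    if [ "$fast" = yes ] && [ "$newonly" = no ]; then
        echo "ERROR: BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes"
        return 1
    fi
    if [ "$newonly" = yes ]; then
        echo "NOTE: BLACKLISTNEWONLY=Yes: blacklists are consulted for new connections only;"
        echo "      'shorewall drop <ip>' will not terminate that host's existing connections"
    fi
    echo "OK: BLACKLISTNEWONLY=${newonly:-unset} FASTACCEPT=${fast:-unset}"
    return 0
}

# Usage (assumed path): sh check.sh /etc/shorewall/shorewall.conf
if [ "$#" -eq 1 ]; then
    check_blacklist_settings "$1"
fi
```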
See:
man shorewall