shorewall - rules, params

params

Used to define variables that can then be used in the other configuration files.

/etc/shorewall/params:

NET_IF=eth0
# params is sourced as a shell file: no spaces around "=" or inside the address list
ADMIN_IP=192.168.123.10,192.168.123.200

rules

  • Requests and responses are automatically allowed using connection tracking.
  • All rules are terminating except LOG and COUNT rules.

COMMENT Allow SSH from admin
SSH(ACCEPT)    net:$ADMIN_IP      $FW
COMMENT

shorewall show then displays the comment as:

/* Allow SSH from home */

The rule above is equivalent to:

#ACTION     SOURCE                                  DEST            PROTO           DEST
#                                                                                   PORT(S)
ACCEPT      net:192.168.123.10,192.168.123.200      $FW             tcp             22

Sections:

* If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ALL, ESTABLISHED and RELATED sections must be empty.

#SECTION ALL

Packets are processed by rules in this section regardless of the connection tracking state of the packet.

#SECTION ESTABLISHED

Actions allowed in this section: ACCEPT, DROP, REJECT, LOG and QUEUE

There is an implicit ACCEPT rule inserted at the end of this section.

#SECTION NEW

Packets in the NEW, INVALID and UNTRACKED states are processed by rules in this section.

#SECTION RELATED

Packets in the RELATED state are processed by rules in this section.

Place all of your non-blacklisting rules in the NEW section.

#SECTION BLACKLIST

Special rules

ACCEPT+
Like ACCEPT, but also excludes the connection from any subsequent matching DNAT[-] or REDIRECT[-] rules.

ACCEPT!
Like ACCEPT, but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5).

Port Forward:

#ACTION   SOURCE    DEST                                     PROTO         DEST PORT(S)
DNAT      net       loc:<local ip address>[:<server port>]   <protocol>    <port>
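To tie the rules sections, the ACCEPT+ action and the port forward together, here is an added example (not from the original page) of a matching params and rules pair. It assumes Shorewall 4.6 or later for the ?SECTION syntax, the usual net/loc/$FW zones, and a constructed LAN web server address of 192.168.123.20.

```conf
# /etc/shorewall/params  (sourced as shell: no spaces around "=" or inside lists)
NET_IF=eth0
ADMIN_IP=192.168.123.10,192.168.123.200
# constructed example address of a web server in the loc zone
WEB_SERVER=192.168.123.20

# /etc/shorewall/rules
# With FASTACCEPT=Yes in shorewall.conf these three sections must stay empty,
# so every ordinary rule goes into the NEW section.
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION NEW
#ACTION        SOURCE             DEST                     PROTO   DEST
#                                                                  PORT(S)
# The SSH macro expands to tcp/22; only the admin hosts from params reach the firewall
COMMENT Allow SSH from admin
SSH(ACCEPT)    net:$ADMIN_IP      $FW
COMMENT
# ACCEPT+ lets the admin hosts talk to the firewall's own port 80 and exempts
# that connection from the DNAT rule that follows it
ACCEPT+        net:$ADMIN_IP      $FW                      tcp     80
# Port forward: everyone else arriving on tcp/80 from net is sent to the
# LAN web server, which listens on 8080 (loc:<local ip address>:<server port>)
DNAT           net                loc:$WEB_SERVER:8080     tcp     80
# Anything not matched above falls through to the net->$FW and net->loc policies
```

Run shorewall check before shorewall restart to catch syntax errors; shorewall show nat lists the DNAT entry that results.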