Shorewall and Ipsets

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2010/07/18


Table of Contents

What are Ipsets?
Shorewall Support for Ipsets

Caution

This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation appropriate for your version.

What are Ipsets?

Ipsets are an extension to Netfilter/iptables that are currently available in xtables-addons. Instructions for installing xtables-addons may be found in the Dynamic Zones article.

Ipset allows you to create one or more named sets of addresses, then use those sets to define Netfilter/iptables rules. Possible uses of ipsets include:

  1. Blacklists. Ipsets provide an efficient way to represent large sets of addresses and you can maintain the lists without the need to restart or even refresh your Shorewall configuration.

  2. Zone definition. Using the /etc/shorewall/hosts file, you can define a zone based on the (dynamic) contents of an ipset. Again, you can then add addresses to or delete addresses from the ipset without restarting Shorewall.

  3. Triggers. Using an iptree ipset with a timeout together with the ADD and DEL commands in shorewall-rules (5) allows you to implement triggers.

See the ipsets site (URL above) for additional information about ipsets.

Shorewall Support for Ipsets

Support for ipsets was introduced in Shorewall version 2.3.0. In most places where a host or network address may be used, you may also use the name of an ipset prefaced by "+".

Example: "+Mirrors"

When using Shorewall, the names of ipsets are restricted as follows:

  • They must begin with a letter (after the '+').

  • They must be composed of letters, digits or underscores ("_").

To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".

Example 1: Blacklist all hosts in an ipset named "blacklist"

/etc/shorewall/blacklist

#ADDRESS/SUBNET         PROTOCOL        PORT
+blacklist

Example 2: Allow SSH from all hosts in an ipset named "sshok":

/etc/shorewall/rules

#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
ACCEPT       net:+sshok  $FW      tcp      22
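Shorewall will not start if a referenced ipset is misnamed or does not yet exist. The following script, an added example that is not part of the Shorewall documentation or distribution, extracts the "+name" and "!+name" references from configuration fragments such as the two above, applies the naming rules given earlier, and compares the names against a list of existing sets (the list is passed in; on a live system it would come from "ipset -n list"). The sample configuration and existing-set list are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the Shorewall documentation): check the ipset
# references in Shorewall configuration files before starting the firewall.
# Names must start with a letter and contain only letters, digits and "_";
# a reference is "+name" or "!+name", possibly behind a zone as "net:+name".

# Return 0 if NAME (given without the leading "+") is an acceptable name.
valid_ipset_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_]*$'
}

# Print, one per line, the set names referenced in the given files (or on
# stdin when no file is given); comment lines are ignored.
referenced_ipsets() {
    cat "$@" | grep -v '^[[:space:]]*#' |
        grep -oE '!?[+][^[:space:],:]+' | sed 's/^!*+//' | sort -u
}

# check_ipsets EXISTING [FILE...]: EXISTING is a newline-separated list of
# the sets that already exist (what "ipset -n list" prints). Reports each
# badly named or missing set on stdout; returns 0 only when all are fine.
check_ipsets() {
    existing="$1"; shift
    status=0
    for name in $(referenced_ipsets "$@"); do
        if ! valid_ipset_name "$name"; then
            echo "bad name: +$name"; status=1
        elif ! printf '%s\n' "$existing" | grep -qx -- "$name"; then
            echo "missing set: +$name"; status=1
        fi
    done
    return $status
}

# Constructed sample: the article's two examples plus two problem lines.
SAMPLE='#ADDRESS/SUBNET         PROTOCOL        PORT
+blacklist
#ACTION      SOURCE         DEST     PROTO    DEST PORT(S)
ACCEPT       net:+sshok     $FW      tcp      22
DROP         net:!+Mirrors  $FW      tcp      80
REJECT       net:+2bad-name $FW      tcp      443'
EXISTING='blacklist
sshok'

printf '%s\n' "$SAMPLE" | check_ipsets "$EXISTING" ||
    echo "fix the above before running 'shorewall start'"
```

Run against real files as `check_ipsets "$(ipset -n list)" /etc/shorewall/blacklist /etc/shorewall/rules`; the sample run reports the missing "Mirrors" set and the badly named "2bad-name".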

Shorewall can save/restore your ipset contents with certain restrictions:

  1. You must set SAVE_IPSETS=Yes in shorewall.conf (5).

  2. You cannot use an ipset in shorewall-routestopped (5).

  3. The restore command cannot restore ipset contents saved by the save command unless the firewall is first stopped.