<\/a> <\/h2>\nAccounting rules exist simply to count packets and bytes in categories that you define in this file. You may display these rules and their packet and byte counters using the shorewall show accounting<\/b> command.<\/p>\n
Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains:<\/p>\n
\u2022 accountin<\/b>: Rules that are valid in the INPUT<\/b> chain (may not specify an output interface).<\/p>\n
\u2022 accountout<\/b>: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address).<\/p>\n
\u2022 accounting<\/b>: Other rules.<\/p>\n
The new structure is enabled by sectioning the accounting file in a manner similar to the rules file<\/font><\/b> [1]<\/font><\/small> . The sections are INPUT<\/b>, OUTPUT<\/b> and FORWARD<\/b> and must appear in that order (although any of them may be omitted). The first non\u2212commentary record in the accounting file must be a section header when sectioning is used.<\/font><\/p>\nWarning<\/big><\/b>
If sections are not used, the Shorewall rules compiler cannot detect certain violations of netfilter restrictions. These violations can result in run\u2212time errors such as the following:<\/font><\/p>\niptables\u2212restore v1.4.13: Can’t use \u2212o with INPUT<\/b><\/font><\/p>\nBeginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added to shorewall.conf and shorewall6.conf. That setting determines the Netfilter table (filter or mangle) where the accounting rules are added. When ACCOUNTING_TABLE=mangle is specified, the available sections are PREROUTING<\/b>, INPUT<\/b>, OUTPUT<\/b>, FORWARD<\/b> and POSTROUTING<\/b>.<\/font><\/p>\nSection headers have the form:<\/font><\/p>\n?SECTION<\/b> section\u2212name<\/i><\/font><\/p>\nWhen sections are enabled:<\/font><\/p>\n\u2022 A jump to a user\u2212defined accounting chain must appear before entries that add rules to that chain. This eliminates loops and unreferenced chains.<\/font><\/p>\n\u2022 An output interface may not be specified in the PREROUTING<\/b> and INPUT<\/b> sections.<\/font><\/p>\n\u2022 In the OUTPUT<\/b> and POSTROUTING<\/b> sections:<\/font><\/p>\n\u2022 An input interface may not be specified<\/font><\/p>\n\u2022 Jumps to a chain defined in the INPUT<\/b> or PREROUTING<\/b> sections that specifies an input interface are prohibited<\/font><\/p>\n\u2022 MAC addresses may not be used<\/font><\/p>\n\u2022 Jump to a chain defined in the INPUT<\/b> or PREROUTING<\/b> section that specifies a MAC address are prohibited.<\/font><\/p>\n\u2022 The default value of the CHAIN column is:<\/font><\/p>\n\u2022 accountin<\/b> in the INPUT<\/b> section<\/font><\/p>\n\u2022 accountout<\/b> in the OUTPUT<\/b> section<\/font><\/p>\n\u2022 accountfwd<\/b> in the FORWARD<\/b> section<\/font><\/p>\n\u2022 accountpre<\/b> in the PREROUTING<\/b> section<\/font><\/p>\n\u2022 accountpost<\/b> in the POSTROUTING<\/b> section<\/font><\/p>\n\u2022 Traffic addressed to the firewall goes through the rules defined in the INPUT section.<\/font><\/p>\n\u2022 Traffic originating on the firewall goes through the rules defined in the OUTPUT section.<\/font><\/p>\n\u2022 Traffic being forwarded through the firewall goes through the rules from the FORWARD sections.<\/font><\/p>\nThe columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax):<\/font><\/p>\nACTION<\/b> \u2212 {COUNT<\/b>|DONE<\/b>|chain<\/i>[:{COUNT<\/b>|JUMP}]|ACCOUNT(table<\/i>,network<\/i>)|[?]COMMENT comment<\/i>}<\/font><\/p>\nWhat to do when a matching packet is found.<\/font><\/p>\nCOUNT<\/b><\/font><\/p>\nSimply count the match and continue with the next rule<\/font><\/p>\nDONE<\/b><\/font><\/p>\nCount the match and don’t attempt to match any other accounting rules in the chain specified in the CHAIN<\/b> column.<\/font><\/p>\nchain<\/i>[:COUNT<\/b>]<\/font><\/p>\nWhere chain<\/i> is the name of a chain; shorewall will create the chain automatically if it doesn’t already exist. If a second chain is mentioned in the CHAIN column, then a jump from this second chain to chain<\/i> is created. If no chain is named in the CHAIN column, then a jump from the default chain to chain<\/i> is created. If :COUNT<\/b> is included, a counting rule matching this entry will be added to chain<\/i>. The chain<\/i> may not exceed 29 characters in length and may be composed of letters, digits, dash (‘\u2212’) and underscore (‘_’).<\/font><\/p>\nchain<\/i>:JUMP<\/font><\/p>\nLike the previous option without the :COUNT<\/b> part.<\/font><\/p>\nACCOUNT(<\/b>table<\/i>,network<\/i>)<\/b><\/font><\/p>\nThis action implements per\u2212IP accounting and was added in Shorewall 4.4.17. Requires the ACCOUNT Target<\/i> capability in your iptables and kernel (see the output of shorewall show capabilities<\/b>).<\/font><\/p>\ntable<\/i><\/font><\/p>\nis the name of an accounting table (you choose the name). All rules specifying the same name will have their per\u2212IP counters accumulated in the same table.<\/font><\/p>\nnetwork<\/i><\/font><\/p>\nis an IPv4 network<\/b> in CIDR notation (e.g., 192.168.1.0\/24). The network can be as large as a \/8 (class A).<\/font><\/p>\nOne nice feature of per\u2212IP accounting is that the counters survive shorewall restart<\/b>. This has a downside, however. If you change the network associated with an accounting table, then you must shorewall stop; shorewall start<\/b> to have a successful restart (counters will be cleared).<\/font><\/p>\nThe counters in a table<\/i> are printed using the iptaccount<\/b> utility. For a command synopsis, type:<\/font><\/p>\niptaccount \u2212\u2212help<\/b><\/font><\/p>\nAs of February 2011, the ACCOUNT Target capability and the iptaccount utility are only available when<\/font> xtables\u2212addons<\/font><\/b> [2]<\/font><\/small> is installed. See<\/font> https:\/\/shorewall.org\/Accounting.html#perIP<\/font><\/b> [3]<\/font><\/small> for additional information.<\/font><\/p>\nINLINE<\/b><\/font><\/p>\nAdded in Shorewall 4.5.16. Allows free form iptables matches to be specified following a ‘;’. In the generated iptables rule(s), the free form matches will follow any matches that are generated by the column contents.<\/font><\/p>\nNFACCT<\/b>({object<\/i>[!]}[,…])<\/font><\/p>\nAdded in Shorewall 4.5.7. Provides a form of accounting that survives shorewall stop\/shorewall<\/b> start and shorewall restart<\/b>. Requires the NFaccnt Match capability in your kernel and iptables. object<\/i> names an nfacct object (see man nfaccnt(8)). Multiple rules can specify the same object<\/i>; all packets that match any of the rules increment the packet and bytes count of the object.<\/font><\/p>\nPrior to Shorewall 4.5.16, only one object<\/i> could be specified. Beginning with Shorewall 4.5.16, an arbitrary number of objects may be given.<\/font><\/p>\nWith Shorewall 4.5.16 or later, an nfacct object<\/i> in the list may optionally be followed by !<\/b> to indicate that the nfacct object<\/i> will be incremented unconditionally for each packet. When !<\/b> is omitted, the object<\/i> will be incremented only if all of the matches in the rule succeed.<\/font><\/p>\nNFLOG<\/b>[(nflog\u2212parameters)] \u2212 Added in Shorewall\u22124.4.20.<\/font><\/p>\nCauses each matching packet to be sent via the currently loaded logging back\u2212end (usually nfnetlink_log) where it is available to accounting daemons through a netlink socket.<\/font><\/p>\n?COMMENT<\/b><\/font><\/p>\nThe remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word ?COMMENT.<\/font><\/p>\nCHAIN<\/b> \u2212 {\u2212<\/b>|chain<\/i>}<\/font><\/p>\nThe name of a chain<\/i>. If specified as \u2212<\/b> the accounting<\/b> chain is assumed when the file is un\u2212sectioned. When the file is sectioned, the default is one of accountin, accountout, etc. depending on the section. This is the chain where the accounting rule is added. The chain<\/i> will be created if it doesn’t already exist. The chain<\/i> may not exceed 29 characters in length.<\/font><\/p>\nSOURCE<\/b> \u2212 {\u2212<\/b>|any<\/b>|all<\/b>|interface<\/i>|interface<\/i>:<\/b>address<\/i>|address<\/i>}<\/font><\/p>\nPacket Source.<\/font><\/p>\nThe name of an interface<\/i>, an address<\/i> (host or net) or an interface<\/i> name followed by “:” and a host or net address<\/i>. An ipset name is also accepted as an address<\/i>.<\/font><\/p>\nDEST<\/b> \u2212 {\u2212<\/b>|any<\/b>|all<\/b>|interface<\/i>|interface<\/i>:<\/b>address<\/i>|address<\/i>}<\/font><\/p>\nThis column was formerly named DESTINATION.<\/font><\/p>\nPacket Destination.<\/font><\/p>\nFormat same as SOURCE<\/b> column.<\/font><\/p>\nPROTO<\/b> \u2212 {\u2212<\/b>|{any<\/b>|all<\/b>|protocol\u2212name<\/i>|protocol\u2212number<\/i>|ipp2p<\/b>[:<\/b>{udp<\/b>|all<\/b>}]}[,…]}<\/font><\/p>\nThis column was formerly named PROTOCOL<\/font><\/p>\nA protocol\u2212name<\/i> (from protocols(5)), a protocol\u2212number<\/i>, ipp2p<\/b>, ipp2p:udp<\/b> or ipp2p:all<\/b><\/font><\/p>\nBeginning with Shorewall 4.5.12, this column can accept a comma\u2212separated list of protocols.<\/font><\/p>\nDPORT<\/b> \u2212 {\u2212<\/b>|any<\/b>|all<\/b>|ipp2p\u2212option<\/i>|port\u2212name\u2212or\u2212number<\/i>[,port\u2212name\u2212or\u2212number<\/i>]…}<\/font><\/p>\nDestination Port number. Service name from services(5) or port number<\/i>. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).<\/font><\/p>\nYou may place a comma\u2212separated list of port names or numbers in this column if your kernel and iptables include multi\u2212port match support.<\/font><\/p>\nIf the PROTOCOL is ipp2p<\/b> then this column must contain an ipp2p\u2212option<\/i> (“iptables \u2212m ipp2p \u2212\u2212help”) without the leading “\u2212\u2212”. If no option is given in this column, ipp2p<\/b> is assumed.<\/font><\/p>\nThis column was formerly named DEST PORT(S).<\/font><\/p>\nSPORT<\/b> \u2212 {\u2212<\/b>|any<\/b>|all<\/b>|port\u2212name\u2212or\u2212number<\/i>[,port\u2212name\u2212or\u2212number<\/i>]…}<\/font><\/p>\nService name from services(5) or port number<\/i>. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).<\/font><\/p>\nYou may place a comma\u2212separated list of port numbers in this column if your kernel and iptables include multi\u2212port match support.<\/font><\/p>\nBeginning with Shorewall 4.5.15, you may place ‘=’ in this column, provided that the DEST PORT(S) column is non\u2212empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT. Use of ‘=’ requires multi\u2212port match in your iptables and kernel.<\/font><\/p>\nThis column was formerly labelled SOURCE PORT(S).<\/font><\/p>\nUSER<\/b> \u2212 [!<\/b>][user\u2212name\u2212or\u2212number<\/i>][:<\/b>group\u2212name\u2212or\u2212number<\/i>][+<\/b>program\u2212name<\/i>]<\/font><\/p>\nThis column was formerly named USER\/GROUP and may only be non\u2212empty if the CHAIN<\/b> is OUTPUT<\/b>.<\/font><\/p>\nWhen this column is non\u2212empty, the rule applies only if the program generating the output is running under the effective user<\/i> and\/or group<\/i> specified (or is NOT running under that id if “!” is given).<\/font><\/p>\nExamples:<\/font><\/p>\njoe<\/font><\/p>\nprogram must be run by joe<\/font><\/p>\n:kids<\/font><\/p>\nprogram must be run by a member of the ‘kids’ group<\/font><\/p>\n!:kids<\/font><\/p>\nprogram must not be run by a member of the ‘kids’ group<\/font><\/p>\n+upnpd<\/font><\/p>\n#program named upnpd<\/font><\/p>\nImportant<\/big><\/b>
The ability to specify a program name was removed from Netfilter in kernel version 2.6.14.<\/font><\/p>\nMARK<\/big><\/b> \u2212 [!<\/b>]value<\/i>[\/mask<\/i>][:C<\/b>]<\/big><\/font><\/p>\nDefines a test on the existing packet or connection mark. The rule will match only if the test returns true.<\/big><\/font><\/p>\nIf you don’t want to define a test but need to specify anything in the following columns, place a “\u2212” in this field.<\/big><\/font><\/p>\n!<\/big><\/font><\/p>\nInverts the test (not equal)<\/big><\/font><\/p>\nvalue<\/i><\/big><\/font><\/p>\nValue of the packet or connection mark.<\/big><\/font><\/p>\nmask<\/i><\/big><\/font><\/p>\nA mask to be applied to the mark before testing.<\/big><\/font><\/p>\n:C<\/b><\/big><\/font><\/p>\nDesignates a connection mark. If omitted, the packet mark’s value is tested.<\/big><\/font><\/p>\nIPSEC \u2212<\/b> option\u2212list<\/i> (Optional \u2212 Added in Shorewall 4.4.13 but broken until 4.5.4.1 )<\/b><\/big><\/font><\/p>\nThe option\u2212list consists of a comma\u2212separated list of options from the following list. Only packets that will be encrypted or have been decrypted via an SA that matches these options will have their source address changed.<\/big><\/font><\/p>\nreqid=<\/b>number<\/i><\/big><\/font><\/p>\nwhere number<\/i> is specified using setkey(8) using the ‘unique:number<\/i> option for the SPD level.<\/big><\/font><\/p>\nspi=<\/b><\/big><\/font><\/p>\nwhere number<\/i> is the SPI of the SA used to encrypt\/decrypt packets.<\/big><\/font><\/p>\nproto=ah<\/b>|esp<\/b>|ipcomp<\/b><\/big><\/font><\/p>\nIPSEC Encapsulation Protocol<\/big><\/font><\/p>\nmss=<\/b>number<\/i><\/big><\/font><\/p>\nsets the MSS field in TCP packets<\/big><\/font><\/p>\nmode=transport<\/b>|tunnel<\/b><\/big><\/font><\/p>\nIPSEC mode<\/big><\/font><\/p>\ntunnel\u2212src=<\/b>address<\/i>[\/mask<\/i>]<\/big><\/font><\/p>\nonly available with mode=tunnel<\/big><\/font><\/p>\n