Commit bb7114b2 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

test: ipset

parent 8b793377
{
"ipset": {
"foo": { "type": "hash:net,iface", "family": "inet" },
"bar": { "type": "hash:net", "family": "inet6" }
},
"filter": [
{
"in": "A",
"ipset": [
{ "name": "foo", "args": [ "in", "out" ] },
{ "name": "bar", "args": "in" }
],
"service": "ssh",
"action": "drop"
}
]
}
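Review bot: The fixture covers only the positive path for the new `ipset` match: both sets are declared and referenced correctly, and the two `args` spellings (the `[ "in", "out" ]` list for `foo` and the bare `"in"` string for `bar`) expand to `src,dst` and `src` in the expected rules. The inputs a user is likeliest to get wrong — referencing a set name that is not declared under `ipset`, or giving an `args` list whose length does not match the set type's dimensions (e.g. two flags for `hash:net`) — are not exercised, so if awall rejects them that rejection is untested, and if it does not, a malformed `--match-set` would go unnoticed. A second fixture with one of those inputs, or a comment in the test directory naming them as out of scope, would close that gap. Note also that `foo` (inet) appears only in the IPv4 output and `bar` (inet6) only in the IPv6 output, which is presumably the per-family filtering this test means to pin; saying so explicitly would make the fixture's intent clearer to whoever next changes the expected files.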
# ipset awall-masquerade
hash:net family inet
# ipset bar
hash:net family inet6
# ipset foo
hash:net,iface family inet
# rules-save generated by awall
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-ssh-0 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-0
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth4 -j ACCEPT
-A FORWARD -i eth0 -o eth5 -j ACCEPT
-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth4 -o eth0 -j ACCEPT
-A FORWARD -i eth5 -o eth0 -j ACCEPT
-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth4 -j ACCEPT
-A FORWARD -i eth4 -o eth5 -j ACCEPT
-A FORWARD -i eth5 -o eth4 -j ACCEPT
-A FORWARD -i eth5 -o eth5 -j ACCEPT
-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m set --match-set foo src,dst -p tcp --dport 22 -j logdrop-ssh-0
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
-A INPUT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-0
-A INPUT -j logdrop-1
-A INPUT -j logpass-0
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-3
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-0
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j LOG
-A logaccept-1 -j ACCEPT
-A logaccept-2 -j TEE --gateway 10.0.0.1
-A logaccept-2 -j TEE --gateway 10.0.0.2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -j TEE --gateway 10.0.0.1
-A logdrop-3 -j TEE --gateway 10.0.0.2
-A logdrop-3 -j DROP
-A logdrop-4 -m limit --limit 12/minute -j ULOG
-A logdrop-4 -j DROP
-A logdrop-ssh-0 -m limit --limit 1/second -j LOG
-A logdrop-ssh-0 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-2 -j TEE --gateway 10.0.0.1
-A logpass-2 -j TEE --gateway 10.0.0.2
-A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
-A INPUT -j MARK --set-mark 3
-A OUTPUT -j MARK --set-mark 1
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:masquerade - [0:0]
-A INPUT -j MASQUERADE
-A OUTPUT -j REDIRECT
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
-A PREROUTING -i eth0 -j CT --notrack
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
# rules6-save generated by awall
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-ssh-0 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-0
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth4 -j ACCEPT
-A FORWARD -i eth0 -o eth5 -j ACCEPT
-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth4 -o eth0 -j ACCEPT
-A FORWARD -i eth5 -o eth0 -j ACCEPT
-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth4 -o eth4 -j ACCEPT
-A FORWARD -i eth4 -o eth5 -j ACCEPT
-A FORWARD -i eth5 -o eth4 -j ACCEPT
-A FORWARD -i eth5 -o eth5 -j ACCEPT
-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m set --match-set bar src -p tcp --dport 22 -j logdrop-ssh-0
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
-A INPUT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-0
-A INPUT -j logdrop-1
-A INPUT -j logpass-0
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-3
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-0
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j LOG
-A logaccept-1 -j TEE --gateway fc00::1
-A logaccept-1 -j ACCEPT
-A logaccept-2 -j TEE --gateway fc00::2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j LOG
-A logdrop-2 -j TEE --gateway fc00::1
-A logdrop-2 -j DROP
-A logdrop-3 -j TEE --gateway fc00::2
-A logdrop-3 -j DROP
-A logdrop-4 -j DROP
-A logdrop-ssh-0 -m limit --limit 1/second -j LOG
-A logdrop-ssh-0 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-1 -j TEE --gateway fc00::1
-A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A INPUT -j MARK --set-mark 3
-A OUTPUT -j MARK --set-mark 1
-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
-A PREROUTING -i eth0 -j CT --notrack
-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT