IPsets with Shorewall

This is an example that lets you use Shorewall https://shorewall.org/index.html and IPsets to dynamically allowlist IPs.

You can achieve great power with these simple steps:

Install the Knocknoc Agent on the Shorewall host and enrol it into the Knocknoc server. Follow these steps.
Edit the IPSet names, as you will likely want others (knoc_ssh/knoc_https are created by default). Do this by editing /opt/knocknoc-agent/etc/ipset.list and then restarting with systemctl restart create-ipsets
Edit your Shorewall rules files to make use of the IPSets (/etc/shorewall/rules).
You're done!

Integrating the IPSets with Shorewall

Shorewall integration with IPSets is quite mature. The official documentation is here.

Here is a sample rules file that uses the 'video_allowed' and 'video_blocked' IPset to allow and then "cut off" an RTMP stream user:

Edit your Shorewall rules file (/etc/shorewall/rules)
Add the Knocknoc managed IPSets by name (eg: knoc_ssh)
Restart Shorewall
Login to Knocknoc as a user, validate access. To troubleshoot, follow the IPSet guide, inspect the logs or engage support.

# Shorewall - rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-rules.html
#
###################################################################################################################
#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                             PORT  PORT(S)  DEST      LIMIT  GROUP

?SECTION ALL
DROP net:+video_blocked fw tcp 1935

?SECTION NEW

# RTMP video traffic on port 1935
ACCEPT net:+video_allowed fw tcp 1935

#LAST LINE -- DO NOT REMOVE

Note the use of SECTION in the above rules file. This assumes you are using the 'ipset_block.sh' script included with knocknoc-agent.

You can also filter these in the DNAT chain

# /etc/shorewall/rules

#controlled by knocknoc
DNAT net:+knoc_ssh lan:10.0.1.10 tcp 22

Use cases (overview)

SSH

FortiOS, FortiProxy, Palo Alto, or SSL VPN

VPN and ransomware

High security subnets and JIT network access

Financial services data partner, secure web upload

Web applications (layer-7 filtering)

Remote desktop, simple small business example

Firewall Manager access (IT MSP)

Ivanti Connect Secure

Video

VOIP

AWS infrastructure

Azure Portal

Licensing Knocknoc

SaaS deployment

Server installation (on premise)

Agent installation

Knocker - a cli utility for agents

Create users

Create groups

Admins

Settings

Updates and upgrades

Agent as a Reverse Proxy

BYO PostgreSQL

Knocknoc client (scriptable login)

Allowlist (EDLs)

IPSet (Linux Netfilter/IPTables)

Palo Alto

Fortigate Address Groups (Fortinet)

FortiManager

Cisco (SFMC/Firepower)

Sophos (UTM)

Sophos (SFOS/XGS)

Juniper SRX

HAProxy

HAProxy + KAT

Microsoft Entra

Microsoft Azure NSG

AWS (EC2) Security Groups

AWS WAF Ipset

IPsets with UFW

IPsets with Shorewall

Mikrotik RouterOS

Nginx

Apache Webserver

Custom Script

Local Authentication (MFA included)

SAML

SAML principles and terms

SAML with EntraID (Azure AD)

SAML with OKTA

SAML with Gsuite as IDP

SAML with Jumpcloud

SAML for the Admin Interface

SAML with Keycloak

SAML with CyberArk

SAML with Authentik

Knocknoc with ADFS

LDAP

Grant and revoke process

Click to grant/revoke

Grant duration (access period override)

Auto-browse Knocs

VPNs, internal addresses and access

Additional client IP addresses

LOOTOTL - Last One Out Turn Off The Lights

User authentication

Manage user sessions

Allowlist/EDL access

Agent registration

Time for NTP

LDAP troubleshooting tips

Knocknoc server behind HAProxy

HAProxy tips and tricks

Debugging & log levels

Package Repository Key expired

IPsets with Shorewall

Integrating the IPSets with Shorewall