IPsets with Shorewall
This is an example that lets you use Shorewall https://shorewall.org/index.html and IPsets to dynamically allowlist IPs.
You can achieve great power with these simple steps:
- Install the Knocknoc Agent on the Shorewall host and enrol it into the Knocknoc server. Follow these steps.
- Edit the IPSet names, as you will likely want others (knoc_ssh/knoc_https are created by default). Do this by editing `/opt/knocknoc-agent/etc/ipset.list` and then restarting with `systemctl restart create-ipsets`.
- Edit your Shorewall rules files to make use of the IPSets (/etc/shorewall/rules).
- You're done!
Integrating the IPSets with Shorewall
Shorewall integration with IPSets is quite mature. The official documentation is here.
The steps are:
- Edit your Shorewall rules file (`/etc/shorewall/rules`).
- Add the Knocknoc-managed IPSets by name (eg: `knoc_ssh`).
- Restart Shorewall.
- Login to Knocknoc as a user and validate access. To troubleshoot, follow the IPSet guide, inspect the logs or engage support.
Here is a sample rules file that uses the 'video_allowed' and 'video_blocked' IPsets to allow and then "cut off" an RTMP stream user:
```
# Shorewall - rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-rules.html
#
###################################################################################################################
#ACTION   SOURCE              DEST    PROTO   DEST    SOURCE    ORIGINAL  RATE    USER/   MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                                             PORT    PORT(S)   DEST      LIMIT   GROUP
?SECTION ALL
DROP      net:+video_blocked  fw      tcp     1935
?SECTION NEW
# RTMP video traffic on port 1935
ACCEPT    net:+video_allowed  fw      tcp     1935
#LAST LINE -- DO NOT REMOVE
```
Note the use of ?SECTION in the rules file above: the DROP rule is placed in SECTION ALL so that it matches packets of already-established connections as well as new ones, which is what lets an active stream be cut off as soon as its source IP is added to 'video_blocked'; a rule in SECTION NEW only affects new connections. This assumes you are using the 'ipset_block.sh' script included with knocknoc-agent.
You can also use the sets in DNAT rules, for example to gate port forwarding to an internal host:
```
# /etc/shorewall/rules
#controlled by knocknoc
DNAT      net:+knoc_ssh       lan:10.0.1.10   tcp     22
```
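A practical pre-flight check for both the rules file above and the DNAT variant is to confirm that every `+setname` the rules reference actually exists on the host (Shorewall's generated iptables rules fail to load if a referenced set is missing) and that any DROP/REJECT rule meant to cut off live sessions really sits in SECTION ALL. The following script is an added example, not part of the Knocknoc documentation or the knocknoc-agent package. It parses the `+name` references out of a rules file and compares them with the output of `ipset list -n` (one set name per line); the sample rules and set list are constructed inline, and the assumption that rules before any ?SECTION line count as NEW is labelled in a comment.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample rules file: the page's rules plus a few extra lines that
# exercise the two checks (a misspelled set name and a DROP outside SECTION ALL).
SAMPLE_RULES = """\
#ACTION   SOURCE              DEST            PROTO   DEST
?SECTION ALL
DROP      net:+video_blocked  fw              tcp     1935
?SECTION NEW
# RTMP video traffic on port 1935
ACCEPT    net:+video_allowed  fw              tcp     1935
#controlled by knocknoc
DNAT      net:+knoc_ssh       lan:10.0.1.10   tcp     22
# constructed typo: the set created by default is knoc_https, not knoc_http
ACCEPT    net:+knoc_http      fw              tcp     443
# constructed mistake: a DROP in SECTION NEW will not cut an active stream
DROP      net:+abuse_blocked  fw              tcp     1935
#LAST LINE -- DO NOT REMOVE
"""

# Constructed stand-in for what `ipset list -n` prints on the host.
SAMPLE_IPSET_LIST_N = "knoc_ssh\nknoc_https\nvideo_allowed\nvideo_blocked\nabuse_blocked\n"


class SetRef(NamedTuple):
    action: str   # ACCEPT, DROP, DNAT, ... (log level such as DROP:info stripped)
    section: str  # ?SECTION the rule appears in
    name: str     # ipset name without the leading '+'


# Shorewall references an ipset as +name, optionally followed by [src,dst] flags.
SET_REF = re.compile(r"\+([A-Za-z0-9_.-]+)")


def referenced_sets(rules_text: str) -> List[SetRef]:
    """Return every ipset referenced in a Shorewall rules file, with the
    action and ?SECTION of the rule that references it."""
    refs: List[SetRef] = []
    section = "NEW"  # assumption: rules before any ?SECTION directive are NEW
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0].upper().lstrip("?") == "SECTION":
            if len(fields) > 1:
                section = fields[1].upper()
            continue
        if fields[0].startswith("?"):  # other compiler directives (?FORMAT, ...)
            continue
        action = fields[0].upper().split(":", 1)[0]
        for name in SET_REF.findall(line):
            refs.append(SetRef(action, section, name))
    return refs


def ipset_names(list_n_output: str) -> Set[str]:
    """Parse `ipset list -n` output (one set name per line) into a set."""
    return {ln.strip() for ln in list_n_output.splitlines() if ln.strip()}


def missing_sets(rules_text: str, list_n_output: str) -> List[str]:
    """Referenced sets that do not exist on the host; Shorewall will fail to
    start because the kernel rejects a match against a non-existent set."""
    have = ipset_names(list_n_output)
    return sorted({r.name for r in referenced_sets(rules_text) if r.name not in have})


def blocks_outside_all(rules_text: str) -> List[str]:
    """Sets used by DROP/REJECT rules placed outside SECTION ALL: adding an IP
    to such a set will not terminate that IP's already-established connections."""
    return sorted({r.name for r in referenced_sets(rules_text)
                   if r.action in ("DROP", "REJECT") and r.section != "ALL"})


if __name__ == "__main__":
    print("missing sets:", missing_sets(SAMPLE_RULES, SAMPLE_IPSET_LIST_N))
    print("block rules not in SECTION ALL:", blocks_outside_all(SAMPLE_RULES))
```

On a real host, feed the script `open("/etc/shorewall/rules").read()` and the output of `ipset list -n` (for example via `subprocess.run(["ipset", "list", "-n"], capture_output=True, text=True).stdout`) before running `shorewall restart`; an empty result from both functions means every set the rules rely on exists and every cut-off rule is in the section where it will actually interrupt a live session.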