IPsets with Shorewall

This is an example that lets you use Shorewall (https://shorewall.org/index.html) together with IPsets to dynamically allowlist IP addresses.

You can achieve great power with these simple steps:

  1. Install the Knocknoc Agent on the Shorewall host and enrol it into the Knocknoc server. Follow these steps.
  2. Edit the IPSet names, as you will likely want others (knoc_ssh and knoc_https are created by default). Do this by editing /opt/knocknoc-agent/etc/ipset.list and then restarting the service with systemctl restart create-ipsets.
  3. Edit your Shorewall rules files to make use of the IPSets (/etc/shorewall/rules).
  4. You're done!

Integrating the IPSets with Shorewall

Shorewall integration with IPSets is quite mature. The official documentation is here.

The general procedure is:

  1. Edit your Shorewall rules file (/etc/shorewall/rules).
  2. Add the Knocknoc managed IPSets by name (eg: knoc_ssh).
  3. Restart Shorewall.
  4. Login to Knocknoc as a user and validate access. To troubleshoot, follow the IPSet guide, inspect the logs or engage support.

Here is a sample rules file that uses the 'video_allowed' and 'video_blocked' IPsets to allow and then "cut off" an RTMP stream user:

# Shorewall - rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-rules.html
#
###################################################################################################################
#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                             PORT  PORT(S)  DEST      LIMIT  GROUP

?SECTION ALL
DROP net:+video_blocked fw tcp 1935

?SECTION NEW

# RTMP video traffic on port 1935
ACCEPT net:+video_allowed fw tcp 1935

#LAST LINE -- DO NOT REMOVE

Note the use of ?SECTION in the above rules file: the DROP for 'video_blocked' is placed in SECTION ALL so that it matches established connections as well as new ones, which is what actually cuts off a stream that is already running, while the ACCEPT in SECTION NEW only admits new connections. This assumes you are using the 'ipset_block.sh' script included with knocknoc-agent.

You can also apply the Knocknoc managed IPSets to DNAT rules, so that a port forward is only reachable from allowlisted addresses:

# /etc/shorewall/rules

#controlled by knocknoc
DNAT net:+knoc_ssh lan:10.0.1.10 tcp 22
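Shorewall refuses to start or restart when a rules file references an IPset that does not exist on the host, so after editing ipset.list or the rules file it is worth checking the two agree before restarting. The script below is an added example, not part of the Knocknoc documentation or of Shorewall or knocknoc-agent: it pulls every "+name" set reference out of a rules file (covering the SECTION rules and the DNAT rule shown above) and reports any name that is missing from a list of existing sets. The sample rules file and the list of existing sets are constructed here so the script runs offline; on a real host the list would come from `ipset list -n`.

```shell
#!/bin/sh
# Added example (not from the Knocknoc docs, Shorewall or knocknoc-agent):
# verify that every IPset referenced in a Shorewall rules file exists before
# restarting Shorewall, which fails to start when a referenced set is missing.

# Print the IPset names referenced in a rules file, one per line, sorted and
# de-duplicated. References look like "net:+knoc_ssh" or "lan:+video_allowed";
# comments are stripped first so a "+word" inside a comment is not counted.
# $1 = path to the rules file
referenced_sets() {
    sed -e 's/#.*$//' "$1" | grep -o '+[A-Za-z0-9_-]*' | sed 's/^+//' | sort -u
}

# Print every referenced set that does not appear in the list of existing sets.
# $1 = path to the rules file
# $2 = path to a file with one existing set name per line (e.g. from ipset list -n)
missing_sets() {
    referenced_sets "$1" | while IFS= read -r name; do
        grep -qx "$name" "$2" || printf '%s\n' "$name"
    done
}

# Return 0 when all referenced sets exist, 1 (with a report on stderr) otherwise.
# Intended to gate a restart: check_rules ... && shorewall restart
check_rules() {
    missing=$(missing_sets "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'IPsets referenced in %s but not present on this host:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# --- Constructed sample data for an offline demonstration -------------------
# A rules file in the same shape as the examples on this page. The trailing
# comment on the DNAT line deliberately contains "+not_a_set" to show that
# comments are ignored.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
?SECTION ALL
DROP    net:+video_blocked  fw             tcp  1935
?SECTION NEW
ACCEPT  net:+video_allowed  fw             tcp  1935
DNAT    net:+knoc_ssh       lan:10.0.1.10  tcp  22    # managed by knocknoc, +not_a_set
EOF

# Constructed list of sets present on the host; video_blocked is missing, as
# would happen if it were left out of /opt/knocknoc-agent/etc/ipset.list.
EXISTING_SETS=$(mktemp)
printf 'knoc_ssh\nknoc_https\nvideo_allowed\n' > "$EXISTING_SETS"
trap 'rm -f "$SAMPLE_RULES" "$EXISTING_SETS"' EXIT

# On a real host you would run instead:
#   ipset list -n > /tmp/current-sets && check_rules /etc/shorewall/rules /tmp/current-sets && shorewall restart
check_rules "$SAMPLE_RULES" "$EXISTING_SETS" \
    && echo "all referenced IPsets exist; safe to restart Shorewall" \
    || echo "fix ipset.list (and restart create-ipsets) before restarting Shorewall"
```

The check only proves the set names line up; whether each set has the right entries is Knocknoc's job, and `ipset list <name>` on the host shows the current members when troubleshooting a user who cannot connect.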