
IPsets with Shorewall

This example shows how to use Shorewall (https://shorewall.org/index.html) together with IPsets to dynamically whitelist IPs.

Three simple steps give you a lot of power:

  1. A systemd service that creates and loads the ipsets at startup.
  2. A sudo rule that allows knocknoc-agent to run the ipset command.
  3. Shorewall rules that refer to the IPset names.

1. Systemd Service for IPset

Create a systemd service that will run at startup to create and populate your ipset. Here's how you can create this service:

Step 1: Create the ipset Script

First, create a script that defines and loads your ipsets. Let's call this script create_ipsets.sh.

Recent knocknoc-agent releases already ship this script in /opt/knocknoc-agent/scripts; you only need to edit the IPset names to suit your setup.

/opt/knocknoc-agent/scripts/create_ipsets.sh:

#!/bin/bash
# Names of the ipsets to create (space separated); edit to match your Shorewall rules
IPSET_NAMES="knocknoc_blocked rdp_allowed rdp_blocked"

# Create each set if it does not exist yet, then empty it so the firewall
# always starts from a clean, known state
for IPSET_NAME in $IPSET_NAMES; do
    # -exist makes create a no-op when the set is already there
    ipset -exist create "$IPSET_NAME" hash:ip
    # flush cannot fail now, because the set is guaranteed to exist
    ipset flush "$IPSET_NAME"
done

Make sure to make it executable:

sudo chmod +x /opt/knocknoc-agent/scripts/create_ipsets.sh

Step 2: Create the Systemd Service File

Create a new systemd service file called create-ipset.service.

Recent knocknoc-agent releases already ship this unit file in /opt/knocknoc-agent/scripts; copy it to /etc/systemd/system/:

cp /opt/knocknoc-agent/scripts/systemd_create-ipset.service /etc/systemd/system/create-ipset.service

/etc/systemd/system/create-ipset.service:

[Unit]
Description=Create ipset for Knocknoc
# Run before network setup (and therefore before the firewall), so the sets
# referenced by the Shorewall rules exist by the time Shorewall starts.
# An additional After=network.target would contradict this ordering.
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/opt/knocknoc-agent/scripts/create_ipsets.sh

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable create-ipset.service
sudo systemctl start create-ipset.service

This unit orders the service before network-pre.target, so the ipsets exist before the firewall software is started.

2. Integrating IPset with Shorewall

Shorewall's IPset integration is mature; see the official Shorewall ipsets documentation for the details.

Here is a sample rules file that uses the 'video_allowed' and 'video_blocked' IPsets to first allow and then "cut off" an RTMP stream user:

# Shorewall - rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-rules.html
#
###################################################################################################################
#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                             PORT  PORT(S)  DEST      LIMIT  GROUP

?SECTION ALL
DROP net:+video_blocked fw tcp 1935

?SECTION NEW

# RTMP video traffic on port 1935
ACCEPT net:+video_allowed fw tcp 1935

#LAST LINE -- DO NOT REMOVE

Note the use of ?SECTION in the above rules file: the DROP rule sits in SECTION ALL, so it matches packets of established connections as well as new ones, which is what lets an IP added to 'video_blocked' cut off a stream that is already running, while the ACCEPT in SECTION NEW only admits new connections from 'video_allowed'. This assumes you are using the 'ipset_block.sh' script included with knocknoc-agent.
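Because Shorewall cannot load a rule that references a set the kernel does not have, the names in create_ipsets.sh and in the rules file must agree (the sample script above creates rdp_* sets while the sample rules reference video_* sets). The following check is an added example, not part of knocknoc-agent or Shorewall: it cross-references a rules file against `ipset save` output; the sample data is constructed and the file name check_ipsets.py is an assumption.

```python
import re
import subprocess
import sys

# Constructed sample of `ipset save` output, as left behind by create_ipsets.sh
IPSET_SAVE_SAMPLE = """\
create knocknoc_blocked hash:ip family inet hashsize 1024 maxelem 65536
create rdp_allowed hash:ip family inet hashsize 1024 maxelem 65536
create rdp_blocked hash:ip family inet hashsize 1024 maxelem 65536
add rdp_allowed 203.0.113.10
"""

# Constructed Shorewall rules excerpt mirroring the sample rules on this page
RULES_SAMPLE = """\
?SECTION ALL
DROP net:+video_blocked fw tcp 1935
?SECTION NEW
ACCEPT net:+video_allowed fw tcp 1935   # RTMP
ACCEPT net:+rdp_allowed fw tcp 3389
"""

# A set reference in a Shorewall rules file is +NAME, optionally followed by [flags]
SET_REF = re.compile(r"\+([A-Za-z0-9_.-]+)")

def sets_from_ipset_save(text):
    """Set names defined by 'create NAME TYPE ...' lines of `ipset save` output."""
    return set(re.findall(r"^create\s+(\S+)\s", text, re.MULTILINE))

def sets_from_rules(text):
    """Set names referenced as +NAME in a rules file; comments and ?SECTION lines are skipped."""
    names = set()
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        if not code.strip() or code.lstrip().startswith("?"):
            continue
        names.update(SET_REF.findall(code))
    return names

def missing_sets(rules_text, ipset_save_text):
    """Sets the rules refer to that the kernel does not have; Shorewall cannot load such rules."""
    return sets_from_rules(rules_text) - sets_from_ipset_save(ipset_save_text)

if __name__ == "__main__":
    # On a real host (root needed for ipset): sudo python3 check_ipsets.py /etc/shorewall/rules
    rules = open(sys.argv[1]).read()
    saved = subprocess.run(["ipset", "save"], capture_output=True, text=True, check=True).stdout
    for name in sorted(missing_sets(rules, saved)):
        print(f"rules reference ipset '{name}' but it does not exist")
```

Run it after create-ipset.service has started and before `shorewall start`, so a renamed set is caught before the firewall fails to come up.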