split compile to compile_iptables_filter

[pve-firewall.git] / debian / example / 100.fw

diff --git a/debian/example/100.fw b/debian/example/100.fw
index 5ccdcaed40b0eef61b32c25bd523eb75e23a26e8..88690232785fe8c1bf66db54fd89001999439faa 100644 (file)
--- a/debian/example/100.fw
+++ b/debian/example/100.fw
@@ -29,26 +29,34 @@ ips: 1
 #ips_queues: 0
 ips_queues: 0:3
 
 #ips_queues: 0
 ips_queues: 0:3
 

+[IPSET ipfilter-net0] # only allow specified IPs on net0
+192.168.2.10

 
 [RULES]
 
 
 [RULES]
 

-#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+#TYPE ACTION [OPTIONS]
+# -i      <INTERFACE>
+# -source <SOURCE>
+# -dest   <DEST>
+# -p      <PROTOCOL>
+# -dport  <DESTINATION_PORT>
+# -sport  <SOURCE_PORT>

 
 

-IN SSH(ACCEPT) net0
-IN SSH(ACCEPT) net0 # a comment
-IN SSH(ACCEPT) net0 192.168.2.192  # only allow SSH from  192.168.2.192
-IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
-IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
-IN SSH(ACCEPT) net0 +mynetgroup   #accept ssh for netgroup mynetgroup
-IN SSH(ACCEPT) net0 myserveralias   #accept ssh for alias myserveralias
+IN SSH(ACCEPT) -i net0
+IN SSH(ACCEPT) -i net0 # a comment
+IN SSH(ACCEPT) -i net0 -source 192.168.2.192  # only allow SSH from  192.168.2.192
+IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
+IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
+IN SSH(ACCEPT) -i net0 -source +mynetgroup   #accept ssh for ipset mynetgroup
+IN SSH(ACCEPT) -i net0 -source myserveralias   #accept ssh for alias myserveralias

 
 

-|IN SSH(ACCEPT) net0 # disabled rule
+|IN SSH(ACCEPT) -i net0 # disabled rule

 
 # add a security group
 
 # add a security group

-GROUP group1 net0
+GROUP group1 -i net0

 
 

-OUT DNS(ACCEPT) net0
-OUT Ping(ACCEPT) net0
+OUT DNS(ACCEPT) -i net0
+OUT Ping(ACCEPT) -i net0

 OUT SSH(ACCEPT)
 
 
 OUT SSH(ACCEPT)