shorewall_code/Samples/three-interfaces/rules

331 lines
12 KiB
Plaintext
Raw Normal View History

#
# Shorewall version 1.4.8 - Sample Rules File For Three Interfaces
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
# REDIRECT-, CONTINUE, LOG Or QUEUE.
#
# ACCEPT
# Allow the connection request.
# DROP
# Ignore the request.
# REJECT
# Disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT
# Forward the request to another
# system (and optionally another
# port).
# DNAT-
# Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT
# Redirect the request to a local
# port on the firewall.
# REDIRECT-
# Advanced users only.
# Like REDIRECT but only generates the
# REDIRECT iptables rules and not the
# companion ACCEPT rule.
# CONTINUE
# (For experts only). Do Not Process
# any of the following rules for this
# (source zone,destination zone). If
# the source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zones(s).
# LOG
# Simply log the packet and continue.
# QUEUE
# Queue the packet to a user-space
# application such as p2pwall.
#
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd.
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Some Examples:
#
# net:155.186.235.1
# Host 155.186.235.1 on the Internet
#
# loc:192.168.1.0/24
# Subnet 192.168.1.0/24 on the
# Local Network
#
# net:155.186.235.1,155.186.235.2
# Hosts 155.186.235.1 and
# 155.186.235.2 on the Internet.
#
# loc:~00-A0-C9-15-39-78
# Host on the Local Network with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, net:eth0 specifies a
# client that communicates with the firewall system
# through eth0. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., net:eth0:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: net:155.186.235.1:25 specifies a Internet
# server at IP address 155.186.235.1 and listening on port
# 25. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# If the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
# REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# a particular set of hosts.
#
# Finally, if the list of addresses begines with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
#
# <rate>/<interval>[:<burst>]
#
# Where <rate> is the number of connections per <interval> ("sec"
# or "min") and <burst> is the largest burst permitted. If no
# <burst> is given, a value of 5 is assummed. There may be no
# whitespace embedded in the specification.
#
# Example:
# 10/sec:20
#
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to dmz system 192.168.2.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net dmz:192.168.2.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#
# Accept DNS connections from the firewall to the Internet
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
#
# DMZ DNS access to the Internet
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE