mirror of https://gitlab.com/shorewall/code.git, synced 2024-12-22 14:20:40 +01:00
A little editing
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in: parent 8574996c61, commit 1db8dfa54b
@ -33,6 +33,13 @@
|
|||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||||
|
later. If you are running a version of Shorewall earlier than Shorewall
|
||||||
|
3.0.0 then please see the documentation for that
|
||||||
|
release.</emphasis></para>
|
||||||
|
</caution>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Introduction</title>
|
<title>Introduction</title>
|
||||||
|
|
||||||
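Review bot: the new caution spells the version two ways within one sentence, `Shorewall 3.0` in the first clause and `Shorewall 3.0.0` in the second; pick one form (e.g. `If you are running a version of Shorewall earlier than 3.0.0 then please see the documentation for that release.`) so the admonition reads cleanly. Placing the `<caution>` directly after `</articleinfo>` is the right spot for an article-wide notice in this DocBook file.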
@ -596,28 +603,33 @@ fw net ACCEPT</programlisting> The above policy will:
|
|||||||
<para>The general form of a simple port forwarding rule in <filename
|
<para>The general form of a simple port forwarding rule in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>Shorewall
|
||||||
<example label="1">
|
has macros for many popular applications. Look at
|
||||||
|
/usr/share/shorewall/macro.* to see what is available in your release.
|
||||||
|
Macros simplify creating DNAT rules by supplying the protocol and port(s)
|
||||||
|
as shown in the following examples.</para>
|
||||||
|
|
||||||
|
<para><example label="1">
|
||||||
<title>Web Server</title>
|
<title>Web Server</title>
|
||||||
|
|
||||||
<para>You run a Web Server on computer 2 and you want to forward
|
<para>You run a Web Server on computer 2 and you want to forward
|
||||||
incoming <acronym>TCP</acronym> port 80 to that system:
|
incoming <acronym>TCP</acronym> port 80 to that system:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
Web/DNAT net 192.168.1.5</programlisting></para>
|
Web/DNAT net loc:192.168.1.5</programlisting></para>
|
||||||
</example> <example label="2">
|
</example> <example label="2">
|
||||||
<title>FTP Server</title>
|
<title>FTP Server</title>
|
||||||
|
|
||||||
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you
|
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you
|
||||||
want to forward incoming <acronym>TCP</acronym> port 21 to that
|
want to forward incoming <acronym>TCP</acronym> port 21 to that
|
||||||
system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
FTP/DNAT net 10.10.10.1</programlisting> For <acronym>FTP</acronym>,
|
FTP/DNAT net loc:10.10.10.1</programlisting> For
|
||||||
you will also need to have <acronym>FTP</acronym> connection tracking
|
<acronym>FTP</acronym>, you will also need to have
|
||||||
and <acronym>NAT</acronym> support in your kernel. For vendor-supplied
|
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
|
||||||
kernels, this means that the <filename
|
support in your kernel. For vendor-supplied kernels, this means that
|
||||||
class="libraryfile">ip_conntrack_ftp</filename> and <filename
|
the <filename class="libraryfile">ip_conntrack_ftp</filename> and
|
||||||
class="libraryfile">ip_nat_ftp</filename> modules must be loaded.
|
<filename class="libraryfile">ip_nat_ftp</filename> modules must be
|
||||||
Shorewall will automatically load these modules if they are available
|
loaded. Shorewall will automatically load these modules if they are
|
||||||
and located in the standard place under <filename
|
available and located in the standard place under <filename
|
||||||
class="directory">/lib/modules/<kernel
|
class="directory">/lib/modules/<kernel
|
||||||
version>/kernel/net/ipv4/netfilter</filename>.</para>
|
version>/kernel/net/ipv4/netfilter</filename>.</para>
|
||||||
</example> A couple of important points to keep in mind: <itemizedlist>
|
</example> A couple of important points to keep in mind: <itemizedlist>
|
||||||
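Review bot: the added prose runs straight on from the listing as `</programlisting>Shorewall has macros for many popular applications.`, with no break, so it will render inline on the same line as the DNAT syntax; start it in its own `<para>` instead. The path `/usr/share/shorewall/macro.*` should also get `<filename>` markup like the other paths in this file (`/etc/shorewall/rules`, `/lib/modules/<kernel version>/kernel/net/ipv4/netfilter`). Changing the DEST column to `loc:192.168.1.5` and `loc:10.10.10.1` is correct: it brings both examples into line with the general form `loc:<server local ip address>` shown just above them.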
@ -691,7 +703,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
|||||||
in <filename
|
in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
|
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
DNS/ACCEPT loc fw</programlisting></para>
|
DNS/ACCEPT loc fw</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist></para>
|
</itemizedlist></para>
|
||||||
</section>
|
</section>
|
||||||
@ -701,7 +713,7 @@ DNS/ACCEPT loc fw</programlisting></para>
|
|||||||
|
|
||||||
<para>The two-interface sample includes the following rules:
|
<para>The two-interface sample includes the following rules:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
DNS/ACCEPT fw net</programlisting>This rule allows
|
DNS/ACCEPT fw net</programlisting>This rule allows
|
||||||
<acronym>DNS</acronym> access from your firewall and may be removed if you
|
<acronym>DNS</acronym> access from your firewall and may be removed if you
|
||||||
uncommented the line in <filename
|
uncommented the line in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||||
@ -716,11 +728,10 @@ DNS/ACCEPT fw net</programlisting>This rule allows
|
|||||||
accept connection requests have names that begin with
|
accept connection requests have names that begin with
|
||||||
<quote>Allow</quote>.</para>
|
<quote>Allow</quote>.</para>
|
||||||
|
|
||||||
<para>You don't have to use defined actions when coding a rule in
|
<para>You don't have to use defined macros when coding a rule in
|
||||||
<filename>/etc/shorewall/rules</filename>; the generated Netfilter ruleset
|
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
|
||||||
is slightly more efficient if you code your rules directly rather than
|
faster if you code your rules directly rather than using macros. The the
|
||||||
using defined actions. The the rule shown above could also have been coded
|
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
||||||
ACCEPT fw net udp 53
|
ACCEPT fw net udp 53
|
||||||
ACCEPT fw net tcp 53</programlisting></para>
|
ACCEPT fw net tcp 53</programlisting></para>
|
||||||
|
|
||||||
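Review bot: the duplicated word in `rather than using macros. The the` survives the rewrite of this sentence; it should read `The rule shown above could also have been coded as follows:`. Note that swapping `the generated Netfilter ruleset is slightly more efficient` for `Shorewall will start slightly faster` changes what the document says macros cost, from the ruleset itself to start-up time; the same characterization should be used anywhere else the document compares macros with directly coded rules.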
@ -728,23 +739,22 @@ ACCEPT fw net tcp 53</programlisting></para>
|
|||||||
your needs, you can either define the action yourself or you can simply
|
your needs, you can either define the action yourself or you can simply
|
||||||
code the appropriate rules directly.</para>
|
code the appropriate rules directly.</para>
|
||||||
|
|
||||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
SSH/ACCEPT loc fw</programlisting> That rule allows you to run an
|
SSH/ACCEPT loc fw</programlisting> That rule allows you to run an
|
||||||
<acronym>SSH</acronym> server on your firewall and connect to that server
|
<acronym>SSH</acronym> server on your firewall and connect to that server
|
||||||
from your local systems.</para>
|
from your local systems.</para>
|
||||||
|
|
||||||
<para>If you wish to enable other connections from your firewall to other
|
<para>If you wish to enable other connections from your firewall to other
|
||||||
systems, the general format using an <quote>Allow</quote> action is:
|
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<macro>/ACCEPT fw <emphasis><destination zone></emphasis></programlisting>The
|
||||||
<action> fw <emphasis><destination zone></emphasis></programlisting>The
|
|
||||||
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
ACCEPT fw <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example>
|
ACCEPT fw <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example>
|
||||||
<title>Web Server on Firewall</title>
|
<title>Web Server on Firewall</title>
|
||||||
|
|
||||||
<para>You want to run a Web Server on your firewall system:
|
<para>You want to run a Web Server on your firewall system:
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
Web/ACCEPT net fw
|
Web/ACCEPT net fw
|
||||||
Web/ACCEPT loc fw</programlisting> Those two rules would of course be
|
Web/ACCEPT loc fw</programlisting> Those two rules would of course be
|
||||||
in addition to the rules listed above under <quote><link
|
in addition to the rules listed above under <quote><link
|
||||||
linkend="cachingdns">You can configure a Caching Name Server on your
|
linkend="cachingdns">You can configure a Caching Name Server on your
|
||||||
firewall</link></quote>.</para>
|
firewall</link></quote>.</para>
|
||||||
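Review bot: the terminology change is only half applied here. `the general format using an <quote>Allow</quote> action is:` becomes `using a macro is:` and the listing now reads `<macro>/ACCEPT fw <destination zone>`, but the next sentence, `general format when not using defined actions is:`, and the unchanged context above, `you can either define the action yourself`, still say `action`; reword both to `macro` so the section does not mix the two terms.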
@ -755,7 +765,7 @@ Web/ACCEPT loc fw</programlisting> Those two rules would of course be
|
|||||||
shell access to your firewall from the internet, use
|
shell access to your firewall from the internet, use
|
||||||
<acronym>SSH</acronym>:</para>
|
<acronym>SSH</acronym>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
SSH/ACCEPT net fw</programlisting>
|
SSH/ACCEPT net fw</programlisting>
|
||||||
</important> <inlinegraphic fileref="images/leaflogo.gif"
|
</important> <inlinegraphic fileref="images/leaflogo.gif"
|
||||||
format="GIF" />Bering users will want to add the following two rules to be
|
format="GIF" />Bering users will want to add the following two rules to be
|
||||||
|