Initial revision
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@21 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f1c2d8967b
commit
db26ed00d2
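--- /dev/null
+++ b/Lrp/etc/shorewall/masq
@@ -0,0 +1,81 @@
+#
+# Shorewall 1.3 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+# (SNAT).
+#
+# Columns are:
+#
+# INTERFACE -- Outgoing interface. This is usually your internet
+# interface. This may be qualified by adding the character
+# ":" followed by a destination host or subnet.
+#
+#
+# SUBNET -- Subnet that you wish to masquerade. You can specify this as
+# a subnet or as an interface. If you give the name of an
+# interface, you must have iproute installed and the interface
+# must be up before you start the firewall.
+#
+# In order to exclude a subset of the specified SUBNET, you
+# may append "!" and a comma-separated list of IP addresses
+# and/or subnets that you wish to exclude.
+#
+# Example: eth1!192.168.1.4,192.168.32.0/27
+#
+# In that example traffic from eth1 would be masqueraded unless
+# it came from 192.168.1.4 or 196.168.32.0/27
+#
+# ADDRESS -- (Optional). If you specify an address here, SNAT will be
+# used and this will be the source address. If
+# ADD_SNAT_ALIASES is set to Yes or yes in
+# /etc/shorewall/shorewall.conf then Shorewall
+# will automatically add this address to the
+# INTERFACE named in the first column.
+#
+# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+# the address given in this column is the primary
+# IP address for the interface in the INTERFACE
+# column.
+#
+# Example 1:
+#
+# You have a simple masquerading setup where eth0 connects to
+# a DSL or cable modem and eth1 connects to your local network
+# with subnet 192.168.0.0/24.
+#
+# Your entry in the file can be either:
+#
+# eth0 eth1
+#
+# or
+#
+# eth0 192.168.0.0/24
+#
+# Example 2:
+#
+# You add a router to your local network to connect subnet
+# 192.168.1.0/24 which you also want to masquerade. You then
+# add the following entry to this file:
+#
+# eth0 192.168.1.0/24
+#
+# Example 3:
+#
+# You have an IPSEC tunnel through ipsec0 and you want to
+# masquerade packets coming from 192.168.1.0/24 but only if
+# these packets are destined for hosts in 10.1.1.0/24:
+#
+# ipsec0:10.1.1.0/24 196.168.1.0/24
+#
+# Example 4:
+#
+# You want all outgoing traffic from 192.168.1.0/24 through
+# eth0 to use source address 206.124.146.176.
+#
+# eth0 192.168.1.0/24 206.124.146.176
+#
+##############################################################################
+#INTERFACE SUBNET ADDRESS
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE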
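Review bot: The example subnets in the exclusion explanation and in Example 3 do not match the entries they describe: the entry reads `eth1!192.168.1.4,192.168.32.0/27` but the explanation says `196.168.32.0/27`, and Example 3's prose says 192.168.1.0/24 while its entry is `ipsec0:10.1.1.0/24 196.168.1.0/24`. 196.168.0.0/16 is not RFC1918 space, so an admin who copies Example 3 verbatim masquerades a public range instead of the LAN; both should read 192.168.x. The ADD_SNAT_ALIASES WARNING would also be more useful if it said what goes wrong when the rule is violated (presumably the interface's primary address is disturbed when the alias is added or removed — confirm), since as written the consequence is left to the reader.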
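--- /dev/null
+++ b/Lrp/etc/shorewall/modules
@@ -0,0 +1,14 @@
+##############################################################################
+# Shorewall 1.3 /etc/shorewall/modules
+#
+# This file loads the modules needed by the firewall.
+
+loadmodule ip_tables
+loadmodule iptable_filter
+loadmodule ip_conntrack
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_irc
+loadmodule iptable_nat
+loadmodule ip_nat_ftp
+loadmodule ip_nat_irc
+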
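Review bot: The FTP and IRC helpers (`ip_conntrack_ftp`, `ip_conntrack_irc`, `ip_nat_ftp`, `ip_nat_irc`) are loaded unconditionally, although nothing in this file indicates that every deployment carries either protocol. Once loaded, these helpers parse payloads and create RELATED expectations from addresses and ports supplied by the peer, so they add attack surface on firewalls that never pass FTP or IRC; a header line such as `# Comment out the ftp/irc helpers below if you do not use those protocols` would let admins trim them safely. The header also does not say whether the entries are processed in order (filter and conntrack modules before the nat ones here) or what `loadmodule` does when a module is already built into the kernel — both are worth a sentence if known; confirm.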
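--- /dev/null
+++ b/Lrp/etc/shorewall/nat
@@ -0,0 +1,30 @@
+##############################################################################
+#
+# Shorewall 1.3 -- Network Address Translation Table
+#
+# /etc/shorewall/nat
+#
+# This file is used to define static Network Address Translation (NAT).
+#
+# WARNING: If all you want to do is simple port forwarding, do NOT use this
+# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
+# cases, Proxy ARP is a better solution that static NAT.
+#
+# Columns must be separated by white space and are:
+#
+# EXTERNAL External IP Address - this should NOT be the primary
+# IP address of the interface named in the next
+# column.
+# INTERFACE Interface that we want to EXTERNAL address to appear
+# on
+# INTERNAL Internal Address
+# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
+# from all hosts. If No or no then NAT will be effective
+# only through the interface named in the INTERFACE
+# column
+# LOCAL If Yes or yes and the ALL INTERFACES column contains
+# Yes or yes, NAT will be effective from the firewall
+# system
+##############################################################################
+#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE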
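Review bot: The ALL INTERFACES column defaults to the permissive setting when left empty (`If Yes or yes (or left empty), NAT will be effective from all hosts`), which is easy to hit by omission and means INTERNAL becomes reachable at EXTERNAL from every zone, not only from the interface named in the entry. The header should say this plainly, e.g. `# Leave ALL INTERFACES empty only if INTERNAL should be reachable at EXTERNAL from every zone; use No to limit it to INTERFACE`. Two wording slips in the column descriptions should also be fixed: `Proxy ARP is a better solution than static NAT` and `Interface that we want the EXTERNAL address to appear on`.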
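--- /dev/null
+++ b/Lrp/etc/shorewall/params
@@ -0,0 +1,43 @@
+#
+# Shorewall 1.3 /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=noping,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+# net $NET_IF $NET_BCAST $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 130.252.100.255 noping,norfc1918
+#
+# Variables can be used in the following places in the other configuration
+# files:
+#
+# /etc/shorewall/interfaces:
+# /etc/shorewall/hosts
+#
+# All except the first column.
+#
+# /etc/shorewall/rules
+#
+# First column after ":".
+# All remaining columns
+#
+# /etc/shorewall/tunnels
+# /etc/shorewall/proxyarp
+# /etc/shorewall/nat
+#
+# All columns
+##############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE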
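Review bot: The header should state how this file is read, because the examples (`NET_IF=eth0`, `$NET_IF`) use shell assignment and expansion syntax and the file looks like it is sourced by the firewall script, which runs as root — confirm. If that is the case, anything written here is executed rather than merely parsed, so a line such as `# This file is sourced as shell by the firewall script: keep it root-owned and not writable by others, and put only variable assignments here` belongs at the top. It would also help to say what an unset variable expands to (an empty string, presumably), since a silently empty column changes the meaning of the record it appears in.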
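--- /dev/null
+++ b/Lrp/etc/shorewall/proxyarp
@@ -0,0 +1,30 @@
+##############################################################################
+#
+# Shorewall 1.3 -- Proxy ARP
+#
+# /etc/shorewall/proxyarp
+#
+# This file is used to define Proxy ARP.
+#
+# Columns must be separated by white space and are:
+#
+# ADDRESS IP Address
+# INTERFACE Local interface where system is connected. If the
+# local interface is obvious from the subnetting,
+# you may enter "-" in this column.
+# EXTERNAL External Interface to be used to access this system
+#
+# HAVEROUTE If there is already a route from the firewall to
+# the host whose address is given, enter "Yes" or "yes"
+# in this column. Otherwise, entry "no", "No" or leave
+# the column empty.
+#
+# Example: Host with IP 155.186.235.6 is connected to
+# interface eth1 and we want hosts attached via eth0
+# to be able to access it using that address.
+#
+# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
+# 155.186.235.6 eth1 eth0 No
+##############################################################################
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE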
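Review bot: The HAVEROUTE description does not say what Shorewall does when the value is No or empty — presumably it adds a host route to ADDRESS via INTERFACE, which is exactly what an admin needs to know before mixing this file with manually configured routes; confirm and document it in that paragraph. The same paragraph has a typo, `Otherwise, entry "no"` should read `Otherwise, enter "no"`. A short statement that ADDRESS is a single host address (the example is `155.186.235.6`) would also settle whether a subnet is accepted here, which the header currently leaves open.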
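--- /dev/null
+++ b/Lrp/etc/shorewall/tcrules
@@ -0,0 +1,47 @@
+#
+# Shorewall version 1.3 - Traffic Control Rules File
+#
+# /etc/shorewall/tcrules
+#
+# Entries in this file cause packets to be marked as a means of
+# classifying them for traffic control.
+#
+# Columns are:
+#
+#
+# MARK The mark value which is an
+# integer in the range 1-255
+#
+# SOURCE Source of the packet. A comma-separated list of
+# interface names, IP addresses, MAC addresses
+# and/or subnets. Use $FW if the packet originates on
+# the firewall.
+#
+# MAC addresses must be prefixed with "~" and use
+# "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# DEST Destination of the packet. Comma separated list of
+# IP addresses and/or subnets.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# or "all".
+#
+# PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following field is supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+##############################################################################
+#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE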
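Review bot: The PORT(S) paragraph refers to `PROTOCOL = all` while the column is named `PROTO` everywhere else, including the `#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)` header line; the documentation should use one name so a reader can match the text to the column. The same sentence has a grammar slip: `any of the following field is supplied` should be `any of the following fields is supplied`. The MARK range `1-255` is given without its reason; one clause explaining why 0 is excluded (presumably because unmarked packets carry mark 0 — confirm) would help admins who later need to reason about mark values elsewhere.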
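--- /dev/null
+++ b/Lrp/etc/shorewall/tos
@@ -0,0 +1,52 @@
+#
+# Shorewall 1.3 -- /etc/shorewall/tos
+#
+# This file defines rules for setting Type Of Service (TOS)
+#
+# Columns are:
+#
+# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
+# or $FW.
+#
+# If not "all" or $FW, may optionally be followed by
+# ":" and an IP address, a MAC address, a subnet
+# specification or the name of an interface.
+#
+# Example: loc:192.168.2.3
+#
+# MAC addresses must be prefixed with "~" and use
+# "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# DEST Name of a zone declared in /etc/shorewall/zones, "all"
+# or $FW.
+#
+# If not "all" or $FW, may optionally be followed by
+# ":" and an IP address or a subnet specification
+#
+# Example: loc:192.168.2.3
+#
+# PROTOCOL Protocol.
+#
+# SOURCE PORTS Source port or port range. If all ports, use "-".
+#
+# DEST PORTS Destination port or port range. If all ports, use "-"
+#
+# TOS Type of service. Must be one of the following:
+#
+# Minimize-Delay (16)
+# Maximize-Throughput (8)
+# Maximize-Reliability (4)
+# Minimize-Cost (2)
+# Normal-Service (0)
+#
+##############################################################################
+#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
+all all tcp - ssh 16
+all all tcp ssh - 16
+all all tcp - ftp 16
+all all tcp ftp - 16
+all all tcp ftp-data - 8
+all all tcp - ftp-data 8
+#LAST LINE -- Add your entries above -- DO NOT REMOVE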
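Review bot: The TOS column says the value `Must be one of the following` and lists symbolic names with numbers in parentheses, but every shipped entry (`all all tcp - ssh 16`) uses only the number, so it is unclear whether `Minimize-Delay` is a valid value or merely a description; the header should state which form is accepted. The PROTOCOL column is documented only as `Protocol.`, whereas the tcrules file in this same commit spells out `"tcp", "udp", "icmp", a number, or "all"` — the same sentence would fit here. The default entries rely on the names `ssh`, `ftp` and `ftp-data` resolving through /etc/services on the firewall host, which is worth a one-line note since a stripped-down image may not ship that file.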
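--- /dev/null
+++ b/Lrp/etc/shorewall/tunnels
@@ -0,0 +1,51 @@
+#
+# Shorewall 1.3 - /etc/shorewall/tunnels
+#
+# This file defines IPSEC, GRE and IPIP tunnels.
+#
+# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
+# IPSEC endpoints may be defined on the firewall/gateway or on an
+# internal system.
+#
+# The columns are:
+#
+# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre"
+#
+# ZONE -- The zone of the physical interface through which
+# tunnel traffic passes. This is normally your internet
+# zone.
+#
+# GATEWAY -- The IP address of the remote tunnel gateway. If the
+# remote getway has no fixed address (Road Warrior)
+# then specify the gateway as 0.0.0.0/0.
+#
+# GATEWAY ZONE-- Optional. If the gateway system specified in the third
+# column is a standalone host then this column should
+# contain the name of the zone that the host is in. This
+# column only applies to IPSEC tunnels.
+#
+# Example 1:
+#
+# IPSec tunnel. The remote gateway is 4.33.99.124 and
+# the remote subnet is 192.168.9.0/24
+#
+# ipsec net 4.33.99.124
+#
+# Example 2:
+#
+# Road Warrior (LapTop that may connect from anywhere)
+# where the "gw" zone is used to represent the remote
+# LapTop.
+#
+# ipsec net 0.0.0.0/0 gw
+#
+# Example 3:
+#
+# Host 4.33.99.124 is a standalone system connected
+# via an ipsec tunnel to the firewall system. The host
+# is in zone gw.
+#
+# ipsec net 4.33.99.124 gw
+#
+# TYPE ZONE GATEWAY GATEWAY ZONE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE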
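Review bot: The Road Warrior guidance (`then specify the gateway as 0.0.0.0/0`) should say what such an entry opens, since with that gateway the rules generated for the tunnel presumably accept tunnel traffic (IKE/ESP for "ipsec") from every address in ZONE rather than from one peer — confirm and document, e.g. `# 0.0.0.0/0 accepts tunnel traffic from any address in ZONE; peer authentication must then come from the tunnel protocol itself, not from this firewall`. `remote getway` is a typo for `remote gateway`. Example 1 also mentions a remote subnet 192.168.9.0/24 that the entry `ipsec net 4.33.99.124` never uses, which reads as though a column is missing; either drop the subnet from the prose or say where it is configured instead.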