<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="radial 011">
</head>

<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">

<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall QuickStart Guide<br>
Version 1.3-2<!--mstheme--></font></h1>

<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Introduction<!--mstheme--></font></h2>
<p>One of the design goals of Shorewall was that &quot;it should be simple to do 
simple things&quot;. With that in mind, I've written this QuickStart guide to 
demonstrate how easy it is to configure common firewall setups.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of 
Shorewall. It rather focuses on what is required to configure Shorewall in three 
common basic configurations. If you don't find what you are looking for in this 
Guide, check the <a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed (on 
RedHat, the package is called <i>iproute</i>). You can tell if this 
package is installed by the presence of an <b>ip</b> program on your firewall 
system. As root, you can use the 'which' command to check for this program:</p>
<!--mstheme--></font><pre>     [root@gateway root]# which ip
     /sbin/ip
     [root@gateway root]# </pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>After you have <a href="Install.htm">installed Shorewall</a>, simply pick the sample 
configuration  that best fits your needs and copy the files to 
/etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to 
match your setup as described below. If you have servers, you will also need to 
modify /etc/shorewall/rules.</p>
<p>Available samples include:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
  <!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/one-interface.tgz">Standalone System</a><!--mstheme--></font><!--msthemelist--></td></tr>
  <!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interface Masquerading Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
  <!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interface Masquerading Firewall with DMZ</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>All of these samples assume that you have a single external IP address - it 
may be static or dynamic. Configuring Shorewall with multiple external IP 
addresses is outside of the scope of this guide; see the
<a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
<p><font color="#FF0000"><b>Do <u>not</u> try to install Shorewall on a remote 
system -- you will almost certainly end up not being able to communicate with 
that system. </b></font></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configuration Concepts<!--mstheme--></font></h2>
<p>The configuration files for Shorewall are contained in the directory 
/etc/shorewall -- for simple setups, you will only need to deal with a few of 
these as described in this guide. As each file is introduced, I suggest that you 
look through the actual file on your system -- each file contains detailed 
configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of 
<i>zones.</i> In the sample configurations, the following zone names are used:</p>
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber1">
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b>loc</b><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your Local Network</b><!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b>dmz</b><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your demilitarized Zone</b><!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Shorewall also recognizes the firewall system as its own zone - by default, 
the firewall itself is known as <b>fw</b> although you can change that name in the
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf </a>file. As 
shown in the above table, not all zones are available with all sample 
configurations.</p>
<p>The simplest way to define a zone is to associate the zone with a 
network interface on your firewall system. You do that using the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file. So 
for a standalone system, you would associate your single network interface with
<b>net</b>; on a two-interface firewall, you would associate one interface with
<b>net</b> and one with <b>loc</b>; and on a three-interface firewall with DMZ, 
you would associate one interface with <b>net</b>, a second with <b>loc</b> and 
a third with <b>dmz</b>. The sample interfaces files do this as follows:</p>
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2">
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Zone</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Interface</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If your configuration doesn't match the sample then you will need to modify 
/etc/shorewall/interfaces.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in 
terms of zones.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
  <!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another 
  zone in the <a href="Documentation.htm#Policy">/etc/shorewall/policy</a> file.<!--mstheme--></font><!--msthemelist--></td></tr>
  <!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
  <a href="Documentation.htm#Rules">/etc/shorewall/rules</a> file.<!--mstheme--></font><!--msthemelist--></td></tr>
  <!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /etc/shorewall/rules file is also used to define port forwarding.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For each connection request entering the firewall, the request is first checked against the 
/etc/shorewall/rules file. If the connection request doesn't match any rule in 
that file, the first policy in /etc/shorewall/policy that matches the 
request is then applied. If the policy is DROP or REJECT then the connection 
request is passed through the rules in /etc/shorewall/common (the samples supply 
that file for you).</p>
<p>If you have more than one interface and you have a single external IP address, you will need to use 
either IP masquerade (if your IP address is dynamic) or Source Network Address 
Translation (SNAT). Whichever applies, you will define it in the <a href="Documentation.htm#Masq">/etc/shorewall/masq</a> 
file. <b>Note:</b> This file is used to describe &quot;many-to-one outbound NAT&quot;. 
Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend <u>against</u> 
one-to-one NAT in most applications unless you are willing to deal with the DNS 
issues involved. The two- and three-interface samples assume that you will be 
using IP masquerade as follows:</p>
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3">
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Traffic coming in on this interface</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Will be masqueraded if it goes out this interface</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica"><b><u>Three Interfaces</u></b><!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
  <tr>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
    <td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
    <td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
  </tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h2>
<p>The detailed documentation for this file may be found
<a href="Documentation.htm#Interfaces">here</a>. Entries in this file have four 
columns:</p>
<ol>
  <li>The name of the zone that this interface connects to - this must be the 
  name of a zone defined in the /etc/shorewall/zones file.</li>
  <li>The name of the interface.</li>
  <li>The broadcast address for the subnet on this interface. If you want 
  Shorewall to detect this address for you, place 'detect' in that column.</li>
  <li>A comma-separated list of <a href="Documentation.htm#Interfaces">options</a> that apply to this interface.</li>
</ol>
<p>Some examples:</p>
<p>Standalone system with ethernet interface to the internet.</p>
<!--mstheme--></font><pre>     net    eth0    detect    norfc1918,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Two interface system with eth0 connected to the local network and eth1 
connected to the internet. eth1 gets its IP address via DHCP.</p>
<!--mstheme--></font><pre>     loc    eth0    detect    routestopped
     net    eth1    detect    norfc1918,dhcp,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Three interface system with eth0 connected to the internet, eth1 connected to 
the DMZ and eth2 connected to the local network. eth0 gets its IP address via 
DHCP and the firewall runs a DHCP server for configuring local hosts (those 
connected to eth2).</p>
<!--mstheme--></font><pre>     net    eth0    detect    norfc1918,routefilter,dhcp
     dmz    eth1    detect    routestopped
     loc    eth2    detect    routestopped,dhcp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>At this point, please edit /etc/shorewall/interfaces to match your setup.</p>
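<p>The four-column layout just described is easy to get wrong by hand (a misspelled option or a zone that is not in /etc/shorewall/zones). The following checker is an added example written for this guide, not part of Shorewall: it parses interfaces lines and reports problems. The set of zone names and the set of option names it knows are only the ones this page mentions (an assumption; the real file accepts more options, see the documentation link above), and the sample inputs are constructed from the three-interface example plus a deliberately broken line.</p>

```python
import re

# Zones used by the sample configurations on this page.  The firewall's own
# zone (fw) is never assigned to an interface, so it is not listed here.
ZONES = {"net", "loc", "dmz"}

# Interface options this guide mentions.  Assumption: a real
# /etc/shorewall/interfaces accepts more; extend the set from the documentation.
KNOWN_OPTIONS = {"norfc1918", "routefilter", "dhcp", "routestopped", "multi"}

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def check_interfaces(text):
    """Return a list of (line number, message) problems; an empty list means OK."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3 or len(cols) > 4:
            problems.append((lineno, "expected 3 or 4 columns, got %d" % len(cols)))
            continue
        zone, iface, bcast = cols[:3]
        # the options column may be absent or '-' (no options)
        options = [] if len(cols) < 4 or cols[3] == "-" else cols[3].split(",")
        if zone not in ZONES:
            problems.append((lineno, "unknown zone %r" % zone))
        if bcast != "detect":
            m = DOTTED_QUAD.match(bcast)
            if not m or any(int(octet) > 255 for octet in m.groups()):
                problems.append((lineno, "broadcast must be 'detect' or an IPv4 address"))
        for opt in options:
            if opt not in KNOWN_OPTIONS:
                problems.append((lineno, "unknown option %r" % opt))
    return problems


# Constructed inputs: the page's three-interface sample, then lines with mistakes.
GOOD = """\
net    eth0    detect    norfc1918,routefilter,dhcp
dmz    eth1    detect    routestopped
loc    eth2    detect    routestopped,dhcp
"""
BAD = """\
wan    eth0    detect    norfc1918
loc    eth2    192.168.1.300    routestoped
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_interfaces(text) or "ok")
```

<p>Run it against your own file with <code>check_interfaces(open("/etc/shorewall/interfaces").read())</code> before starting the firewall; a typo in the options column is otherwise only discovered when Shorewall refuses to start.</p>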
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Some other considerations<!--mstheme--></font></h3>
<p>If your primary internet interface uses PPPoE, PPP or PPTP then you will want 
to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy<!--mstheme--></font></h2>
<p>The /etc/shorewall/policy file documentation is
<a href="Documentation.htm#Policy">here</a>. I recommend the following (which 
are in the standalone sample):</p>
<p>Standalone system:</p>
<!--mstheme--></font><pre>     fw		net	ACCEPT
     all	all	DROP	info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>So by default, all connection requests from your firewall to the internet are 
accepted (allowed) and all other connection requests (i.e., those from the 
internet to your firewall) are dropped (ignored).</p>
<p>Two and three interface firewalls:</p>
<!--mstheme--></font><pre>     loc	net	ACCEPT
     net	all	DROP	info
     all	all	REJECT	info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>If you want your firewall system to have full access to servers on the 
internet, add the following rule before the last rule above (Note -- in the two- 
and three-interface samples, the line below is included but commented out).</p>
</blockquote>
<!--mstheme--></font><pre>     fw		net	ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>The above policy will:</p>
<ol>
  <li>allow all connection requests from your local network to the internet</li>
  <li>drop (ignore) all connection requests from the internet to your firewall 
  or local network</li>
  <li>optionally accept all connection requests from the firewall to the 
  internet (if you uncomment the additional policy)</li>
  <li>reject all other connection requests.</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that you 
wish.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/masq<!--mstheme--></font></h2>
<p>The /etc/shorewall/masq file (documentation <a href="Documentation.htm#Masq">
here</a>) describes output many-to-one source Network Address Translation.</p>
<p>If you have a static external IP address (assume 206.124.146.176 in these 
examples), then:</p>
<blockquote>
  <p>Two interface firewall with eth0 interfacing to the internet and eth1 
  interfacing to the local network:</p>
</blockquote>
<!--mstheme--></font><pre>          eth0		eth1	206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
  <p>Three interface firewall with eth0 interfacing to the internet, eth1 
  interfacing to the DMZ and eth2 interfacing to the local network:</p>
</blockquote>
<!--mstheme--></font><pre>          eth0		eth1	206.124.146.176
          eth0		eth2	206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have a dynamic internet IP address, simply omit the third column! So 
for the two interface firewall, your /etc/shorewall/masq file would have:</p>
<!--mstheme--></font><pre>     eth0	eth1</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you don't want to use IP masquerade or SNAT (two- and three-interface 
samples), simply delete the entry/entries from /etc/shorewall/masq.</p>
<p>At this point, edit your /etc/shorewall/masq file and change it to match your 
configuration.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h2>
<p>The rules file (documentation <a href="Documentation.htm#Rules">here</a>) is 
probably the most important of the Shorewall configuration files.</p>
<p>The general simplified format for an ACCEPT rule that doesn't involve port forwarding 
is:</p>
<!--mstheme--></font><pre>     ACCEPT	<i>&lt;source zone&gt;	&lt;dest zone&gt;[:&lt;server IP address&gt;]	&lt;protocol&gt;	&lt;port(s)&gt;</i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Here are some rules that I recommend that everyone use (and that I've 
included in the samples):</p>
<!--mstheme--></font><pre>     ACCEPT	fw	net	udp	53	# Accept DNS queries from your firewall to the internet (UDP)
     ACCEPT	fw	net	tcp	53	# Accept DNS queries from your firewall to the internet (TCP)</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>You can omit these rules if your firewall to net policy is 
ACCEPT (In other words, if you uncommented the appropriate line in the policy 
file as described above).</p>
<p>If you have three interfaces with a DMZ, you probably need DNS access to the 
net from your DMZ. To permit that, I've included:</p>
<!--mstheme--></font><pre>     ACCEPT	dmz	net	udp	53
     ACCEPT	dmz	net	tcp	53</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you run servers on your firewall system that you want to make accessible 
to internet clients, you need to include rules to permit that access (note that 
the default policy for net-&gt;fw in the policy file above is DROP which causes all 
inbound traffic to be ignored by default). For example, if you have a web server 
running on your firewall system, you would include the following rule:</p>
<!--mstheme--></font><pre>     ACCEPT	net	fw	tcp	80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>With multiple local zones, you will probably want to open some ports between 
these zones.</p>
<p>Example - You have server system 192.168.2.2 in your DMZ and you want to be 
able to access its FTP server from your local systems:</p>
<!--mstheme--></font><pre>     ACCEPT	loc	dmz:192.168.2.2	tcp	ftp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For FTP to work properly, you will need kernel support for FTP connection 
tracking and NAT, but all commercial 2.4 kernels have such support built in.</p>
<p>If you don't know which protocol and/or port that one of your applications 
uses, try looking <a href="ports.htm">here</a>.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h3>
<p>When you are using many-to-one network address translation 
outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an 
internal server (either in your local zone or in your DMZ), then you need to use 
<i>port forwarding </i>(also known as Destination Network Address Translation or 
<b>DNAT</b>). Inbound connection requests are selectively forwarded to internal systems 
based on rules that you supply.</p>
<p>The general  form of a simple port forwarding rule in 
/etc/shorewall/rules is:</p>
<!--mstheme--></font><pre>     DNAT	net <i>&lt;server zone&gt;:&lt;server local ip address&gt; &lt;protocol&gt; &lt;port&gt;</i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - you run a Web Server on your local zone at 192.168.1.5 and you want 
to forward incoming TCP port 80 to that system. You have a single external IP 
address:</p>
<!--mstheme--></font><pre>     DNAT	net	loc:192.168.1.5	tcp	80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you 
want to allow access to that server from your local zone:</p>
<!--mstheme--></font><pre>     DNAT	net	dmz:192.168.2.4	tcp	80
     ACCEPT	loc	dmz:192.168.2.4	tcp	80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
  <p>If you have a static IP address (assume 206.124.146.176) 
and you want your local clients to be able to access your web server using that 
external address, you can use these entries instead:</p>
</blockquote>
<!--mstheme--></font><pre>     DNAT	net	dmz:192.168.2.4	tcp	80
     DNAT	loc	dmz:192.168.2.4	tcp	80	-	206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - You have a static external IP address (206.124.146.176) and you 
have DNS set up so that <a href="http://www.yourdomain.com">www.yourdomain.com</a> 
resolves to that address. You want to run a web server in your local network (I 
think that this is a BAD IDEA -- see <a href="FAQ.htm#faq2">FAQ 2</a>) on system 
192.168.1.4 and you want internet users and your local users to be able to 
access <a href="http://www.yourdomain.com">www.yourdomain.com</a>. Your 
firewall's internal IP address is 192.168.1.254 and is on eth1.</p>
<!--mstheme--></font><pre>     DNAT	net	loc:192.168.1.4	tcp	80
     DNAT	loc	loc:192.168.1.4	tcp	80	-	206.124.146.176:192.168.1.254</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
  <p>In addition, you must specify the<b> multi</b> option on eth1<b> </b>in 
  /etc/shorewall/interfaces:</p>
</blockquote>
<!--mstheme--></font><pre>     loc    eth1    detect    routestopped,multi</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have requirements for port forwarding beyond what is shown here (like 
forwarding to a different port number or redirecting to a proxy), see the
<a href="Documentation.htm#Rules">rules file documentation</a>.</p>
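<p>To make concrete what the two DNAT lines of the last example do to a connection request, here is an added model of them. It is illustrative Python written for this guide, not Shorewall's own code. Two assumptions are built in: a DNAT rule with an empty ORIGINAL DEST column is taken to match requests addressed to the firewall's external address, and an ORIGINAL DEST of the form &lt;external address&gt;:&lt;snat address&gt; is taken to rewrite the source address to the snat address, as the example above describes. The rules text and the client addresses are constructed.</p>

```python
EXTERNAL_IP = "206.124.146.176"     # the static external address used on this page

# Constructed rules file: the web-server-in-the-local-zone example above.
RULES = """
DNAT  net  loc:192.168.1.4  tcp  80
DNAT  loc  loc:192.168.1.4  tcp  80  -  206.124.146.176:192.168.1.254
"""


def parse_dnat(text):
    """ACTION SOURCE DEST:server PROTO PORT [SOURCE PORT] [ORIGINAL DEST[:snat]]"""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols or cols[0] != "DNAT":
            continue
        _, src, dest, proto, port = cols[:5]
        zone, _, server = dest.partition(":")
        # cols[5] is SOURCE PORT ('-' = any); cols[6] is ORIGINAL DEST
        original = cols[6] if len(cols) > 6 else ""
        orig_dest, _, snat = original.partition(":")
        rules.append({"src": src, "zone": zone, "server": server, "proto": proto,
                      "port": int(port),
                      "orig_dest": orig_dest or EXTERNAL_IP,   # assumption, see lead-in
                      "snat": snat or None})
    return rules


def translate(conn, rules):
    """conn = (src zone, src ip, dest ip, proto, port).
    Returns (server zone, new dest ip, new src ip) for a forwarded request, or None."""
    src, src_ip, dest_ip, proto, port = conn
    for r in rules:
        if (r["src"] == src and r["proto"] == proto and r["port"] == port
                and r["orig_dest"] == dest_ip):
            # the source is left alone unless the rule asks for SNAT
            return r["zone"], r["server"], r["snat"] or src_ip
    return None


DNAT_RULES = parse_dnat(RULES)

if __name__ == "__main__":
    for conn in [("net", "1.2.3.4", EXTERNAL_IP, "tcp", 80),
                 ("loc", "192.168.1.10", EXTERNAL_IP, "tcp", 80),
                 ("loc", "192.168.1.10", EXTERNAL_IP, "tcp", 22)]:
        print(conn, "->", translate(conn, DNAT_RULES))
```

<p>The second rule is the interesting one. A local client and the web server share the 192.168.1.0 subnet; if only the destination were rewritten, the server would answer the client directly, the client would see a reply from 192.168.1.4 to a connection it opened to 206.124.146.176, and the connection would fail. Rewriting the source to the firewall's 192.168.1.254 forces the reply back through the firewall, which is also why that traffic enters and leaves eth1 and the <b>multi</b> option is required on it.</p>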
<p>At this point, please edit the /etc/shorewall/rules file and make any 
additions required by your setup.</p>
<p>You are now ready to start Shorewall. If 
you encounter problems, see the <a href="troubleshoot.htm">troubleshooting 
information</a>.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2>
<p>The firewall is started using the 
&quot;shorewall start&quot; command and stopped using &quot;shorewall stop&quot;. When the firewall 
is stopped, routing is enabled on those interfaces that have the &quot;routestopped&quot; 
option specified in /etc/shorewall/interfaces. If you want to totally remove any 
trace of Shorewall from your Netfilter configuration, use &quot;shorewall clear&quot;.</p>
<p><a href="copyright.htm"><font size="2">Copyright &copy; 2002 Thomas M. Eastep</font></a></p>

<!--mstheme--></font></body>

</html>