# # Shorewall version 1.3 - Rules File # # /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. # # In most places where an IP address or subnet is allowed, you # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to # indicate that the rule matches all addresses except the address/subnet # given. Notice that no white space is permitted between "!" and the # address/subnet. # # Columns are: # # # ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # # ACCEPT -- allow the connection request # DROP -- ignore the request # REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. # DNAT -- Forward the request to another # system (and optionally another # port). # REDIRECT -- Redirect the request to a local # port on the firewall. # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones or $FW to indicate the # firewall itself. If the ACTION is DNAT or REDIRECT, # sub-zones of the specified zone may be excluded from # the rule by following the zone name with "!' and a # comma-separated list of sub-zone names. # # Clients may be further restricted to a list of subnets # and/or hosts by appending ":" and a comma-separated # list of subnets and/or hosts. Hosts may be specified # by IP or MAC address; mac addresses must begin with # "~" and must use "-" as a separator. # # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # Internet # # loc:192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2 in the local zone. # loc:~00-A0-C9-15-39-78 Host in the local zone with # MAC address 00:A0:C9:15:39:78. # # Alternatively, clients may be specified by interface # by appending ":" followed by the interface name. For # example, loc:eth1 specifies a client that # communicates with the firewall system through eth1. # # DEST Location of Server. May be a zone defined in # /etc/shorewall/zones or $FW to indicate the firewall # itself. # # The server may be further restricted to a particular # subnet, host or interface by appending ":" and the # subnet, host or interface. See above. # # The port that the server is listening on may be # included and separated from the server's IP address by # ":". If omitted, the firewall will not modifiy the # destination port. A destination port may only be # included if the ACTION is DNAT or REDIRECT. # # Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port # 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # # if the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # "all" or "related". If "related", the remainder of the # entry must be omitted and connection requests that are # related to existing requests will be accepted. # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # A port range is expressed as :. # # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain # "-" # # If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then # only a single Netfilter rule will be generated if in # this list and the CLIENT PORT(S) list below: # 1. There are 15 or less ports listed. # 2. No port ranges are included. # Otherwise, a separate rule will be generated for each # port. # # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. # # If you don't want to restrict client ports but need to # specify an ADDRESS in the next column, then place "-" # in this column. # # If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then # only a single Netfilter rule will be generated if in # this list and the DEST PORT(S) list above: # 1. There are 15 or less ports listed. # 2. No port ranges are included. # Otherwise, a separate rule will be generated for each # port. # # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # REDIRECT) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port # specified in the DEST column. # # The address may optionally be followed by # a colon (":") and a second IP address. This causes # Shorewall to use the second IP address as the source # address in forwarded packets. See the Shorewall # documentation for restrictions concerning this feature. # If no source IP address is given, the original source # address is not altered. # # Example: Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # # PORT PORT(S) DEST # ACCEPT dmz net tcp smtp # # Example: Forward all ssh and http connection requests from the internet # to local system 192.168.1.3 # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # # PORT PORT(S) DEST # DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to # port 3128 on the firewall (Squid running on the firewall # system) except when the destination address is 192.168.2.2 # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # # PORT PORT(S) DEST # REDIRECT loc 3128 tcp www - !192.168.2.2 # # Example: All http requests from the internet to address # 130.252.100.69 are to be forwarded to 192.168.1.3 # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # # PORT PORT(S) DEST # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT PORT(S) DEST # # Accept outgoing DNS connections from the firewall # ACCEPT fw net tcp 53 ACCEPT fw net udp 53 # # Accept SSH connections from the local network to the firewall and DMZ # ACCEPT loc fw tcp 22 ACCEPT loc dmz tcp 22 # # DMZ DNS access to the internet # ACCEPT dmz net tcp 53 ACCEPT dmz net udp 53 # # Make ping work between the DMZ, net and local zone (assumes that the loc-> # net policy is ACCEPT). # ACCEPT loc dmz icmp 8 ACCEPT dmz loc icmp 8 ACCEPT dmz net icmp 8 ACCEPT net dmz icmp 8 # Only with Proxy ARP and ACCEPT net loc icmp 8 # static NAT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE