mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-11 08:51:13 +01:00
1f72beecc8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@684 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
1073 lines
49 KiB
HTML
1073 lines
49 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
|
||
<meta http-equiv="Content-Language" content="en-us">
|
||
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
|
||
<meta http-equiv="Content-Type"
|
||
content="text/html; charset=windows-1252">
|
||
<title>Two-Interface Firewall</title>
|
||
|
||
<meta name="Microsoft Theme" content="none">
|
||
</head>
|
||
<body>
|
||
|
||
<table border="0" cellpadding="0" cellspacing="0"
|
||
style="border-collapse: collapse;" width="100%" id="AutoNumber5"
|
||
bgcolor="#3366ff" height="90">
|
||
<tbody>
|
||
<tr>
|
||
<td width="100%">
|
||
|
||
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
|
||
</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
|
||
<p align="left">Setting up a Linux system as a firewall for a small network
|
||
is a fairly straight-forward task if you understand the basics
|
||
and follow the documentation.</p>
|
||
|
||
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||
Shorewall. It rather focuses on what is required to configure
|
||
Shorewall in its most common configuration:</p>
|
||
|
||
<ul>
|
||
<li>Linux system used as a firewall/router for a
|
||
small local network.</li>
|
||
<li>Single public IP address.</li>
|
||
<li>Internet connection through cable modem, DSL,
|
||
ISDN, Frame Relay, dial-up ...</li>
|
||
|
||
</ul>
|
||
|
||
<p align="left">Here is a schematic of a typical installation.</p>
|
||
|
||
<p align="center"> <img border="0" src="images/basics.png" width="444"
|
||
height="635">
|
||
</p>
|
||
|
||
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
|
||
configure the above setup using the Mandrake "Internet Connection
|
||
Sharing" applet. From the Mandrake Control Center, select "Network
|
||
& Internet" then "Connection Sharing".<br>
|
||
</b></p>
|
||
|
||
<p><b>Note however, that the Shorewall configuration produced by Mandrake
|
||
Internet Connection Sharing is strange and is apt to confuse you if you
|
||
use the rest of this documentation (it has two local zones; "loc" and "masq"
|
||
where "loc" is empty; this conflicts with this documentation which assumes
|
||
a single local zone "loc"). We therefore recommend that once you have set
|
||
up this sharing that you uninstall the Mandrake Shorewall RPM and install
|
||
the one from the <a href="download.htm">download page</a> then follow the
|
||
instructions in this Guide.</b><br>
|
||
</p>
|
||
|
||
<p>Shorewall requires that you have the iproute/iproute2 package installed
|
||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You
|
||
can tell if this package is installed by the presence of an <b>ip</b>
|
||
program on your firewall system. As root, you can use the 'which'
|
||
command to check for this program:</p>
|
||
|
||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||
|
||
<p>I recommend that you first read through the guide to familiarize yourself
|
||
with what's involved then go back through it again making your
|
||
configuration changes. Points at which configuration changes are
|
||
recommended are flagged with <img border="0"
|
||
src="images/BD21298_.gif" width="13" height="13">
|
||
. Configuration notes that are unique to LEAF/Bering
|
||
are marked with<74><img src="images/leaflogo.gif" alt="(LEAF Logo)"
|
||
width="49" height="36">
|
||
</p>
|
||
|
||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||
<20><><EFBFBD> If you edit your configuration files on a Windows
|
||
system, you must save them as Unix files if your editor supports
|
||
that option or you must run them through dos2unix before trying
|
||
to use them. Similarly, if you copy a configuration file from your
|
||
Windows hard drive to a floppy disk, you must run dos2unix against the
|
||
copy before using it with Shorewall.</p>
|
||
|
||
<ul>
|
||
<li><a
|
||
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
|
||
dos2unix</a></li>
|
||
<li><a
|
||
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
|
||
of dos2unix</a></li>
|
||
|
||
</ul>
|
||
|
||
<h2 align="left">Shorewall Concepts</h2>
|
||
|
||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||
alt="">
|
||
<20><><EFBFBD> The configuration files for Shorewall are contained in
|
||
the directory /etc/shorewall -- for simple setups, you will only need
|
||
to deal with a few of these as described in this guide. After you have
|
||
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
|
||
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
|
||
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
|
||
to /etc/shorewall (these files will replace files with the same
|
||
name).</b></p>
|
||
|
||
<p>As each file is introduced, I suggest that you look through the actual
|
||
file on your system -- each file contains detailed configuration
|
||
instructions and default entries.</p>
|
||
|
||
<p>Shorewall views the network where it is running as being composed of a
|
||
set of <i>zones.</i> In the two-interface sample configuration,
|
||
the following zone names are used:</p>
|
||
|
||
<table border="0" style="border-collapse: collapse;" cellpadding="3"
|
||
cellspacing="0" id="AutoNumber2">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>Name</b></u></td>
|
||
<td><u><b>Description</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td><b>net</b></td>
|
||
<td><b>The Internet</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td><b>loc</b></td>
|
||
<td><b>Your Local Network</b></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
|
||
<p>Zones are defined in the <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>
|
||
file.</p>
|
||
|
||
<p>Shorewall also recognizes the firewall system as its own zone - by default,
|
||
the firewall itself is known as <b>fw.</b></p>
|
||
|
||
<p>Rules about what traffic to allow and what traffic to deny are expressed
|
||
in terms of zones.</p>
|
||
|
||
<ul>
|
||
<li>You express your default policy for connections
|
||
from one zone to another zone in the<a
|
||
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
|
||
<li>You define exceptions to those default policies
|
||
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules
|
||
</a>file.</li>
|
||
|
||
</ul>
|
||
|
||
<p>For each connection request entering the firewall, the request is first
|
||
checked against the /etc/shorewall/rules file. If no rule in
|
||
that file matches the connection request then the first policy
|
||
in /etc/shorewall/policy that matches the request is applied.
|
||
If that policy is REJECT or DROP<4F> the request is first checked against
|
||
the rules in /etc/shorewall/common (the samples provide that file
|
||
for you).</p>
|
||
|
||
<p>The /etc/shorewall/policy file included with the two-interface sample
|
||
has the following policies:</p>
|
||
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber3">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>Source Zone</b></u></td>
|
||
<td><u><b>Destination Zone</b></u></td>
|
||
<td><u><b>Policy</b></u></td>
|
||
<td><u><b>Log Level</b></u></td>
|
||
<td><u><b>Limit:Burst</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc</td>
|
||
<td>net</td>
|
||
<td>ACCEPT</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
<tr>
|
||
<td>net</td>
|
||
<td>all</td>
|
||
<td>DROP</td>
|
||
<td>info</td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
<tr>
|
||
<td>all</td>
|
||
<td>all</td>
|
||
<td>REJECT</td>
|
||
<td>info</td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
|
||
<blockquote>
|
||
<p>In the two-interface sample, the line below is included but commented
|
||
out. If you want your firewall system to have full access to
|
||
servers on the internet, uncomment that line.</p>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber3">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>Source Zone</b></u></td>
|
||
<td><u><b>Destination Zone</b></u></td>
|
||
<td><u><b>Policy</b></u></td>
|
||
<td><u><b>Log Level</b></u></td>
|
||
<td><u><b>Limit:Burst</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>fw</td>
|
||
<td>net</td>
|
||
<td>ACCEPT</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p>The above policy will:</p>
|
||
|
||
<ol>
|
||
<li>allow all connection requests from your local
|
||
network to the internet</li>
|
||
<li>drop (ignore) all connection requests from the
|
||
internet to your firewall or local network</li>
|
||
<li>optionally accept all connection requests from
|
||
the firewall to the internet (if you uncomment the additional policy)</li>
|
||
<li>reject all other connection requests.</li>
|
||
|
||
</ol>
|
||
|
||
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||
<20><><EFBFBD> At this point, edit your /etc/shorewall/policy
|
||
and make any changes that you wish.</p>
|
||
|
||
<h2 align="left">Network Interfaces</h2>
|
||
|
||
<p align="center"> <img border="0" src="images/basics.png" width="444"
|
||
height="635">
|
||
</p>
|
||
|
||
<p align="left">The firewall has two network interfaces. Where Internet connectivity
|
||
is through a cable or DSL "Modem", the <i>External Interface</i> will be
|
||
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)<29>
|
||
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
|
||
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
|
||
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
|
||
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
|
||
via a regular modem, your External Interface will also be <b>ppp0</b>.
|
||
If you connect via ISDN, your external interface will be <b>ippp0.</b></p>
|
||
|
||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> If your external interface is <b>ppp0</b> or<b>
|
||
ippp0</b><EFBFBD> then you will want to set CLAMPMSS=yes in <a
|
||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
|
||
|
||
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
|
||
(eth1 or eth0) and will be connected to a hub or switch. Your
|
||
other computers will be connected to the same hub/switch (note:
|
||
If you have only a single internal system, you can connect the firewall
|
||
directly to the computer using a <i>cross-over </i> cable).</p>
|
||
|
||
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
|
||
width="60" height="60">
|
||
</b></u>Do not connect the internal and external interface
|
||
to the same hub or switch (even for testing). It won't work the
|
||
way that you think that it will and you will end up confused and
|
||
believing that Shorewall doesn't work at all.</p>
|
||
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||
width="13" height="13">
|
||
<20><><EFBFBD> The Shorewall two-interface sample configuration
|
||
assumes that the external interface is <b>eth0</b> and the internal
|
||
interface is <b>eth1</b>. If your configuration is different, you
|
||
will have to modify the sample <a
|
||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
|
||
accordingly. While you are there, you may wish to review the list
|
||
of options that are specified for the interfaces. Some hints:</p>
|
||
|
||
<ul>
|
||
<li>
|
||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
|
||
you can replace the "detect" in the second column with "-".
|
||
</p>
|
||
</li>
|
||
<li>
|
||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||
or if you have a static IP address, you can remove "dhcp" from
|
||
the option list. </p>
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
<h2 align="left">IP Addresses</h2>
|
||
|
||
<p align="left">Before going further, we should say a few words about Internet
|
||
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
|
||
you a single <i> Public</i> IP address. This address may be assigned
|
||
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
|
||
of establishing your connection when you dial in (standard modem) or
|
||
establish your PPP connection. In rare cases, your ISP may assign you
|
||
a<i> static</i> IP address; that means that you configure your firewall's
|
||
external interface to use that address permanently.<i> </i>However
|
||
your external address is assigned, it will be shared by all of your systems
|
||
when you access the Internet. You will have to assign your own addresses
|
||
in your internal network (the Internal Interface on your firewall plus
|
||
your other computers). RFC 1918 reserves several <i>Private </i>IP address
|
||
ranges for this purpose:</p>
|
||
|
||
<div align="left">
|
||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> Before starting Shorewall, you should look at
|
||
the IP address of your external interface and if it is one of
|
||
the above ranges, you should remove the 'norfc1918' option from
|
||
the external interface's entry in /etc/shorewall/interfaces.</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">You will want to assign your addresses from the same <i>
|
||
sub-network </i>(<i>subnet)</i>.<2E> For our purposes, we can consider a subnet
|
||
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
|
||
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The
|
||
address x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
|
||
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
|
||
a subnet is described using<6E><a
|
||
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
|
||
</i>(CIDR) notation</a> with consists of the subnet address followed
|
||
by "/24". The "24" refers to the number of consecutive leading
|
||
"1" bits from the left of the subnet mask. </p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Example sub-network:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" style="border-collapse: collapse;" id="AutoNumber1"
|
||
cellpadding="2">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>Range:</b></td>
|
||
<td>10.10.10.0 - 10.10.10.255</td>
|
||
</tr>
|
||
<tr>
|
||
<td><b>Subnet Address:</b></td>
|
||
<td>10.10.10.0</td>
|
||
</tr>
|
||
<tr>
|
||
<td><b>Broadcast Address:</b></td>
|
||
<td>10.10.10.255</td>
|
||
</tr>
|
||
<tr>
|
||
<td><b>CIDR<EFBFBD>Notation:</b></td>
|
||
<td>10.10.10.0/24</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">It is conventional to assign the internal interface either
|
||
the first usable address in the subnet (10.10.10.1 in the above
|
||
example) or the last usable address (10.10.10.254).</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">One of the purposes of subnetting is to allow all computers
|
||
in the subnet to understand which other computers can be communicated
|
||
with directly. To communicate with systems outside of the subnetwork,
|
||
systems send packets through a<i><EFBFBD> gateway</i><EFBFBD> (router).</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> Your local computers (computer 1 and computer
|
||
2 in the above diagram) should be configured with their<i> default
|
||
gateway</i> to be the IP address of the firewall's internal interface.<i><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
</i> </p>
|
||
</div>
|
||
|
||
<p align="left">The foregoing short discussion barely scratches the surface
|
||
regarding subnetting and routing. If you are interested in learning
|
||
more about IP addressing and routing, I highly recommend <i>"IP
|
||
Fundamentals: What Everyone Needs to Know about Addressing &
|
||
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
|
||
|
||
<p align="left">The remainder of this quide will assume that you have configured
|
||
your network as shown here:</p>
|
||
|
||
<p align="center"> <img border="0" src="images/basics1.png" width="444"
|
||
height="635">
|
||
</p>
|
||
|
||
<p align="left">The default gateway for computer's 1 & 2 would be 10.10.10.254.<br>
|
||
</p>
|
||
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13" alt="">
|
||
<20><><EFBFBD> <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
|
||
assign your external interface an RFC 1918 address. If that address
|
||
is in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT
|
||
RFC 1918 subnet for your local network.</b><br>
|
||
</p>
|
||
|
||
<h2 align="left">IP Masquerading (SNAT)</h2>
|
||
|
||
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
|
||
to as <i>non-routable</i> because the Internet backbone routers
|
||
don't forward packets which have an RFC-1918 destination address.
|
||
When one of your local systems (let's assume computer 1) sends a
|
||
connection request to an internet host, the firewall must perform
|
||
<i>Network Address Translation </i>(NAT). The firewall rewrites
|
||
the source address in the packet to be the address of the firewall's
|
||
external interface; in other words, the firewall makes it look as
|
||
if the firewall itself is initiating the connection.<2E> This is necessary
|
||
so that the destination host will be able to route return packets
|
||
back to the firewall (remember that packets whose destination address
|
||
is reserved by RFC 1918 can't be routed across the internet so the
|
||
remote host can't address its response to computer 1). When the firewall
|
||
receives a return packet, it rewrites the destination address back to
|
||
10.10.10.1 and forwards the packet on to computer 1. </p>
|
||
|
||
<p align="left">On Linux systems, the above process is often referred to
|
||
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
|
||
Address Translation </i>(SNAT) used. Shorewall follows the convention used
|
||
with Netfilter:</p>
|
||
|
||
<ul>
|
||
<li>
|
||
<p align="left"><i>Masquerade</i> describes the case where you let your
|
||
firewall system automatically detect the external interface
|
||
address. </p>
|
||
</li>
|
||
<li>
|
||
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
|
||
the source address that you want outbound packets from your
|
||
local network to use. </p>
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
|
||
entries in the /etc/shorewall/masq file. You will normally use
|
||
Masquerading if your external IP is dynamic and SNAT if the IP
|
||
is static.</p>
|
||
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> If your external firewall interface is <b>eth0</b>,
|
||
you do not need to modify the file provided with the sample. Otherwise,
|
||
edit /etc/shorewall/masq and change the first column to the name
|
||
of your external interface and the second column to the name of your
|
||
internal interface.</p>
|
||
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> If your external IP is static, you can enter it
|
||
in the third column in the /etc/shorewall/masq entry if you like
|
||
although your firewall will work fine if you leave that column
|
||
empty. Entering your static IP in column 3 makes processing outgoing
|
||
packets a little more efficient.<br>
|
||
<br>
|
||
<img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13" alt="">
|
||
<20><><EFBFBD> If you are using the Debian package, please check your
|
||
shorewall.conf file to ensure that the following are set correctly;
|
||
if they are not, change them appropriately:<br>
|
||
</p>
|
||
|
||
<ul>
|
||
<li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
|
||
<li>IP_FORWARDING=On<br>
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
<h2 align="left">Port Forwarding (DNAT)</h2>
|
||
|
||
<p align="left">One of your goals may be to run one or more servers on your
|
||
local computers. Because these computers have RFC-1918 addresses,
|
||
it is not possible for clients on the internet to connect directly
|
||
to them. It is rather necessary for those clients to address their
|
||
connection requests to the firewall who rewrites the destination
|
||
address to the address of your server and forwards the packet to
|
||
that server. When your server responds, the firewall automatically
|
||
performs SNAT to rewrite the source address in the response.</p>
|
||
|
||
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
|
||
Destination Network Address Translation</i> (DNAT). You configure
|
||
port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
|
||
|
||
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
|
||
is:</p>
|
||
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><server local ip address> </i>[:<i><server
|
||
port></i>]</td>
|
||
<td><i><protocol></i></td>
|
||
<td><i><port></i></td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p>Example 1 - you run a Web Server on computer 2 and you want to forward
|
||
incoming TCP port 80 to that system:</p>
|
||
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:10.10.10.2</td>
|
||
<td>tcp</td>
|
||
<td>80</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p>Example 2 - you run an FTP Server on computer 1 so you want to forward
|
||
incoming TCP port 21 to that system:</p>
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:10.10.10.1</td>
|
||
<td>tcp</td>
|
||
<td>21<br>
|
||
</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<p>For FTP, you will also need to have FTP connection tracking and NAT support
|
||
in your kernel. For vendor-supplied kernels, this means that the ip_conntrack_ftp
|
||
and ip_nat_ftp modules must be loaded. Shorewall will automatically load
|
||
these modules if they are available and located in the standard place under
|
||
/lib/modules/<<i>kernel version</i>>/kernel/net/ipv4/netfilter.<br>
|
||
</p>
|
||
<p>A couple of important points to keep in mind:</p>
|
||
|
||
<ul>
|
||
<li>You must test the above rule from a client outside
|
||
of your local network (i.e., don't test from a browser running
|
||
on computers 1 or 2 or on the firewall). If you want to be able
|
||
to access your web server and/or FTP server from inside your firewall
|
||
using the IP address of your external interface, see <a
|
||
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
|
||
<li>Many ISPs block incoming connection requests
|
||
to port 80. If you have problems connecting to your web server,
|
||
try the following rule and try connecting to port 5000.</li>
|
||
|
||
</ul>
|
||
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:10.10.10.2:80</td>
|
||
<td>tcp</td>
|
||
<td>5000</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||
<20><><EFBFBD> At this point, modify /etc/shorewall/rules to
|
||
add any DNAT rules that you require.</p>
|
||
|
||
<h2 align="left">Domain Name Server (DNS)</h2>
|
||
|
||
<p align="left">Normally, when you connect to your ISP, as part of getting
|
||
an IP address your firewall's <i>Domain Name Service </i>(DNS)
|
||
resolver will be automatically configured (e.g., the /etc/resolv.conf
|
||
file will be written). Alternatively, your ISP may have given you
|
||
the IP address of a pair of DNS <i> name servers</i> for you to manually
|
||
configure as your primary and secondary name servers. Regardless
|
||
of how DNS gets configured on your firewall, it is <u>your</u> responsibility
|
||
to configure the resolver in your internal systems. You can take
|
||
one of two approaches:</p>
|
||
|
||
<ul>
|
||
<li>
|
||
<p align="left">You can configure your internal systems to use your ISP's
|
||
name servers. If you ISP gave you the addresses of their servers
|
||
or if those addresses are available on their web site, you can
|
||
configure your internal systems to use those addresses. If that
|
||
information isn't available, look in /etc/resolv.conf on your
|
||
firewall system -- the name servers are given in "nameserver" records
|
||
in that file. </p>
|
||
</li>
|
||
<li>
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> You can configure a<i> Caching Name Server </i>on
|
||
your firewall.<i> </i>Red Hat has an RPM for a caching name
|
||
server (the RPM also requires the 'bind' RPM) and for Bering users,
|
||
there is dnscache.lrp. If you take this approach, you configure your
|
||
internal systems to use the firewall itself as their primary (and
|
||
only) name server. You use the internal IP address of the firewall
|
||
(10.10.10.254 in the example above) for the name server address.
|
||
To allow your local systems to talk to your caching name server, you
|
||
must open port 53 (both UDP and TCP) from the local network to the
|
||
firewall; you do that by adding the following rules in /etc/shorewall/rules.
|
||
</p>
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>loc</td>
|
||
<td>fw</td>
|
||
<td>tcp</td>
|
||
<td>53</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>loc</td>
|
||
<td>fw</td>
|
||
<td>udp</td>
|
||
<td>53</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
|
||
<div align="left">
|
||
<h2 align="left">Other Connections</h2>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">The two-interface sample includes the following rules:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>fw</td>
|
||
<td>net</td>
|
||
<td>tcp</td>
|
||
<td>53</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>fw</td>
|
||
<td>net</td>
|
||
<td>udp</td>
|
||
<td>53</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Those rules allow DNS access from your firewall and may be
|
||
removed if you uncommented the line in /etc/shorewall/policy
|
||
allowing all connections from the firewall to the internet.</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">The sample also includes:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>loc</td>
|
||
<td>fw</td>
|
||
<td>tcp</td>
|
||
<td>22</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">That rule allows you to run an SSH server on your firewall
|
||
and connect to that server from your local systems.</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">If you wish to enable other connections between your firewall
|
||
and other systems, the general format is:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td><i><source zone></i></td>
|
||
<td><i><destination zone></i></td>
|
||
<td><i><protocol></i></td>
|
||
<td><i><port></i></td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Example - You want to run a Web Server on your firewall system:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>net</td>
|
||
<td>fw</td>
|
||
<td>tcp</td>
|
||
<td>80</td>
|
||
<td>#Allow web access</td>
|
||
<td>from the internet</td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>loc</td>
|
||
<td>fw</td>
|
||
<td>tcp</td>
|
||
<td>80</td>
|
||
<td>#Allow web access</td>
|
||
<td>from the local network</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Those two rules would of course be in addition to the rules
|
||
listed above under "You can configure a Caching Name Server
|
||
on your firewall"</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">If you don't know what port and protocol a particular application
|
||
uses, look <a href="ports.htm">here</a>.</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
|
||
the internet because it uses clear text (even for login!).
|
||
If you want shell access to your firewall from the internet,
|
||
use SSH:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>net</td>
|
||
<td>fw</td>
|
||
<td>tcp</td>
|
||
<td>22</td>
|
||
<td><EFBFBD></td>
|
||
<td><EFBFBD></td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
|
||
width="49" height="36">
|
||
<20><><EFBFBD> Bering users will want to add the following two rules to be
|
||
compatible with Jacques's Shorewall configuration.</p>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber4">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>loc<br>
|
||
</td>
|
||
<td>fw</td>
|
||
<td>udp<br>
|
||
</td>
|
||
<td>53<br>
|
||
</td>
|
||
<td>#Allow DNS Cache to</td>
|
||
<td>work<br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>loc</td>
|
||
<td>fw</td>
|
||
<td>tcp</td>
|
||
<td>80</td>
|
||
<td>#Allow weblet to work</td>
|
||
<td><br>
|
||
</td>
|
||
</tr>
|
||
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<p align="left"><br>
|
||
<img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> Now edit your /etc/shorewall/rules file to add
|
||
or delete other connections as required.</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<h2 align="left">Starting and Stopping Your Firewall</h2>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"> <img border="0" src="images/BD21298_2.gif"
|
||
width="13" height="13" alt="Arrow">
|
||
<20><><EFBFBD> The <a href="Install.htm">installation procedure
|
||
</a> configures your system to start Shorewall at system boot<6F> but
|
||
beginning with Shorewall version 1.3.9 startup is disabled so that
|
||
your system won't try to start Shorewall before configuration is complete.
|
||
Once you have completed configuration of your firewall, you can enable
|
||
Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
|
||
</p>
|
||
|
||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
|
||
color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
|
||
and set 'startup=1'.</font><br>
|
||
</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">The firewall is started using the "shorewall start" command
|
||
and stopped using "shorewall stop". When the firewall is stopped,
|
||
routing is enabled on those hosts that have an entry in <a
|
||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
|
||
running firewall may be restarted using the "shorewall restart"
|
||
command. If you want to totally remove any trace of Shorewall
|
||
from your Netfilter configuration, use "shorewall clear".</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
|
||
height="13">
|
||
<20><><EFBFBD> The two-interface sample assumes that you want
|
||
to enable routing to/from <b>eth1 </b>(the local network) when
|
||
Shorewall is stopped. If your local network isn't connected to <b>eth1</b>
|
||
or if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
|
||
accordingly.</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||
the internet, do not issue a "shorewall stop" command unless
|
||
you have added an entry for the IP address that you are connected
|
||
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||
Also, I don't recommend using "shorewall restart"; it is better
|
||
to create an <i><a
|
||
href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||
and test it using the <a
|
||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||
</div>
|
||
|
||
<p align="left"><font size="2">Last updated 7/28/2003 - <a
|
||
href="support.htm">Tom Eastep</a></font></p>
|
||
|
||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
|
||
Thomas M. Eastep</font></a><br>
|
||
</p>
|
||
</body>
|
||
</html>
|