forked from extern/shorewall_code
350 lines
26 KiB
HTML
350 lines
26 KiB
HTML
|
<html>
|
||
|
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Language" content="en-us">
|
||
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||
|
<title>Shorewall QuickStart Guide</title>
|
||
|
<meta name="Microsoft Theme" content="radial 011">
|
||
|
</head>
|
||
|
|
||
|
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
|
||
|
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall QuickStart Guide<br>
|
||
|
Version 1.3-2<!--mstheme--></font></h1>
|
||
|
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Introduction<!--mstheme--></font></h2>
|
||
|
<p>One of the design goals of Shorewall was that "it should be simple to do
|
||
|
simple things". With that in mind, I've written this QuickStart guide to
|
||
|
demonstrate how easy it is to configure common firewall setups.</p>
|
||
|
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||
|
Shorewall. It rather focuses on what is required to configure Shorewall in three
|
||
|
common basic configurations. If you don't find what you are looking for in this
|
||
|
Guide, check the <a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
|
||
|
<p>This guide assumes that you have the iproute/iproute2 package installed (on
|
||
|
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
|
||
|
package is installed by the presence of an <b>ip</b> program on your firewall
|
||
|
system. As root, you can use the 'which' command to check for this program:</p>
|
||
|
<!--mstheme--></font><pre> [root@gateway root]# which ip
|
||
|
/sbin/ip
|
||
|
[root@gateway root]# </pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>After you have <a href="Install.htm">installed Shorewall</a>, simply pick the sample
|
||
|
configuration that best fits your needs and copy the files to
|
||
|
/etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to
|
||
|
match your setup as described below. If you have servers, you will also need to
|
||
|
modify /etc/shorewall/rules.</p>
|
||
|
<p>Available samples include:</p>
|
||
|
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
|
||
|
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/one-interface.tgz">Standalone System</a><!--mstheme--></font><!--msthemelist--></td></tr>
|
||
|
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interface Masquerading Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
|
||
|
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interface Masquerading Firewall with DMZ</a><!--mstheme--></font><!--msthemelist--></td></tr>
|
||
|
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>All of these samples assume that you have a single external IP address - it
|
||
|
may be static or dynamic. Configuring Shorewall with multiple external IP
|
||
|
addresses is outside of the scope of this guide; see the
|
||
|
<a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
|
||
|
<p><font color="#FF0000"><b>Do <u>not</u> try to install Shorewall on a remote
|
||
|
system -- you will almost certainly end up not being able to communicate with
|
||
|
that system. </b></font></p>
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configuration Concepts<!--mstheme--></font></h2>
|
||
|
<p>The configuration files for Shorewall are contained in the directory
|
||
|
/etc/shorewall -- for simple setups, you will only need to deal with a few of
|
||
|
these as described in this guide. As each file is introduced, I suggest that you
|
||
|
look through the actual file on your system -- each file contains detailed
|
||
|
configuration instructions and default entries.</p>
|
||
|
<p>Shorewall views the network where it is running as being composed of a set of
|
||
|
<i>zones.</i> In the sample configurations, the following zone names are used:</p>
|
||
|
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber1">
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>loc</b><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your Local Network</b><!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>dmz</b><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your demilitarized Zone</b><!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
</table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Shorewall also recognizes the firewall system as its own zone - by default,
|
||
|
the firewall itself is known as <b>fw</b> although you can change that name in the
|
||
|
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf </a>file. As
|
||
|
shown in the above table, not all zones are available with all sample
|
||
|
configurations.</p>
|
||
|
<p>The simplest way to define a zone is to associate the zone with a
|
||
|
network interface on your firewall system. You do that using the
|
||
|
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file. So
|
||
|
for a standalone system, you would associate your single network interface with
|
||
|
<b>net</b>; on a two-interface firewall, you would associate one interface with
|
||
|
<b>net</b> and one with <b>loc</b>; and on a three-interface firewall with DMZ,
|
||
|
you would associate one interface with <b>net</b>, a second with <b>loc</b> and
|
||
|
a third with <b>dmz</b>. The sample interfaces do this as follows:</p>
|
||
|
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2">
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Zone</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Interface</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
</table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>If your configuration doesn't match the sample then you will need to modify
|
||
|
/etc/shorewall/interfaces.</p>
|
||
|
<p>Rules about what traffic to allow and what traffic to deny are expressed in
|
||
|
terms of zones.</p>
|
||
|
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
|
||
|
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another
|
||
|
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
|
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
|
||
|
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
|
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /etc/shorewall/rules file is also used to define port forwarding.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
|
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>For each connection request entering the firewall, the request is first checked against the
|
||
|
/etc/shorewall/rules file. If the connection request doesn't match any rule in
|
||
|
that file, the first policy in /etc/shorewall/policy that matches the
|
||
|
|
||
|
request is then applied. If the policy is DROP or REJECT then the connection
|
||
|
request is passed through the rules in /etc/shorewall/common (the samples supply
|
||
|
that file for you).</p>
|
||
|
<p>If you have more than one interface and you have a single external IP address you will need to use
|
||
|
either IP masquerade (if your IP address is dynamic) or Source Network Address
|
||
|
Translation (SNAT). Whichever applies, you will define it in <a href="Documentation.htm#Masq">/etc/shorewall/masq</a>
|
||
|
file. <b>Note:</b> This file is used to describe "many-to-one outbound NAT".
|
||
|
Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend <u>against</u>
|
||
|
one-to-one NAT in most applications unless you are willing to deal with the DNS
|
||
|
issues involved. The two- and three-interface samples assume that you will be
|
||
|
using IP masquerade as follows:</p>
|
||
|
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3">
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Traffic coming in on this interface</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Will be masqueraded if it goes out this interface</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b><u>Three Interfaces</u></b><!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
<tr>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
|
||
|
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||
|
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||
|
</tr>
|
||
|
</table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h2>
|
||
|
<p>The detailed documentation for this file may be found
|
||
|
<a href="Documentation.htm#Interfaces">here.</a> Entries in this file have four
|
||
|
columns:</p>
|
||
|
<ol>
|
||
|
<li>The name of the zone that this interface connects to - this must be the
|
||
|
name of a zone defined in the /etc/shorewall/zones file.</li>
|
||
|
<li>The name of the interface.</li>
|
||
|
<li>The broadcast address for the subnet on this interface. If you want
|
||
|
Shorewall to detect this address for you, place 'detect' in that column.</li>
|
||
|
<li>A comma-separated list of <a href="Documentation.htm#Interfaces">options</a> that apply to this interface.</li>
|
||
|
</ol>
|
||
|
<p>Some examples:</p>
|
||
|
<p>Standalone system with ethernet interface to the internet.</p>
|
||
|
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Two interface system with eth0 connected to the local network and eth1
|
||
|
connected to the internet. eth1 gets its IP address via DHCP.</p>
|
||
|
<!--mstheme--></font><pre> loc eth0 detect routestopped
|
||
|
net eth1 detect norfc1918,dhcp,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Three interface system with eth0 connected to the internet, eth1 connected to
|
||
|
the DMZ and eth2 connected to the local network. eth0 gets its IP address via
|
||
|
DHCP and the firewall runs a DHCP server for configuring local hosts (those
|
||
|
connected to eth2).</p>
|
||
|
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter,dhcp
|
||
|
dmz eth1 detect routestopped
|
||
|
loc eth2 detect routestopped,dhcp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>At this point, please edit /etc/shorewall/interfaces to match your setup.</p>
|
||
|
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Some other considerations<!--mstheme--></font></h3>
|
||
|
<p>If your primary internet interface uses PPPoE, PPP or PPTP then you will want
|
||
|
to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
|
||
|
/etc/shorewall/shorewall.conf.</a></p>
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy<!--mstheme--></font></h2>
|
||
|
<p>The /etc/shorewall/policy file documentation is
|
||
|
<a href="Documentation.htm#Policy">here</a>. I recommend the following (which
|
||
|
are
|
||
|
in the standalone sample):</p>
|
||
|
<p>Standalone system:</p>
|
||
|
<!--mstheme--></font><pre> fw net ACCEPT
|
||
|
all all DROP info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>So by default, all connection requests from your firewall to the internet are
|
||
|
accepted (allowed) and all other connection requests (i.e., those from the
|
||
|
internet to your firewall) are dropped (ignored).</p>
|
||
|
<p>Two and three interface firewalls:</p>
|
||
|
<!--mstheme--></font><pre> loc net ACCEPT
|
||
|
net all DROP info
|
||
|
all all REJECT info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<blockquote>
|
||
|
<p>If you want your firewall system to have full access to servers on the
|
||
|
internet, add the following rule before the last rule above (Note -- in the two-
|
||
|
and three-interface samples, the line below is included but commented out).</p>
|
||
|
</blockquote>
|
||
|
<!--mstheme--></font><pre> fw net ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>The above policy will:</p>
|
||
|
<ol>
|
||
|
<li>allow all connection requests from your local network to the internet</li>
|
||
|
<li>drop (ignore) all connection requests from the internet to your firewall
|
||
|
or local network</li>
|
||
|
<li>optionally accept all connection requests from the firewall to the
|
||
|
internet (if you uncomment the additional policy)</li>
|
||
|
<li>reject all other connection requests.</li>
|
||
|
</ol>
|
||
|
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
|
||
|
wish.</p>
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/masq<!--mstheme--></font></h2>
|
||
|
<p>The /etc/shorewall/masq file (documentation <a href="Documentation.htm#Masq">
|
||
|
here</a>) describes output many-to-one source Network Address Translation.</p>
|
||
|
<p>If you have a static external IP address (assume 206.124.146.176 in these
|
||
|
examples), then:</p>
|
||
|
<blockquote>
|
||
|
<p>Two interface firewall with eth0 interfacing to the internet and eth1
|
||
|
interfacing to the local network:</p>
|
||
|
</blockquote>
|
||
|
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<blockquote>
|
||
|
<p>Three interface firewall with eth0 interfacing to the internet, eth1
|
||
|
interfacing to the DMZ and eth2 interfacing to the local network:</p>
|
||
|
</blockquote>
|
||
|
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176
|
||
|
eth0 eth2 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>If you have a dynamic internet IP address, simply omit the third column! So
|
||
|
for the two interface firewall, your /etc/shorewall/masq file would have:</p>
|
||
|
<!--mstheme--></font><pre> eth0 eth1</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>If you don't want to use IP masquerade or SNAT (two- and three-interface
|
||
|
samples), simple delete the entry/entries from /etc/shorewall/masq.</p><p>At
|
||
|
this point, edit your /etc/shorewall/masq file and change it to match your
|
||
|
configuration.</p>
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h2>
|
||
|
<p>The rules file (documentation <a href="Documentation.htm#Rules">here</a>) is
|
||
|
probably the most important of the Shorewall configuration files.</p>
|
||
|
<p>The general simplified format for an ACCEPT rule that doesn't involve port forwarding
|
||
|
is:</p>
|
||
|
<!--mstheme--></font><pre> ACCEPT <i><source zone> <dest zone>[:<server IP address>] <protocol> <port(s)></i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Here are some rules that I recommend that everyone use (and that I've
|
||
|
included in the samples):</p>
|
||
|
<!--mstheme--></font><pre> ACCEPT fw net udp 53 # Accept DNS queries from your firewall to the internet
|
||
|
ACCEPT fw net tcp 53 # " " " " " " " " "</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>You can omit these rules if your firewall to net policy is
|
||
|
ACCEPT (In other words, if you uncommented the appropriate line in the policy
|
||
|
file as described above).</p>
|
||
|
<p>If you have three interfaces with a DMZ, you probably need DNS access to the
|
||
|
net from your DMZ. To permit that, I've included:</p>
|
||
|
<!--mstheme--></font><pre> ACCEPT dmz net udp 53
|
||
|
ACCEPT dmz net tcp 53</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>If you run servers on your firewall system that you want to make accessible
|
||
|
to internet clients, you need to include rules to permit that access (note that
|
||
|
the default policy for net->fw in the policy file above is DROP which causes all
|
||
|
inbound traffic to be ignored by default). For example, if you have a web server
|
||
|
running on your firewall system, you would include the following rule:</p>
|
||
|
<!--mstheme--></font><pre> ACCEPT net fw tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>With multiple local zones, you will probably want to open some ports between
|
||
|
these zones.</p>
|
||
|
<p>Example - You have server system 192.168.2.2 in your DMZ and you want to be
|
||
|
able to access its FTP server from your local systems:</p>
|
||
|
<!--mstheme--></font><pre> ACCEPT loc dmz:192.168.2.2 tcp ftp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>For FTP to work properly, you will need kernel support for FTP connection
|
||
|
tracking and NAT but all commercial 2.4 kernel's have such support built in.</p>
|
||
|
<p>If you don't know which protocol and/or port that one of your applications
|
||
|
uses, try looking <a href="ports.htm">here</a>.</p>
|
||
|
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h3>
|
||
|
<p>When you are using many-to-one network address translation
|
||
|
outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an
|
||
|
internal server (either in your local zone or in your DMZ), then you need to use
|
||
|
<i>port forwarding </i>(also known as Destination Network Address Translation or
|
||
|
<b>DNAT</b>). Inbound connection requests are selective forwarded to internal systems
|
||
|
based on rules that you supply.</p>
|
||
|
<p>The general form of a simple port forwarding rule in
|
||
|
/etc/shorewall/rules is:</p>
|
||
|
<!--mstheme--></font><pre> DNAT net <i><server zone>:<server local ip address> <protocol> <port></i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Example - you run a Web Server on your local zone at 192.168.1.5 and you want
|
||
|
to forward incoming TCP port 80 to that system. You have a single external IP
|
||
|
address:</p>
|
||
|
<!--mstheme--></font><pre> DNAT net loc:192.168.1.5 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you
|
||
|
want to allow access to that server from your local zone:</p>
|
||
|
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
|
||
|
ACCEPT loc dmz:192.168.2.4 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<blockquote>
|
||
|
<p>If you have a static IP address (assume 206.124.146.176)
|
||
|
and you want your local clients to be able to access your web server using that
|
||
|
external address, you can use these entries instead:</p>
|
||
|
</blockquote>
|
||
|
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
|
||
|
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>Example - You have a static external IP address (206.124.146.176) and you
|
||
|
have DNS set up so that <a href="http://www.yourdomain.com">www.yourdomain.com</a>
|
||
|
resolves to that address. You want to run a web server in your local network (I
|
||
|
think that this is a BAD IDEA -- see <a href="FAQ.htm#faq2">FAQ 2</a>) on system
|
||
|
192.168.1.4 and you want internet users and your local users to be able to
|
||
|
access <a href="http://www.yourdomain.com">www.yourdomain.com</a>. Your
|
||
|
firewall's internal IP address is 192.168.1.254 and is on eth1.</p>
|
||
|
<!--mstheme--></font><pre> DNAT net loc:192.168.1.4 tcp 80
|
||
|
DNAT loc loc:192.168.2.4 tcp 80 - 206.124.146.176:192.168.1.254</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<blockquote>
|
||
|
<p>In addition, you must specify the<b> multi</b> option on eth1<b> </b>in
|
||
|
/etc/shorewall/interfaces:</p>
|
||
|
</blockquote>
|
||
|
<!--mstheme--></font><pre> loc eth1 detect routestopped,multi</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
<p>If you have requirements for port forwarding beyond what is shown here (like
|
||
|
forwarding to a different port number or redirecting to a proxy), see the
|
||
|
<a href="Documentation.htm#Rules">rules file documentation</a>.</p>
|
||
|
<p>At this point, please edit the /etc/shorewall/rules file and make any
|
||
|
additions required by your setup.</p><p>You are now ready to start shorewall. If
|
||
|
you encounter problems, see the <a href="troubleshoot.htm">troubleshooting
|
||
|
information.</a></p>
|
||
|
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2><p>The firewall is started using the
|
||
|
"shorewall start" command and stopped using "shorewall stop". When the firewall
|
||
|
is stopped, routing is enabled on those interfaces that have the "routestopped"
|
||
|
option specified in /etc/shorewall/interfaces. If you want to totally remove any
|
||
|
trace of Shorewall from your Netfilter configuration, use "shorewall clear".</p>
|
||
|
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
|
||
|
|
||
|
<!--mstheme--></font></body>
|
||
|
|
||
|
</html>
|