Tuesday, September 29, 2009

INSTALL SHOREWALL (Configure iptables more easily)

I/INTRO

Shorewall (more appropriately the Shoreline Firewall) is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes.

Using an analogy understandable to programmers: Shorewall is to iptables what C is to assembly language. It provides a higher level of abstraction for describing rules using text files.


II/INSTALL

1/ Download all the Shorewall *.rpm packages (from http://rpm.pbone.net/; if you use Fedora you can use yum instead) and install them with the command: rpm -ivh *.rpm

2/ Configure Shorewall

I configure Shorewall with 3 interfaces and 3 zones: net, dmz, loc (local).

2.1/ In file /etc/shorewall/zones add all lines

fw firewall

net ipv4 #

loc ipv4 #

dmz ipv4 #
2.2/ In file /etc/shorewall/interfaces add all lines

net eth1 #interface of zone net

loc eth0 # interface of Zone loc

dmz eth2 #interface of Zone dmz

2.3/ In file /etc/shorewall/masq add all lines (this file is used for outbound NAT)

eth1 192.168.100.0/24 172.21.1.16
eth1 192.168.111.0/24 172.21.1.16


192.168.100.0/24 is the subnet of zone loc, 192.168.111.0/24 is the subnet of zone dmz, and 172.21.1.16 is the external address of the firewall.

2.4/ In file /etc/shorewall/policy add all lines

loc net REJECT info

net all DROP info

all all REJECT info

$FW net REJECT info

dmz net REJECT info

dmz loc REJECT info

loc dmz REJECT info


2.5/ In file /etc/shorewall/rules add all lines


ACCEPT loc net tcp 80,443,25,110,53 # permit local -> internet for HTTP, HTTPS, SMTP, POP3, DNS

ACCEPT loc net udp 53

ACCEPT loc net icmp echo-request # permit ping local -> internet

ACCEPT loc fw tcp 2822 # permit SSH access to the firewall; for security I changed the SSH port

DNAT net dmz:192.168.111.2 tcp 80,443,110,25,995,465 # inbound NAT: the internet can reach HTTP, HTTPS, POP3, SMTP, POP3S, SMTPS on the DMZ host


Change STARTUP_ENABLED=No to STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf.

Start Shorewall with the command: shorewall start
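To make the order of evaluation concrete, here is a small added example (my own code, not part of Shorewall or of the original post). It parses the policy and rules from steps 2.4 and 2.5, written as constructed sample input with Shorewall's '#' comment syntax, and answers whether a new connection between two zones is accepted, rejected or dropped. It is a simplified model: it assumes the rules file is checked before the policy file and that both are first-match top to bottom, it ignores host addresses, interface options and the masq file, and it treats the firewall zone as 'fw' whether written as 'fw' or '$FW'.

```python
"""Toy first-match evaluator for a Shorewall policy and rules file (added example)."""
from dataclasses import dataclass

# Constructed sample input: the policy and rules from the post, using Shorewall's
# '#' comment syntax. Both files are read top to bottom and the first match wins.
POLICY_FILE = """\
loc  net  REJECT  info
net  all  DROP    info
all  all  REJECT  info
$FW  net  REJECT  info
dmz  net  REJECT  info
dmz  loc  REJECT  info
loc  dmz  REJECT  info
"""

RULES_FILE = """\
ACCEPT  loc  net  tcp   80,443,25,110,53   # local -> internet: HTTP, HTTPS, SMTP, POP3, DNS
ACCEPT  loc  net  udp   53
ACCEPT  loc  net  icmp  echo-request       # ping local -> internet
ACCEPT  loc  fw   tcp   2822               # SSH to the firewall on a non-default port
DNAT    net  dmz:192.168.111.2  tcp  80,443,110,25,995,465   # inbound to the DMZ host
"""


@dataclass(frozen=True)
class Conn:
    """A new connection attempt between two zones (the host inside a zone is not modelled)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: str  # TCP/UDP port or ICMP type, as written in the rules file


def _norm_zone(zone: str) -> str:
    """'$FW' and 'fw' both name the firewall zone declared in /etc/shorewall/zones."""
    zone = zone.split(":", 1)[0]  # 'dmz:192.168.111.2' -> zone 'dmz' (host part ignored here)
    return "fw" if zone == "$FW" else zone


def _fields(text: str):
    """Yield the whitespace-split columns of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text: str):
    """Rows of (source, dest, policy); the log level column is ignored."""
    return [(_norm_zone(f[0]), _norm_zone(f[1]), f[2].upper()) for f in _fields(text)]


def parse_rules(text: str):
    """Rows of (action, source, dest, proto, set-of-ports); no port column means any port."""
    rules = []
    for f in _fields(text):
        action, src, dst, proto = f[0].upper(), _norm_zone(f[1]), _norm_zone(f[2]), f[3].lower()
        ports = set(f[4].split(",")) if len(f) > 4 else {"any"}
        rules.append((action, src, dst, proto, ports))
    return rules


def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def decide(conn: Conn, rules, policy) -> str:
    """Fate of a new connection: the rules are consulted first, then the policy."""
    for action, src, dst, proto, ports in rules:
        if (_zone_match(src, conn.src_zone) and _zone_match(dst, conn.dst_zone)
                and proto == conn.proto and ("any" in ports or conn.dport in ports)):
            # A DNAT rule rewrites the destination and then lets the connection through.
            return "ACCEPT" if action == "DNAT" else action
    for src, dst, verdict in policy:
        if _zone_match(src, conn.src_zone) and _zone_match(dst, conn.dst_zone):
            return verdict
    # Shorewall will not start with a zone pair that has no policy; fail loudly here too.
    raise ValueError(f"no policy covers {conn.src_zone} -> {conn.dst_zone}")


RULES = parse_rules(RULES_FILE)
POLICY = parse_policy(POLICY_FILE)


def fate(src: str, dst: str, proto: str, dport: str) -> str:
    """Convenience wrapper over decide() for the constructed configuration above."""
    return decide(Conn(src, dst, proto, dport), RULES, POLICY)


if __name__ == "__main__":
    for probe in [("loc", "net", "tcp", "80"), ("loc", "net", "tcp", "22"),
                  ("loc", "fw", "tcp", "2822"), ("loc", "fw", "tcp", "22"),
                  ("net", "dmz", "tcp", "443"), ("net", "loc", "tcp", "443"),
                  ("dmz", "loc", "tcp", "445")]:
        print(f"{probe[0]:>3} -> {probe[1]:<3} {probe[2]}/{probe[3]:<12} {fate(*probe)}")
```

Running it shows the effect of the configuration in the post: loc -> net is only open for the listed ports (tcp/22 outbound falls through to the loc net REJECT policy), SSH to the firewall is accepted on 2822 but rejected on 22, inbound net -> dmz is accepted only for the DNAT ports, and anything else from net is dropped. Because both files are first-match, moving a policy line above another changes the outcome, which is why the order in steps 2.4 and 2.5 matters.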


For easier configuration you can use Webmin, which provides a web interface for configuring Shorewall.

