Shorewall (more properly the Shoreline Firewall) is an open source firewall tool for Linux that builds on the Netfilter (iptables) packet filter built into the Linux kernel, making it easier to manage complex configurations.
An analogy programmers will understand: Shorewall is to iptables what C is to assembly language. It provides a higher level of abstraction for describing rules in plain text files; Shorewall compiles those files into iptables commands, so it is a configuration front end, not a separate packet filter.
II/INSTALL
2/Configure Shorewall
I configure Shorewall with 3 interfaces and 3 zones: net (internet), dmz and loc (local LAN).
2.1/ In file /etc/shorewall/zones add these lines (fw is the firewall host itself; the other three are IPv4 zones):
fw firewall
net ipv4 # internet
loc ipv4 # local LAN
dmz ipv4 # DMZ
2.2/ In file /etc/shorewall/interfaces add these lines (one interface per zone):
net eth1 # interface of zone net
loc eth0 # interface of zone loc
dmz eth2 # interface of zone dmz
2.3/ In file /etc/shorewall/masq add these lines (this file is used for outbound NAT; the columns are INTERFACE, SOURCE, ADDRESS):
eth1 192.168.100.0/24 172.21.1.16
eth1 192.168.111.0/24 172.21.1.16
192.168.100.0/24 is the subnet of zone loc, 192.168.111.0/24 is the subnet of zone dmz, and 172.21.1.16 is the external address of the firewall on eth1. Note that on Shorewall 5 and later the masq file is deprecated in favour of /etc/shorewall/snat, which expresses the same SNAT with an ACTION SOURCE DEST layout.
2.4/ In file /etc/shorewall/policy add these lines. Shorewall applies the first policy that matches a zone pair, so the specific entries must come before the all/all catch-all; any entry listed after all/all can never match.
loc net REJECT info
$FW net REJECT info
dmz net REJECT info
dmz loc REJECT info
loc dmz REJECT info
net all DROP info
all all REJECT info
With these defaults nothing passes between zones unless a rule in the rules file allows it. Two caveats: $FW net REJECT also blocks the firewall host's own outbound traffic (DNS lookups, package updates), so anything the firewall itself needs must get an explicit rule; and the "info" log level on every policy logs every dropped or rejected packet, which is useful while testing but noisy on an internet-facing interface.
2.5/ In file /etc/shorewall/rules add these lines (columns: ACTION SOURCE DEST PROTO DEST PORT(S)):
ACCEPT loc net tcp 80,443,25,110,53 # permit local->internet for HTTP, HTTPS, SMTP, POP3, DNS
ACCEPT loc net udp 53 # DNS over UDP
ACCEPT loc net icmp echo-request # permit ping local->internet
ACCEPT loc $FW tcp 2822 # permit SSH to the firewall; for security I changed the SSH port to 2822
DNAT net dmz:192.168.111.2 tcp 80,443,110,25,995,465 # inbound NAT from the internet to the DMZ server for HTTP, HTTPS, POP3, SMTP, POP3S, SMTPS
The DNAT rule both rewrites the destination to 192.168.111.2 and accepts the forwarded traffic from net to dmz, so no separate ACCEPT is needed for those ports. Only the listed ports are exposed; everything else from net still hits the net all DROP policy.
Change STARTUP_ENABLED=No to STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf.
Run "shorewall check" first to compile the configuration and catch syntax errors without touching the running firewall, then start Shorewall with the command: shorewall start
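As an added example (not part of the original post and not Shorewall's own tooling), the script below stages the complete three-zone configuration from steps 2.1 to 2.5 in a directory, lints the policy file for the first-match ordering pitfall, and then hands the directory to "shorewall check" when the binary is present. The interface names and addresses are the ones used above; the staging directory path and the SHOREWALL_STAGING variable are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example: writes the three-zone Shorewall configuration from this post
# into a staging directory and lints the policy file for the ordering pitfall
# (a catch-all "all all" policy shadows every policy listed after it).
# Not Shorewall's own tooling; the staging directory is an assumption.

# Write zones, interfaces, masq, policy and rules into directory $1.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # zones: the firewall itself plus three IPv4 zones.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

    # interfaces: which NIC carries each zone.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE
net     eth1
loc     eth0
dmz     eth2
EOF

    # masq: outbound NAT for the LAN and DMZ subnets behind the external address.
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE              ADDRESS
eth1        192.168.100.0/24    172.21.1.16
eth1        192.168.111.0/24    172.21.1.16
EOF

    # policy: Shorewall uses the first matching line, so the specific
    # zone pairs must come before the all/all catch-all.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     REJECT  info
$FW     net     REJECT  info
dmz     net     REJECT  info
dmz     loc     REJECT  info
loc     dmz     REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: the holes punched through the policies above.
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  loc     net                 tcp     80,443,25,110,53
ACCEPT  loc     net                 udp     53
ACCEPT  loc     net                 icmp    echo-request
ACCEPT  loc     $FW                 tcp     2822
DNAT    net     dmz:192.168.111.2   tcp     80,443,110,25,995,465
EOF
}

# Return 0 if no policy entry follows an all/all catch-all, 1 otherwise.
# Anything listed after all/all can never match and is a misconfiguration.
check_policy_order() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        seen_catchall { bad = 1 }                   # entry after all/all: dead
        $1 == "all" && $2 == "all" { seen_catchall = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Stage the configuration, lint it, and run `shorewall check <dir>` when the
# shorewall binary is present (it compiles from <dir> instead of /etc/shorewall).
main() {
    dir="${1:-./shorewall-staging}"
    write_shorewall_config "$dir" || return 1
    if ! check_policy_order "$dir/policy"; then
        echo "policy: entries after the all/all catch-all are unreachable" >&2
        return 1
    fi
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$dir"
    else
        echo "staged in $dir; run 'shorewall check $dir' on the firewall host"
    fi
}

# Only run when the caller names a staging directory, e.g.
#   SHOREWALL_STAGING=/tmp/sw sh shorewall_3zone.sh
if [ -n "${SHOREWALL_STAGING:-}" ]; then
    main "$SHOREWALL_STAGING"
fi
```

Once "shorewall check" passes against the staged directory, copy the files into /etc/shorewall and run "shorewall start"; keeping the lint separate from the compile step means the ordering mistake is caught before Shorewall silently produces a policy set with unreachable entries.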
For easier configuration you can use Webmin, which provides a web interface for editing the Shorewall files.