zeus
/
SwarmLab-HowTos
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
246 Commits
1 Branch
0 Tags
124 MiB
Tree: ed4ff948e8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ed4ff948e8'
${ noResults }
SwarmLab-HowTos/labs/os2/ex-4_iptables.adoc.html

851 lines
103 KiB
Raw Normal View History

new site
4 years ago
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.10">
<meta name="description" content="Intro and Install">
<meta name="keywords" content="sec, tcpdump">
<meta name="author" content="Apostolos rootApostolos@swarmlab.io">
<title>Iptables with shorewall!</title>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700">
<style>
/* Asciidoctor default stylesheet | MIT License | https://asciidoctor.org */
/* Uncomment @import statement to use as custom stylesheet */
/*@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700";*/
article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}
audio,video{display:inline-block}
audio:not([controls]){display:none;height:0}
html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}
a{background:none}
a:focus{outline:thin dotted}
a:active,a:hover{outline:0}
h1{font-size:2em;margin:.67em 0}
abbr[title]{border-bottom:1px dotted}
b,strong{font-weight:bold}
dfn{font-style:italic}
hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}
mark{background:#ff0;color:#000}
code,kbd,pre,samp{font-family:monospace;font-size:1em}
pre{white-space:pre-wrap}
q{quotes:"\201C" "\201D" "\2018" "\2019"}
small{font-size:80%}
sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}
sup{top:-.5em}
sub{bottom:-.25em}
img{border:0}
svg:not(:root){overflow:hidden}
figure{margin:0}
fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}
legend{border:0;padding:0}
button,input,select,textarea{font-family:inherit;font-size:100%;margin:0}
button,input{line-height:normal}
button,select{text-transform:none}
button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}
button[disabled],html input[disabled]{cursor:default}
input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0}
button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}
textarea{overflow:auto;vertical-align:top}
table{border-collapse:collapse;border-spacing:0}
*,*::before,*::after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}
html,body{font-size:100%}
body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto;tab-size:4;-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased}
a:hover{cursor:pointer}
img,object,embed{max-width:100%;height:auto}
object,embed{height:100%}
img{-ms-interpolation-mode:bicubic}
.left{float:left!important}
.right{float:right!important}
.text-left{text-align:left!important}
.text-right{text-align:right!important}
.text-center{text-align:center!important}
.text-justify{text-align:justify!important}
.hide{display:none}
img,object,svg{display:inline-block;vertical-align:middle}
textarea{height:auto;min-height:50px}
select{width:100%}
.center{margin-left:auto;margin-right:auto}
.stretch{width:100%}
.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em}
div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr}
a{color:#2156a5;text-decoration:underline;line-height:inherit}
a:hover,a:focus{color:#1d4b8f}
a img{border:0}
p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility}
p aside{font-size:.875em;line-height:1.35;font-style:italic}
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em}
h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0}
h1{font-size:2.125em}
h2{font-size:1.6875em}
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em}
h4,h5{font-size:1.125em}
h6{font-size:1em}
hr{border:solid #dddddf;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0}
em,i{font-style:italic;line-height:inherit}
strong,b{font-weight:bold;line-height:inherit}
small{font-size:60%;line-height:inherit}
code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9)}
ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit}
ul,ol{margin-left:1.5em}
ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em}
ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit}
ul.square{list-style-type:square}
ul.circle{list-style-type:circle}
ul.disc{list-style-type:disc}
ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0}
dl dt{margin-bottom:.3125em;font-weight:bold}
dl dd{margin-bottom:1.25em}
abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help}
abbr{text-transform:none}
blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd}
blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)}
blockquote cite::before{content:"\2014 \0020"}
blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)}
blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)}
@media screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2}
h1{font-size:2.75em}
h2{font-size:2.3125em}
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em}
h4{font-size:1.4375em}}
table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede}
table thead,table tfoot{background:#f7f8f7}
table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left}
table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)}
table tr.even,table tr.alt{background:#f8f8f7}
table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6}
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em}
h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400}
.clearfix::before,.clearfix::after,.float-group::before,.float-group::after{content:" ";display:table}
.clearfix::after,.float-group::after{clear:both}
:not(pre):not([class^=L])>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;padding:.1em .5ex;word-spacing:-.15em;background:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed;word-wrap:break-word}
:not(pre)>code.nobreak{word-wrap:normal}
:not(pre)>code.nowrap{white-space:nowrap}
pre{color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;line-height:1.45;text-rendering:optimizeSpeed}
pre code,pre pre{color:inherit;font-size:inherit;line-height:inherit}
pre>code{display:block}
pre.nowrap,pre.nowrap pre{white-space:pre;word-wrap:normal}
em em{font-style:normal}
strong strong{font-weight:400}
.keyseq{color:rgba(51,51,51,.8)}
kbd{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;display:inline-block;color:rgba(0,0,0,.8);font-size:.65em;line-height:1.45;background:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:0 .15em;padding:.2em .5em;vertical-align:middle;position:relative;top:-.1em;white-space:nowrap}
.keyseq kbd:first-child{margin-left:0}
.keyseq kbd:last-child{margin-right:0}
.menuseq,.menuref{color:#000}
.menuseq b:not(.caret),.menuref{font-weight:inherit}
.menuseq{word-spacing:-.02em}
.menuseq b.caret{font-size:1.25em;line-height:.8}
.menuseq i.caret{font-weight:bold;text-align:center;width:.45em}
b.button::before,b.button::after{position:relative;top:-1px;font-weight:400}
b.button::before{content:"[";padding:0 3px 0 2px}
b.button::after{content:"]";padding:0 2px 0 3px}
p a>code:hover{color:rgba(0,0,0,.9)}
#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em}
#header::before,#header::after,#content::before,#content::after,#footnotes::before,#footnotes::after,#footer::before,#footer::after{content:" ";display:table}
#header::after,#content::after,#footnotes::after,#footer::after{clear:both}
#content{margin-top:1.25em}
#content::before{content:none}
#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #dddddf}
#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #dddddf;padding-bottom:8px}
#header .details{border-bottom:1px solid #dddddf;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap}
#header .details span:first-child{margin-left:-.125em}
#header .details span.email a{color:rgba(0,0,0,.85)}
#header .details br{display:none}
#header .details br+span::before{content:"\00a0\2013\00a0"}
#header .details br+span.author::before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)}
#header .details br+span#revremark::before{content:"\00a0|\00a0"}
#header #revnumber{text-transform:capitalize}
#header #revnumber::after{content:"\00a0"}
#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #dddddf;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem}
#toc{border-bottom:1px solid #e7e7e9;padding-bottom:.5em}
#toc>ul{margin-left:.125em}
#toc ul.sectlevel0>li>a{font-style:italic}
#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0}
#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none}
#toc li{line-height:1.3334;margin-top:.3334em}
#toc a{text-decoration:none}
#toc a:active{text-decoration:underline}
#toctitle{color:#7a2518;font-size:1.2em}
@media screen and (min-width:768px){#toctitle{font-size:1.375em}
body.toc2{padding-left:15em;padding-right:0}
#toc.toc2{margin-top:0!important;background:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #e7e7e9;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto}
#toc.toc2 #toctitle{margin-top:0;margin-bottom:.8rem;font-size:1.2em}
#toc.toc2>ul{font-size:.9em;margin-bottom:0}
#toc.toc2 ul ul{margin-left:0;padding-left:1em}
#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em}
body.toc2.toc-right{padding-left:0;padding-right:15em}
body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #e7e7e9;left:auto;right:0}}
@media screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0}
#toc.toc2{width:20em}
#toc.toc2 #toctitle{font-size:1.375em}
#toc.toc2>ul{font-size:.95em}
#toc.toc2 ul ul{padding-left:1.25em}
body.toc2.toc-right{padding-left:0;padding-right:20em}}
#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
#content #toc>:first-child{margin-top:0}
#content #toc>:last-child{margin-bottom:0}
#footer{max-width:100%;background:rgba(0,0,0,.8);padding:1.25em}
#footer-text{color:rgba(255,255,255,.8);line-height:1.44}
#content{margin-bottom:.625em}
.sect1{padding-bottom:.625em}
@media screen and (min-width:768px){#content{margin-bottom:1.25em}
.sect1{padding-bottom:1.25em}}
.sect1:last-child{padding-bottom:0}
.sect1+.sect1{border-top:1px solid #e7e7e9}
#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
#content h1>a.anchor::before,h2>a.anchor::before,h3>a.anchor::before,#toctitle>a.anchor::before,.sidebarblock>.content>.title>a.anchor::before,h4>a.anchor::before,h5>a.anchor::before,h6>a.anchor::before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}
#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221}
details,.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em}
details>summary:first-of-type{cursor:pointer;display:list-item;outline:none;margin-bottom:.75em}
.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic}
table.tableblock.fit-content>caption.title{white-space:nowrap;width:0}
.paragraph.lead>p,#preamble>.sectionbody>[class="paragraph"]:first-of-type p{font-size:1.21875em;line-height:1.6;color:rgba(0,0,0,.85)}
table.tableblock #preamble>.sectionbody>[class="paragraph"]:first-of-type p{font-size:inherit}
.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%}
.admonitionblock>table td.icon{text-align:center;width:80px}
.admonitionblock>table td.icon img{max-width:none}
.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase}
.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #dddddf;color:rgba(0,0,0,.6)}
.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0}
.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px}
.exampleblock>.content>:first-child{margin-top:0}
.exampleblock>.content>:last-child{margin-bottom:0}
.sidebarblock{border-style:solid;border-width:1px;border-color:#dbdbd6;margin-bottom:1.25em;padding:1.25em;background:#f3f3f2;-webkit-border-radius:4px;border-radius:4px}
.sidebarblock>:first-child{margin-top:0}
.sidebarblock>:last-child{margin-bottom:0}
.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center}
.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0}
.literalblock pre,.listingblock>.content>pre{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;overflow-x:auto;padding:1em;font-size:.8125em}
@media screen and (min-width:768px){.literalblock pre,.listingblock>.content>pre{font-size:.90625em}}
@media screen and (min-width:1280px){.literalblock pre,.listingblock>.content>pre{font-size:1em}}
.literalblock pre,.listingblock>.content>pre:not(.highlight),.listingblock>.content>pre[class="highlight"],.listingblock>.content>pre[class^="highlight "]{background:#f7f7f8}
.literalblock.output pre{color:#f7f7f8;background:rgba(0,0,0,.9)}
.listingblock>.content{position:relative}
.listingblock code[data-lang]::before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:inherit;opacity:.5}
.listingblock:hover code[data-lang]::before{display:block}
.listingblock.terminal pre .command::before{content:attr(data-prompt);padding-right:.5em;color:inherit;opacity:.5}
.listingblock.terminal pre .command:not([data-prompt])::before{content:"$"}
.listingblock pre.highlightjs{padding:0}
.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px}
.listingblock pre.prettyprint{border-width:0}
.prettyprint{background:#f7f7f8}
pre.prettyprint .linenums{line-height:1.45;margin-left:2em}
pre.prettyprint li{background:none;list-style-type:inherit;padding-left:0}
pre.prettyprint li code[data-lang]::before{opacity:1}
pre.prettyprint li:not(:first-child) code[data-lang]::before{display:none}
table.linenotable{border-collapse:separate;border:0;margin-bottom:0;background:none}
table.linenotable td[class]{color:inherit;vertical-align:top;padding:0;line-height:inherit;white-space:normal}
table.linenotable td.code{padding-left:.75em}
table.linenotable td.linenos{border-right:1px solid currentColor;opacity:.35;padding-right:.5em}
pre.pygments .lineno{border-right:1px solid currentColor;opacity:.35;display:inline-block;margin-right:.75em}
pre.pygments .lineno::before{content:"";margin-right:-.125em}
.quoteblock{margin:0 1em 1.25em 1.5em;display:table}
.quoteblock:not(.excerpt)>.title{margin-left:-1.5em;margin-bottom:.75em}
.quoteblock blockquote,.quoteblock p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
.quoteblock blockquote{margin:0;padding:0;border:0}
.quoteblock blockquote::before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)}
.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0}
.quoteblock .attribution{margin-top:.75em;margin-right:.5ex;text-align:right}
.verseblock{margin:0 1em 1.25em}
.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility}
.verseblock pre strong{font-weight:400}
.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex}
.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic}
.quoteblock .attribution br,.verseblock .attribution br{display:none}
.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.025em;color:rgba(0,0,0,.6)}
.quoteblock.abstract blockquote::before,.quoteblock.excerpt blockquote::before,.quoteblock .quoteblock blockquote::before{display:none}
.quoteblock.abstract blockquote,.quoteblock.abstract p,.quoteblock.excerpt blockquote,.quoteblock.excerpt p,.quoteblock .quoteblock blockquote,.quoteblock .quoteblock p{line-height:1.6;word-spacing:0}
.quoteblock.abstract{margin:0 1em 1.25em;display:block}
.quoteblock.abstract>.title{margin:0 0 .375em;font-size:1.15em;text-align:center}
.quoteblock.excerpt>blockquote,.quoteblock .quoteblock{padding:0 0 .25em 1em;border-left:.25em solid #dddddf}
.quoteblock.excerpt,.quoteblock .quoteblock{margin-left:0}
.quoteblock.excerpt blockquote,.quoteblock.excerpt p,.quoteblock .quoteblock blockquote,.quoteblock .quoteblock p{color:inherit;font-size:1.0625rem}
.quoteblock.excerpt .attribution,.quoteblock .quoteblock .attribution{color:inherit;text-align:left;margin-right:0}
table.tableblock{max-width:100%;border-collapse:separate}
p.tableblock:last-child{margin-bottom:0}
td.tableblock>.content>:last-child{margin-bottom:-1.25em}
td.tableblock>.content>:last-child.sidebarblock{margin-bottom:0}
table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede}
table.grid-all>thead>tr>.tableblock,table.grid-all>tbody>tr>.tableblock{border-width:0 1px 1px 0}
table.grid-all>tfoot>tr>.tableblock{border-width:1px 1px 0 0}
table.grid-cols>*>tr>.tableblock{border-width:0 1px 0 0}
table.grid-rows>thead>tr>.tableblock,table.grid-rows>tbody>tr>.tableblock{border-width:0 0 1px}
table.grid-rows>tfoot>tr>.tableblock{border-width:1px 0 0}
table.grid-all>*>tr>.tableblock:last-child,table.grid-cols>*>tr>.tableblock:last-child{border-right-width:0}
table.grid-all>tbody>tr:last-child>.tableblock,table.grid-all>thead:last-child>tr>.tableblock,table.grid-rows>tbody>tr:last-child>.tableblock,table.grid-rows>thead:last-child>tr>.tableblock{border-bottom-width:0}
table.frame-all{border-width:1px}
table.frame-sides{border-width:0 1px}
table.frame-topbot,table.frame-ends{border-width:1px 0}
table.stripes-all tr,table.stripes-odd tr:nth-of-type(odd),table.stripes-even tr:nth-of-type(even),table.stripes-hover tr:hover{background:#f8f8f7}
th.halign-left,td.halign-left{text-align:left}
th.halign-right,td.halign-right{text-align:right}
th.halign-center,td.halign-center{text-align:center}
th.valign-top,td.valign-top{vertical-align:top}
th.valign-bottom,td.valign-bottom{vertical-align:bottom}
th.valign-middle,td.valign-middle{vertical-align:middle}
table thead th,table tfoot th{font-weight:bold}
tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7}
tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold}
p.tableblock>code:only-child{background:none;padding:0}
p.tableblock{font-size:1em}
ol{margin-left:1.75em}
ul li ol{margin-left:1.5em}
dl dd{margin-left:1.125em}
dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0}
ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em}
ul.checklist,ul.none,ol.none,ul.no-bullet,ol.no-bullet,ol.unnumbered,ul.unstyled,ol.unstyled{list-style-type:none}
ul.no-bullet,ol.no-bullet,ol.unnumbered{margin-left:.625em}
ul.unstyled,ol.unstyled{margin-left:0}
ul.checklist{margin-left:.625em}
ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1.25em;font-size:.8em;position:relative;bottom:.125em}
ul.checklist li>p:first-child>input[type="checkbox"]:first-child{margin-right:.25em}
ul.inline{display:-ms-flexbox;display:-webkit-box;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap;list-style:none;margin:0 0 .625em -1.25em}
ul.inline>li{margin-left:1.25em}
.unstyled dl dt{font-weight:400;font-style:normal}
ol.arabic{list-style-type:decimal}
ol.decimal{list-style-type:decimal-leading-zero}
ol.loweralpha{list-style-type:lower-alpha}
ol.upperalpha{list-style-type:upper-alpha}
ol.lowerroman{list-style-type:lower-roman}
ol.upperroman{list-style-type:upper-roman}
ol.lowergreek{list-style-type:lower-greek}
.hdlist>table,.colist>table{border:0;background:none}
.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none}
td.hdlist1,td.hdlist2{vertical-align:top;padding:0 .625em}
td.hdlist1{font-weight:bold;padding-bottom:1.25em}
.literalblock+.colist,.listingblock+.colist{margin-top:-.5em}
.colist td:not([class]):first-child{padding:.4em .75em 0;line-height:1;vertical-align:top}
.colist td:not([class]):first-child img{max-width:none}
.colist td:not([class]):last-child{padding:.25em 0}
.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd}
.imageblock.left{margin:.25em .625em 1.25em 0}
.imageblock.right{margin:.25em 0 1.25em .625em}
.imageblock>.title{margin-bottom:0}
.imageblock.thumb,.imageblock.th{border-width:6px}
.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em}
.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0}
.image.left{margin-right:.625em}
.image.right{margin-left:.625em}
a.image{text-decoration:none;display:inline-block}
a.image object{pointer-events:none}
sup.footnote,sup.footnoteref{font-size:.875em;position:static;vertical-align:super}
sup.footnote a,sup.footnoteref a{text-decoration:none}
sup.footnote a:active,sup.footnoteref a:active{text-decoration:underline}
#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em;border-width:1px 0 0}
#footnotes .footnote{padding:0 .375em 0 .225em;line-height:1.3334;font-size:.875em;margin-left:1.2em;margin-bottom:.2em}
#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none;margin-left:-1.05em}
#footnotes .footnote:last-of-type{margin-bottom:0}
#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0}
.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0}
.gist .file-data>table td.line-data{width:99%}
div.unbreakable{page-break-inside:avoid}
.big{font-size:larger}
.small{font-size:smaller}
.underline{text-decoration:underline}
.overline{text-decoration:overline}
.line-through{text-decoration:line-through}
.aqua{color:#00bfbf}
.aqua-background{background:#00fafa}
.black{color:#000}
.black-background{background:#000}
.blue{color:#0000bf}
.blue-background{background:#0000fa}
.fuchsia{color:#bf00bf}
.fuchsia-background{background:#fa00fa}
.gray{color:#606060}
.gray-background{background:#7d7d7d}
.green{color:#006000}
.green-background{background:#007d00}
.lime{color:#00bf00}
.lime-background{background:#00fa00}
.maroon{color:#600000}
.maroon-background{background:#7d0000}
.navy{color:#000060}
.navy-background{background:#00007d}
.olive{color:#606000}
.olive-background{background:#7d7d00}
.purple{color:#600060}
.purple-background{background:#7d007d}
.red{color:#bf0000}
.red-background{background:#fa0000}
.silver{color:#909090}
.silver-background{background:#bcbcbc}
.teal{color:#006060}
.teal-background{background:#007d7d}
.white{color:#bfbfbf}
.white-background{background:#fafafa}
.yellow{color:#bfbf00}
.yellow-background{background:#fafa00}
span.icon>.fa{cursor:default}
a span.icon>.fa{cursor:inherit}
.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default}
.admonitionblock td.icon .icon-note::before{content:"\f05a";color:#19407c}
.admonitionblock td.icon .icon-tip::before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111}
.admonitionblock td.icon .icon-warning::before{content:"\f071";color:#bf6900}
.admonitionblock td.icon .icon-caution::before{content:"\f06d";color:#bf3400}
.admonitionblock td.icon .icon-important::before{content:"\f06a";color:#bf0000}
.conum[data-value]{display:inline-block;color:#fff!important;background:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold}
.conum[data-value] *{color:#fff!important}
.conum[data-value]+b{display:none}
.conum[data-value]::after{content:attr(data-value)}
pre .conum[data-value]{position:relative;top:-.125em}
b.conum *{color:inherit!important}
.conum:not([data-value]):empty{display:none}
dt,th.tableblock,td.content,div.footnote{text-rendering:optimizeLegibility}
h1,h2,p,td.content,span.alt{letter-spacing:-.01em}
p strong,td.content strong,div.footnote strong{letter-spacing:-.005em}
p,blockquote,dt,td.content,span.alt{font-size:1.0625rem}
p{margin-bottom:1.25rem}
.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em}
.exampleblock>.content{background:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc}
.print-only{display:none!important}
@page{margin:1.25cm .75cm}
@media print{*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important}
html{font-size:80%}
a{color:inherit!important;text-decoration:underline!important}
a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important}
a[href^="http:"]:not(.bare)::after,a[href^="https:"]:not(.bare)::after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em}
abbr[title]::after{content:" (" attr(title) ")"}
pre,blockquote,tr,img,object,svg{page-break-inside:avoid}
thead{display:table-header-group}
svg{max-width:100%}
p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3}
h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid}
#toc,.sidebarblock,.exampleblock>.content{background:none!important}
#toc{border-bottom:1px solid #dddddf!important;padding-bottom:0!important}
body.book #header{text-align:center}
body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em}
body.book #header .details{border:0!important;display:block;padding:0!important}
body.book #header .details span:first-child{margin-left:0!important}
body.book #header .details br{display:block}
body.book #header .details br+span::before{content:none!important}
body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important}
body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always}
.listingblock code[data-lang]::before{display:block}
#footer{padding:0 .9375em}
.hide-on-print{display:none!important}
.print-only{display:block!important}
.hide-for-print{display:none!important}
.show-for-print{display:inherit!important}}
@media print,amzn-kf8{#header>h1:first-child{margin-top:1.25rem}
.sect1{padding:0!important}
.sect1+.sect1{border:0}
#footer{background:none}
#footer-text{color:rgba(0,0,0,.6);font-size:.9em}}
@media amzn-kf8{#header,#content,#footnotes,#footer{padding:0}}
</style>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body class="article toc2 toc-right">
<div id="header">
<h1>Iptables with shorewall!</h1>
<div class="details">
<span id="author" class="author">Apostolos rootApostolos@swarmlab.io</span><br>
</div>
<div id="toc" class="toc2">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#cheat-Docker">1. Install swarmlab-sec (Home PC)</a></li>
<li><a href="#_shorewall">2. shorewall</a>
<ul class="sectlevel2">
<li><a href="#_installation">2.1. Installation</a></li>
</ul>
</li>
<li><a href="#_basic_two_interface_firewall">3. Basic Two-Interface Firewall</a></li>
<li><a href="#_shorewall_concepts">4. Shorewall Concepts</a>
<ul class="sectlevel2">
<li><a href="#_zones_shorewall_zone_declaration_file">4.1. zones — Shorewall zone declaration file</a></li>
<li><a href="#_interfaces_shorewall_interfaces_file">4.2. interfaces — Shorewall interfaces file</a></li>
<li><a href="#_policy_shorewall_policy_file">4.3. policy — Shorewall policy file</a></li>
<li><a href="#_rules_shorewall_rules_file">4.4. rules — Shorewall rules file</a></li>
<li><a href="#_compile_then_execute">4.5. Compile then Execute</a></li>
</ul>
</li>
<li><a href="#_three_interface_firewall">5. Three-Interface Firewall</a>
<ul class="sectlevel2">
<li><a href="#_zones">5.1. zones</a></li>
<li><a href="#_interfaces">5.2. interfaces</a></li>
<li><a href="#_policy">5.3. policy</a></li>
<li><a href="#_rules">5.4. rules</a></li>
<li><a href="#_masq_shorewall_masqueradesnat_definition_file">5.5. masq - Shorewall Masquerade/SNAT definition file</a></li>
<li><a href="#_snat_shorewall_snatmasquerade_definition_file">5.6. snat — Shorewall SNAT/Masquerade definition file</a></li>
<li><a href="#_compile_and_execute">5.7. Compile and Execute</a></li>
</ul>
</li>
</ul>
</div>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p><br></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="cheat-Docker">1. Install swarmlab-sec (Home PC)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>HowTo: See <a href="http://docs.swarmlab.io/lab/sec/sec.adoc.html" class="bare">http://docs.swarmlab.io/lab/sec/sec.adoc.html</a></p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">NOTE</div>
<div class="paragraph">
<p>Assuming you&#8217;re already logged in</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_shorewall">2. shorewall</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Shorewall</strong> is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.</p>
</div>
<div class="paragraph">
<p><a href="https://en.wikipedia.org/wiki/Shorewall">More: wikipedia</a></p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">NOTE</div>
<div class="paragraph">
<p>Our docker instances have only one nic</p>
</div>
<div class="paragraph">
<p>to add more nic&#8217;s:</p>
</div>
<div class="listingblock">
<div class="title">create netowrk frist</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">docker network create --driver=bridge --subnet=192.168.0.0/16 net1
docker network create --driver=bridge --subnet=192.168.0.0/16 net2
docker network create --driver=bridge --subnet=192.168.0.0/16 net3</code></pre>
</div>
</div>
<div class="paragraph">
<p>then connect network to container</p>
</div>
<div class="listingblock">
<div class="title">connect network created to container</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">docker network connect net1 master
docker network connect net1 worker1
docker network connect net2 master
docker network connect net2 worker2</code></pre>
</div>
</div>
<div class="paragraph">
<p>now let&#8217;s look at the following image</p>
</div>
</td>
</tr>
</table>
</div>
<div class="sect2">
<h3 id="_installation">2.1. Installation</h3>
<div class="paragraph">
<p>Shorewall is already installed on swarmlab-sec.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_basic_two_interface_firewall">3. Basic Two-Interface Firewall</h2>
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAbwAAAJ7CAIAAAAX17MZAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwAADqYAAAOpgAABdwnLpRPAAASLxJREFUeF7tnTGoJUeWpnOZ1o66W62u7undFrvsoIEtkDNDmTJk1DDGNmOpQMsIFhYtxdJaY5iGLWjBGmUMhYw1BDsFWsYYwZRRrNWU1WaZ7RTIFGXJK5mCKUNm7f/eKZ2KF5k3b0ZkRGZG5pdcHvdmRp488ceJL09E5L3vX7148aLL3f7vP/zD//unf8o9m/NQAAVQoDEF3vmLv+gEzeztow8++KTrHvNCARRAgQMo8LDr3v7FL+ZC84uuU6bKCwVQAAV2r8DXQHP3bUwFUQAFCioANEmQUQAFUCBBAaCZIFbBmxWmUAAFGlUAaAJNFEABFEhQAGgmiNXojRG3UQAFCioANIEmCqAACiQoADQTxCp4s8IUCqBAowoATaCJAiiAAgkKAM0EsRq9MeI2CqBAQQWAJtBEARRAgQQFgGaCWAVvVphCARRoVAGgCTRRAAVQIEEBoJkgVqM3RtxGARQoqADQBJoogAIokKAA0EwQq+DNClMogAKNKgA0gSYKoAAKJCgANBPEavTGiNsogAIFFQCaQBMFUCBTAf/PPgWRVMNmQfdkCmhmhkvZZsAaCrSiQPgv0Pwfi13Zmf6fb2rYrKcn0JwEzeddd6/rnvai4X7X6WXNozcq0389vjw6eMh2ynjUwKcKhyWfXV7x1uVLb/QxNKKLykg/brTT/Blxqe9PvfjDckMKGNrO/gfGl8WmobOGzdqSAs1J0Hxy2bbv9eJAe3yn3mi73nsZvML9UTEZj5q5b8Riy0s++N6gOWDltdPt6KLabg9Zdpj2r2J7+v7UjkLsb1yBiWgLeXoWnTVsLiMj0EyAppr5zlUMRdDsU3WwFQWmwTTwVJOLYjrFCSg49oGoo9qcmwZNbY+uOhxeOtWNZSKSq2xNAUXR2ezyVIGLc4deNWwuphvQTICmBsLafHirRloAmhosi24hjkOAhoEi93TIh956b3vC4TbQXKxr7eNCc+hmJO1zs4bNJdUGmgnQVMYXUnIZaNro26dTbaIgBLeHi3Zqs8G1Mk07KyIs0Fyyd7V+rfl063Ozhs2FdQaaadA0DPkgPco0DUnRq7+uMn1cbIPuEJE27u4vSSlutBbklg2a2qk1onCQHkFTqWjf4YVDkMttU4FSdAu5WcPm8uoBzTRoWhLnIOtD0/aErz7gJkLT5i59dT4cd58KlD40VTIcpEfQtIF/+FLh5aOQK25NgbJ0e8XN7MnREyf2x/4LKAk0JzHCBsW+rOysrDenGS3+eCgYSQcXuEVnbbYW5JmmZ6C2jsTwfIFO1folahCzNC1f2Vuem0AzB5o+SK8Ezf7ij/dDG4NH6acd1U4dsgc2Q2j6IN0eVNIhKz8x4W0dAfifqgDQHFcMaOZA0wfpNrw1iaM1ohHdz9LKFn+i59XdoA23o6MGUx9cR9D0Qbr6A9BMhcihyrdFzFML9FWbDGhmQtMoqS2CpgbO0St1TlOrTJZL9k35mpJRVZmjWKmXP+vuJO1D06gaQVPXGrlK1cjD+AYVaJGYy3MTaE6FpogTzSTaIN2TO0sA+6/+0sp4pnnKTnSW5ijDa+ljuEzfh6aP38NMc9BhL7DBXo1LVRUAmlPkBZqToDlFylXKWJ64yqW56M4UaJeYCyebQBPioAAKXCgANCfeBYEmHQYFUKB5Yg5+X3MiBFOLAU06DAqgwB6guRg3gSYdBgWOqMDlcPzltoOxefRlzbBqqYnk2fJA84gd5mxYUGDHChhQot++rPeNnYUt96tW/CtDQBNoosCBFGh9tScPwWW5CTQP1GF2nD1RtSkKHJOYxR9IAppAEwUOocCRiVmWm0DzEB1mShpCmR0rADELchNoAk0U2LkCEDNe9Zr3JTqgufMOs+PsiapNVABoAk0whwIoMFWBVGLev9ymLFI/f/58SrENlpm5mE6mOTX4Jt7VKYYCm1IgFZrvXW5nSXfv3r1bt26dLVakgOisaz158qSItflfHAKaQBMFdqtAKjEFlInQnFisCOaES1UEaO42TDeVZeDMwRWYCU3j1LNnz5RXatMbg+DTp08NmiHItNOK6Y2zUu+VJz5+/Nj32ym2pz8PMGjkwYOL/4ylv6HlmTieM0In0wTfKLBbBWZC8/r163fu3NFf8VF/tQl2otXt27fto/YbyGyPkVQX1VkGNX30wnojYqqYFzYjjr9BIwZo2TRTM1nppwPN3Qb9wRMlqj9TgfnQFNR8wUfvfR4zHJ4rB9QhzzotMTS8Gm3tvTYbaDv7jKGWb44YKT48nzmtSaYJcFFgtwrMh6bnjJZO+hpRCM3+/KZnhdEhw58zVDYFTY3TB+dS3QjQ3G2AzkwKOB0FiiswH5pGNNv0fhCaAp8uZGNt22w03UdhH38qZpcYMQI0gSYKoMBCCiwGTZuvDDeb6xzMNMPloxCap4wAzYXCpfhNG4Mo0JwCy0BTE53Ro53C36NHj5KgOWKkBjTnTGsypwnEUWCfCmQQM8KcTzj2h+dinC/+aI4yXN7RNGi4EBTydGR4PmJESasMar2o4CNHQHOfQd9cXoPDW1Mgg5uioS+R96Hph5RI2vSljbVt7ds3fTTOhtZs9TxcZ7cCPm16yoihPFy792nWOW+ynzoi0wS4KLBbBTKgOQdDygTnJ4NFjJytRTYxdV8EmrvtMFvLevBneQUWhuZZVG2nANAEfCiAAgMKAM1TmAaadBgUQAGgmZDIAk06DAqgANAEmvN+kn75+SOuiAJbU4DhOcNzsgkUQIE0BeBmn5tzxuasnqfF39byCPxBgbMKAE2gCeZQAAUSFACaQDMhXM7ehCmAAkdQAG6G3Jw5Nmd4DoJRYP8KAE2guf8oP0L6Qx2XVABuGjfnp5lkmvAXBY6iANwsQkygeZQOs2RSw7U2q8CRuVmKmEATaKLAsRQ4JjcLEhNoHqvDbDYDwrElFRBBbPPlkT2RNKrXy5oW/XohPw0HN1HgoAq8oudVhiZ8hXtjRS2jDOtV424ENA/aYWoEEzbbVWAfyWbZYfip1gSaQBMFUODKaH1j6eNUd5YhJnOa9BYUQIGXCrSebAJNQhkFUGBRBZqG5mLEJNNcNCjbnfDC84Mo0C43gSYsQwEUWEGBRqG5JDHJNFeIy4PkLFSzUQVa5CbQBGQogAJrKtAWNxcmJpnmmqHZaCaC27tXoCFoLk9MoAk0UQAFBhSowc1aNot+RXLKHZGH2+kzKIAC1bnpX3Cc+qj6hHKrpJlkmvQWFECBkwqUyg1DutWwOSU9LFiGTJM+gwIoUJGb/XxwPjfXyjGNvECTDoMCKDCmwBzGnaJbtk37BaOCaWOGKaC5cgNktBmnoMDCCrxE1YR5xvA3Osfplmdz4YoPXg5oAk0UQIFJCkzEXFIyOMWmlVk9wXSAAs1J4bKF+xs+oMAWFHCEnXqT4eS4zQyDVU8BmkATBXaowFdd93Dtub+q5FrRONDcYYdZMZ649EYUePe17ndAs44CQBNoosDeFPj8te7GD/dWqY3cjXjkiMBCgb0p8E3XXfvXpJkVm5VMs6K427k34slxFPjwZ92NN4nqigoAzYriHqejUtONKPD7y3VoZjOrNgfQBJoosBMFvuu6t3/S3fjpTqpTFXxzjANNIgwFdqLAJz8mzVyiKYHmEirPua1xLgpMUUAPZr6uRXPSzDqPGYVNADSBJgrsQYGb17prP2E2c4mmBJpLqDwlU6AMCmQr8IVyzHdIMxfqy0BzIaGz+wMnosC4Anow88Zb3bt/Tpq5UF8GmgsJTc9HgUoKfPTT7sP/3P3qGpG8kAJAcyGhK3UYzB5cgcddd/NGd+PPui/rL4AcXGqvPtAEmijQqgJ6MPPGz7tPP+3eZ9F8wXsG0Gy1w3DbR4G7b3R3/ydp5tJdGGgurThdHQWKKKAHM2/8affwIWnm0l0YaC6teJEOgxEU0IOZjx+
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">connect to master first</div>
<div class="paragraph">
<p>Assuming you&#8217;re already logged in master!</p>
</div>
<div class="paragraph">
<p>master is now our Firewall/Router</p>
</div>
<div class="paragraph">
<p>swarmlab-sec login</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_shorewall_concepts">4. Shorewall Concepts</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall</p>
</div>
<div class="sect2">
<h3 id="_zones_shorewall_zone_declaration_file">4.1. zones — Shorewall zone declaration file</h3>
<div class="paragraph">
<p>The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces</p>
</div>
<div class="listingblock">
<div class="title">/etc/shorewall/zones</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_interfaces_shorewall_interfaces_file">4.2. interfaces — Shorewall interfaces file</h3>
<div class="paragraph">
<p>The interfaces file serves to define the firewall&#8217;s network interfaces to Shorewall.</p>
</div>
<div class="listingblock">
<div class="title">/etc/shorewall/interfaces</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ZONE INTERFACE BROADCAST OPTIONS
net eth0 dhcp,routefilter
loc eth1 detect</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_policy_shorewall_policy_file">4.3. policy — Shorewall policy file</h3>
<div class="paragraph">
<p>This file defines the high-level policy for connections between zone</p>
</div>
<div class="listingblock">
<div class="title">/etc/shorewall/policy</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_rules_shorewall_rules_file">4.4. rules — Shorewall rules file</h3>
<div class="paragraph">
<p>Entries in this file govern connection establishment by defining exceptions to the policies</p>
</div>
<div class="listingblock">
<div class="title">/etc/shorewall/rules</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_compile_then_execute">4.5. Compile then Execute</h3>
<div class="paragraph">
<p>Shorewall uses a "compile" then "execute" approach. The Shorewall configuration compiler reads the configuration files and generates a shell script. Errors in the compilation step cause the script to be discarded and the command to be aborted. If the compilation step doesn&#8217;t find any errors then the shell script is executed.</p>
</div>
<div class="listingblock">
<div class="title">/sbin/shorewall</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">/sbin/shorewall start
/sbin/shorewall stop
/sbin/shorewall clear</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">NOTE</div>
<div class="paragraph">
<p>The 'compiled' scripts are placed by default in the directory /var/lib/shorewall and are named to correspond to the command being executed. For example, the command /sbin/shorewall start will generate a script named /var/lib/shorewall/.start and, if the compilation is error free, that script will then be executed. If the script executes successfully, it then copies itself to /var/lib/shorewall/firewall. When an /sbin/shorewall stop or /sbin/shorewall clear command is subsequently executed, /var/lib/shorewall/firewall is run to perform the requested operation.</p>
</div>
<div class="paragraph">
<p>The AUTOMAKE option in /etc/shorewall/shorewall.conf may be set to automatically generate a new script when one of the configuration files is changed. When no file has changed since the last compilation, the /sbin/shorewall start, /sbin/shorewall reload and /sbin/shorewall restart commands will simply execute the current /var/lib/shorewall/firewall script.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_three_interface_firewall">5. Three-Interface Firewall</h2>
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAArQAAAJ7CAIAAACd4pXsAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwAADqYAAAOpgAABdwnLpRPAAAZjJJREFUeF7tnT2oZVd6pveMW1juru6+trsHRZ5q6GIU3lA0YrhObIUq8IDAYAuEsZIBQVfQWQVNocCBzCBoxolgKlAoKmoc3bATQYWNoopcAicCK2hnNd+5362lVWv/nLXWXr97PYfD5dxz1t9+99nf++xvrb3Pf3nx4sXEAwVQYF2B//zP//znf/5n+YtIKIACKDCCAnfv3p0EDnigAApsKHB9fX339dcfThNPFEABFBhBgRMA4QoogALbCggcXF1cSIaNJwqgAAqMoABwgC2iwHkFgIMRoiHbiAIoYBQADs4bAyVQADggaKIACgylAHCA8aHAeQWAg6HCIhuLAigAHJw3BkqgAHBArEQBFBhKAeAA40OB8woAB0OFRTYWBVAAODhvDJRAAeCAWIkCKDCUAsABxocC5xUADoYKi2wsCqAAcHDeGCiBAsABsRIFUGAoBYADjA8FzisAHAwVFtlYFEAB4OC8MVACBYADYiUKoMBQCgAHGB8KnFcAOBgqLLKxKIACwMF5Y6AECgAHxEoUQIGhFAAOMD4UOK8AcDBUWGRjUQAFgIPzxkAJFAAOiJUogAJDKQAcYHwocF4B4GCosMjGogAKAAfnjYESKAAcECtRAAWGUgA4wPhQ4LwCwMFQYZGNRQEUAA7OGwMlUAA4IFaiwJgKnDzy5pFw83O0mXB42hRwgPGhwHkFgIPkoYcGUaBZBYx5n5jg5eOVN8NZIUebWQUEDs4bAyVQYBA4+Gqa5DmPOF9ab8rrxafU+nblIyk/b3at8Lzk9TQ9mib5uz0w86m9Ff69ZI2zNN6LAp4nzEG5hBxtFtATOMD4UOC8AoPAwds3YcyxYbF2eSgf6Ov5497Np2Lhaw9p2Qlna4Xtkg+mSVq2n/KOaUcHc3/WsrRgGvHppUCcpYv2FfC0cDtYnEWEHG0WUxI4OG8MlECBoeDAMfI5HDxeyhA4mQP1dZNj8MkcSBV5SOMa/j64+fdTy/vltTzkfS1gSMUuI+87cGAPY2M8xWIuHTWogHyvoqPcqe7SM0ebJaUDDqK/ElQcSIFx4EBP0+cn6HbmwJ5lWItWcsqu6QTP55NXjV8QwQYF04jygQKEwoGggHT03OpoDgeeY6DYmArscXENgnM+yNFm4b0DHAzkcGxqtALjwIE4q6bizeTCPHOQHA4kryAGb2csZLJgjS3kfZ1K0IHJOM07Gj2Bg8Iu0nV3+118zgc52iwvMnAQ7RdUHEiBoeDA8VefaYX5rEFQ5sC2cw2CDivYkdFwgxmYZh3M5ILPtIIsVCwfbemxNQVSubjNBznarKIbcDCQw7Gp0QqMBgd6Kq+TC3M4cBYJOifuGsj84UDWEOiyADsCyjvSwmJMNC3bA9NGdHJhviBxPuC1xqtEYTqtokBaF/+OD6KjzErF+ZxFGbmAg9R7kvaOqMBocKDurkn7rNMK2otZhGii3iJw6KfKAQ61SCbAVGFaoYx5dN1LDjLIF/mq8AFwkG+H0vJxFBgQDswpuPCBPHIsSNTpAHvxo/Eb/zUHJuVgJheAg65tu8zggYOzOgMHxzEwtiSfAmPCgVknmAMOtPH5XQo0Zq1drWC/b6c07KSCvV7Bf3bjbKykwGEU6IsM1i6IyL07gIN8hkLLx1FgTDgwkws54EDP7zcWBur0gXOfA5sn5nCgkwvyMBc+AAe5LaS79nskgyp8ABwcx8DYknwKDAsHOrngwMF8fd98ReG2K6uvL7ZjX8Fo7pCoNzMwayTVkOZwIG/q5IINB2sddedqDDiJAsCBp4zAQT5DoeXjKDAIHCz+toL+PIEJKPJ68elEHKfWPB6tteNctiAXIMhUgqCG/LXvdGT4YLFlc2nlxs89eIZIih1JgX7JoHzyADg4joGxJfkUGAQOjmQDbAsKzBUADvy/FcBBPkOh5eMoABz4xxRKokCbCvROBhJPT5tQ6gkcHMfA2JJ8CgAHxUISHaFAJgUOAAcl+QA4yGcotHwcBYCDTPGaZlEgnwI3i1NvH6eT7h0/vdhOLNPkgbNpOTQ8iF7t7DlGckgFgIMc0Yc2USCTAuqddiw6Bhl8tyzR2rbbjU093QAcHNLL2KjECgAHmYI4zaJAcgWOxAH+gSz5cgTgwF98So6rAHCQPILTIArkUGBMMshxoSNwMK7hseX+CgAHOeI4baJAWgVGJoPkfAAc+BsEJcdVADhIG8RpDQWSKwAZpOUD4GBcw2PL/RUADpKHchpEgYQKQAbu6svd6xOBA3+DoOS4CgAHCeM4TaFAcgWAA+BgXH9iyysqABwkj+Y0iAKpFAglg69uHhXjSYGu91+8QOagwG6ii+4VAA5SxXHaQYHkCoTCwds3j7NR6fnz5x988MHZYqkKPH78+NNPP03VGnCQSknaQYEtBYCD5AGdBlEgiQKhZCDHuSccPHr06N69e8Uio/QlPabqDjhIpSTtoABwUO43XZK4Ao2ggCiQCg5kouHLL7+0o8AiHEgZp5ipMn9f3lmcv5j3JY2khQNpcCcfxCiLjaDAaAqQOcCHUKBNBXbCwf379x88eCB/xZv18eTJE4lvSgbSuPFsSfubMqaYlpTq8tDCAgTyVyYItLC8KR/ZACF5C9OOSRWYvhLmKoCD0XyK7a2gAHDQpjEwKhTYCQdq1TrZ/+2339ozDnbmQCKAdGTWBMhaBKklixIUDuQjeUewQIrJX/lX2tFPBSnkX/mrYUtqmXUM+pGyCJmDCmGdLlFgvwLAASaEAm0qkAQOTIjQM37914YDOft31jBKMUk5mGKKAvJQODA0YLu+3bgWFlAwzTKtsD9Q0wIKlFYAOGjTGBgVCuyHA9v1dVJgDgc6EaB5BX3ovw5DGDiw1x9IMZ0+EBTQpILdiOkOOCgd1ukPBfYrABxgQijQpgLF4ECSB+Lx9kNnGZx1i5o5WIQDXdngNGIvO0h4tYIMjDUH+yM/LaDAGQWAgzaNgVGhQBk4mF/9KBMHeiWCPxzML3+QBQcGI5JnDnbyAVcr4IsocF4B4AATQoEGFYggAznabad3XH8+rSCrFKWKs65QTN0sLPCHA1mXYC9IdP41ixjOxyPvEnuSB8CBt8wUHFgB4KBBY2BIKLD/PgcbcCCJAftSRnvFgF6eMF+asL3mQCHDLF8wqxa0HXMxZMJACxwkFJOmUGBBAeAAH0KBNhWISB7Yv60w/50Fe7mA3q1IkwfykH9lnYE87FsbyafO7Y+cf6WwaUEakYSBIILkGxZvmrR2h6WIuLyHDJS6poheqYICQykAHLRpDIwKBbCwtVAMHAxlUmxsHQWAA0wIBdpUADgADuq4Ar2igCgAHLRpDIwKBYAD4ACTQoFqCgAHmBAKtKkAcAAcVDMGOkYB4KBNY2BUKAAcAAc4FApUUwA4wIRQoFkF4IN5ZNy5GpGrFaqZDR33pQBw0KwxMDAUAA6Ag74MhdEeRwHgAAdCgWYVAA6Ag+OYDVvSlwLAQbPGwMBQQHPgfYWUrKPdP6fAtELWHUTjx1EAOMCBUKBlBYADO9oCB8fxHrakcQWAg5aNgbGhAMkDE0KTkAGZg8YtieG1ogBwgP2gQPsKkD9IRQbAQSvewzgaVwA4aN8YGCEKDJ4/SEgGwEHjlsTwWlEAOMB4UKAXBcbMH6QlA+CgFe9hHI0rABz0YgyMEwVuje3VSxiORAz2tuhPKycnA+CgcUtieK0oABxgOSjQowK2dx6DD5QD8jGB2ctcHtqK/TCOlhUADno0BsaMArYCR4KDAnsWOGjZkhhbKwoABwWCEV2gQFYFDgAHOaYP1jQHDlqxH8bRsgLAQdaoTeMoUEaB3vkAOGjZJhjbiAoAB2ViN72gQFYFuoaDkmTAgsQRfY5tjlAAOMgasmkcBYop0C8fAAcRoZsqKJBXAeCgWOymIxTIqkCncFCYDMgc5HUUWj+MAsB
</div>
</div>
<div class="sect2">
<h3 id="_zones">5.1. zones</h3>
<div class="listingblock">
<div class="title">/etc/shorewall/zones</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4 #new line</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_interfaces">5.2. interfaces</h3>
<div class="listingblock">
<div class="title">/etc/shorewall/interfaces</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ZONE INTERFACE BROADCAST OPTIONS
net eth0 dhcp,routefilter
loc eth1 detect
dmz eth2 detect #new line</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_policy">5.3. policy</h3>
<div class="listingblock">
<div class="title">/etc/shorewall/policy</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
dmz net DROP #new line
net all DROP info
all all REJECT info</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_rules">5.4. rules</h3>
<div class="listingblock">
<div class="title">/etc/shorewall/rules</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80
#New lines
ACCEPT $FW dmz udp 53
ACCEPT dmz $FW udp 53
ACCEPT $FW dmz tcp 80
ACCEPT dmz $FW tcp 80
ACCEPT loc dmz tcp 80 # Add your rules for the zones you have defined.
ACCEPT dmz loc tcp 80 #
ACCEPT loc net tcp 80 # This here is an example
ACCEPT net loc tcp 80 # for communication
ACCEPT dmz net tcp 80 # over port 80
ACCEPT net dmz tcp 80 # aka the web</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_masq_shorewall_masqueradesnat_definition_file">5.5. masq - Shorewall Masquerade/SNAT definition file</h3>
<div class="paragraph">
<p>/etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).</p>
</div>
<div class="listingblock">
<div class="title">/etc/shorewall/masq</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#INTERFACE SOURCE ADDRESS PROTO DPORT
eth0 eth1
eth0 eth2</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_snat_shorewall_snatmasquerade_definition_file">5.6. snat — Shorewall SNAT/Masquerade definition file</h3>
<div class="paragraph">
<p>This file is used to define dynamic NAT (Masquerading) and to define Source NAT (SNAT). It superseded shorewall-masq(5) in Shorewall 5.0.14.</p>
</div>
<div class="listingblock">
<div class="title">/etc/shorewall/masq</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#ACTION SOURCE DEST
MASQUERADE 192.168.0.0/24 eth0
MASQUERADE 192.168.1.0/24 eth0</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>You have a simple masquerading setup where eth0 connects to internet and eth1 connects to your local network with subnet 192.168.0.0/24.</p>
</li>
<li>
<p>You add a router to your local network to connect subnet 192.168.1.0/24 which you also want to masquerade. You then add a second entry for eth0 to this file</p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>Beginning with that release, the Shorewall compiler will automatically convert existing masq files to the equivalent snat file, and rename the masq file to masq.bak.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
<div class="sect2">
<h3 id="_compile_and_execute">5.7. Compile and Execute</h3>
<div class="listingblock">
<div class="title">/sbin/shorewall</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">/sbin/shorewall start
/sbin/shorewall stop
/sbin/shorewall clear</code></pre>
</div>
</div>
<div class="paragraph">
<p><br>
<br>
</p>
</div>
<hr>
</div>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2020-07-09 15:06:14 UTC
</div>
</div>
</body>
</html>