zeus
/
lab
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

shorewall

master
test2 5 years ago
parent
6713e176cf
commit
0fffc7c89a
1 changed files with 101 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 101
      sec/ex-4_iptables.adoc

101
sec/ex-4_iptables.adoc
View File

@ -151,8 +151,109 @@ The AUTOMAKE option in /etc/shorewall/shorewall.conf may be set to automatically
== Three-Interface Firewall
image::dmz1.png[Three-Interface Firewall]
=== zones
./etc/shorewall/zones
[source,bash]
----
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4 #new line
----
=== interfaces
./etc/shorewall/interfaces
[source,bash]
----
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 dhcp,routefilter
loc eth1 detect
dmz eth2 detect #new line
----
=== policy
./etc/shorewall/policy
[source,bash]
----
#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
dmz net DROP #new line
net all DROP info
all all REJECT info
----
=== rules
./etc/shorewall/rules
[source,bash]
----
#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80
----
=== masq - Shorewall Masquerade/SNAT definition file
/etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).
./etc/shorewall/masq
[source,bash]
----
#INTERFACE SOURCE ADDRESS PROTO DPORT
eth0 eth1
eth0 eth2
----
=== snat — Shorewall SNAT/Masquerade definition file
This file is used to define dynamic NAT (Masquerading) and to define Source NAT (SNAT). It superseded shorewall-masq(5) in Shorewall 5.0.14.
./etc/shorewall/masq
[source,bash]
----
#ACTION SOURCE DEST
MASQUERADE 192.168.0.0/24 eth0
MASQUERADE 192.168.1.0/24 eth0
----
- You have a simple masquerading setup where eth0 connects to internet and eth1 connects to your local network with subnet 192.168.0.0/24.
- You add a router to your local network to connect subnet 192.168.1.0/24 which you also want to masquerade. You then add a second entry for eth0 to this file
[NOTE]
====
Beginning with that release, the Shorewall compiler will automatically convert existing masq files to the equivalent snat file, and rename the masq file to masq.bak.
====
=== Compile then Execute
./sbin/shorewall
[source,bash]
----
/sbin/shorewall start
/sbin/shorewall stop
/sbin/shorewall clear
----
:hardbreaks:

Write Preview
Loading…
Cancel
Save