From 0fffc7c89a57a7adf16da1b52600e0d9ea73a420 Mon Sep 17 00:00:00 2001
From: test2 <test2@test2.gr>
Date: Tue, 10 Dec 2019 22:03:21 +0200
Subject: [PATCH] shorewall

---
 sec/ex-4_iptables.adoc | 101 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

diff --git a/sec/ex-4_iptables.adoc b/sec/ex-4_iptables.adoc
index 663562a..5eeb4d6 100644
--- a/sec/ex-4_iptables.adoc
+++ b/sec/ex-4_iptables.adoc
@@ -151,8 +151,109 @@ The AUTOMAKE option in /etc/shorewall/shorewall.conf may be set to automatically
 
 
 
+== Three-Interface Firewall
 
 
+image::dmz1.png[Three-Interface Firewall]
+
+=== zones 
+
+./etc/shorewall/zones
+[source,bash]
+----
+#ZONE   TYPE   OPTIONS                 IN_OPTIONS              OUT_OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+dmz     ipv4				#new line
+----
+
+=== interfaces
+
+./etc/shorewall/interfaces
+[source,bash]
+----
+#ZONE       INTERFACE       BROADCAST      OPTIONS
+net         eth0                           dhcp,routefilter
+loc         eth1            detect
+dmz         eth2            detect		#new line
+----
+
+
+=== policy 
+
+./etc/shorewall/policy
+[source,bash]
+----
+#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
+loc        net         ACCEPT
+dmz        net         DROP                    #new line
+net        all         DROP        info
+all        all         REJECT      info
+----
+
+
+=== rules
+
+./etc/shorewall/rules
+[source,bash]
+----
+#ACTION    SOURCE    DEST               PROTO     DPORT
+ACCEPT     $FW       net                udp       53
+ACCEPT     net       $FW         	udp       53
+ACCEPT     $FW       net                tcp       80
+ACCEPT     net       $FW         	tcp       80
+----
+
+
+
+=== masq - Shorewall Masquerade/SNAT definition file
+
+/etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).
+
+
+./etc/shorewall/masq
+[source,bash]
+----
+#INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
+eth0         eth1
+eth0         eth2
+----
+
+=== snat — Shorewall SNAT/Masquerade definition file
+
+This file is used to define dynamic NAT (Masquerading) and to define Source NAT (SNAT). It superseded shorewall-masq(5) in Shorewall 5.0.14.
+
+
+./etc/shorewall/masq
+[source,bash]
+----
+#ACTION    SOURCE              DEST
+MASQUERADE 192.168.0.0/24      eth0
+MASQUERADE 192.168.1.0/24      eth0
+----
+
+- You have a simple masquerading setup where eth0 connects to internet and eth1 connects to your local network with subnet 192.168.0.0/24.
+- You add a router to your local network to connect subnet 192.168.1.0/24 which you also want to masquerade. You then add a second entry for eth0 to this file
+
+
+[NOTE]
+====
+Beginning with that release, the Shorewall compiler will automatically convert existing masq files to the equivalent snat file, and rename the masq file to masq.bak.
+====
+
+
+=== Compile then Execute
+
+
+./sbin/shorewall
+[source,bash]
+----
+/sbin/shorewall start
+/sbin/shorewall stop
+/sbin/shorewall clear
+----
+
 
 
 :hardbreaks: