shorewall
In this example we use Shorewall as the firewall connecting to the internet, with an Apache2 server in a DMZ behind it. The DMZ uses private addresses (172.16.0.0/16), so we need masquerading NAT for traffic leaving the DMZ and DNAT (port forwarding) for traffic coming in to the web server. We need a zone DMZ and a zone NET (the internet). Later we could add a zone LOC (local) leading to machines in a subnet that is never exposed to the internet.
- Enable IPv4 forwarding (we need NAT)
If we want to make this configuration permanent, the best way to do it is the file /etc/sysctl.conf, where we add a line containing net.ipv4.ip_forward = 1 and then run sysctl -p to apply it without a reboot. Shorewall can also take care of this itself: IP_FORWARDING=On in /etc/shorewall/shorewall.conf turns forwarding on when the firewall starts, and IP_FORWARDING=Keep leaves whatever sysctl set.
File /etc/sysctl.conf:
net.ipv4.ip_forward = 1
- inventory
In the directory /etc/shorewall we need the following files:
conntrack.old interfaces masq params policy rules shorewall.conf zones
First, we should rename the obsolete file conntrack to conntrack.old
...
Next we should configure the following files as needed ...
- file
/etc/shorewall/interfaces
#
# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
dmz     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

Note that the OPTIONS list is a single comma-separated word. Written as "dhcp, tcpflags, nosmurfs, ..." with spaces, Shorewall reads each item after the first as an extra column and refuses to compile the file.
- file
/etc/shorewall/zones
#
# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
#
# fw   firewall (this machine)
# net  ipv4 (outside -- in fact the entire internet)
# dmz  ipv4 (inside 172.16.0.0/16, pointing to the DMZ servers)
# loc  ipv4 (not used: 192.168.0.0/24 -- the machines beyond the DMZ)
#
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

The zone loc is declared here but assigned to no interface, so Shorewall warns that the zone is empty; the warning is harmless until a third interface (e.g. eth2) is added to the interfaces file for it.
- file
/etc/shorewall/masq
#INTERFACE   SOURCE
# the interface pointing outside, and the network on the inside
eth0         172.16.0.0/16

Shorewall 5 replaced this file with /etc/shorewall/snat; the equivalent line there is "MASQUERADE 172.16.0.0/16 eth0".
- file
/etc/shorewall/policy
#
# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
#
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
# there is no traffic from LAN to INTERNET via this firewall
#loc      net    ACCEPT
# from DMZ machines to outside
dmz       net    ACCEPT
# from INTERNET
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

Two consequences of this policy file are worth checking. First, the firewall itself ($FW) falls under "all all REJECT", so the firewall cannot reach the internet (DNS, package updates, ping) except through explicit rules; either add the rules you need or an explicit "$FW net ACCEPT" policy line above the catch-all. Second, "dmz net ACCEPT" lets a compromised DMZ host connect anywhere on the internet; once the setup works, tighten it to the outbound traffic the web server really needs.
- file
/etc/shorewall/rules
# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
#
# For information about entries in this file, type "man shorewall-rules"
###############################################################################################################################
#ACTION         SOURCE   DEST                 PROTO   DEST     SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH   HELPER
#                                                     PORT     PORT(S)   DEST       LIMIT   GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
### Don't allow connection pickup from the net
#
Invalid(DROP)   net      all                  tcp
### Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)     $FW      net
#
#############################################
### SSH #####################################
#
### Accept SSH connections from the local network for administration
### To be commented out after SSH has changed port to 2222
#
SSH(ACCEPT)     loc      $FW
SSH(ACCEPT)     dmz      $FW
#
### allow SSH via net @port 2222
#
ACCEPT          net      $FW                  tcp     1022
ACCEPT          dmz      $FW                  tcp     1022
#
#############################################
### PING and ICMP ###########################
#
### Allow Ping from the DMZ network
#
Ping(ACCEPT)    dmz      $FW
#
### Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)      net      $FW
#
### can we still ping to outside?
#
ACCEPT          $FW      loc                  icmp
ACCEPT          $FW      dmz                  icmp
#
#############################################
### reverse forwarding port 80 to web-server 172.16.10.100
#
Web(DNAT)       net      dmz:172.16.10.100
#
##########

Three things to check in this file before loading it. The comments speak of SSH on port 2222 while the two ACCEPT lines open port 1022; make both match the Port in sshd_config, otherwise the administrative connection from the net is cut off as soon as the SSH(ACCEPT) lines are commented out. The answer to "can we still ping to outside?" is no: the two ACCEPT lines only let the firewall ping loc and dmz, and $FW to net is rejected by the policy, so add "Ping(ACCEPT) $FW net" if the firewall should be able to ping the internet. Finally, the Web macro forwards both 80 and 443 to 172.16.10.100; use HTTP(DNAT) instead if only port 80 is meant to be reachable. After editing, "shorewall check" compiles the configuration without loading it, and "shorewall try /etc/shorewall 60" loads it but reverts automatically if you lose your SSH session and cannot confirm within 60 seconds.
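The steps above are a single procedure, and most of the ways it goes wrong are visible in the files before Shorewall is ever started. The script below is an added example, not part of this page or of the Shorewall project: a pre-flight linter for a Shorewall 4.x directory that catches spaces inside the OPTIONS column of the interfaces file, a zone declared without an interface, a policy file that does not end in a catch-all, rules naming undeclared zones, and ip_forward still being 0. It assumes the 4.x column layout used on this page (no "?FORMAT 2" interfaces file); the fixture it lints is constructed from the files above, with the OPTIONS spaces optionally left in to show the failure.

```shell
#!/bin/sh
# Pre-flight linter for a Shorewall 4.x configuration directory (added example; run it
# before `shorewall check`). Assumes the classic column layout shown on this page.

# Strip comments and blank lines from a Shorewall table file.
sw_body() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# interfaces: ZONE INTERFACE BROADCAST OPTIONS is at most 4 fields; a space inside the
# OPTIONS list ("dhcp, tcpflags, ...") spills into extra fields and breaks compilation.
check_interfaces() {
    sw_body "$1/interfaces" | awk '
        NF > 4 { print "interfaces: " NF " fields, space inside OPTIONS? -> " $0; bad = 1 }
        END { exit bad }'
}

# zones: a non-firewall zone that appears on no interface is empty (Shorewall only warns).
check_zones() {
    sw_body "$1/zones" | awk -v ifz="$(sw_body "$1/interfaces" | awk '{print $1}' | tr '\n' ' ')" '
        $2 != "firewall" && index(" " ifz " ", " " $1 " ") == 0 {
            print "zones: zone " $1 " has no interface (empty zone)"; warn = 1 }
        END { exit warn }'
}

# policy: the last active line must be the catch-all "all all REJECT|DROP".
check_policy() {
    sw_body "$1/policy" | awk '
        { last = $0 }
        END {
            n = split(last, f)
            if (n < 3 || f[1] != "all" || f[2] != "all" || (f[3] != "REJECT" && f[3] != "DROP")) {
                print "policy: last line is not a catch-all REJECT/DROP: " last; exit 1 } }'
}

# rules: SOURCE and DEST (fields 2 and 3, minus any ":addr" suffix) must be a declared
# zone, $FW or all. SECTION lines are skipped.
check_rules() {
    sw_body "$1/rules" | awk -v zones="$(sw_body "$1/zones" | awk '{print $1}' | tr '\n' ' ')" '
        $1 == "SECTION" { next }
        {
            for (i = 2; i <= 3; i++) {
                z = $i; sub(/:.*/, "", z)
                if (z != "$FW" && z != "all" && index(" " zones " ", " " z " ") == 0) {
                    print "rules: unknown zone " z " in: " $0; bad = 1 } } }
        END { exit bad }'
}

# ip_forward must be 1 or the masq/DNAT setup forwards nothing. The path is a parameter
# so the check can be pointed at a constructed file instead of /proc.
check_forwarding() {
    read -r v < "${1:-/proc/sys/net/ipv4/ip_forward}" && [ "$v" = 1 ]
}

# Hard failures: interfaces, policy, rules. An empty zone is reported but not fatal.
lint_dir() {
    rc=0
    check_interfaces "$1" || rc=1
    check_policy "$1" || rc=1
    check_rules "$1" || rc=1
    check_zones "$1" || echo "  (warning only)"
    return $rc
}

# Constructed fixture: the files from this page in a scratch directory. With fix=1 the
# OPTIONS column is written without the embedded spaces of the original listing.
make_fixture() {
    d=$(mktemp -d)
    if [ "$1" = 1 ]; then o='dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0'
    else o='dhcp, tcpflags, nosmurfs, routefilter, logmartians, sourceroute=0'; fi
    printf 'net eth0 detect %s\ndmz eth1 detect tcpflags,nosmurfs,routefilter,logmartians\n' "$o" > "$d/interfaces"
    printf 'fw firewall\nnet ipv4\ndmz ipv4\nloc ipv4\n' > "$d/zones"
    printf 'dmz net ACCEPT\nnet all DROP info\nall all REJECT info\n' > "$d/policy"
    cat > "$d/rules" <<'EOF'
SECTION NEW
Invalid(DROP) net all tcp
SSH(ACCEPT) dmz $FW
ACCEPT net $FW tcp 1022
Ping(DROP) net $FW
ACCEPT $FW dmz icmp
Web(DNAT) net dmz:172.16.10.100
EOF
    echo "$d"
}

# Demo: lint the corrected fixture. For the real thing: lint_dir /etc/shorewall && check_forwarding
demo=$(make_fixture 1)
lint_dir "$demo" && echo "fixture lints clean (loc stays empty until it gets an interface)"
rm -rf "$demo"
```

The linter is deliberately stricter than Shorewall about the policy catch-all and about zone names in rules, since a typo there silently ends up as an extra column or an unknown zone error only at compile time; it is no substitute for "shorewall check", which is the authoritative test and should still be run afterwards.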