(26 intermediate revisions by the same user not shown)

Newer revision:

{{howto_header}}

This covers setup and maintenance of <span class="code">Shorewall 4.5</span> on Red Hat Enterprise Linux 5.x, 6.x, [[RHEL]] derivatives and several recent Fedora releases.

= Install =

{{note|1=Updated on <span class="code">2015-05-05</span> for Shorewall release 4.6.8.}}

Installation is trivial: we just need to install the dependencies and then the latest RPMs.

<syntaxhighlight lang="bash">
yum install perl perl-Digest-SHA perl-Digest-SHA1
</syntaxhighlight>

You can check for the [http://shorewall.net/download.htm latest version here].

<syntaxhighlight lang="bash">
rpm -Uvh http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-core-4.6.8-0base.noarch.rpm \
         http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-4.6.8-0base.noarch.rpm
</syntaxhighlight>

Older revision:

{{howto_header}}

This covers setup and maintenance of <span class="code">Shorewall 4.4</span> on Red Hat Enterprise Linux 5.x, 6.x, [[RHEL]] derivatives and several recent Fedora releases.

= Install =

{{note|1=Previously, RPMs were available but they no longer seem to be maintained. Thus, this section has changed to install from the tarball.}}

First, download the latest version of Shorewall. You can find the [http://shorewall.net/download.htm latest version here].

<source lang="bash">
wget -c http://canada.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.25/shorewall-4.4.25.2.tgz
</source>
<source lang="bash">
--2011-11-06 08:30:21-- http://canada.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.4/shorewall-4.4.25/shorewall-4.4.25.2.tgz
Resolving canada.shorewall.net... 174.142.92.243
Connecting to canada.shorewall.net|174.142.92.243|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 651265 (636K) [application/x-gzip]
Saving to: “shorewall-4.4.25.2.tgz”

100%[=========================================================================>] 651,265 391K/s in 1.6s

2011-11-06 08:30:22 (391 KB/s) - “shorewall-4.4.25.2.tgz” saved [651265/651265]
</source>

Untar it, change into the created directory and run the <span class="code">install.sh</span> script.

<source lang="bash">
tar -xvzf shorewall-4.4.25.2.tgz
</source>

<source lang="bash">
cd shorewall-4.4.25.2
./install.sh
</source>
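Both the RPM and the tarball steps above install whatever the HTTP mirror returns, with no check that the file is the one the project published. As an added example (not from this wiki page or from Shorewall itself), the shell functions below fetch the artifact with wget -c as the page does and refuse to leave it under its install name unless its SHA-256 matches a digest obtained out of band; the out-of-band digest source and the <EXPECTED_SHA256> placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Shorewall.
# Verify a downloaded Shorewall artifact (RPM or tarball) against a SHA-256
# digest before handing it to rpm -Uvh or install.sh, so a tampered or
# truncated download fails closed instead of being installed.
# Assumption (hypothetical): the expected digest comes from somewhere other
# than the same HTTP mirror, e.g. the release announcement.

set -u

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Uses coreutils sha256sum, falling back to shasum where that is what exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED
#   returns 0 if the digest matches (comparison is case-insensitive),
#           1 on mismatch,
#           2 if FILE is missing or unreadable.
verify_artifact() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED DEST
# Downloads with wget -c as the page does, then refuses to leave an unverified
# file under its install name: on any failure DEST is renamed DEST.rejected.
#   returns 0 verified, 1 mismatch, 2 unreadable, 3 download failed.
fetch_and_verify() {
    url=$1
    expected=$2
    dest=$3
    wget -c -O "$dest" "$url" || return 3
    if verify_artifact "$dest" "$expected"; then
        rc=0
        echo "OK: $dest matches the expected SHA-256"
    else
        rc=$?
        mv -f "$dest" "$dest.rejected" 2>/dev/null
        echo "REJECTED: $dest failed verification (rc=$rc), moved aside" >&2
    fi
    return "$rc"
}

# Typical use (needs network; <EXPECTED_SHA256> is a placeholder, not a real digest):
#   fetch_and_verify \
#     http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-core-4.6.8-0base.noarch.rpm \
#     <EXPECTED_SHA256> shorewall-core-4.6.8-0base.noarch.rpm \
#   && rpm -Uvh shorewall-core-4.6.8-0base.noarch.rpm
```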
| |
| Man page shorewall-netmap.5.gz installed to /usr/share/man/man5/shorewall-netmap.5.gz
| |
| Man page shorewall-notrack.5.gz installed to /usr/share/man/man5/shorewall-notrack.5.gz
| |
| Man page shorewall-params.5.gz installed to /usr/share/man/man5/shorewall-params.5.gz
| |
| Man page shorewall-policy.5.gz installed to /usr/share/man/man5/shorewall-policy.5.gz
| |
| Man page shorewall-providers.5.gz installed to /usr/share/man/man5/shorewall-providers.5.gz
| |
| Man page shorewall-proxyarp.5.gz installed to /usr/share/man/man5/shorewall-proxyarp.5.gz
| |
| Man page shorewall-route_rules.5.gz installed to /usr/share/man/man5/shorewall-route_rules.5.gz
| |
| Man page shorewall-routes.5.gz installed to /usr/share/man/man5/shorewall-routes.5.gz
| |
| Man page shorewall-routestopped.5.gz installed to /usr/share/man/man5/shorewall-routestopped.5.gz
| |
| Man page shorewall-rules.5.gz installed to /usr/share/man/man5/shorewall-rules.5.gz
| |
| Man page shorewall-secmarks.5.gz installed to /usr/share/man/man5/shorewall-secmarks.5.gz
| |
| Man page shorewall-tcclasses.5.gz installed to /usr/share/man/man5/shorewall-tcclasses.5.gz
| |
| Man page shorewall-tcdevices.5.gz installed to /usr/share/man/man5/shorewall-tcdevices.5.gz
| |
| Man page shorewall-tcfilters.5.gz installed to /usr/share/man/man5/shorewall-tcfilters.5.gz
| |
| Man page shorewall-tcinterfaces.5.gz installed to /usr/share/man/man5/shorewall-tcinterfaces.5.gz
| |
| Man page shorewall-tcpri.5.gz installed to /usr/share/man/man5/shorewall-tcpri.5.gz
| |
| Man page shorewall-tcrules.5.gz installed to /usr/share/man/man5/shorewall-tcrules.5.gz
| |
| Man page shorewall-tos.5.gz installed to /usr/share/man/man5/shorewall-tos.5.gz
| |
| Man page shorewall-tunnels.5.gz installed to /usr/share/man/man5/shorewall-tunnels.5.gz
| |
| Man page shorewall-vardir.5.gz installed to /usr/share/man/man5/shorewall-vardir.5.gz
| |
| Man page shorewall-zones.5.gz installed to /usr/share/man/man5/shorewall-zones.5.gz
| |
| Man page shorewall.8.gz installed to /usr/share/man/man8/shorewall.8.gz
| |
| Man page shorewall-init.8.gz installed to /usr/share/man/man8/shorewall-init.8.gz
| |
| Man Pages Installed
| |
| Logrotate file installed as /etc/logrotate.d/shorewall
| |
| shorewall will start automatically in run levels as follows:
| |
| Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable
| |
| shorewall 0:off 1:off 2:off 3:off 4:off 5:off 6:off
| |
| shorewall Version 4.4.25.2 Installed
| |
| </source> | |
|
| |
|
| Done! | | Done! |
Line 635: |
Line 24: |
| = Setup = | | = Setup = |
|
| |
|
| == Public IP Address Range ==
| | You need to decide which interface will have your internet connection on it and which will connect to your internal network. For this tutorial; |
| | |
| If you have multiple public IP addresses, make sure your Internet facing ethernet device, <span class="code">eth1</span> in our case, has all of those public IPs assigned to it. Do this by:
| |
| # Copying the <span class="code">ifcfg-eth0</span> to <span class="code">ifcfg-eth0:x</span> where <span class="code">x</span> is a number, starting at 0, with the next public IP in the pool.
| |
| # In each <span class="code">ifcfg-eth0:x</span> file:
| |
| ## Add <span class="code">:x</span> to <span class="code">DEVICE=eth1</span>, for example <span class="code">DEVICE=eth1:0</span> in the <span class="code">ifcfg-eth0:0</span> file.
| |
| ## Change the IP address in the <span class="code">IPADDR=</span> line. For example, <span class="code">208.67.144.34</span>.
| |
| ## Comment out the <span class="code">GATEWAY=</span> line.
| |
| | |
| Here is an example showing what an <span class="code">ifcfg-eth0</span> and it's corresponding <span class="code">ifcfg-eth0:0</span> alias might look like:
| |
| | |
| <source lang="bash">
| |
| vim /etc/sysconfig/network-scripts/ifcfg-eth0
| |
| </source>
| |
| <source lang="bash">
| |
| DEVICE=eth0
| |
| BOOTPROTO=static
| |
| HWADDR=00:16:36:71:84:2F
| |
| ONBOOT=yes
| |
| IPADDR=192.168.1.253
| |
| NETMASK=255.255.255.0
| |
| GATEWAY=192.168.1.254
| |
| DNS1=192.139.81.117
| |
| DNS2=192.139.81.1
| |
| </source>
| |
| | |
| <source lang="bash">
| |
| vim /etc/sysconfig/network-scripts/ifcfg-eth0:0
| |
| </source>
| |
| <source lang="bash">
| |
| DEVICE=eth0:0
| |
| BOOTPROTO=static
| |
| HWADDR=00:16:36:71:84:2F
| |
| ONBOOT=yes
| |
| IPADDR=206.108.5.129
| |
| NETMASK=255.255.255.255
| |
| </source>
| |
| | |
| When done, simply restart networking:
| |
| | |
| <source lang="bash">
| |
| /etc/init.d/network restart
| |
| </source>
| |
| | |
| Or manually bring up each device with:
| |
|
| |
|
| <source lang="bash"> | | * <span class="code">eth0</span>; Faces the internal network, has the IP <span class="code">10.255.255.254/16</span> and provides DHCP services to the LAN. |
| ifup eth0:x
| | * <span class="code">eth1</span>; Faces the Internet. |
| </source> | |
| | |
| Setting <span class="code">x</span> to the number of each alias device you are starting. If you are connected over ssh, using <span class="code">ifup</span> is recommended as you are less likely to lose your ssh session.
| |
|
| |
|
| == Configuring Shorewall == | | == Configuring Shorewall == |
|
| |
|
| All configuration files are in the following directory, unless explicitly defined: | | All configuration files are in the <span class="code">/etc/shorewall</span> directory, unless explicitly defined. The main Shorewall configuration file, which we will edit last is <span class="code">/etc/shorewall/shorewall.conf</span>. |
| | |
| <source lang="bash"> | |
| /etc/shorewall | |
| </source> | |
| | |
| The main Shorewall configuration file, which we will edit last is <span class="code">/etc/shorewall/shorewall.conf</span>. | |
| </source>
| |
|
| |
|
| The files to edit are listed in the order we will edit them in the following subsections. | | The files to edit are listed in the order we will edit them in the following subsections. |
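Review bot: the rewritten Setup section removes the whole "Public IP Address Range" alias procedure without saying whether more than one public address is still expected; the new bullets give eth0 an address (10.255.255.254/16) and a role, but eth1 gets only "Faces the Internet". Since the rules section later says the RDP forwards exist "with just one external IP address", state that model here in a few words (eth1 carries the single public address) so the reader knows the alias steps are gone on purpose rather than lost. Removing the old steps also drops an inconsistency they carried, where the text said to edit ifcfg-eth0:x files while setting DEVICE=eth1:0, so the cut itself is a good call.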
Line 702: |
Line 37: |
| === zones === | | === zones === |
|
| |
|
| This controls the main "zones" used by Shorewall. The <span class="code">fw</span> is special in that it defines the firewall itself. The <span class="code">net</span> zone is the Internet-facing network (eth1 on the firewall). The <span class="code">loc</span> is the local network, the virtual machine network on eth0. | | This controls the main "zones" used by Shorewall. The <span class="code">fw</span> is special in that it defines the firewall itself. The <span class="code">net</span> zone is the Internet-facing network (<span class="code">eth1</span> in this tutorial). The <span class="code">loc</span> is the local network, the internal network of machines the firewall is protecting, which is <span class="code">eth0</span> in this tutorial. Both <span class="code">eth0</span> and <span class="code">eth1</span> are <span class="code">[[ipv4]]</span> networks. |
|
| |
|
| Add:
| | Append two new lines telling shorewall that we have two new <span class="code">ipv4</span> networks that it will use: |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| vim /etc/shorewall/zones | | vim /etc/shorewall/zones |
| </source> | | </syntaxhighlight> |
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| fw firewall
| |
| net ipv4 | | net ipv4 |
| loc ipv4 | | loc ipv4 |
| </source> | | </syntaxhighlight> |
|
| |
|
| So that the 'zones' file looks like: | | So that the <span class="code">zones</span> file looks like: |
|
| |
|
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| ############################################################################### | | ############################################################################### |
| #ZONE TYPE OPTIONS IN OUT | | #ZONE TYPE OPTIONS IN OUT |
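Review bot: "Both eth0 and eth1 are ipv4 networks" in the new first paragraph conflates interfaces with zones; this file only declares zone types, so "both the net and loc zones are of type ipv4" matches what the appended lines (`net ipv4`, `loc ipv4`) declare, and the interface mapping belongs to the interfaces section that follows. The new append block also drops the `fw firewall` line the old revision told readers to add; if the stock file already contains that entry, say so in half a sentence, otherwise a reader of the old revision will wonder why it disappeared.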
Line 724: |
Line 58: |
| net ipv4 | | net ipv4 |
| loc ipv4 | | loc ipv4 |
| </source> | | </syntaxhighlight> |
|
| |
|
| === interfaces === | | === interfaces === |
|
| |
|
| Here you tell Shorewall which network [[#zones|zones]] are on which interfaces.
| | Just above, we told shorewall that we had two new <span class="code">ipv4</span> networks. In the <span class="code">interfaces</span> configuration file, we link these networks to physical interfaces. |
| | |
| | {{note|1=If you plan to [[DHCP on an RPM-based OS|setup a DHCP]] server on your firewall, you will need to specify the <span class="code">dhcp</span> option, as shown here. You can see a full list of options and their uses on Shorewall's <span class="code">[http://www.shorewall.net/manpages/shorewall-interfaces.html interfaces]</span> page.}} |
|
| |
|
| Add:
| | To link the new networks to the physical interfaces, append the following entries; |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| vim /etc/shorewall/interfaces | | vim /etc/shorewall/interfaces |
| </source> | | </syntaxhighlight> |
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| net eth1 detect
| | loc eth0 dhcp |
| loc eth0 detect dhcp | | net eth1 |
| </source> | | </syntaxhighlight> |
|
| |
|
| So that the <span class="code">interfaces</span> file looks like: | | So that the <span class="code">interfaces</span> file looks like: |
|
| |
|
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| | ############################################################################### |
| | ?FORMAT 2 |
| ############################################################################### | | ############################################################################### |
| #ZONE INTERFACE BROADCAST OPTIONS | | #ZONE INTERFACE OPTIONS |
| net eth1 detect
| | loc eth0 dhcp |
| loc eth0 detect dhcp | | net eth1 |
| </source> | | </syntaxhighlight> |
|
| |
|
| === policy === | | === policy === |
|
| |
|
| Here you tell Shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about ESTABLISHED and RELATED connections as Shorewall handles these rules. The choices are: | | Here you tell shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about <span class="code">ESTABLISHED</span> and <span class="code">RELATED</span> connections as shorewall handles these rules. The choices are: |
|
| |
|
| * ACCEPT | | * <span class="code">ACCEPT</span>; Accept the connection. |
| ** Accept the connection.
| | * <span class="code">DROP</span>; Ignore the connection request. |
| * DROP | | * <span class="code">REJECT</span>; Return an appropriate error to the connection request. |
| ** Ignore the connection request.
| |
| * REJECT | |
| ** Return an appropriate error to the connection request.
| |
|
| |
|
| You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log <span class="code">info</span> level so you can see twits trying to do "bad things(tm)". | | You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log <span class="code">info</span> level so you can see twits trying to do "bad things(tm)". The one downside to using <span class="code">info</span> is that it pushes a lot of data into the log files, which might make debugging other issues on the firewall. It's really up to you in the end. |
|
| |
|
| <source lang="bash"> | | Append the following default policies; |
| | |
| | <syntaxhighlight lang="bash"> |
| vim /etc/shorewall/policy | | vim /etc/shorewall/policy |
| </source> | | </syntaxhighlight> |
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| # This allows the firewall out onto the Internet | | # Let everything from the firewall machine out onto the net. |
| fw net ACCEPT | | fw net ACCEPT |
| # These are the default policies; All VMs are allowed out to the net, Anything | | |
| # from the Internet is DROPed and anything else to anything else is REJECTed
| | # Likewise, allow everything from the firewall out onto the local network. |
| # and logged.
| |
| # - Anything from the firewall to the VMs is allowed.
| |
| fw loc ACCEPT | | fw loc ACCEPT |
| # - Protect the firewall from compromised servers. | | |
| | # Don't allow incoming connections from the web into the fireall *or* into the |
| | # local network. Add 'info' here if you want to log failed connection attempts. |
| | net all DROP info |
| | |
| | # Don't allow incoming connections from the local network into the firewall. |
| loc fw DROP | | loc fw DROP |
| # - Let anything from the VMs out onto the Internet. | | |
| | # Let machines on the local network out onto the web |
| loc net ACCEPT | | loc net ACCEPT |
| # - Drop and log anything else.
| | </syntaxhighlight> |
| net all DROP info
| |
| </source> | |
|
| |
|
| So that the <span class="code">policy</span> file looks like: | | So that the <span class="code">policy</span> file looks like: |
|
| |
|
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| ############################################################################### | | ############################################################################### |
| #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: | | #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: |
| # LEVEL BURST MASK | | # LEVEL BURST MASK |
| # This allows the firewall out onto the Internet | | |
| | # Let everything from the firewall machine out onto the net. |
| fw net ACCEPT | | fw net ACCEPT |
| # These are the default policies; All VMs are allowed out to the net, Anything | | |
| # from the Internet is DROPed and anything else to anything else is REJECTed
| | # Likewise, allow everything from the firewall out onto the local network. |
| # and logged.
| |
| # - Anything from the firewall to the VMs is allowed.
| |
| fw loc ACCEPT | | fw loc ACCEPT |
| # - Protect the firewall from compromised servers. | | |
| | # Don't allow incoming connections from the web into the fireall *or* into the |
| | # local network. Add 'info' here if you want to log failed connection attempts. |
| | net all DROP info |
| | |
| | # Don't allow incoming connections from the local network into the firewall. |
| loc fw DROP | | loc fw DROP |
| # - Let anything from the VMs out onto the Internet. | | |
| | # Let machines on the local network out onto the web |
| loc net ACCEPT | | loc net ACCEPT |
| # - Drop and log anything else.
| | </syntaxhighlight> |
| net all DROP info
| |
| </source> | |
|
| |
|
| === rules === | | === rules === |
|
| |
|
| Here you tell Shorewall what the exceptions are to the default policies. The first rule to match is used. This is really the heart of the firewall. | | This is really the heart of the firewall. |
| | |
| | Here you tell shorewall what the exceptions there are to the default policies. The first rule to match is used. |
|
| |
|
| The example below shows a setup where remote access in to the firewall itself is allowed only on port <span class="code">22869</span> (modified [[SSH]] port). Then two [[Microsoft]] Windows servers are setup. Both servers are internally set to listen for RDP connections on the same default port (<span class="code">3389</span>). To allow for this with just one external IP address, the firewall is told to route incoming connections on port <span class="code">3394</span> to the internal machine at IP <span class="code">192.168.1.11</span> on port <span class="code">3393</span>. Likewise, incoming connections on port <span class="code">3393</span> will be forwarded to <span class="code">192.168.1.10:3393</span>. A few other ports are opened for various services as further examples. | | The example below shows a setup where remote access in to the firewall itself is allowed only on port <span class="code">22000</span> (modified [[SSH]] port). Then two [[Microsoft]] Windows servers are setup. Both servers are internally set to listen for RDP connections on the same default port (<span class="code">3389</span>). To allow for this with just one external IP address, the firewall is told to route incoming connections on port <span class="code">3390</span> to the internal machine at IP <span class="code">10.255.0.11</span> on port <span class="code">3393</span>. Likewise, incoming connections on port <span class="code">3389</span> will be forwarded to directly to <span class="code">10.255.0.10:3389</span>. |
|
| |
|
| Edit <span class="code">rules</span> so that the it file looks like.
| | We'll also add a couple special rules that tells shorewall to respond to [[ICMP]] ping requests. Some people don't like this as ping sweeps are a quick way for malicious people to find servers on the net. Personally, I find the usefulness of being able to ping my firewall more beneficial. |
|
| |
|
| <source lang="bash"> | | Append <span class="code">rules</span> so that the it file looks like. |
| | |
| | <syntaxhighlight lang="bash"> |
| vim /etc/shorewall/rules | | vim /etc/shorewall/rules |
| </source> | | </syntaxhighlight> |
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| ############################################################################################################################################################
| |
| #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
| |
| # PORT PORT(S) DEST LIMIT GROUP
| |
| #SECTION ESTABLISHED
| |
| #SECTION RELATED
| |
| SECTION NEW
| |
| | |
| ### Rules for data going into the firewall. Consult /etc/services or your local | | ### Rules for data going into the firewall. Consult /etc/services or your local |
| ### search engine for ports and protocols used by your favourite programs. | | ### search engine for ports and protocols used by your favourite programs. |
| # Allow SSH connections to the firewall itself. | | # Answer ICMP queries |
| ACCEPT net fw tcp 22 | | Ping(ACCEPT) net fw |
| # Allow SSH and DHCP requests from the VMs into the firewall.
| | Ping(ACCEPT) loc fw |
| | |
| | # Allow incoming SSH connections to the firewall itself from the web on port |
| | # 22000. Allow incoming SSH connections to the firewall on port 22 and 22000 |
| | # from the local network. |
| | ACCEPT net fw tcp 22000 |
| ACCEPT loc fw tcp 22 | | ACCEPT loc fw tcp 22 |
| ACCEPT loc fw udp 67,68 | | ACCEPT loc fw tcp 22000 |
|
| |
|
| ### Forwards using DNAT | | # Allow incoming connections from the internet to two windows servers listening |
| ## Internet into 'vm0002_c6_ws1' (webserver) | | # for RDP connections on the same port. This will be handled using different |
| #DNAT <src> loc:<ip>:<srv_port> tcp <ext_port>
| | # external ports using destination network address translation. |
| # FTP
| | ACCEPT net loc:10.255.0.10:3389 tcp 3389 |
| DNAT net loc:10.0.0.1:20 tcp 20
| | ACCEPT net loc:10.255.0.11:3389 tcp 3390 |
| DNAT net loc:10.0.0.1:21 tcp 21
| | </syntaxhighlight> |
| # SMTP
| | |
| DNAT net loc:10.0.0.1:25 tcp 25
| | This is a spartan example of what you can do. It's meant to show how you can do matching and non-matching TCP port forwards. With this simple format, you should be able to create all the rules you need to setup your network. |
| # DNS
| |
| DNAT net loc:10.0.0.1:53 tcp 53
| |
| # HTTP
| |
| DNAT net loc:10.0.0.1:80 tcp 80
| |
| </source>
| |
|
| |
|
| === masq === | | === masq === |
|
| |
|
| This is the file that handles [[MASQ]]erading the virtual machine LAN (the <span class="code">loc</span> zone). Even though there may be several public IP addresses, they are not [[SNAT]]ed to hosts but instead used as a pool of addresses to do Port Forward/[[DNAT]]ing on. | | This is the file that handles [[MASQ]]erading the machines on the local LAN (the <span class="code">loc</span> zone). This is how shorewall provides internet access to an entire [[subnet]] of machines on a given network. |
|
| |
|
| So to enable Internet access from your servers, you need to add a line with the Internet facing interface followed by the subnet that you will be MASQing. | | So to enable Internet access from your machines, you need to add a line with the '''Internet facing interface''' followed by the subnet of the '''local''' network that you will be masquerading. |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| vim /etc/shorewall/masq | | vim /etc/shorewall/masq |
| </source> | | </syntaxhighlight> |
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| eth1 192.168.1.0/24 | | eth1 10.255.0.0/16 |
| </source> | | </syntaxhighlight> |
|
| |
|
| So that the 'rules' file looks like: | | So that the <span class="code">masq</span> file looks like: |
|
| |
|
| <source lang="text"> | | <syntaxhighlight lang="text"> |
| ############################################################################### | | ################################################################################################################ |
| #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ | | #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL |
| # GROUP | | # GROUP DEST |
| eth1 192.168.1.0/24 | | eth1 10.255.0.0/16 |
| </source> | | </syntaxhighlight> |
|
| |
|
| === shorewall.conf === | | === shorewall.conf === |
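Review bot: in the rules hunk the two RDP entries use ACCEPT with a port-bearing destination (`ACCEPT net loc:10.255.0.11:3389 tcp 3390`) while the comment directly above says the forward is done with destination network address translation; ACCEPT does not rewrite the destination, so these should keep the DNAT action the old revision used, e.g. `DNAT net loc:10.255.0.11:3389 tcp 3390` and `DNAT net loc:10.255.0.10:3389 tcp 3389`. The prose above the block also still says external port 3390 reaches 10.255.0.11 "on port 3393" while the rule says 3389, and "forwarded to directly to" and "so that the it file looks like" need a proof-read. In the policy hunk, the comment "Add 'info' here if you want to log failed connection attempts" sits above a line that already carries `info` (`net all DROP info`); either drop `info` from the line or reword the comment to say it is already enabled, and "fireall" is a typo. In the policy prose, "which might make debugging other issues on the firewall" is missing its verb ("harder").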
Line 871: |
Line 210: |
| Edit <span class="code">/etc/shorewall/shorewall.conf</span> and change the following lines: | | Edit <span class="code">/etc/shorewall/shorewall.conf</span> and change the following lines: |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| vim /etc/shorewall/shorewall.conf | | vim /etc/shorewall/shorewall.conf |
| </source> | | </syntaxhighlight> |
| <source lang="text"> | | <syntaxhighlight lang="bash"> |
| STARTUP_ENABLED=No | | STARTUP_ENABLED=No |
| LOGFILE=/var/log/messages
| | </syntaxhighlight> |
| </source> | |
|
| |
|
| To: | | To: |
|
| |
|
| <source lang="text"> | | <syntaxhighlight lang="bash"> |
| STARTUP_ENABLED=Yes | | STARTUP_ENABLED=Yes |
| LOGFILE=/var/log/shorewall
| | </syntaxhighlight> |
| </source> | |
|
| |
|
| = Starting the Firewall = | | = Starting the Firewall = |
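Review bot: the new shorewall.conf hunk drops the `LOGFILE=/var/log/shorewall` change, so the drops logged by the `net all DROP info` policy now land wherever the unchanged default points (the old revision showed that value as `LOGFILE=/var/log/messages`); since the policy section sells `info` logging as a debugging aid, add one sentence here saying which file to watch. Switching the fence language from text to bash for the KEY=value lines is fine.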
Line 890: |
Line 227: |
| To start the firewall, simply run: | | To start the firewall, simply run: |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| /etc/init.d/shorewall restart | | /etc/init.d/shorewall restart |
| </source> | | </syntaxhighlight> |
|
| |
|
| The firewall should now be running. To see the new rules, simply run: | | The firewall should now be running. To see the new rules, simply run: |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| iptables-save | | iptables-save |
| </source> | | </syntaxhighlight> |
|
| |
|
| This will print out the actual firewall rules. You will need some experience with <span class="code">iptables</span> to understand all their meaning, but the general flow should be understandable. | | This will print out the actual firewall rules. You will need some experience with <span class="code">[[TLUG Talk: Netfilter|iptables]]</span> to understand all their meaning, but the general flow should be understandable. |
|
| |
|
| Lastly, make sure the firewall starts on boot by running: | | Lastly, make sure the firewall starts on boot by running: |
|
| |
|
| <source lang="bash"> | | <syntaxhighlight lang="bash"> |
| chkconfig shorewall on | | chkconfig shorewall on |
| </source> | | </syntaxhighlight> |
| | |
| | == Fixing SELinux Problems == |
| | |
| | If you get an error like: |
| | |
| | <syntaxhighlight lang="bash"> |
| | /etc/init.d/shorewall start |
| | </syntaxhighlight> |
| | <syntaxhighlight lang="text"> |
| | Compiling... |
| | Can't exec "/usr/lib/shorewall/getparams": Permission denied at /usr/share/perl5/Shorewall/Config.pm line 5041. |
| | ERROR: Processing of /etc/shorewall/params failed |
| | </syntaxhighlight> |
| | |
| | If we check <span class="code">/var/log/audit/audit.log</span>, we see: |
| | |
| | <syntaxhighlight lang="text"> |
| | type=AVC msg=audit(1403851868.309:165): avc: denied { execute_no_trans } for pid=11114 comm="perl" path="/usr/lib/shorewall/getparams" dev=sda3 ino=1705335 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file |
| | </syntaxhighlight> |
| | |
| | To fix this, run: |
| | |
| | <syntaxhighlight lang="text"> |
| | semanage fcontext -a -t bin_t /usr/lib/shorewall/getparams |
| | restorecon -vF /usr/lib/shorewall/getparams |
| | </syntaxhighlight> |
| | |
| | Now <span class="code">shorewall</span> should start properly. |
| | |
| | <syntaxhighlight lang="bash"> |
| | /etc/init.d/shorewall start |
| | </syntaxhighlight> |
| | <syntaxhighlight lang="text"> |
| | Compiling... |
| | Shorewall configuration compiled to /var/lib/shorewall/.start |
| | Starting Shorewall.... |
| | done. |
| | </syntaxhighlight> |
|
| |
|
| {{footer}} | | {{footer}} |
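Review bot: the new "Fixing SELinux Problems" section gives the reader no way to confirm the relabel took before retrying the start; add `ls -Z /usr/lib/shorewall/getparams` after the restorecon line so the type can be seen changing from `lib_t` (the tcontext in the AVC record shown) to `bin_t`. The semanage/restorecon block is fenced as `text` while every other command block in this section uses `bash`; make it consistent. The section also opens "If you get an error like:" and continues "If we check ..., we see:", which leaves the first sentence unfinished; "Checking /var/log/audit/audit.log shows:" reads cleaner.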