Good day, I'm having problems with trying to port forward from the DMZ
zone to the Local network. What I have been able to do with great
success so far is that from the Local network I have been able to access
resources on the DMZ server with no problems at all. But when I attempt
to either ping or try to port forward something like SMTP port 25 to an
internal email server on the private LAN I am unable to. One of the ways
that I have been testing whether data packets have been or are being routed
successfully is by utilizing PC Anywhere to connect to a Server running
in a Windows environment in the DMZ and vice versa from DMZ to the
Private network. I can't get from the DMZ to the Private LAN; this is
the only thing keeping me from successfully implementing Shorewall as
our Firewall. Help!
Linux Redhat 7.2
shorewall version - 1.4.1a
Linux kernel - 2.4.7-10smp #1 SMP
IP addr show -
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:c0:df:e7:87:c7 brd ff:ff:ff:ff:ff:ff
inet 65.115.171.251/29 brd 65.115.171.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:ba:ad:69:8c brd ff:ff:ff:ff:ff:ff
inet 192.168.5.199/24 brd 192.168.5.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:c6:f2:8a brd ff:ff:ff:ff:ff:ff
inet 192.168.5.184/24 brd 192.168.5.255 scope global eth2
IP route show -
65.115.171.253 dev eth1 scope link
65.115.171.248/29 dev eth0 scope link
192.168.5.0/24 dev eth2 scope link
192.168.5.0/24 dev eth2 proto kernel scope link src 192.168.5.184
127.0.0.0/8 dev lo scope link
default via 65.115.171.249 dev eth0
lsmod -
Module Size Used by
ide-cd 35360 0 (autoclean)
cdrom 35360 0 (autoclean) [ide-cd]
soundcore 8100 0 (autoclean)
ipt_MASQUERADE 2816 3 (autoclean)
ipt_LOG 5632 5 (autoclean)
ipt_REJECT 4320 6 (autoclean)
ipt_state 1728 36 (autoclean)
iptable_mangle 3008 0 (autoclean) (unused)
ip_nat_irc 5728 0 (unused)
ip_nat_ftp 4864 0 (unused)
iptable_nat 23572 2 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc 4000 0 [ip_nat_irc]
ip_conntrack_ftp 5472 0 [ip_nat_ftp]
ip_conntrack 24268 4 [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 3008 0 (autoclean) (unused)
ip_tables 14752 9 [ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
3c59x 32136 1
via-rhine 14404 1
ne2k-pci 7424 1
8390 9252 0 [ne2k-pci]
usb-uhci 26884 0 (unused)
usbcore 69120 1 [usb-uhci]
ext3 67728 4
jbd 44480 4 [ext3]
I am using the Shorewall Quickstart Guide version 4.0
-------------- next part --------------
Shorewall-1.4.1a Status at firewall.ecof.com - Wed Jun 25 17:04:45 EDT 2003
Counters reset Wed Jun 25 16:36:23 EDT 2003
Chain INPUT (policy DROP 52743 packets, 13M bytes)
pkts bytes target prot opt in out source destination
9 360 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
4 144 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state ESTABLISHED
9 657 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
16 12949 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain all2all (9 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (2 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 65.115.171.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.5.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.5.255
Chain dmz2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2loc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 65.115.171.253 192.168.5.13
state NEW tcp spt:1034 dpt:5632
0 0 ACCEPT tcp -- * * 65.115.171.253 192.168.5.13
state NEW tcp spt:1034 dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_in (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2dmz (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2dmz (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT all -- * * 192.168.5.13 65.115.171.253 state NEW
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:10000
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2loc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (12 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (3 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=9 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=9 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=8 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=8 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=7 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=7 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=6 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=6 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=5 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=5 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=4 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=4 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=3 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=3 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=2 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=2 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=532 TOS=0x00 PREC=0x00 TTL=1 ID=5304 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 25 16:45:15 all2all:ACCEPT:IN=eth2 OUT= SRC=192.168.5.178 DST=192.168.5.255
LEN=152 TOS=0x00 PREC=0x00 TTL=1 ID=5560 PROTO=UDP SPT=520 DPT=520 LEN=132
Jun 25 16:45:15 all2all:ACCEPT:IN= OUT=eth2 SRC=192.168.5.184 DST=192.168.5.11
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=1970 DF PROTO=UDP SPT=32995 DPT=53 LEN=52
Jun 25 16:45:20 all2all:ACCEPT:IN= OUT=eth2 SRC=192.168.5.184 DST=192.168.5.11
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=2471 DF PROTO=UDP SPT=32996 DPT=53 LEN=52
NAT Table
Chain PREROUTING (policy ACCEPT 55471 packets, 14M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 385 packets, 27502 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 377 packets, 27072 bytes)
pkts bytes target prot opt in out source destination
Chain dmz_dnat (0 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 65.115.171.253 192.168.5.199 tcp spt:1034 dpt:5632 to:192.168.5.13
0 0 DNAT tcp -- * * 65.115.171.253 192.168.5.199 tcp spt:1034 dpt:22 to:192.168.5.13
Chain loc_dnat (0 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 192.168.5.13 192.168.5.199 to:65.115.171.253
Mangle Table
Chain PREROUTING (policy ACCEPT 110K packets, 27M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3020 packets, 584K bytes)
pkts bytes target prot opt in out source destination
-------------- next part --------------
#
# Shorewall 1.4 -- Sample Interface File For Three Interfaces
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE
# Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE
# Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST
# The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank. If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS
# A comma-separated list of options including the
# following:
#
# dhcp
# Interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# norfc1918
# This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses). If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# routefilter
# Turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean
# Logs and drops mangled/invalid packets
# logunclean
# Logs mangled/invalid packets but does
# not drop them.
# blacklist
# Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist
# Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags
# Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp
# Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended solely for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1:
# Suppose you have eth0 connected to a DSL modem,
# eth1 connected to your local network and eth2
# connected to your dmz. Assuming that your local
# subnet is 192.168.1.0/24 and your dmz subnet is
# 192.168.2.0/24 . The eth0 interface gets
# its IP address via DHCP from subnet
# 206.191.149.192/27.
#
# Your entries for this setup would look like:
#
# #ZONE INTERFACE BROADCAST OPTIONS
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2:
# The same configuration without specifying broadcast
# addresses is:
#
# #ZONE INTERFACE BROADCAST OPTIONS
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
dmz eth1 detect
loc eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.4 -- Sample Policy File For Three Interfaces
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and be sent to a separate log
# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the Internet are allowed
# b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO.
# c) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
#dmz net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall version 1.4 - Sample Rules File For Three Interfaces
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
#
# ACCEPT
# Allow the connection request
# DROP
# Ignore the request
# REJECT
# Disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT
# Forward the request to another
# system (and optionally another
# port).
# DNAT-
# Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT
# Redirect the request to a local
# port on the firewall.
# CONTINUE
# (For experts only). Do Not Process
# any of the following rules for this
# (source zone,destination zone). If
# the source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
#
# May optionally be followed by ":" and a syslog log
# level (e.g., REJECT:info). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd.
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all". If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!" and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Some Examples:
#
# net:155.186.235.1
# Host 155.186.235.1 on the Internet
#
# loc:192.168.1.0/24
# Subnet 192.168.1.0/24 on the
# Local Network
#
# net:155.186.235.1,155.186.235.2
# Hosts 155.186.235.1 and
# 155.186.235.2 on the Internet.
#
# loc:~00-A0-C9-15-39-78
# Host on the Local Network with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, net:eth0 specifies a
# client that communicates with the firewall system
# through eth0. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., net:eth0:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: net:155.186.235.1:25 specifies an Internet
# server at IP address 155.186.235.1 and listening on port
# 25. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# If the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or fewer ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or fewer ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to dmz system 192.168.2.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net dmz:192.168.2.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the Internet
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT loc fw tcp 22,10000,23,21 -
ACCEPT loc dmz tcp 22 -
#
# DMZ DNS access to the Internet
#
ACCEPT loc fw icmp 8 -
ACCEPT loc dmz icmp 8
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT dmz fw icmp 8
ACCEPT dmz net icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz:65.115.171.253 loc:192.168.5.13 icmp 8 -
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DNAT loc:192.168.5.13 dmz:65.115.171.253 all - - 192.168.5.199
DNAT dmz loc:192.168.5.13 all - - 192.168.5.199
ACCEPT $FW loc tcp 21 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.4 - /etc/shorewall/hosts
#
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
#
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
# BETWEEN THESE NETWORKS.
#
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.
#
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
# THIS FILE.
#
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface followed by a colon (":") and
# either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
# The interface must be defined in the
# /etc/shorewall/interfaces file.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
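As an added check that is not part of the original post or of Shorewall itself, the script below parses the `ip addr show` listing and the `/etc/shorewall/interfaces` file attached above and reports interfaces that are assigned to different zones but share one IP subnet (the sample input is copied from the post; function names are my own). Zone rules such as dmz2loc and loc2dmz only isolate traffic if each zone sits on its own subnet, because the kernel picks the outgoing interface by route, not by Shorewall zone.

```python
"""Zone-isolation sanity check for a Shorewall 1.4 three-interface setup.

Added example, not the poster's or the Shorewall project's code. It flags
interfaces in different zones whose addresses fall in the same subnet: when
that happens the kernel's routing table (not the firewall) decides which
interface a packet leaves on, so the zone chains stop matching the real path.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines from the post's `ip addr show`.
IP_ADDR_SHOW = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 65.115.171.251/29 brd 65.115.171.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.5.199/24 brd 192.168.5.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.5.184/24 brd 192.168.5.255 scope global eth2
"""

# Constructed sample: the active lines of the post's /etc/shorewall/interfaces.
INTERFACES_FILE = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
dmz eth1 detect
loc eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

_IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")
_INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_addr(text: str) -> Dict[str, List[ipaddress.IPv4Interface]]:
    """Map interface name -> list of IPv4 addresses (with prefix length)."""
    result: Dict[str, List[ipaddress.IPv4Interface]] = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _INET_RE.match(line)
        if m and current:
            result[current].append(ipaddress.ip_interface(m.group(1)))
    return result


def parse_interfaces_file(text: str) -> Dict[str, str]:
    """Map interface name -> zone from a Shorewall 1.4 interfaces file.

    Comments and blank lines are skipped; a "-" in the ZONE column (zone
    defined in /etc/shorewall/hosts) is recorded literally as "-".
    """
    zones: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            zones[fields[1]] = fields[0]
    return zones


def find_shared_subnets(
    addrs: Dict[str, List[ipaddress.IPv4Interface]], zones: Dict[str, str]
) -> List[Tuple[str, str, str]]:
    """Return (zone/iface, zone/iface, subnet) for each pair of interfaces in
    different zones whose subnets overlap. Interfaces without a zone entry
    (e.g. lo) are ignored, as Shorewall does not manage them."""
    entries = [
        (zone, iface, ip.network)
        for iface, zone in zones.items()
        for ip in addrs.get(iface, [])
    ]
    findings = []
    for i, (za, ia, na) in enumerate(entries):
        for zb, ib, nb in entries[i + 1:]:
            if za != zb and na.overlaps(nb):
                findings.append((f"{za}/{ia}", f"{zb}/{ib}", str(na)))
    return findings


if __name__ == "__main__":
    hits = find_shared_subnets(parse_ip_addr(IP_ADDR_SHOW),
                               parse_interfaces_file(INTERFACES_FILE))
    for a, b, net in hits:
        print(f"zones {a} and {b} share subnet {net}: zone isolation is not enforced")
```

Run against a live box with `ip addr show` and the real interfaces file as input; a non-empty result means the dmz and loc rules will not behave as written until each zone has its own subnet.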