Thursday, September 21, 2006

Setup shorewall with two interfaces

One of the most basic things whenever you set up a network is to allow access from an external network and then secure it. Both these tasks are easily achieved by using a firewall. A popular choice of firewall is Shorewall; in this article I will show you how to configure a simple two-interface network. You allow all traffic from the internal network to the external network, but block all traffic except ICMP and HTTP from the external network. So without further delay, let's get started.

First you have to install shorewall. To do this:
yum install shorewall (Fedora/Redhat)
apt-get install shorewall (Ubuntu/Debian)

Now you should have a /etc/shorewall directory, and in it there is a shorewall.conf file. This is the first file you edit. I'm only going to list the lines you'll have to change in shorewall.conf:

#Change this from No to Yes
STARTUP_ENABLED=Yes

#Name of firewall zone, if you don't set it you'll have to configure it in zones file
#Set this to fw
FW=fw

#Enable IP Forwarding
#Set this to On
IP_FORWARDING=On



That is all you have to change in shorewall.conf; you don't need to change the other default values.

Now edit/create the /etc/shorewall/zones file. You specify one zone, net, which is the external zone, and one zone, loc, which is for your local network:

#ZONE TYPE
net ipv4
loc ipv4



Now that you have specified the zones, it's time to bind them to their interfaces. Let's suppose eth1 is connected to the external network and eth0 is connected to the local network. Time to edit/create /etc/shorewall/interfaces:

#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 detect tcpflags
net eth1 detect routefilter,tcpflags,nosmurfs



What you have done here is bind eth0 to zone loc and told the firewall to detect the broadcast address and check for bad TCP flags. The other thing you have done is bind eth1 to zone net, autodetect the broadcast address, check for bad TCP flags, disable source routing and check for broadcast source packets.

Up to now you have done these things: set up three zones, fw (the firewall zone, i.e. the machine the firewall is running on), loc (the local network) and net (the external zone). You have also bound these zones to specific interfaces and enabled IP forwarding.

For sharing an internet connection between multiple computers using a single external IP, Linux does something called IP masquerading. What it basically means is that when you send your packets to the external network, the firewall changes the source IP to your external IP and keeps track of who sent the packet to whom. When the host you have sent the packet to replies, the firewall receives the packet, changes the destination address back to your IP and sends the packet to you. Sounds tough? To set up IP masquerading for your loc zone (eth0) to access the net zone (eth1), create/edit /etc/shorewall/masq like this:

#INTERFACE SUBNET
eth1 eth0



Maybe it isn't so complicated after all. Now you almost have a fully functional firewall, but for one thing: you don't have any policy or rule for packet filtering! What are you waiting for? Create a default policy now. Just create/edit /etc/shorewall/policy. This file is the basic firewall policy. What it means is that when a packet does not match any firewall rule (which we set up later), it is handled according to the policy.

#SOURCE DEST ACTION LOGGING
$FW net ACCEPT
$FW loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info



The file is read from top to bottom; as soon as a packet matches a given entry it is handled accordingly. In this file what we have done is:
  • Allow all traffic from the firewall to external network.
  • Allow all traffic from the firewall to local network.
  • Drop all traffic from external network to anywhere and log it as info message in syslog.
  • Reject all traffic that doesn't meet any rule.
Don't worry if you don't see this working completely; we still have to configure the rules, which are consulted before the default policy. Create/edit /etc/shorewall/rules like this:

#ACTION SOURCE DEST PROTO PORT
ACCEPT net $FW tcp 80
ACCEPT loc all all
ACCEPT net $FW icmp



Our basic rules are very simple:
  • Allow only TCP traffic from the external network to port 80 (HTTP) on the firewall.
  • Allow all traffic from the local network to anywhere.
  • Allow ICMP traffic from the external network to the firewall.
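As an added consistency check (not part of the original post or of Shorewall itself), the following POSIX shell script writes the zones, interfaces, policy and rules files from above to a temporary directory and verifies the three things that most often break a setup like this: that the catch-all policy is last, that every zone used in policy and rules is declared, and that every declared zone is bound to an interface. The file names and column layout are assumed to follow the Shorewall 3.x format used in this post.

```shell
# Constructed sample: the four files from this post, written to a temp dir
# so the check runs offline. Assumes the Shorewall 3.x column layout.
mk_sample_conf() {
  d=$(mktemp -d)
  printf 'net ipv4\nloc ipv4\n' > "$d/zones"
  printf 'loc eth0 detect tcpflags\nnet eth1 detect routefilter,tcpflags,nosmurfs\n' > "$d/interfaces"
  printf '$FW net ACCEPT\n$FW loc ACCEPT\nnet all DROP info\nall all REJECT info\n' > "$d/policy"
  printf 'ACCEPT net $FW tcp 80\nACCEPT loc all all\nACCEPT net $FW icmp\n' > "$d/rules"
  echo "$d"
}

# Drop comments and blank lines, as Shorewall does when it reads a file.
cfg_lines() { sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }

# 1. The catch-all entry must be last: policy is matched top to bottom, so
#    anything placed after "all all REJECT" is never reached.
check_last_policy() {
  last=$(cfg_lines "$1/policy" | tail -n 1 | awk '{print $1, $2, $3}')
  [ "$last" = "all all REJECT" ] || [ "$last" = "all all DROP" ]
}

# 2. Every zone used in policy and rules must be declared in zones
#    ($FW and all are built in); an undefined zone is a start-time error.
check_zones_declared() {
  declared=$(cfg_lines "$1/zones" | awk '{print $1}')
  for z in $(cfg_lines "$1/policy" | awk '{print $1; print $2}'
             cfg_lines "$1/rules"  | awk '{print $2; print $3}'); do
    case "$z" in '$FW'|all) continue ;; esac
    echo "$declared" | grep -qx "$z" || { echo "undeclared zone: $z" >&2; return 1; }
  done
}

# 3. Every declared zone must be bound to an interface, otherwise its
#    traffic has no zone and falls through to the final REJECT.
check_zones_bound() {
  for z in $(cfg_lines "$1/zones" | awk '{print $1}'); do
    cfg_lines "$1/interfaces" | awk '{print $1}' | grep -qx "$z" \
      || { echo "zone $z has no interface" >&2; return 1; }
  done
}

# Run all three checks against a Shorewall config directory.
check_shorewall_dir() {
  check_last_policy "$1" && check_zones_declared "$1" && check_zones_bound "$1"
}
```

Point check_shorewall_dir at /etc/shorewall to run the same checks on the live configuration before starting the firewall.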


Now our configuration is complete but for one small step. Edit the file /etc/default/shorewall and change this line:

#Change this from 0 to 1
startup=1



Now our configuration of shorewall is complete. It's time to start it:

/etc/init.d/shorewall start



If all goes well, our firewall should be up and running. What we have configured is a very basic setup. For more features and logging facilities, I suggest you look into /usr/share/doc/shorewall. The documentation is excellent and the examples are very descriptive. Now go and have fun with your secure network.

17 comments:

Anonymous said...

This is all wrong, you Fn moron.
