Seweryn Kokot wrote:
> Inspired by last posts about iptables/firewall I would like to convert from
> /etc/init.d/firewall rules to shorewall. I have an external internet
> connection (ppp0, dynamic ip) and want to forward that net connection
> by eth0 (192.168.0.1) to another computer. Here are the rules
> in /etc/init.d/firewall:
> -----
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t filter -F
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ifconfig ppp0 mtu 1400
> ----
> How to represent it in shorewall?
Actually quite easy. Do you have shorewall installed? All your shorewall configs are kept in /etc/shorewall.

/etc/shorewall/zones

#ZONE    DISPLAY      COMMENTS
net      Internet     Internet
loc      Local-LAN    Local Network

Set up your /etc/shorewall/interfaces as

#ZONE    INTERFACE    BROADCAST    OPTIONS (these are extra options for the interface, i.e.)
net      ppp0         detect       routefilter,tcpflags,detectnets,nosmurfs
loc      eth0         detect       routefilter,tcpflags,detectnets,nosmurfs

/etc/shorewall/policy (these policies tell netfilter who gets what access)

#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
loc        net     ACCEPT    #$LOG

/etc/shorewall/rules (this is where you will tell shorewall to build what ports accept connections and what zone.)

#ACTION    SOURCE    DEST    PROTO    DEST       SOURCE     ORIGINAL    RATE     USER/
#                                     PORT       PORT(S)    DEST        LIMIT    GROUP
ACCEPT     net       fw      tcp      http

Once you configure your config files and start shorewall, all it does is build the iptables for you and quits. It does not run as a daemon. It configs iptables/netfilter for you. Shorewall does all the dirty work.

I hope this helps.. again this is just the tip. Read up on the shorewall page for bigger in depth.

-Adam
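A fuller set of Shorewall files that covers every line of Seweryn's script (IP forwarding, masquerading of eth0 behind ppp0, MSS clamping) together with default-deny policies, as an added example that is not part of Adam's reply. It assumes the classic multi-file format with the same column headers Adam shows (Shorewall 1.x/2.x era; newer releases changed the zones and interfaces layout), the firewall zone name `fw` coming from `FW=fw` in shorewall.conf, and a LAN of 192.168.0.0/24 on eth0; the two rules allowing ssh and DNS from the LAN to the firewall are assumptions, not something the original script had.

```text
# /etc/shorewall/zones
#ZONE   DISPLAY     COMMENTS
net     Internet    Internet (ppp0, dynamic IP)
loc     Local-LAN   Local Network (eth0, 192.168.0.0/24, assumed)

# /etc/shorewall/interfaces  ("-" for BROADCAST on a point-to-point link)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           routefilter,tcpflags,nosmurfs
loc     eth0        detect      routefilter,tcpflags,nosmurfs

# /etc/shorewall/masq
# replaces: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#INTERFACE   SUBNET   ADDRESS
ppp0         eth0

# /etc/shorewall/policy
# the original script filtered nothing; this is a deliberate tightening:
# LAN may reach the net, unsolicited traffic from the net is dropped and logged
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (explicit exceptions to the policies above; both assumed)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      fw     tcp     22     # ssh to the firewall from the LAN only
ACCEPT    loc      fw     udp     53     # only if the firewall resolves DNS for the LAN

# /etc/shorewall/shorewall.conf  (relevant settings only)
IP_FORWARDING=On     # replaces: echo 1 > /proc/sys/net/ipv4/ip_forward
CLAMPMSS=Yes         # replaces: iptables -I FORWARD ... -j TCPMSS --clamp-mss-to-pmtu
```

The `ifconfig ppp0 mtu 1400` line has no Shorewall equivalent; set `mtu 1400` in the pppd options file instead so it is applied every time the link comes up.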