Adam D wrote:
> Seweryn Kokot wrote:
>> Inspired by last posts about iptables/firewall I would like to convert from
>> /etc/init.d/firewall rules to shorewall. I have an external internet
>> connection (ppp0, dynamic ip) and want to forward that net connection
>> by eth0 (192.168.0.1) to another computer. Here are the rules
>> in /etc/init.d/firewall:
>> -----
>> iptables -F
>> iptables -t nat -F
>> iptables -t mangle -F
>> iptables -t filter -F
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> ifconfig ppp0 mtu 1400
>> ----
>> How to represent it in shorewall?
>
> Actually quite easy. Do you have shorewall installed?
>
> All your shorewall configs are kept in /etc/shorewall.
>
> /etc/shorewall/zones
> #ZONE   DISPLAY     COMMENTS
> net     Internet    Internet
> loc     Local-LAN   Local Network
>
> Set up your /etc/shorewall/interfaces as
> #ZONE   INTERFACE   BROADCAST   OPTIONS (these are extra options for the interface)
> net     ppp0        detect      routefilter,tcpflags,detectnets,nosmurfs
> loc     eth0        detect      routefilter,tcpflags,detectnets,nosmurfs
>
> /etc/shorewall/policy (these policies tell netfilter who gets what access)
> #SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
> loc     net     ACCEPT  #$LOG
>
> /etc/shorewall/rules (this is where you tell shorewall which ports accept
> connections and from what zone)
> #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/
> #                               PORT    PORT(S) DEST        LIMIT   GROUP
> ACCEPT  net     fw      tcp     http
>
> Once you configure your config files and start shorewall, all it does is build
> the iptables for you and quits. It does not run as a daemon. It configures
> iptables/netfilter for you.
>
> Shorewall does all the dirty work. I hope this helps.. again this is just
> the tip. Read up on the shorewall page for more in-depth info.
>
> -Adam
The last line in the rules config was just a sample from the config file itself. Not knowing what your actual settings for ports are, this was a good way at least for you to see what that does. Once the configs are set up, all you need to do is start shorewall with /etc/init.d/shorewall start. It will do all the rule writing. That is it in a nutshell.
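The thread maps zones, interfaces, policy and rules, but three pieces of the original iptables script still need a home: the MASQUERADE rule (Shorewall's `masq` file, which Adam's reply does not mention), the `ip_forward` sysctl and the TCPMSS clamp (both `shorewall.conf` settings, `IP_FORWARDING` and `CLAMPMSS`), and the MTU line (no Shorewall equivalent; it belongs to pppd). The script below is an added example, not code from either poster or from the Shorewall project: it writes the equivalent configuration into a staging directory in the old three-column format used in the thread. It assumes ppp0 as the external interface, eth0 serving 192.168.0.0/24 internally, and an existing packaged `shorewall.conf` in which only the two keys are changed (overwriting the whole file would drop the many other settings Shorewall requires). The `policy` file is deliberately stricter than the original script, which accepted everything not explicitly handled.

```shell
#!/bin/sh
# Added example: generate a Shorewall configuration equivalent to the
# iptables script quoted in the thread. Interface names and the LAN subnet
# are assumptions; override them via the environment if yours differ.
set -eu

EXT_IF=${EXT_IF:-ppp0}
INT_IF=${INT_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Set KEY=VALUE in a shell-style config file: replace the line if the key
# is already present, append it otherwise. Portable (no "sed -i").
set_conf_key() {
    file=$1 key=$2 value=$3
    if [ -f "$file" ] && grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Write the config files into $1. Stage into a scratch directory first,
# review, then copy to /etc/shorewall.
gen_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/zones" <<EOF
#ZONE   DISPLAY     COMMENTS
net     Internet    Internet
loc     Local-LAN   Local Network
EOF

    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $EXT_IF     detect      routefilter,tcpflags,nosmurfs
loc     $INT_IF     detect      routefilter,tcpflags,nosmurfs
EOF

    # "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE": masquerade
    # the LAN subnet when it leaves via the external interface.
    cat > "$dir/masq" <<EOF
#INTERFACE  SUBNET
$EXT_IF     $LAN_NET
EOF

    # Stricter than the original script: LAN may reach the net, the firewall
    # itself may reach anything, unsolicited traffic from the net is dropped
    # and logged, anything else is rejected and logged.
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Exceptions to the policies go here; this opens ssh from the LAN only.
    cat > "$dir/rules" <<EOF
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22
EOF

    # "echo 1 > /proc/sys/net/ipv4/ip_forward" and the TCPMSS clamp rule are
    # shorewall.conf settings, so only those two keys are touched.
    set_conf_key "$dir/shorewall.conf" IP_FORWARDING On
    set_conf_key "$dir/shorewall.conf" CLAMPMSS Yes

    # "ifconfig ppp0 mtu 1400" has no Shorewall equivalent; put "mtu 1400"
    # in the pppd peer options instead.
}

# Usage: sh gen-shorewall.sh /tmp/shorewall-staging
if [ $# -gt 0 ]; then
    gen_shorewall_config "$1"
fi
```

After copying the staged files over /etc/shorewall (and, on Debian, setting `startup=1` in /etc/default/shorewall), run `shorewall check` before `shorewall start`; it compiles the configuration without loading it, so a typo in a column shows up before the old iptables rules are replaced.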