Firewall
Topic: (Part of the detailed Step-by-Step Installation Guide for setting up the Server.) We use Shorewall because it simplifies firewall setup and has excellent documentation.

sudo apt-get install shorewall
sudo vi /etc/default/shorewall
startup=1

NB: We assume that there is a WAN router plugged into the LAN2 ethernet port (eth1). If using a USB ADSL modem, replace 'eth1' with 'ppp0' in the steps below.
sudo cp /usr/share/doc/shorewall/examples/three-interfaces/* /etc/shorewall/
sudo gunzip /etc/shorewall/interfaces.gz /etc/shorewall/masq.gz /etc/shorewall/rules.gz /etc/shorewall/policy.gz
sudo vi /etc/shorewall/interfaces
net eth1 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc eth0 detect tcpflags,detectnets,nosmurfs
sudo vi /etc/shorewall/shorewall.conf
IP_FORWARDING=On
sudo vi /etc/shorewall/masq
eth1 eth0
eth1 eth2
sudo vi /etc/shorewall/policy
$FW net ACCEPT
dmz net ACCEPT
dmz $FW ACCEPT
dmz loc ACCEPT
Note that these three policies give the dmz zone (LAN3, eth2) unrestricted access to the Internet, to the firewall host itself and to the LAN. That is only sensible because LAN3 is used here as a trusted priority segment (see "Provide priority access via LAN3" below), not as an Internet-facing DMZ hosting exposed services; for a real DMZ the dmz→loc and dmz→$FW policies would need to be restricted.
sudo vi /etc/shorewall/rules
#SSH/ACCEPT loc dmz
#DNS/ACCEPT dmz net
# Allow connections to the Server
DNS/ACCEPT loc $FW
ACCEPT loc $FW tcp 21
ACCEPT loc $FW tcp 25
ACCEPT loc $FW tcp 80
ACCEPT loc $FW tcp 8081
# Reject ICMP from LAN to Internet (we provide Smokeping instead)
REJECT loc net icmp
sudo /etc/init.d/shorewall restart

Provide priority access via LAN3:
sudo vi /etc/network/interfaces
# LAN3 (DMZ)
auto eth2
iface eth2 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
sudo /etc/init.d/networking restart

Download Wondershaper and tune it:
wget http://lartc.org/wondershaper/wondershaper-1.1a.tar.gz
tar zxvf wondershaper-1.1a.tar.gz
sudo cp wondershaper-1.1a/wshaper /etc/shorewall/tcstart
The archive is fetched over plain HTTP and the copied script becomes a Shorewall extension script that runs as root, so compare it against a known-good copy before putting it in place.
sudo vi /etc/shorewall/tcstart
DOWNLINK=256
UPLINK=128
DEV=eth1
NOPRIOHOSTSRC=192.168.1.0/24
(No space after the '='. In a shell script, `NOPRIOHOSTSRC= 192.168.1.0/24` leaves the variable empty and tries to run `192.168.1.0/24` as a command.)
#echo Please read the documentation in 'README' first :-\)
#exit
(These two lines are commented out so the script no longer prints the reminder and exits before configuring shaping.)
sudo vi /etc/shorewall/shorewall.conf
TC_ENABLED=Yes
sudo /etc/init.d/shorewall restart

Continue with the rest of the detailed Step-by-Step Installation Guide.