How to install :-
$ nano /etc/default/shorewall
# Now simply change the startup line from 0 to 1:
startup = 0 to startup = 1
# save and exit
Shorewall configuration files are stored in two separate places: /etc/shorewall stores all the program configuration files, and /usr/share/shorewall stores supporting files and action files.
Configuring shorewall :
We need to copy all the sample configuration files from /usr/share/doc/shorewall/default-config to /etc/shorewall.
$ nano /etc/shorewall/zones
# add 2 lines below into your zones file
$ nano /etc/shorewall/interfaces
# add 2 lines below into interfaces file
$ nano /etc/shorewall/policy
# add the few lines below into the policy file
fw   net  ACCEPT
fw   loc  ACCEPT
net  all  DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all  all  REJECT  info
# save and exit
This policy says: by default, accept any traffic originating from the machine (fw) to the internet (net) and to the local network (loc). Anything that comes in from the internet destined to either the machine or the local network should be dropped and logged to syslog at level info. The last line closes everything else off, and probably won't ever be touched. Note: DROP rules drop the packet quietly, while REJECT sends something back letting the originator know they've been rejected.
Rules Configuration :
The most important file is the rules file. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules; if none of them apply, then the default policy applies. Note: this is only for new connections; existing connections are automatically accepted. The comments in the file give you a good idea of how things work, but the following example can give you a head-start:
$ nano /etc/shorewall/rules
# add the few lines below into the rules file
#ACTION  SOURCE        DEST  PROTO  DEST                                                      SOURCE   ORIGINAL  RATE   USER/
#                                   PORT                                                      PORT(S)  DEST      LIMIT  GROUP
ACCEPT   net           fw    icmp   8
ACCEPT   fw            net   icmp
ACCEPT   net           fw    tcp    ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT   net           fw    udp    https
#ACCEPT  net:10.1.1.1  fw    tcp    ssh
# save and exit
This example can be written in long-hand as: accept any pings (icmp type 8, echo-request) from the internet to the machine; accept any tcp connections from the internet on any of the ports referenced in /etc/services for the services ssh (22), www (80), https (443), etc.; and also accept udp connections from the internet to https (443).
The last rule (commented out in the listing above) accepts tcp connections only from the IP 10.1.1.1 on the internet to the ssh port (22); uncomment it to enable it.
The final step is to start the shorewall firewall.
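A quick audit of the policy and rules files shown above, added here as an example and not part of the original tutorial: it checks that the "all all REJECT" catch-all really is the last active policy line, and lists every protocol/port the net zone is allowed to open toward fw (the sample files are constructed copies of the two listings, written to temporary files).

```shell
#!/bin/sh
# Added example (not part of the original tutorial): audit the Shorewall policy
# and rules files described above. The sample files are constructed copies of
# the tutorial's listings written to temporary files, deleted on exit.
SAMPLE_POLICY=$(mktemp); SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_POLICY" "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
fw net ACCEPT
fw loc ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
EOF
cat > "$SAMPLE_RULES" <<'EOF'
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
#                         PORT PORT(S) DEST    LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw udp https
# ACCEPT net:10.1.1.1 fw tcp ssh
EOF
# catchall_last FILE: succeed only if the last active (non-comment) policy line
# is the "all all REJECT" catch-all, as the tutorial requires.
catchall_last() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    { last = $1 " " $2 " " $3 }
    END { if (last == "all all REJECT") exit 0; exit 1 }
  ' "$1"
}
# exposed_services FILE: print "PROTO PORT" for each active ACCEPT rule whose
# SOURCE is the net zone (plain "net" or a "net:host" qualifier) and DEST is fw.
# Comment lines are skipped, so the commented-out 10.1.1.1 rule is not counted.
exposed_services() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "ACCEPT" && ($2 == "net" || $2 ~ /^net:/) && $3 == "fw" {
      n = split($5, ports, ",")
      if (n == 0) { print $4, "any"; next }   # no DEST PORT given: whole protocol
      for (i = 1; i <= n; i++) print $4, ports[i]
    }
  ' "$1"
}
# count_exposed FILE: number of PROTO/PORT pairs the internet may reach
count_exposed() { exposed_services "$1" | wc -l | tr -d ' '; }
catchall_last "$SAMPLE_POLICY" && echo "policy: catch-all REJECT is last"
echo "ports open to net: $(count_exposed "$SAMPLE_RULES")"; exposed_services "$SAMPLE_RULES"
```

Run it against the real /etc/shorewall/policy and /etc/shorewall/rules instead of the samples to see exactly which services a host exposes to the internet zone before starting the firewall.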