Written by Max Baudin
v1.0, 21 April 2009
This tutorial has been checked with Debian Lenny.
apt-get install shorewall
debian:/usr/share/doc/shorewall-common/default-config# ls
accounting  hosts       ipsecvpn  netmap     route_rules   stop       tos
actions     init        maclist   params     routestopped  stopped    tunnel
blacklist   initdone    masq      policy     rules         tcclasses  tunnels
continue    interfaces  modules   providers  start         tcdevices  zones
ecn         ipsec       nat       proxyarp   started       tcrules
debian:/usr/share/doc/shorewall-common/default-config# cp interfaces /etc/shorewall
debian:/usr/share/doc/shorewall-common/default-config# cp policy /etc/shorewall
debian:/usr/share/doc/shorewall-common/default-config# cp rules /etc/shorewall
debian:/usr/share/doc/shorewall-common/default-config# cp zones /etc/shorewall
debian:/usr/share/doc/shorewall-common/default-config# cd /etc/shorewall
debian:/etc/shorewall# ls
interfaces  policy  rules  zones  shorewall.conf  Makefile
debian:/etc/shorewall#
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
net             all             DROP
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###########################################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   MARK
#                               PORT    PORT(S) DEST            LIMIT   GROUP
# ICMP: allow outgoing ping and its reply,
# and inbound: destination unreachable and time exceeded.
# Incoming ping is not allowed.
ACCEPT  fw      net     icmp    8
ACCEPT  net     fw      icmp    0,32,11
#
# DNS
ACCEPT  fw      net     udp     53
#
# Browser
ACCEPT  fw      net     tcp     80,443,8080,110,25
#
# FTP
#ACCEPT fw      net:212.27.63.3 tcp     21
#
# Amule
ACCEPT  fw      net     tcp     6175
ACCEPT  fw      net     udp     7175
ACCEPT  net     fw      tcp     6175
ACCEPT  net     fw      udp     7175
ACCEPT  fw      net     udp     6178
#SECTION ESTABLISHED
ACCEPT  fw      net:212.27.63.3 tcp
#SECTION RELATED
#SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
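To see what the rules file above actually exposes, here is an added Python example (it is not from the tutorial and not part of Shorewall) that parses the ACTION/SOURCE/DEST/PROTO/DEST PORT columns of a Shorewall 4 rules file and lists the ports the net zone may open towards the firewall itself; the embedded sample is a constructed subset of the rules above.

```python
# Constructed sample: a subset of the tutorial's /etc/shorewall/rules.
SAMPLE_RULES = """\
ACCEPT  fw   net  icmp  8
ACCEPT  net  fw   icmp  0,32,11
ACCEPT  fw   net  udp   53
ACCEPT  fw   net  tcp   80,443,8080,110,25
#ACCEPT fw   net:212.27.63.3 tcp 21
ACCEPT  fw   net  tcp   6175
ACCEPT  fw   net  udp   7175
ACCEPT  net  fw   tcp   6175
ACCEPT  net  fw   udp   7175
ACCEPT  fw   net  udp   6178
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def parse_rules(text):
    """One dict per active rule; comments, blank lines and SECTION markers skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        if len(cols) < 4:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append({"action": cols[0].upper(), "source": cols[1], "dest": cols[2],
                      "proto": cols[3].lower(),
                      "dport": cols[4] if len(cols) > 4 else "-"})  # '-' = empty column
    return rules


def inbound_exposure(rules, zone="net", host="fw"):
    """(proto, port) pairs that `zone` may open towards `host`; ICMP is left out.

    A missing port column exposes the whole protocol and is reported as 'any'.
    Qualified zones such as net:212.27.63.3 are reduced to their zone name.
    """
    exposed = []
    for r in rules:
        if r["action"] != "ACCEPT" or r["proto"] == "icmp":
            continue
        if r["source"].split(":")[0] != zone or r["dest"].split(":")[0] != host:
            continue
        ports = ["any"] if r["dport"] == "-" else r["dport"].split(",")
        exposed.extend((r["proto"], p) for p in ports)
    return exposed


if __name__ == "__main__":
    for proto, port in inbound_exposure(parse_rules(SAMPLE_RULES)):
        print(f"net -> fw accepted on {proto}/{port}")
```

Running it against the sample reports only the two Amule ports (tcp/6175 and udp/7175); run it against the real /etc/shorewall/rules after every change to confirm nothing else has been opened inbound.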
debian:~# vim /etc/default/shorewall
# prevent startup with default configuration
# set the following variable to 1 in order to allow Shorewall to start
startup=0     <-- set to 1 for automatic startup

# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
# wait until the interface is configured. Otherwise the script will fail because
# it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
#
# Startup options
#
OPTIONS=""
#
# EOF