Shorewall6: Difference between revisions
Current revision as of 11 October 2019, 15:45

Links
- Tutorial: http://shorewall.net/two-interface.htm

Description
shorewall6 is firewall software.

Installation
<pre>
apt install shorewall6
# NOTE: the files below use the IPv4 Shorewall layout (/etc/shorewall, zone
# type ipv4); the shorewall6 package reads /etc/shorewall6 and uses zone type ipv6.
# On Debian/Ubuntu also set startup=1 in /etc/default/shorewall before starting.
cd /etc/shorewall
DEVNET=eno1    # interface facing the Internet
DEVLOC=virbr1  # bridge facing the local VMs
cat <<EOS >interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net   $DEVNET   detect    nosmurfs
loc   $DEVLOC   detect    routeback,bridge
EOS
cat <<EOS >zones
#ZONE TYPE     OPTIONS IN_OPTIONS OUT_OPTIONS
fw    firewall
net   ipv4
loc   ipv4
EOS
cat <<EOS >masq
#INTERFACE SOURCE     ADDRESS PROTO PORT(S) IPSEC MARK
# was "eth0": must be the net-facing interface, otherwise the entry never matches
$DEVNET    10.0.0.0/8
EOS
cat <<EOS >policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# From Firewall Policy
fw      fw   ACCEPT
fw      net  ACCEPT
fw      loc  ACCEPT
# From localnet Policy
loc     loc  ACCEPT
loc     net  ACCEPT
loc     fw   ACCEPT
# From Net Policy
net     fw   DROP   info
net     loc  DROP   info
# THE FOLLOWING POLICY MUST BE LAST
all     all  REJECT info
EOS
cat <<EOS >rules
#ACTION     SOURCE DEST                PROTO DEST          SOURCE ORIGINAL RATE
SSH/ACCEPT  net    fw                  -     -             -      -        12/min:8
ACCEPT      net    fw                  tcp   80,81,443,444
Ping/ACCEPT all    all
# forward external port 10100 to SSH on the VM 10.10.10.100
DNAT        net    loc:10.10.10.100:22 tcp   10100         -
EOS
</pre>

Configuration
- Examples are under /usr/share/doc/shorewall/examples/two-interfaces
- /etc/shorewall/shorewall.conf
<pre>
IP_FORWARDING=On
</pre>
- Complete /etc/shorewall/policy
  - The line "fw net ACCEPT" was added
<pre>
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc     net  ACCEPT
net     all  DROP   $LOG_LEVEL
# the VM host should also reach the Internet:
fw      net  ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all     all  REJECT $LOG_LEVEL
</pre>
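Both policy files on this page rely on Shorewall's first-match evaluation: the file is read top to bottom, the first entry whose SOURCE and DEST match the zone pair wins, and `all` matches any zone, which is why the catch-all `all all REJECT` has to be last and why the "fw net ACCEPT" line had to be added above it. The checker below is an added example, not code from the original page or from the Shorewall project: it parses a policy file, resolves the effective policy for a zone pair the same way Shorewall does, and flags a default ACCEPT from the untrusted net zone or a catch-all that is not the last entry. The embedded sample policies are constructed copies of the two variants on this page rather than files read from /etc/shorewall.

```python
"""Effective-policy checker for Shorewall policy files.

Added example, not part of the original page or of Shorewall itself.
Shorewall reads /etc/shorewall/policy top to bottom and applies the first
entry whose SOURCE and DEST match the zone pair; `all` matches any zone.
This script parses such a file, resolves the effective policy for a zone
pair the same way, and flags two things worth catching before a restart:
a default ACCEPT from the untrusted net zone, and a catch-all entry that
is not the last line (every entry after it is unreachable).  The sample
policies are constructed copies of the two variants shown on this page,
embedded inline rather than read from /etc/shorewall.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PolicyEntry:
    source: str
    dest: str
    policy: str
    loglevel: str = "-"


def parse_policy(text: str) -> list[PolicyEntry]:
    """Parse policy file text; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        loglevel = fields[3] if len(fields) > 3 else "-"
        entries.append(PolicyEntry(fields[0], fields[1], fields[2].upper(), loglevel))
    return entries


def effective_policy(entries: list[PolicyEntry], source: str, dest: str) -> str | None:
    """First matching entry wins, exactly as Shorewall applies the file."""
    for e in entries:
        if e.source in ("all", source) and e.dest in ("all", dest):
            return e.policy
    return None  # no entry matched; Shorewall would refuse to compile such a file


def lint_policy(entries: list[PolicyEntry], untrusted: tuple[str, ...] = ("net",)) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, e in enumerate(entries, start=1):
        if e.source in untrusted and e.policy == "ACCEPT":
            findings.append(f"entry {i}: default ACCEPT from untrusted zone {e.source} -> {e.dest}")
        if (e.source, e.dest) == ("all", "all") and i != len(entries):
            findings.append(f"entry {i}: catch-all is not last; {len(entries) - i} later entries are unreachable")
    if not entries or (entries[-1].source, entries[-1].dest) != ("all", "all"):
        findings.append("no final 'all all' catch-all entry")
    return findings


# Constructed sample 1: the policy written by the installation steps above.
INSTALL_POLICY = """\
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
fw fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
loc loc ACCEPT
loc net ACCEPT
loc fw ACCEPT
net fw DROP info
net loc DROP info
all all REJECT info
"""

# Constructed sample 2: the shorter policy from the configuration section,
# including the "fw net ACCEPT" line the page says was added.
CONFIG_POLICY = """\
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc net ACCEPT
net all DROP $LOG_LEVEL
fw net ACCEPT
all all REJECT $LOG_LEVEL
"""

# The same file without that added line, to show what it changed.
CONFIG_POLICY_BEFORE = CONFIG_POLICY.replace("fw net ACCEPT\n", "")


if __name__ == "__main__":
    for name, text in (("install", INSTALL_POLICY), ("config", CONFIG_POLICY),
                       ("config-before", CONFIG_POLICY_BEFORE)):
        entries = parse_policy(text)
        print(name, "fw->net:", effective_policy(entries, "fw", "net"),
              "net->loc:", effective_policy(entries, "net", "loc"),
              "findings:", lint_policy(entries) or "none")
```

Run against the configuration-section variant it shows why the line was added: without "fw net ACCEPT" the pair fw→net falls through to the catch-all and resolves to REJECT. It also shows that fw→loc resolves to REJECT in that file, because there is no fw→loc entry before the catch-all, and that net→loc is DROP in both variants.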