Links[Bearbeiten]

• [Tutorial]

Beschreibung[Bearbeiten]

shorewall6 ist eine Firewall-Software.

Installation[Bearbeiten]

apt install shorewall6
cd /etc/shorewall
DEVNET=eno1
DEVLOC=virbr1
cat <<EOS >interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net   $DEVNET   detect    nosmurfs
loc   $DEVLOC   detect    routeback,bridge
EOS
cat <<EOS >zones
#ZONE   TYPE        OPTIONS IN_OPTIONS OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOS
cat <<EOS >masq
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0            10.0.0.0/8
EOS
cat <<EOS >policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
# From localnet Policy
loc     loc     ACCEPT
loc     net     ACCEPT
loc     fw      ACCEPT
# From Net Policy
net     fw      DROP            info
net     loc     DROP            info 
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT          info
EOS
cat <<EOS >rules
#ACTION        SOURCE DEST PROTO   DEST         SOURCE ORIGINAL RATE
SSH/ACCEPT     net    fw   -       -            -     -         12/min:8
ACCEPT         net    fw   tcp    80,81,443,444
Ping/ACCEPT    all    all
#ACTION SOURCE DEST                PROTO DEST   SOURCE ORIGINAL RATE
DNAT    net    loc:10.10.10.100:22 tcp   10100  -
EOS

Konfiguration[Bearbeiten]

• Beispiele in /usr/share/doc/shorewall/examples/two-interfaces
• /etc/shorewall/shorewall.conf

IP_FORWARDING=On

• komplette /etc/shorewall/policy
  • Ergänzt wurde die Zeile "fw net ACCEPT"

#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT

loc	net		ACCEPT
net	all		DROP		$LOG_LEVEL
# der VM-Host soll auch ins Internet:
fw	net		ACCEPT
# THE FOLOWING POLICY MUST BE LAST
all	all		REJECT		$LOG_LEVEL