
SHOREWALL TWO INTERFACE


Setting up a firewall in a LOCAL NETWORK

eth0  = LAN
eth1  = ISP
$FW   = FIREWALL

=== /etc/shorewall/zones ===
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
loc     ipv4                            # interface to LAN
net     ipv4                            # interface to ISP (used by interfaces/policy/rules below, so it must be declared here)
=== /etc/shorewall/interfaces ===
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
# each option is listed once; noping and norfc1918 are not supported by Shorewall 4.4
loc     eth0            detect          blacklist,tcpflags,logmartians=1,nosmurfs,routefilter=1
net     eth1            detect          blacklist,logmartians=1,nosmurfs,routefilter=1,tcpflags
=== /etc/shorewall/policy ===
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
$FW     all     ACCEPT          info
loc     $FW     DROP            info
loc     net     DROP            info
net     $FW     DROP            info
net     loc     DROP            info
all     all     DROP            info
=== /etc/shorewall/rules ===
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
ACCEPT:info     loc             $FW             tcp     21,22,25,53,110,143,443,10000
ACCEPT:info     loc             $FW             udp     53
ACCEPT:info     loc             net             tcp     21,22,25,53,110,143,443,10000
ACCEPT:info     loc             net             udp     53
ACCEPT:info     net             $FW             tcp     10000
ACCEPT:info     net             loc             tcp     10000
=== /etc/shorewall/blacklist ===
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET         PROTOCOL        PORT    OPTIONS
192.168.0.7             tcp             22

SHOREWALL


Shorewall is one of the firewall tools for Linux; its core uses iptables. Shorewall makes it easy for a sysadmin to set up a firewall that matches their needs.


#cd /home/installer/

# wget http://slovakia.shorewall.net/pub/shorewall/4.4/shorewall-4.4.21/shorewall-4.4.21-0base.noarch.rpm

# rpm -ivh shorewall-4.4.21-0base.noarch.rpm

# cd /etc/shorewall/

# vim /etc/shorewall/shorewall.conf

STARTUP_ENABLED=Yes

CLAMPMSS=Yes


The basic parameters that need to be configured are (in this order):

  1. zones
  2. interfaces
  3. policy
  4. rules
zones

fw      firewall   -> the firewall itself (referred to as $FW)
loc     ipv4       -> interface to the local LAN
net     ipv4       -> interface to the ISP

interfaces

loc     eth0    detect  tcpflags,nosmurfs
net     eth1    detect  tcpflags,nosmurfs

Options (fuller option sets, the first for the net interface and the second for the loc interface):

dhcp,blacklist,logmartians=1,nets=(!$LOC_SUBNET),nosmurfs,routefilter=1,tcpflags
dhcp,nets=($LOC_SUBNET)

policy


$FW     all     ACCEPT    (this is the most important line to pay attention to); it can also be replaced by two lines: $FW  loc  ACCEPT  and  $FW  net  ACCEPT
loc        $FW     DROP    info
loc        net        DROP    info
net       $FW      DROP    info
net       loc         DROP    info
all        all          DROP     info

Options: $LOG

rules

ACCEPT     loc     $FW     tcp     21,22,25,53,80,110,143,443
ACCEPT     loc     $FW     udp     53
ACCEPT     loc     net     tcp     21,22,25,53,80,110,143,443
ACCEPT     loc     net     udp     53

Other formats:

DNAT     net                     loc:192.168.221.5:443    tcp     443
ACCEPT          fw                      net                     tcp     80
REDIRECT        loc:!192.168.221.200    3128                    tcp     80      -       !192.168.221.254,192.168.221.4
ACCEPT          loc:192.168.221.200     net                     tcp     80
ACCEPT:$LOG     net                     fw                      tcp     22                      # SSH
ACCEPT          net                     fw                      icmp    8  # Ping

ACCEPT:info     loc                     fw                      tcp     22                      # SSH

# /etc/init.d/shorewall restart

# iptables -nL
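As an added example (not code from this post or from Shorewall itself), a small Python checker that reads the four files in the order listed above and reports two things a practitioner wants before restarting: zones that are used in interfaces/policy/rules but never declared in zones (Shorewall refuses to compile such a configuration), and every rule that admits traffic from the net zone, i.e. the firewall's exposed surface. The sample file contents are constructed here in the layout of the post's examples.

```python
# Constructed sample in the layout of the post's four files (not the author's own
# files); like the first post on this page, the zones file forgets to declare "net".
SAMPLE = {
    "zones": "fw\tfirewall\nloc\tipv4\t# interface to LAN\n",
    "interfaces": "loc eth0 detect tcpflags,nosmurfs\nnet eth1 detect tcpflags,nosmurfs\n",
    "policy": "$FW all ACCEPT info\nloc $FW DROP info\nnet loc DROP info\nall all DROP info\n",
    "rules": "#SECTION NEW\nACCEPT loc $FW tcp 21,22,53\nACCEPT:info net $FW tcp 10000\n"
             "ACCEPT:info net loc tcp 10000\nDNAT net loc:192.168.221.5:443 tcp 443\n",
}

def rows(text):
    """Split a Shorewall file into column lists, dropping comments and SECTION lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.upper().lstrip("?").startswith("SECTION"):
            yield line.split()

def zone_of(field):
    """Reduce 'loc:192.168.221.5:443' to 'loc' and '$FW' to the zone name 'fw'."""
    name = field.split(":", 1)[0]
    return "fw" if name == "$FW" else name

def undeclared_zones(files):
    """Zones referenced by interfaces, policy or rules but missing from the zones file."""
    declared = {r[0] for r in rows(files["zones"])}
    used = {r[0] for r in rows(files["interfaces"])}
    used |= {zone_of(f) for r in rows(files["policy"]) for f in r[:2]}
    used |= {zone_of(f) for r in rows(files["rules"]) for f in r[1:3]}
    return sorted(z for z in used - declared if z not in ("all", "-"))

def net_exposure(files):
    """(action, dest zone, proto, ports) for every rule that lets traffic in from net."""
    exposed = []
    for r in rows(files["rules"]):
        action = r[0].split(":", 1)[0].upper()          # strip a ':info' log level
        if zone_of(r[1]) == "net" and action in ("ACCEPT", "DNAT", "REDIRECT"):
            proto = r[3] if len(r) > 3 else "-"
            ports = r[4] if len(r) > 4 else "-"
            exposed.append((action, zone_of(r[2]), proto, ports))
    return exposed

if __name__ == "__main__":
    for z in undeclared_zones(SAMPLE):
        print(f"zone '{z}' is used but not declared in /etc/shorewall/zones")
    for entry in net_exposure(SAMPLE):
        print("reachable from net: %s -> zone %s, %s port(s) %s" % entry)
```

To run it against a live host, replace SAMPLE with the contents of /etc/shorewall/{zones,interfaces,policy,rules} and review the exposure list before `shorewall restart`.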