Re: shorewall, forwarding net connection
Adam D wrote:
> Seweryn Kokot wrote:
>> Inspired by last posts about iptables/firewall I would like to convert from
>> /etc/init.d/firewall rules to shorewall. I have an external internet
>> connection (ppp0, dynamic ip) and want to forward that net connection
>> by eth0 (192.168.0.1) to another computer. Here are the rules
>> in /etc/init.d/firewall:
>> -----
>> iptables -F
>> iptables -t nat -F
>> iptables -t mangle -F
>> iptables -t filter -F
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> ifconfig ppp0 mtu 1400
>> ----
>> How to represent it in shorewall?
>
>
> Actually quite easy. Do you have shorewall installed?
>
> All your shorewall configs are kept in /etc/shorewall.
>
> /etc/shorewall/zones
> #ZONE DISPLAY COMMENTS
> net Internet Internet
> loc Local-LAN Local Network
>
>
> Set up your /etc/shorewall/interfaces as
> #ZONE INTERFACE BROADCAST OPTIONS (these are extra options for the interface i.e.)
> net ppp0 detect routefilter,tcpflags,detectnets,nosmurfs
> loc eth0 detect routefilter,tcpflags,detectnets,nosmurfs
>
>
> /etc/shorewall/policy (these policies tell netfilter who gets what access)
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> loc net ACCEPT #$LOG
>
>
> /etc/shorewall/rules (this is where you will tell shorewall to build what ports accept connections and what zone.)
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
> # PORT PORT(S) DEST LIMIT GROUP
> ACCEPT net fw tcp http
>
>
> Once you configure your config files and start shorewall, all it does is build the iptables for you and quits. It does not run as a daemon. It configs iptables/netfilter for you.
>
> Shorewall does all the dirty work. I hope this helps... Again, this is just the tip. Read up on the shorewall page for more in-depth coverage.
>
> -Adam
>
The last line in the rules config was just a sample from the config file itself. Not knowing what your actual settings for ports are, this was a good way for you to at least see what that does.
Once you have set up the configs, all you need to do is start shorewall with /etc/init.d/shorewall start
It will do all the rule writing. That is it in a nutshell.
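The reply above covers zones, interfaces, policy and rules, but not the three lines that actually do the work in the original script (ip_forward, MASQUERADE on ppp0, and the MSS clamp). The script below maps those onto Shorewall's own files. It is an added example, not from the thread; it assumes a Shorewall release that still uses /etc/shorewall/masq (later releases replaced it with /etc/shorewall/snat), and the directory argument only exists so it can be tried in a scratch directory instead of /etc/shorewall.

```shell
#!/bin/sh
# Shorewall equivalents of the original /etc/init.d/firewall lines:
#   echo 1 > /proc/sys/net/ipv4/ip_forward                 -> IP_FORWARDING=On (shorewall.conf)
#   iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE   -> "ppp0 eth0" in masq
#   iptables ... -j TCPMSS --clamp-mss-to-pmtu             -> CLAMPMSS=Yes (shorewall.conf)
# "ifconfig ppp0 mtu 1400" is not a Shorewall concern; keep it as the
# "mtu 1400" option in your pppd options/peer file.
set -eu

# set_conf_option FILE KEY VALUE: replace an existing KEY= line or append one,
# so the real shorewall.conf (which already contains these keys) is edited
# in place rather than ending up with duplicate keys.
set_conf_option() {
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# write_masq_config [DIR]: DIR defaults to /etc/shorewall.
write_masq_config() {
    dir="${1:-/etc/shorewall}"
    mkdir -p "$dir"

    # masq: packets from eth0's network leaving through ppp0 are SNATed to
    # ppp0's current (dynamic) address, i.e. MASQUERADE. ppp0 is the "net"
    # interface and eth0 the "loc" interface in /etc/shorewall/interfaces.
    if ! grep -q '^ppp0[[:space:]][[:space:]]*eth0' "$dir/masq" 2>/dev/null; then
        printf '#INTERFACE   SUBNET   ADDRESS\nppp0         eth0\n' >> "$dir/masq"
    fi

    set_conf_option "$dir/shorewall.conf" IP_FORWARDING On
    set_conf_option "$dir/shorewall.conf" CLAMPMSS Yes
}

# check_masq_config [DIR]: return 0 when all three settings are present.
check_masq_config() {
    dir="${1:-/etc/shorewall}"
    grep -q '^ppp0[[:space:]][[:space:]]*eth0' "$dir/masq" &&
    grep -q '^IP_FORWARDING=On$' "$dir/shorewall.conf" &&
    grep -q '^CLAMPMSS=Yes$' "$dir/shorewall.conf"
}
```

After running write_masq_config against the real directory, `shorewall check` reports configuration errors before `shorewall start` loads anything into netfilter.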