
Re: shorewall, forwarding net connection



Adam D wrote:
> Seweryn Kokot wrote:
>> Inspired by last posts about iptables/firewall I would like to convert from
>> /etc/init.d/firewall rules to shorewall. I have an external internet
>> connection (ppp0, dynamic ip) and want to forward that net connection
>> by eth0 (192.168.0.1) to another computer. Here are the rules 
>> in /etc/init.d/firewall:
>> -----
>> iptables -F
>> iptables -t nat -F
>> iptables -t mangle -F
>> iptables -t filter -F 
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> ifconfig ppp0 mtu 1400 
>> ----
>> How to represent it in shorewall?
> 
> 
> Actually quite easy.  Do you have shorewall installed?
> 
> All your shorewall configs are kept in /etc/shorewall. 
> 
> /etc/shorewall/zones
> #ZONE   DISPLAY         COMMENTS
> net    Internet        Internet
> loc     Local-LAN       Local Network
> 
> 
> Set up your /etc/shorewall/interfaces as
> #ZONE   INTERFACE       BROADCAST       OPTIONS (these are extra options for the interface i.e.)
> net	ppp0		detect		routefilter,tcpflags,detectnets,nosmurfs
> loc	eth0		detect		routefilter,tcpflags,detectnets,nosmurfs
> 
> 
> /etc/shorewall/policy (these policies tell netfilter who gets what access)
> #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
> loc             net            ACCEPT          #$LOG
> 
> 
> /etc/shorewall/rules  (this is where you will tell shorewall to build what ports accept connections and from what zone.)
> #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
> #                                                       PORT    PORT(S) DEST            LIMIT   GROUP
> ACCEPT          net             fw              tcp     http
> 
> 
> Once you configure your config files and start shorewall, all it does is build the iptables for you and quits.  It does not run as a daemon.  It configs iptables/netfilter for you.
> 
> Shorewall does all the dirty work.  I hope this helps. Again, this is just the tip.  Read up on the shorewall page for more in-depth information.
> 
> -Adam
> 

The last line in the rules config was just a sample from the config file itself.  Not knowing what your actual settings for ports are, this was a good way for you to at least see what that does.

Once setting up the configs all you need to do is start shorewall with /etc/init.d/shorewall start 

It will do all the rule writing.  That is it in a nutshell.
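For completeness, here is a direct translation of all four iptables lines from the original question into Shorewall files. This is an added example and not from anyone in the thread; it assumes the Shorewall 2.x file formats that Adam's reply uses (Shorewall 3.x and later add a TYPE column to zones and declare the fw zone explicitly), ppp0 as the Internet link, and eth0 serving 192.168.0.0/24. Two files the reply did not show are what actually carry the MASQUERADE and TCPMSS rules: masq, and the CLAMPMSS and IP_FORWARDING keys in shorewall.conf. The script writes into a directory you name (default /etc/shorewall) so the result can be generated in a scratch directory and compared before it is installed. Note that the policy file also gives the net zone a default DROP, which the original iptables script never had.

```shell
#!/bin/sh
# Added example: Shorewall 2.x equivalent of the iptables script in the
# question. Writes the files into $1 (default /etc/shorewall). Assumptions:
# ppp0 = Internet (dynamic IP), eth0 = 192.168.0.0/24 LAN. Not part of the
# original mailing-list thread.

# set_conf FILE KEY VALUE: replace an existing KEY= line or append one,
# so an existing shorewall.conf keeps all its other settings.
set_conf() {
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed -e "s/^$2=.*/$2=$3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        echo "$2=$3" >> "$1"
    fi
}

write_shorewall_config() {
    dir=${1:-/etc/shorewall}
    mkdir -p "$dir"

    # zones: the same two zones as in the reply. The firewall's own zone
    # ("fw") is implicit in Shorewall 2.x and named by FW= in shorewall.conf.
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY     COMMENTS
net     Internet    Internet link on ppp0 (dynamic IP)
loc     Local-LAN   Local network on eth0
EOF

    # interfaces: a ppp link has no broadcast address, hence "-" for ppp0.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,nosmurfs
loc     eth0        detect      routefilter,tcpflags,nosmurfs
EOF

    # policy: the original script forwarded everything with no filtering at
    # all; "net all DROP" is the default the iptables script was missing.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF

    # masq: replaces
    #   iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    # Packets from the LAN subnet leaving via ppp0 get the ppp0 address.
    cat > "$dir/masq" <<'EOF'
#INTERFACE   SUBNET           ADDRESS
ppp0         192.168.0.0/24
EOF

    # rules: the script opened no ports on the firewall itself, so only the
    # header is needed (Shorewall expects the file to exist).
    cat > "$dir/rules" <<'EOF'
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
EOF

    # shorewall.conf: "echo 1 > /proc/sys/net/ipv4/ip_forward" becomes
    # IP_FORWARDING=On, and the TCPMSS --clamp-mss-to-pmtu FORWARD rule
    # becomes CLAMPMSS=Yes (Shorewall emits the same SYN,RST SYN match).
    set_conf "$dir/shorewall.conf" IP_FORWARDING On
    set_conf "$dir/shorewall.conf" CLAMPMSS Yes
}

# "ifconfig ppp0 mtu 1400" is not firewall policy: put "mtu 1400" in the
# pppd options for the peer (/etc/ppp/peers/<provider>) instead.
# Usage: write_shorewall_config /tmp/shorewall-test
#        diff -r /tmp/shorewall-test /etc/shorewall
```

Generate into a scratch directory first and diff against the live /etc/shorewall, then run `shorewall check` before `/etc/init.d/shorewall start`; the check catches column and syntax errors without touching the running netfilter rules.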


