I. Introduction to Advanced Components
1. params
This file sets shell variables. It works somewhat like a C #include: a variable defined here is available in every other Shorewall configuration file without any explicit include directive. The purpose of params is to collect all site-specific values in one place, so that once your rules are written you can move the firewall to a different network by editing params alone, which makes the configuration much easier to manage. For example:
Settings in /etc/shorewall/params:

    NET_IF=eth0
    NET_BCAST=130.252.100.255
    NET_OPTIONS=blacklist,norfc1918

Settings in /etc/shorewall/interfaces:

    net    $NET_IF    $NET_BCAST    $NET_OPTIONS
In the same way, every other rule can be written in terms of these variables, so a rule set written once can be reused on another network by changing only params. Keep in mind that params is sourced by the shell when Shorewall starts: it should contain nothing but variable assignments, and it must be writable only by root, since anything placed in it runs with root privileges.
2. rules
This is the key file of the whole Shorewall configuration. The policy file sets the default policy for each pair of zones, for example whether traffic from the loc zone to the dmz zone is REJECTed or ACCEPTed; normally everything coming from outside the firewall towards the firewall and the internal network is denied by default. The rules file then lists the exceptions to those policies. For example, if the policy closes every port so that you cannot ssh in from outside, the rules file is where you open that one service. Its format is as follows:
    #ACTION   SOURCE   DEST               PROTO   DEST       SOURCE    ORIGINAL
    #                                             PORT       PORT(S)   DEST
    DNAT      fw       loc:192.168.1.3    tcp     ssh,http
This rule forwards (DNAT) ssh and http connection requests to the host 192.168.1.3 in the loc zone. Note that with fw in the SOURCE column the rule matches connections originated by the firewall itself; for the usual case of forwarding connections that arrive from the Internet, SOURCE should be net, as in the example in the Shorewall documentation.
The frequently used fields of this file are described below; the less common ones are omitted:

Field            Setting        Description

ACTION           ACCEPT         Allow the connection request.
                 ACCEPT+        Same as ACCEPT, but the connection is also exempted from any later REDIRECT- and DNAT- rules.
                 DROP           Silently discard the connection request.
                 REJECT         Refuse the connection request and send an ICMP unreachable (or a TCP RST) back to the sender.
                 DNAT           Forward the connection request to another system (and/or another port number).
                 DNAT-          Advanced use only. Like DNAT, but only the DNAT iptables rule is generated, not the matching ACCEPT rule.
                 REDIRECT       Redirect the connection request to a local port number on the firewall.
                 REDIRECT-      Advanced use only. Like REDIRECT, but only the REDIRECT iptables rule is generated, not the matching ACCEPT rule.
                 CONTINUE       For experts only. Stop processing rules for this (source zone, destination zone) pair; if the source or destination address also falls into a zone defined later in the zones file, the request is passed on to the rules for that zone.
                 LOG            Log the packet only; no other action is taken.
                 QUEUE          Hand the packet to a user-space program (the iptables QUEUE target).
                 <action>       The name of an action defined in /etc/shorewall/actions or /usr/share/shorewall/actions.std.

SOURCE           Source of the connection. The following forms are accepted:
                     loc, net                        a zone defined in the zones file
                     192.168.1.1                     an IP address
                     192.168.1.0/24                  a subnet
                     loc:192.168.1.1                 zone plus IP address
                     loc:192.168.1.0/24              zone plus subnet
                     loc:192.168.1.1,192.168.1.2     zone plus a list of addresses
                     loc:~00-A0-C9-15-39-78          zone plus MAC address

DEST             Destination, written the same way as SOURCE, with these restrictions: a MAC address is not allowed; in DNAT rules the address must be a plain IP address (no host names or subnets); an interface name and an IP address may not both be given.

PROTO            Must be tcp, udp, icmp, all, or a protocol number.

DEST PORT(S)     Destination port(s), as numbers or service names from /etc/services. A comma-separated list selects several ports, and low:high selects a range (1024:2048 means every port from 1024 to 2048).

CLIENT PORT(S)   Source port(s) on the client side. Normally left empty, meaning any port.
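The params mechanism and the rules fields described above can be checked offline before a restart, which is useful because Shorewall only reports a bad line when you restart the firewall. The following is an added example, not Shorewall's own code: it expands $NAME references the way params does, parses each rules line, expands port lists and ranges, and enforces the DEST restrictions listed above. The service-name table is a constructed stand-in for /etc/services, and the PARAMS and RULES strings are constructed sample input (the variable names LOC_SERVER and ADMIN_PORTS are hypothetical). One thing it makes visible is that /etc/services names port 53 "domain", not "dns".

```python
import ipaddress
import re

# Values named in the rules section above.
ACTIONS = {"ACCEPT", "ACCEPT+", "DROP", "REJECT", "DNAT", "DNAT-",
           "REDIRECT", "REDIRECT-", "CONTINUE", "LOG", "QUEUE"}
PROTOS = {"tcp", "udp", "icmp", "all"}

# Constructed stand-in for /etc/services. The DNS entry in the real file is
# named "domain", not "dns": a rule written with "dns" will not compile.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "pop3": 110}


def load_params(text):
    """Parse the NAME=value assignments of a params file."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def expand(line, params):
    """Substitute $NAME / ${NAME}. An undefined name is an error here; the
    shell would silently expand it to nothing and shift the columns."""
    def sub(match):
        name = match.group(1) or match.group(2)
        if name not in params:
            raise ValueError(f"undefined variable ${name}")
        return params[name]
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, line)


def port_number(name):
    if name.isdigit():
        return int(name)
    if name in SERVICES:
        return SERVICES[name]
    raise ValueError(f"unknown service {name!r} (not in /etc/services)")


def expand_ports(spec):
    """'ssh,http,1024:2048' -> [(22, 22), (80, 80), (1024, 2048)]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo_n = port_number(lo)
        hi_n = port_number(hi) if hi else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def parse_endpoint(field, is_dest, is_dnat):
    """'loc:192.168.1.3' -> ('loc', '192.168.1.3'), applying the DEST restrictions."""
    zone, _, addr = field.partition(":")
    if not addr:
        return zone, None
    if is_dest:
        if addr.startswith("~"):
            raise ValueError("MAC address not allowed in DEST")
        if is_dnat:
            # A DNAT target must be a plain IP address (an optional :port may follow).
            ipaddress.ip_address(addr.split(":")[0])
    return zone, addr


def parse_rules(text, params):
    """Expand variables, then parse and validate each rules line."""
    rules = []
    for raw in text.splitlines():
        line = expand(raw.split("#", 1)[0], params).strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"too few fields: {line!r}")
        action, proto = fields[0], fields[3]
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if proto not in PROTOS and not proto.isdigit():
            raise ValueError(f"bad protocol {proto!r}")
        is_dnat = action.startswith("DNAT")
        ports = [] if len(fields) < 5 or fields[4] == "-" else expand_ports(fields[4])
        rules.append({"action": action,
                      "source": parse_endpoint(fields[1], False, is_dnat),
                      "dest": parse_endpoint(fields[2], True, is_dnat),
                      "proto": proto, "ports": ports})
    return rules


# Constructed sample input in the layout of the two files (hypothetical names).
PARAMS = "LOC_SERVER=192.168.1.3\nADMIN_PORTS=ssh,10000\n"
RULES = """\
#ACTION  SOURCE  DEST              PROTO  DEST PORT
DNAT     net     loc:$LOC_SERVER   tcp    ssh,http
ACCEPT   net     fw                tcp    $ADMIN_PORTS
ACCEPT   net     fw                udp    53
DROP     loc     net               tcp    1863
"""


def check(rules_text=RULES, params_text=PARAMS):
    return parse_rules(rules_text, load_params(params_text))


if __name__ == "__main__":
    for rule in check():
        print(rule)
```

Run it as a script to see the parsed rules; pointing check() at the real /etc/shorewall/params and /etc/shorewall/rules contents catches an undefined variable, a MAC address in DEST, or a service name missing from /etc/services before the firewall is restarted.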
3. nat
This file defines one-to-one NAT: a real (public) IP address is mapped in its entirety to one internal (private) address, so every service reached on that public address ends up on the same internal host. It is typically used when the NAT host runs only the firewall and all the hosts that provide services to the outside sit behind it on private addresses. In practice this file is rarely needed; to forward individual services (DNAT) do not use this file, use the rules file instead. The nat settings look like this:
    #EXTERNAL    INTERFACE    INTERNAL        ALL            LOCAL
    #                                         INTERFACES
    x.x.x.x      eth0         192.168.1.23
EXTERNAL: the real (public) IP address to be mapped (x.x.x.x above is a placeholder).
INTERFACE: the name of the external network interface on which that address is used.
INTERNAL: the internal (private) IP address that the external address is mapped to.
ALL INTERFACES: set to Yes if the mapping should also apply to traffic arriving on the other interfaces; if set to No or left blank it applies only on INTERFACE.
LOCAL: if set to Yes (with ALL INTERFACES also Yes), the mapping also applies to connections that the firewall itself makes to EXTERNAL, so they reach INTERNAL. This requires kernel 2.4.19 or later with CONFIG_IP_NF_NAT_LOCAL enabled.
4. masq
This file turns the firewall into a NAT (masquerading) gateway for the internal hosts. The content of masq is as follows:
    #INTERFACE   SUBNET   ADDRESS            PROTO   PORT(S)   IPSEC
    eth0         eth1     206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
INTERFACE: the external network interface through which the masqueraded packets leave.
SUBNET: the internal network interface (or subnet) whose traffic is to be masqueraded.
ADDRESS: the external source address to rewrite packets to. It may be left empty, in which case the interface's current address is used (iptables MASQUERADE); when given, packets are rewritten to that fixed address (SNAT), which is the right choice on a link with a static address.
PROTO: a protocol name from /etc/protocols; optional.
PORT(S): if PROTO is tcp or udp, the destination port number(s) or service name(s) the entry applies to; optional.
IPSEC: if left blank, the entry applies to all matching traffic; if set to yes, it applies only to traffic that will be encrypted by IPsec after it leaves the firewall. This column does not itself encrypt anything.
Example:

    eth0    eth1    206.124.146.177    tcp    smtp
    eth0    eth1    206.124.146.176

With these settings, TCP SMTP packets arriving from eth1 leave eth0 with their source address set to 206.124.146.177, and every other packet from eth1 leaves eth0 with source address 206.124.146.176. Entries are matched in order, so the specific SMTP line must come before the catch-all line; reversed, the catch-all would match the SMTP traffic first.
5. modules
This file lists the kernel modules that Shorewall loads for iptables. The default content is as follows:
    loadmodule ip_tables
    loadmodule iptable_filter
    loadmodule ip_conntrack
    loadmodule ip_conntrack_ftp
    loadmodule ip_conntrack_tftp
    loadmodule ip_conntrack_irc
    loadmodule iptable_nat
    loadmodule ip_nat_ftp
    loadmodule ip_nat_tftp
    loadmodule ip_nat_irc
If you need other modules, simply add further loadmodule lines to the modules file.
6. blacklist
This file is a blacklist: traffic from the network addresses listed here is dropped (or rejected, according to BLACKLIST_DISPOSITION in shorewall.conf). It only takes effect on interfaces whose entry in the interfaces file carries the blacklist option, as NET_OPTIONS did in the params example above; traffic arriving on other interfaces is not checked against it.
    #ADDRESS/SUBNET    PROTOCOL    PORT

ADDRESS/SUBNET: the network address to restrict, as a host address, a subnet or a MAC address, in the following formats:

    host address:   192.168.1.10
    subnet:         192.168.1.0/24
    MAC address:    ~00-A0-C9-15-39-78

PROTOCOL: a protocol name from /etc/protocols. May be left empty, meaning any protocol.
PORT: if PROTOCOL is tcp or udp, a port number or service name. May be left empty, meaning any port.

Example:

    192.0.2.126    udp    53

This line blocks the DNS queries sent by 192.0.2.126.
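To see exactly which connections a blacklist file catches, here is an added example (not part of the page or of Shorewall) that parses entries in the format above, including the ~MAC form, and matches constructed connections against them. The BLACKLIST text and the addresses in demo() are constructed sample input; the SERVICES table stands in for /etc/services. An empty PROTOCOL or PORT column is treated as a wildcard, as the text describes.

```python
import ipaddress

# Constructed stand-in for the /etc/services names a PORT column may use.
SERVICES = {"domain": 53, "ssh": 22, "http": 80}


def parse_blacklist(text):
    """Parse 'ADDRESS/SUBNET [PROTOCOL [PORT]]' lines into match tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target = fields[0]
        proto = fields[1] if len(fields) > 1 and fields[1] != "-" else None
        port = None
        if len(fields) > 2 and fields[2] != "-":
            port = int(fields[2]) if fields[2].isdigit() else SERVICES[fields[2]]
        if target.startswith("~"):
            # ~00-A0-C9-15-39-78 -> 00:a0:c9:15:39:78
            matcher = ("mac", target[1:].replace("-", ":").lower())
        else:
            # A bare host address becomes a /32 network.
            matcher = ("net", ipaddress.ip_network(target, strict=False))
        entries.append((matcher, proto, port))
    return entries


def is_blacklisted(entries, src_ip, src_mac, proto, dport):
    """True if the connection matches any entry (first match wins)."""
    for (kind, value), e_proto, e_port in entries:
        if kind == "mac":
            if src_mac is None or src_mac.lower() != value:
                continue
        elif ipaddress.ip_address(src_ip) not in value:
            continue
        if e_proto is not None and e_proto != proto:
            continue
        if e_port is not None and e_port != dport:
            continue
        return True
    return False


# Constructed blacklist: the page's DNS example plus a subnet and a MAC entry.
BLACKLIST = """\
#ADDRESS/SUBNET     PROTOCOL   PORT
192.0.2.126         udp        53      # DNS queries from this host
198.51.100.0/24                        # everything from this subnet
~00-A0-C9-15-39-78  tcp        ssh     # this MAC may not ssh through us
"""


def demo():
    entries = parse_blacklist(BLACKLIST)
    return [
        is_blacklisted(entries, "192.0.2.126", None, "udp", 53),   # True
        is_blacklisted(entries, "192.0.2.126", None, "tcp", 80),   # False: only udp/53 listed
        is_blacklisted(entries, "198.51.100.7", None, "tcp", 443), # True: whole subnet
        is_blacklisted(entries, "203.0.113.9", "00:A0:C9:15:39:78", "tcp", 22),  # True by MAC
        is_blacklisted(entries, "203.0.113.9", "00:A0:C9:15:39:78", "tcp", 80),  # False
    ]


if __name__ == "__main__":
    print(demo())
```

The second result shows the limitation of the page's example: listing udp/53 blocks only DNS queries, and the same host is free to open any other connection unless a broader entry is added.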
II. Introduction to Advanced Applications
1. open services
The policy so far blocks every service from both outside and inside, so each service has to be opened one by one. Here HTTP, SMTP, POP3, SSH, DNS and the Webmin service on port 10000 are opened. The settings in rules are as follows:
    #ACTION   SOURCE   DEST   PROTO   DEST PORT
    ACCEPT    net      fw     tcp     http
    ACCEPT    loc      fw     tcp     http
    ACCEPT    net      fw     tcp     smtp
    ACCEPT    loc      fw     tcp     smtp
    ACCEPT    net      fw     tcp     pop3
    ACCEPT    loc      fw     tcp     pop3
    ACCEPT    net      fw     tcp     ssh
    ACCEPT    loc      fw     tcp     ssh
    # /etc/services names port 53 "domain", not "dns"; use the number to be safe
    ACCEPT    net      fw     tcp     53
    ACCEPT    loc      fw     tcp     53
    ACCEPT    net      fw     udp     53
    ACCEPT    loc      fw     udp     53
    ACCEPT    net      fw     tcp     10000
    ACCEPT    loc      fw     tcp     10000
All of these services run on the firewall itself, so the DEST field is fw, and because there is an internal zone and an external zone, each service is listed twice. Note that the ssh and Webmin (10000) lines with SOURCE net expose the firewall's own administration services to the whole Internet; on a production firewall, restrict the SOURCE of those two rules to the administrators' addresses (net:address form) rather than the whole net zone. There is, however, another way to write the same thing, as shown below:
2. instance: blocking MSN
MSN Messenger uses TCP port 1863, and the client connects to gateway.messenger.hotmail.com.
First, drop all TCP connections to gateway.messenger.hotmail.com by adding the following record to the rules file:

    DROP    loc    net:gateway.messenger.hotmail.com    tcp    -

Note that Shorewall resolves a host name in a rule only once, when the firewall is started or restarted, so if the name later resolves to different addresses the rule will not follow them; this is why the Shorewall documentation advises against host names in rules.
Then drop connections to port 1863 on any address:

    DROP    loc    net    tcp    1863

Together these block most MSN traffic. The client can still fall back to tunnelling over HTTP, so port-based blocking alone is not complete.