Perfect Implementation of ShoreWall enterprise firewall

Article Title: Perfect Implementation of ShoreWall enterprise firewall. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
　　 Article 1: network access
Many enterprises now use leased lines and ADSL, but the final result is the same: there is a public IP (or a CIDR block) on the Internet) route to your gateway server or access vro. Now that I know this, let's talk about how to access the internet. I use the leased line access as an example:
　　
　　
　　　
When you access a leased line, there is usually a leased line access ticket with the following information:
　　
1: IP address range
2: Client Access IP address and local IP address
　　
We can see that:
1: The ISP assigns you a Class C public network address.
2: The client must access the IP address 192.168.5.1 and the local IP address 192.168.5.2.
　　
Well, the following is what I want to focus on. many people think that a public IP address must be bound to a firewall's internet interface. In fact, this is a mistake. In fact, as long as there is a Route information, you can access the Internet. The above figure shows an example. at the end of the ISP's router, there must be a Route message bound to 192.168.5.2:
Ip route 211.111.111.0/24 via 192.168.5.1
　　
The usual practice is to set up a public IP address 211.111.111.1 at the Ethernet port of Route B, and then use this as the gateway to access the internet. Generally, the firewall is connected first and then the LAN user is connected,
　　　
This is a typical enterprise application. I guess I'm right, but I think there are some bad points:
　　
1: The public IP address cannot be properly managed. the public IP address is connected between Firewall and Route B, for example, through a vSwitch, in this way, if a computer is connected to a vSwitch and you bind a public IP, you can access the Internet.
2: This is a C-type IP address. you need to bind many public IP addresses to use these IP addresses on Firewall. Therefore, management has many drawbacks.
　　
　　 Article 2: network structure design
For a class C Public IP, we can redesign a network topology:
　　
Solution 1: Do not segment the Class c cidr block or use a CIDR block,
　　　
Note: You need to add a static Route on route B, ip Route 211.111.111.0 255.255.255.0 192.168.1.2
　　
Now, Firewall can completely control and allocate the 254 public IP addresses.
　　
Solution 2: Segment The Class c cidr block into two public ip cidr blocks with two firewalls.
　　
In this way, we split a Class C Public IP into two:
The IP address range of Firewall A is 211.111.111.1-127.
The IP range of Firewall B is 211.111.111.129-254.
　　
　　 Article 3 implementation of firewall
My platform is:
　　
Redhat 8.0 + Shorewall 1.4.8 (in fact, it is based on iptables), there are three NICs, in this example.
　　
Maybe many of my friends are not very clear about shorewall (http://www.shorewall.net), I first introduce shorewall, in fact, he is a firewall based on iptables, his advantage is convenient configuration, easy to manage, it is easy to configure an enterprise-level firewall policy.
　　
In my personal opinion, iptables commands are too complicated and troublesome, and are relatively poor in terms of management and readability, I personally think that as a network administrator, we should focus on designing firewall policies instead of writing a command. Okay, no more nonsense.
　　
After Redhat 8.0 is installed and three NICs are installed,
Download the rpm Package of shorewall from http://slovakia.shorewall.net/pub/s...8-1.noarch.rpm( or both the tar package)
　　
I. Installation
Rpm-ivh shorewall-1.4.8-1.noarch.rpm
　　
II. configuration
　　
All the configuration files of shorewall are under/etc/shorewall. now, I will explain in detail how to configure shorewall.
　　
Here we assume that the DMZ region has the following servers:
　　
　　
Source code :--------------------------------------------------------------------------------
Mail server: 10.1.2.2/24 public network address: 211.111.111.2
Pptp vpn server: 10.1.2.3/24 public network address: 211.111.111.3
Dns server: 10.1.2.4/24 public IP address: 211.111.111.4
Http server: 10.1.2.5/24 public network address: 211.111.111.5
--------------------------------------------------------------------------------
　　
You can see many configuration files in/etc/shorewall:
　　
(I only want to talk about the configuration files we will use. Others are rarely used. you can go and see the help on your own)
　　
Zones)
Interfaces)
Masq)
Policy (define the default policy)
Rules (define firewall rules)
　　
The content of each configuration file is as follows:
　　
Source code :--------------------------------------------------------------------------------
Cat/etc/shorewall/zones:
========================================================== ==========
WanInternet Internet
DmzDMZ
LanLan Lan
========================================================== ==========
　　
Cat/etc/shorewall/interfaces
========================================================== ==========
Wan eth0 detect
Lan eth1 detect
Dmz eth2 detect
========================================================== ==========
　　
Cat/etc/shorewall/masq
========================================================== ==========
Eth0 192.168.1.2/32 211.111.111.1 # ----- Firwall To Internet
Eth0 10.1.1.0/24 211.111.111.1 # ----- Lan A To Internet
Eth0 10.1.2.2/32211.111.111.2 # ----- mail server To Internet
Eth0 10.1.2.3/32211.111.111.3 # ----- pptp server To Internet
Eth0 10.1.2.4/32211.111.111.4 # ----- dns server To Internet
Eth0 10.1.2.5/32211.111.111.5 # ----- http server To Internet
========================================================== ==========
　　
Cat/etc/shorewall/policy
========================================================== ==========
Fw all ACCEPT # Firewall can access all regions, including the Internet
Lan wan ACCEPT # Lan A can access the Internet at will
Dmz wan ACCEPT # The DMZ server can access the Internet at will
Lan dmz ACCEPT # Lan A can access and manage DMZ server zones at will
　　
Wan all DROP # The Internet cannot access the internal network and DMZ at will
All REJECT
========================================================== ==========
　　
Cat/etc/shorewall/rules
========================================================== ==========
# ---------------------- Internet To mail Server -------------------------------
　　
DNAT wan dmz: 10.1.2.2 tcp smtp-211.111.111.2
DNAT wan dmz: 10.1.2.2 tcp POP3-211.111.111.2
　　
# ---------------------- Internet To PPTP Server -------------------------------
　　
DNAT wan dmz: 10.1.2.3 tcp 1723-211.111.111.3
DNAT wan dmz: 10.1.2.3 47--211.111.111.3
　　
# ---------------------- Internet To DNS Server -------------------------------
　　
DNAT wan dmz: 10.1.2.4 tcp 53-211.111.111.4
DNAT wan dmz: 10.1.2.4 udp 53-211.111.111.4
　　
# ---------------------- Internet To http Server -------------------------------
　　
DNAT wan dmz: 10.1.2.5 tcp http-211.111.111.5
　　
========================================================== ==========
--------------------------------------------------------------------------------
Now, all the firewalls are configured. The results of the firewall are as follows:
　　
Source code :--------------------------------------------------------------------------------
All Lan A users 10.1.1.0/24 pretend to be 211.111.111.1 to access the Internet
Mail server: 10.1.2.2/32 access the Internet with a public address: 211.111.111.2
Pptp vpn server: 10.1.2.3/32 access the Internet with a public address: 211.111.111.3
Dns server: 10.1.2.4/32 access the Internet with a public address: 211.111.111.4
Http server: 10.1.2.5/32 access the Internet with a public address: 211.111.111.5
　　
Firewall can access all regions, including the Internet
Lan A can access the Internet at will
DMZ servers can access the Internet at will
Lan A can access and manage DMZ server zones at will
The Internet cannot access the internal network and DMZ at will.
--------------------------------------------------------------------------------
　　
All right, all the configuration files have been configured, and then delete/etc/shorewall/startup