Installing the Shorewall firewall on Linux (CentOS)


This article is from the Linux community website (www.linuxidc.com); original link: http://www.linuxidc.com/Linux/2009-03/18941.htm

Linux ships with a powerful packet filter, iptables, but its syntax is cumbersome, which makes deployment and maintenance error-prone. Shorewall is a free third-party firewall generator: it compiles a set of readable configuration files into iptables rules, so it is in effect a packaged and organized front end to iptables rather than a separate firewall engine.

Brief deployment guide:
Download from http://www.shorewall.net/ or http://slovakia.shorewall.net/pub/shorewall/

You need to download two packages:
shorewall-perl-4.2.2.1.tgz    # the Perl-based rule compiler that Shorewall 4.2 needs
shorewall-common-4.2.2.1.tgz  # the main Shorewall program
First extract and install shorewall-perl-4.2.2.1.tgz:
tar -zxvf shorewall-perl-4.2.2.1.tgz
cd shorewall-perl-4.2.2.1
./configure
make
make install
Then extract and install shorewall-common-4.2.2.1.tgz:
tar -zxvf shorewall-common-4.2.2.1.tgz
cd shorewall-common-4.2.2.1
./configure
make
make install
Shorewall's main configuration file is /etc/shorewall/shorewall.conf.
Set STARTUP_ENABLED=Yes in it; the stock file ships with it set to No, and Shorewall refuses to start until this is changed.
There are many other configuration files in /etc/shorewall, among them zones, interfaces, policy and masq.
The zones file defines the firewall's zones. I think of them as similar to the inside and outside definitions of a Cisco firewall.
vi /etc/shorewall/zones
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE       OPTIONS    IN         OUT
#                             OPTIONS    OPTIONS
fw      firewall
in      ipv4
out     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
This defines the in and out zones. fw is a special zone that is always present: it stands for the Linux firewall host itself (its name comes from the FW setting in shorewall.conf). Zone names are lower case and must be spelled identically in every file that refers to them.
Save and exit.
Edit the interfaces file:
vi /etc/shorewall/interfaces
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
in      eth0
out     eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This puts eth0 in the in zone and eth1 in the out zone. Here eth0 is the internal NIC and eth1 the external one; if your machine is cabled the other way round, swap the names consistently in this file and in masq below.
Save and exit.
Then define the policies:
vi /etc/shorewall/policy
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
fw        all    ACCEPT
all       fw     ACCEPT
in        out    ACCEPT
out       in     DROP
#LAST LINE -- DO NOT REMOVE
Once zones are defined, a policy must exist for every pair of zones that will exchange traffic; Shorewall applies the first line that matches. Here traffic from fw to any zone and from any zone to fw is ACCEPTed, meaning anything the firewall host sends, and anything any host sends to the firewall host, passes. That is obviously not secure, but it is acceptable for a test. Traffic from in to out is allowed, and traffic from out to in is dropped. For production, replace "all fw ACCEPT" with a default-deny catch-all such as "all all REJECT info" as the last policy line, and open only the services you actually need (for example SSH from the LAN to the firewall) in /etc/shorewall/rules. Save and exit.
Define NAT by editing the masq file:
vi /etc/shorewall/masq
#
# Shorewall version 4 - Masq File
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth1         eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Note the column order: INTERFACE is the external interface the traffic leaves through (eth1), and SOURCE is where it comes from (eth0, meaning every network reachable via eth0). Packets from the eth0 network that go out through eth1 are masqueraded, that is, rewritten to eth1's address, so the internal hosts reach the outside through the firewall's single external address.
Save and exit.
Run "shorewall check" to compile and validate the configuration without loading it. If it reports an error, fix the file and line it names before going further; a configuration that fails the check will not load.
Then run "shorewall restart".
Note that once Shorewall is started it loads the generated iptables rules and, with IP_FORWARDING=On (the default in shorewall.conf), turns on IP forwarding in the kernel, which the NAT above depends on.
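The whole procedure above, written as a shell script. This is an added example for this page, not code from the original article or from the Shorewall project. It writes the zones, interfaces, policy, rules and masq files into a directory you pass as the first argument (so you can try it in a scratch directory before touching /etc/shorewall), uses a stricter policy than the one shown above (a default-deny catch-all plus a rules file that opens SSH and ping from the LAN to the firewall host), sets STARTUP_ENABLED=Yes in shorewall.conf, and runs a small zone-reference check that catches the most common "shorewall check" failure: a policy or rule that names a zone the zones file does not declare. The interface names eth0/eth1 follow the article; the rules file contents, the interface hardening options and the helper functions (write_config, enable_startup, columns, check_zone_refs) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article or of Shorewall itself.
# Generates a two-interface Shorewall 4.x configuration (eth0 inside,
# eth1 outside, as in the article) with a default-deny policy and
# pre-checks zone references before handing it to `shorewall check`.

# Write zones, interfaces, policy, rules and masq into directory $1.
write_config() {
    dir="$1"
    mkdir -p "$dir"

    # fw is the firewall host itself; in and out are the two IPv4 networks.
    cat > "$dir/zones" <<'EOF'
#ZONE    TYPE        OPTIONS
fw       firewall
in       ipv4
out      ipv4
EOF

    # Hardening options from shorewall-interfaces(5) on the external side:
    # reverse-path filtering, bad-TCP-flag checks, broadcast-source drops.
    cat > "$dir/interfaces" <<'EOF'
#ZONE    INTERFACE   BROADCAST   OPTIONS
in       eth0        detect
out      eth1        detect      routefilter,tcpflags,nosmurfs
EOF

    # First match wins. Unlike the article's "all fw ACCEPT", nothing reaches
    # the firewall host unless a rule opens it; the catch-all logs what it
    # rejects so mistakes show up in the log instead of failing silently.
    cat > "$dir/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG LEVEL
fw       all    ACCEPT
in       out    ACCEPT
out      all    DROP     info
all      all    REJECT   info
EOF

    # Exceptions to the policy: SSH and ping from the LAN to the firewall.
    cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE  DEST   PROTO   DEST PORT(S)
ACCEPT   in      fw     tcp     22
ACCEPT   in      fw     icmp    8
EOF

    # Masquerade the eth0 network as it leaves through eth1.
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth1        eth0
EOF
}

# Set STARTUP_ENABLED=Yes in $1/shorewall.conf; the stock file ships with
# No and Shorewall refuses to start until it is changed.
enable_startup() {
    conf="$1/shorewall.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    sed 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    grep -q '^STARTUP_ENABLED=Yes$' "$conf"
}

# Print the given comma-separated columns (e.g. "2,3") of every
# non-comment, non-blank line of file $1, one value per line.
columns() {
    awk -v cols="$2" '
        NF > 0 && substr($1, 1, 1) != "#" {
            n = split(cols, c, ",")
            for (i = 1; i <= n; i++) print $(c[i])
        }' "$1"
}

# Return 0 if every zone named in interfaces, policy and rules is declared
# in zones (or is one of Shorewall's built-in names), 1 otherwise.
check_zone_refs() {
    dir="$1"
    known=" $(columns "$dir/zones" 1 | sed 's/:.*//' | tr '\n' ' ') all any \$FW - "
    status=0
    # "zone:address" qualifiers in rules are reduced to the zone name.
    for z in $( { columns "$dir/interfaces" 1
                  columns "$dir/policy" 1,2
                  columns "$dir/rules" 2,3; } | sed 's/:.*//' | sort -u); do
        case "$known" in
            *" $z "*) ;;
            *) echo "zone '$z' is referenced but not declared in zones" >&2
               status=1 ;;
        esac
    done
    return $status
}

# Usage: sh shorewall-setup.sh /etc/shorewall   (try a scratch dir first),
# then run "shorewall check" and "shorewall restart" as in the article.
if [ $# -gt 0 ]; then
    write_config "$1" && enable_startup "$1" && check_zone_refs "$1" &&
        echo "configuration written to $1; now run: shorewall check"
fi
```

The zone check is deliberately narrow: it only verifies that every zone referenced in interfaces, policy and rules was declared, which is what "shorewall check" itself stops on first, and it is no substitute for running the real check, which also validates option names, ports and macros. Because the policy here ends in "all all REJECT info", any service you forget to open in rules shows up as a logged reject rather than a silent timeout.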

Http://www.qqgb.com/NetWorkSecurity/Fireware/FirewareZh/NetWorkSecurity_159365.html
