In the previous installment, Using the iptables firewall configuration tool Shorewall, we described how to install Shorewall and use it for basic firewall configuration. In this article we give examples of some of its advanced components.
Introduction to the Advanced Components
1. params
This file defines shell variables. It works a little like the include feature in C: Shorewall reads the file and makes its variables available in every other configuration file, without you having to reference params explicitly anywhere else. Its purpose is to collect all of the site-specific values in one place, so that once your rules are written, moving them to a different network only requires changing params. This makes management very convenient. An example follows.
Settings in /etc/shorewall/params:
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
Settings in /etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST    OPTIONS
net     $NET_IF     $NET_BCAST   $NET_OPTIONS
In this way every other rule can be written in terms of the variables, so a rule set that is written once can be reused on other networks by editing params alone. Because Shorewall reads params by sourcing it as a shell script, the file must be owned by root and writable only by root: anything placed in it is executed with the firewall's privileges.
2. Rules
This file is the key file of the whole Shorewall configuration. The policy file defines the overall firewall policy, for example whether traffic from the loc zone to the DMZ is rejected or accepted; usually the policy from outside the firewall to the internal network is set to drop everything first. The rules file then defines the "exceptions" to that policy. For example, if your firewall closes every port so that nobody outside can connect over SSH, the connections you do want to allow are defined in the rules file. Its format is as follows:
#ACTION  SOURCE   DEST              PROTO   DEST      SOURCE    ORIGINAL
#                                           PORT      PORT(S)   DEST
DNAT     net      loc:192.168.1.3   tcp     ssh,http
This rule forwards SSH and HTTP connections arriving from the net zone to the internal host 192.168.1.3, overriding the net-to-loc drop policy for just those two ports.
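To show how the params, interfaces, policy and rules files described above fit together, the following script is an added example (written for this article, not code from the original page or from the Shorewall project). It builds a small Shorewall-style configuration in a scratch directory, expands the $VARIABLES from params the way Shorewall does (by sourcing params with the shell), and runs the kind of zone-name consistency check that "shorewall check" performs. The scratch directory, the interface names (eth0, eth1), the addresses, the extra variables LOC_IF and SSH_SERVER, and the default firewall zone name fw are assumptions for the illustration; nothing under /etc/shorewall is touched.

```shell
#!/bin/sh
# Added example (not from the original article or the Shorewall project): build a
# minimal Shorewall-style configuration in a scratch directory, expand the $VARIABLES
# defined in params the way Shorewall does (params is sourced by the shell), and run
# the kind of consistency check "shorewall check" performs on zone names.
# The directory, interface names, addresses and rule set are assumptions for
# illustration only; nothing under /etc/shorewall is touched.
set -eu

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"   # assumption: scratch copy of /etc/shorewall

write_sample_config() {
    # params: plain shell variable assignments, one per line
    cat > "$CONF_DIR/params" <<'EOF'
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
LOC_IF=eth1
SSH_SERVER=192.168.1.3
EOF
    # interfaces: ZONE INTERFACE BROADCAST OPTIONS, written in terms of params
    cat > "$CONF_DIR/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST      OPTIONS
net     $NET_IF     $NET_BCAST     $NET_OPTIONS
loc     $LOC_IF     detect
EOF
    # policy: the default verdict for every zone pair (everything from net is dropped)
    cat > "$CONF_DIR/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # rules: the exceptions to policy; $FW is Shorewall's name for the firewall zone
    cat > "$CONF_DIR/rules" <<'EOF'
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
DNAT    net     loc:$SSH_SERVER tcp     ssh,http
ACCEPT  net     $FW             tcp     ssh
EOF
}

# Print one config file with comments removed and $VARIABLES expanded from params.
# Done in a subshell so the caller's environment is untouched. With set -u in
# effect, a reference to a variable that params does not define is a hard error,
# not a silently empty field. Because params is executed as shell, it must be
# owned by root and writable by nobody else; the same goes for any file expanded here.
expand_file() {
    (
        set -a
        . "$CONF_DIR/params"
        FW="${FW:-fw}"      # assumption: default firewall zone name from shorewall.conf
        set +a
        set -f              # no globbing while fields are re-split
        while IFS= read -r line; do
            case "$line" in
                \#*|'') continue ;;
            esac
            eval "set -- $line"     # shell expansion and field split in one step
            printf '%s\n' "$*"
        done < "$CONF_DIR/$1"
    )
}

# Zones that may legally appear in policy and rules: those declared in interfaces
# plus the firewall itself.
known_zones() {
    { expand_file interfaces | cut -d' ' -f1; echo fw; } | sort -u
}

# Return 1 if policy or rules name a zone that interfaces never declares.
# "all" is a Shorewall keyword; "loc:1.2.3.4" is zone "loc" with a host qualifier.
check_zones() {
    zones="$(known_zones)"
    used="$(expand_file policy | cut -d' ' -f1,2
            expand_file rules  | cut -d' ' -f2,3 | sed 's/:[^ ]*//g')"
    rc=0
    for z in $used; do
        [ "$z" = all ] && continue
        echo "$zones" | grep -qx -- "$z" || { echo "unknown zone: $z" >&2; rc=1; }
    done
    return $rc
}

# Build the scratch configuration, show what Shorewall would actually see, and check it.
write_sample_config
expand_file interfaces
expand_file rules
check_zones && echo "zone check passed"
```

Run it as-is to see the expanded interfaces and rules lines; point CONF_DIR at a copy of your own configuration to see how your variables resolve. Two failure modes are deliberately loud: a rule that references a variable params never defined aborts the expansion instead of producing an empty column, and a rule or policy entry naming a zone that interfaces does not declare makes check_zones return 1 and name the zone.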