Use Shorewall to configure an iptables firewall

Source: Internet
Author: User
Shorewall is not a daemon. It is a tool that generates and loads iptables commands, so do not expect to find a running Shorewall process with commands such as ps aux. The following sections describe the function and format of each configuration file.
Essentially, Shorewall is an iptables configuration tool. Because iptables syntax is obscure, with many commands that are hard to remember and understand, you configure the firewall through Shorewall's more readable configuration files instead; Shorewall then calls iptables itself to apply the configuration.

I. Download, install and uninstall
1. Download
Shorewall's official website is http://www.shorewall.net. Before installing it, download its source package from there.
2. Uninstallation
Tarball:
Enter the following command in the directory you originally installed from:
# ./uninstall.sh
This command removes all of Shorewall's configuration files.
RPM:
# rpm -e shorewall

II. Editing the configuration
After the installation is complete, you must edit each configuration file before Shorewall can be started.

1. /etc/shorewall.conf
The configuration file shorewall.conf is the most important file in the whole package. It contains many settings, and a wrong value can cause Shorewall to fail at startup or to behave incorrectly. The settings that matter most are:
The default value is No. If you decide to use Shorewall to manage your firewall, we strongly recommend that you set this option to Yes.
LOGFILE=/var/log/messages
Sets the location of the log file. By default Shorewall logs to messages; you can also specify a separate file to keep firewall logs apart from general system messages, so that you can quickly find what happened when something goes wrong.
Sets the log level. Shorewall logging is normally performed by the syslog program, which has eight levels in total; Shorewall's preset level is info. See /etc/syslog.conf to understand what the other levels record.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
Sets the directories in which Shorewall looks for its configuration files. If your configuration files are not in these locations, change this to the correct path.
The default firewall zone name. Shorewall reserves a zone name for the firewall host itself; this name does not need to be defined in /etc/shorewall/zones and can be used directly in the other configuration files.
Enabled by default; this option turns on IP forwarding. If your Linux host is a standalone machine that does not need NAT or DNAT, this option can be disabled.
Taking the simplest network architecture as an example: a single Linux host has two Ethernet cards, eth0 connected to the external network and eth1 connected to the internal network, and the internal LAN reaches the outside through NAT on this host. The same Linux host also acts as a simple firewall. The configuration files for this setup are described below.

2. /etc/shorewall/zones
In the zones file you define your network zone names, which are limited to five characters. There are three fields, described as follows:
ZONE: The name of the zone. It must be 5 characters or fewer.
DISPLAY: The name displayed for this zone, usually the same as ZONE.
COMMENTS: A brief description of this zone.
In this example the author defines two zones. The zones file is configured as follows:
#ZONE   DISPLAY   COMMENTS
loc     Local     Localhost
net     Net       Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Here loc is the zone for the internal network, while net is the zone facing the external network.
</gml_replace>
<gr_replace lines="46-52" cat="clarify" orig="3./etc/shorewall/interfaces">
3. /etc/shorewall/interfaces
Next, we need to build the table that maps network interfaces to zones. As mentioned earlier, eth0 is the interface to the Internet and eth1 is the interface to the internal LAN, so the file is set as follows:
#ZONE   INTERFACE   BROADCAST          OPTIONS
net     eth0        xxx.xxx.xxx.128
loc     eth1        192.168.1.255      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The first field is the ZONE name from /etc/shorewall/zones, and the second field is the interface name in Linux. In this example eth0 faces the external network, so it maps to net, and eth1 faces the internal LAN, so it maps to loc. The third field is the BROADCAST address of the interface; for a class C network it is x.x.x.255. The last field, OPTIONS, lists the functions this interface provides. In this example the eth1 interface also serves DHCP, so dhcp is added to its OPTIONS field. For the other options, see the comments in the interfaces file; they are not described further here.

3./etc/shorewall/interfaces
Next, we need to establish a table of network interfaces and zones. As mentioned earlier, eth0 is an interface for the Internet and eth1 is an interface for the internal local area network, the set content is as follows:
# ZONE INTERFACE BROADCAST OPTIONS
Net eth0 xxx. xxx. xxx.128
Loc eth1 192.168.1.255 dhcp
# Last line -- add your entries before this one -- DO NOT REMOVE
The first field corresponds to the ZONE name of/etc/shorewall/zones, and the second field corresponds to the interface name in Linux. In this example, eth0 is an interface to the external network, so it corresponds to net, and eth1 is an interface to the internal local area network, so it corresponds to loc. The third field is to set the BROADCAST of the network interface, for Cclass, it is set to x. x. x.255. The last OPTIPNS field is the function used by this interface. for example, in this example, the eth1 interface is also responsible for DHCP distribution, therefore, add a dhcp record to the OPTIONS field. for other functions, see interfaces comments. do not describe too much here.

4. /etc/shorewall/policy
This file sets the overall firewall policy. The generally recommended, safer approach is to first deny all traffic in both directions and then open the required port numbers one by one, so the policy is set as follows:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
The first line allows the internal LAN to connect to the external network. The second line discards all packets arriving from the external network and logs them at the info level to the log file. The third line does the same for any remaining traffic, except that it rejects it instead of silently dropping it.

5. /etc/shorewall/masq
This file lets internal hosts with private IP addresses reach the Internet behind the host's real IP address, that is, the NAT (masquerading) function. It is configured as follows:
#INTERFACE   SUBNET   ADDRESS
eth0         eth1     xxx.xxx
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
INTERFACE is the external network card, SUBNET is the network card (or subnet) of the internal private network, and the final field ADDRESS is the real IP address of the external network card. After entering these, save the file and exit.
Now restart the Shorewall firewall. First let it check the configuration, then restart it and make it start at boot:
# shorewall check
# shorewall restart
# chkconfig --level 2345 shorewall on
Done!
At this point the most basic firewall is complete: all internal services are closed to the outside, while hosts with internal private IP addresses can reach the external network through NAT. A firewall has been successfully created.
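Because Shorewall only reports errors when shorewall check or shorewall restart is run, it helps to catch the mistakes described in sections 2 to 5 earlier: zone names longer than five characters, an interfaces entry that refers to an undefined zone, a policy file without the final deny-all entry that the deny-first design depends on, and a masq INTERFACE that is not declared in interfaces. The following POSIX shell script is an added example written for this article; it is not part of Shorewall and not the author's code. It assumes the whitespace-separated column layout shown above, that lines starting with # are comments, that fw is Shorewall's built-in firewall zone (which does not appear in the zones file), and that detect is Shorewall's keyword for auto-detecting the BROADCAST address. The sample configuration it writes is constructed to mirror the article's example.

```shell
#!/bin/sh
# Added example (not part of Shorewall or of the original article): lint the
# zones, interfaces, policy and masq tables for the mistakes the article warns
# about, before "shorewall check" is ever run. Uses only sh and awk.
# Assumptions: whitespace-separated columns, "#" starts a comment, "fw" is the
# implicit firewall zone, "detect" is Shorewall's auto-detect broadcast keyword.

# Column 1 of every non-comment, non-blank line in a table file.
column1() { awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"; }

# Column 2 (INTERFACE) of the interfaces file.
interface_names() { awk '!/^[[:space:]]*#/ && NF { print $2 }' "$1"; }

# Lint a directory holding zones, interfaces, policy and masq.
# Prints one line per problem; returns the number of problems (0 = clean).
lint_shorewall_dir() {
  dir=$1
  errors=0

  # 1. Zone names are limited to 5 characters.
  for z in $(column1 "$dir/zones"); do
    if [ "${#z}" -gt 5 ]; then
      echo "zones: zone name '$z' is longer than 5 characters"
      errors=$((errors + 1))
    fi
  done

  # 2. Every zone used in interfaces must be defined in zones (fw is built in).
  for z in $(column1 "$dir/interfaces"); do
    if [ "$z" != fw ] && ! column1 "$dir/zones" | grep -qx "$z"; then
      echo "interfaces: zone '$z' is not defined in zones"
      errors=$((errors + 1))
    fi
  done

  # 3. The deny-by-default design needs a final catch-all policy entry:
  #    the last non-comment line must be "all all DROP|REJECT ...".
  last=$(awk '!/^[[:space:]]*#/ && NF { line = $0 } END { print line }' "$dir/policy")
  set -- $last
  if [ "$1" != all ] || [ "$2" != all ] || { [ "$3" != DROP ] && [ "$3" != REJECT ]; }; then
    echo "policy: last entry should be 'all all DROP' or 'all all REJECT', found: '$last'"
    errors=$((errors + 1))
  fi

  # 4. The masq INTERFACE (external card) must be declared in interfaces.
  for i in $(column1 "$dir/masq"); do
    if ! interface_names "$dir/interfaces" | grep -qx "$i"; then
      echo "masq: interface '$i' is not declared in interfaces"
      errors=$((errors + 1))
    fi
  done

  return "$errors"
}

# Constructed sample mirroring the article's example, written to a temp dir.
# Set BAD=1 to produce a deliberately broken copy (6-char zone, no catch-all).
make_sample_config() {
  dir=$(mktemp -d)
  zone=loc
  [ "${BAD:-0}" = 1 ] && zone=office
  cat > "$dir/zones" <<EOF
#ZONE   DISPLAY   COMMENTS
$zone   Local     Localhost
net     Net       Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
EOF
  cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect
$zone   eth1        192.168.1.255   dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
  cat > "$dir/policy" <<EOF
#SOURCE   DEST   POLICY   LOG LEVEL
$zone     net    ACCEPT
net       all    DROP     info
EOF
  [ "${BAD:-0}" = 1 ] || echo "all       all    REJECT   info" >> "$dir/policy"
  echo "#LAST LINE -- DO NOT REMOVE" >> "$dir/policy"
  cat > "$dir/masq" <<'EOF'
#INTERFACE   SUBNET   ADDRESS
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF
  echo "$dir"
}

# Stand-alone run: the article's configuration passes, the broken copy does not.
good=$(make_sample_config)
lint_shorewall_dir "$good" && echo "sample config: clean"
bad=$(BAD=1 make_sample_config)
lint_shorewall_dir "$bad" || echo "broken config: $? problem(s) found"
```

To lint a real installation, call lint_shorewall_dir /etc/shorewall; a non-zero return value means at least one problem was printed. The checks are deliberately conservative: they only flag the conditions the article spells out, so a clean result still means you should run shorewall check before restarting.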