I am assuming you only have two interfaces on your firewall and are not running a DMZ.
In your /etc/shorewall/rules file you could:
#ACTION  SOURCE  DEST                 PROTO  DEST PORT  SOURCE PORT
DNAT     net     loc:xxx.xxx.xxx.xxx  tcp    http       -
where xxx.xxx.xxx.xxx is an internal machine you are using as your web server.
In your /etc/shorewall/policy file you could:
loc all ACCEPT
fw all ACCEPT
net all DROP info
all all REJECT info
In your /etc/shorewall/masq file you could:
eth0 eth1
Where eth0 is connected to the internet and eth1 is connected to your local private network.
In your /etc/shorewall/interfaces you could have:
net eth0 detect dhcp
loc eth1 detect blacklist
In your /etc/shorewall/blacklist you might have:
192.168.0.0/24 tcp 80
which would prevent all of your internal machines from connecting to the internet via the default http port. This might be useful if you also want to run Squid on your firewall machine and require your internal clients to go through the proxy if they want to get to the net.
I also put some things in my /etc/shorewall/params file:
# params is sourced as a shell script; each line pulls the IPv4 address
# out of the net-tools ifconfig "inet addr:x.x.x.x  Bcast:..." line.
NET_IP=`/sbin/ifconfig eth0 | grep "inet addr" | cut -f2 -d":" | cut -f1 -d" "`
LOC_IP=`/sbin/ifconfig eth1 | grep "inet addr" | cut -f2 -d":" | cut -f1 -d" "`
DMZ_IP=`/sbin/ifconfig eth2 | grep "inet addr" | cut -f2 -d":" | cut -f1 -d" "`
The above allows me to use variables ($NET_IP) in place of my interface IP addresses where required in my configuration files. It comes in handy: if my external interface (DHCP) gets a new IP address, I don't have to change any configuration files.
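The whole two-interface layout from the post above, as an added example that is not part of the original post: a POSIX shell script that writes the six Shorewall files into a directory so they can be reviewed before being copied to /etc/shorewall, and that derives the interface addresses for params with iproute2 (`ip -4 -o addr show`) instead of the net-tools ifconfig text format, which newer ifconfig versions no longer print. It assumes `ip` is installed, eth0 faces the internet and eth1 the LAN; the web server address, the LAN subnet and the sample `ip` output are constructed for the example.

```sh
#!/bin/sh
# Added example (not the original poster's files): generate the two-interface
# Shorewall configuration described above and look up interface addresses
# with iproute2. Assumes `ip` exists; eth0 = internet, eth1 = LAN.

# parse_ip4 reads `ip -4 -o addr show dev IFACE` output on stdin and prints
# the first IPv4 address with its prefix length stripped.
parse_ip4() {
    awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# iface_ip4 IFACE: live equivalent of the ifconfig | grep | cut chain.
iface_ip4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | parse_ip4
}

# Constructed sample of `ip -4 -o addr show dev eth0` output (documentation
# address range) so parse_ip4 can be checked without a real interface.
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.5/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 3000sec preferred_lft 3000sec'

# write_shorewall_config DIR WEBSERVER_IP LAN_SUBNET
# Writes rules, policy, masq, interfaces, blacklist and params into DIR.
write_shorewall_config() {
    dir=$1 web=$2 lan=$3
    mkdir -p "$dir" || return 1

    # Port forward inbound HTTP to the internal web server; "-" is the
    # source-port column, i.e. any source port.
    cat > "$dir/rules" <<EOF
#ACTION  SOURCE  DEST       PROTO  DEST PORT  SOURCE PORT
DNAT     net     loc:$web   tcp    http       -
EOF

    cat > "$dir/policy" <<'EOF'
#SOURCE  DEST  POLICY  LOG LEVEL
loc      all   ACCEPT
fw       all   ACCEPT
net      all   DROP    info
all      all   REJECT  info
EOF

    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        eth1
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp
loc    eth1       detect     blacklist
EOF

    # Blacklisting is checked on arrival at eth1 before the zone rules, so
    # direct port-80 traffic from the LAN is dropped whatever the destination
    # (including the firewall itself); the proxy's own port is unaffected.
    cat > "$dir/blacklist" <<EOF
#ADDRESS/SUBNET  PROTOCOL  PORT
$lan             tcp       80
EOF

    # params is sourced as shell, so the lookup runs each time the firewall
    # is compiled; a new DHCP lease on eth0 needs no config change.
    cat > "$dir/params" <<'EOF'
NET_IP=$(ip -4 -o addr show dev eth0 | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }')
LOC_IP=$(ip -4 -o addr show dev eth1 | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }')
EOF
}

# config_has DIR FILE PATTERN: grep a generated file for an expected line.
config_has() {
    grep -q -- "$3" "$1/$2"
}

# Usage: write_shorewall_config ./shorewall-staging 192.168.0.10 192.168.0.0/24
```

After copying the generated files over /etc/shorewall, run `shorewall check` before `shorewall restart`; it compiles the configuration without loading it, so a typo in a port name or zone shows up before the running ruleset is touched.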