狼愛上貍

ubuntu下設置shorewall防火墻

服務器采用ubuntu作為操作系統，兩塊網卡，一塊接外網（eth0），一塊接內網（eth1）。采用shorewall作為防火墻。
配置網卡：
sudo vi /etc/network/interfaces

ubuntu下設置shorewall防火墻

服務器采用ubuntu作為操作系統，兩塊網卡，一塊接外網（eth0），一塊接內網（eth1）。采用shorewall作為防火墻。

配置網卡：
sudo vi /etc/network/interfaces
------------------------------------------------
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0

# The primary network interface
iface eth0 inet static
address 192.168.2.250
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 202.96.209.6

auto eth1
iface eth1 inet static
address 192.168.10.254
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255

-----------------------------------------------------

1、安裝shorewall
sudo apt-get install shorewall

2、拷貝配置文件
sudo cp /usr/share/shorewall/modules /etc/shorewall
sudo cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/nat /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/maclist /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/interfaces
sudo cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/rules
sudo cp /usr/share/doc/shorewall/default-config/hosts /etc/shorewall/hosts
sudo cp /usr/share/doc/shorewall/default-config/masq /etc/shorewall/masq

3、配置網卡
sudo vi /etc/shorewall/interfaces

在倒數第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 這一行之后加上：

net eth0 detect
loc eth1 detect

4、配置網絡別名
sudo vi /etc/shorewall/zones

在倒數第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 這一行之后加上：

net Net Internet
loc Local Local Networks

5、配置IP偽裝，也就是透明代理

sudo vi /etc/shorewall/masq

在倒數第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 這一行之后加上：

eth0 eth1

6、配置策略
sudo vi /etc/shorewall/policy

在#LAST LINE -- DO NOT REMOVE這一行最后加上：

loc net ACCEPT
net all DROP info
all all REJECT info

7、配置防火墻規則

sudo vi /etc/shorewall/rules

在倒數第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 這一行后加上：

#incoming traffic (由 internet 去 firewall)
AllowSSH net fw
AllowDNS net fw
AllowWeb net fw
AllowSMB net fw
AllowNNTP net fw
AllowNTP net fw
AllowRdate net fw
AllowSMTP net fw
DropPing net fw

#outgoing traffic (由 firewall 去 internet)
AllowWeb fw net
AllowDNS fw net
AllowSMTP fw net
AllowSMB fw net
AllowSMTP fw net
AllowNNTP fw net
AllowNTP fw net
AllowRdate fw net
AllowSSH fw net

#open special ports
ACCEPT net fw tcp 9980

8、修改 shorewall.conf 自動開啟 IP 轉發

sudo gedit /etc/shorewall/shorewall.conf

查找到：

IP_FORWARDING=Keep

修改為：

IP_FORWARDING=On

# 保存關閉文件

9、修改 /etc/default/shorewall 自動運行防火墻

sudo vi /etc/default/shorewall

查找到：

startup=0

修改為：

startup=1

10、啟動防火墻

sudo shorewall start

11、至此防火墻配置完成。

traceback:

http://blog.chinaunix.net/u/11295/showart.php?id=60993

posted on 2007-08-07 22:03 狼愛上貍 閱讀(857) 評論(0)  編輯  收藏 所屬分類: LINUX