<div dir="ltr"><div>The configuration is based on /usr/share/doc/shorewall/examples/two-interfaces/ with only a few modifications for Debian-Lan.<br></div>It includes three zones amongst which "roa" stands for road-runners ;)<br>
<div><div><br>./files/etc/default/shorewall/SERVER_A<br><div>startup=1<br><br></div><div>./files/etc/shorewall/shorewall.conf<br>IP_FORWARDING=Yes<br></div><div><br></div><div>./files/etc/shorewall/interfaces<br>#ZONE INTERFACE OPTIONS<br>
net eth1 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0<br>loc eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians<br>roa tun+<br><br></div><div>./files/etc/shorewall/routestopped<br>
#INTERFACE HOST(S) OPTIONS<br>
eth0 -<br></div><div><br></div><div>./files/etc/shorewall/masq<br>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK<br>eth1 10.0.0.0/16<br>
<br></div>
<div>./files/etc/shorewall/policy<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>net all DROP info<br># THE FOLLOWING POLICY MUST BE LAST<br>
all all REJECT info<br><br></div><div>./files/etc/shorewall/tunnels<br>#TYPE ZONE GATEWAY GATEWAY ZONE<br>openvpnserver:your_port net 0.0.0.0/0<br>
<br>./files/etc/shorewall/zones<br>#ZONE TYPE OPTIONS IN OUT<br># OPTIONS OPTIONS<br>fw firewall<br>net ipv4<br>loc ipv4<br>
roa ipv4<br>
<br><br>./files/etc/shorewall/rules<br>SECTION NEW<br><br># Don't allow connection pickup from the net<br>#<br>Invalid(DROP) net all<br>#<br># Accept DNS connections from the firewall to the network and from the lan to the firewall<br>
#<br>DNS(ACCEPT) $FW net<br>
DNS(ACCEPT) loc $FW<br>#<br># Accept SSH connections from the local network for administration<br>#<br>SSH(ACCEPT) loc $FW<br>SSH(ACCEPT) roa $FW<br>#SSH(ACCEPT) net $FW # No access from external to ssh std port.<br>
</div><div># or limit throughput to 3 attempts per minute<br></div><div>#SSH(ACCEPT) net $FW - - - - s:1/min:3<br>SSH(ACCEPT) $FW all<br>
# SSH on port 12345<br>ACCEPT loc $FW tcp 12345<br>ACCEPT net $FW tcp 12345<br>ACCEPT roa $FW tcp 12345<br></div>
<div><br>#<br># Allow Ping from the local network<br>#<br>Ping(ACCEPT) $FW all<br>
Ping(ACCEPT) loc $FW<br>Ping(ACCEPT) roa $FW<br><br>#<br># Drop Ping from the "bad" net zone.. and prevent your log from being flooded..<br>#<br><br>Ping(DROP) net $FW<br>
<br>ACCEPT $FW all icmp<br>
#<br>#<br># SPECIFIC RULES REQUIRED FOR Debian-Lan<br>#<br>HTTP(ACCEPT) $FW net<br>HTTP(ACCEPT) loc $FW<br>HTTP(ACCEPT) roa $FW<br>HTTPS(ACCEPT) $FW net<br>
HTTPS(ACCEPT) loc $FW<br>
HTTPS(ACCEPT) roa $FW<br>HTTPS(ACCEPT) net $FW<br><br>LDAP(ACCEPT) loc $FW<br>LDAP(ACCEPT) roa $FW<br>LDAPS(ACCEPT) loc $FW<br>LDAPS(ACCEPT) roa $FW<br>
<br>NTP(ACCEPT) $FW net<br>NTP(ACCEPT) $FW loc<br>NTP(ACCEPT) $FW roa<br>NTP(ACCEPT) loc $FW<br>NTP(ACCEPT) roa $FW<br><br>#<br>
# Allow SAMBA to $FW<br>#<br>SMBBI(ACCEPT) $FW all<br>SMBBI(ACCEPT) loc $FW<br>SMBBI(ACCEPT) roa $FW<br><br>#<br># Allow cups connection<br>#<br>ACCEPT loc $FW tcp 631<br>
## lpr test<br>
## ACCEPT loc $FW tcp 515<br>ACCEPT roa $FW tcp 631<br>Jetdirect(ACCEPT) $FW loc tcp 9100<br>Jetdirect(ACCEPT) $FW roa tcp 9100<br>
<br>#<br># Allow apt-cacher<br>#<br>ACCEPT loc $FW tcp 3142<br>ACCEPT roa $FW tcp 3142<br><br>#<br># Allow TFTP<br>#<br>TFTP(ACCEPT) loc $FW<br>
TFTP(ACCEPT) $FW loc<br><br>#<br># Allow Nagios NRPE<br>#<br>ACCEPT $FW loc tcp 5666<br><br>#<br># Allow Munin<br>#<br>ACCEPT $FW loc tcp 4949<br>
<br>#<br># Allow Syslog server<br>#<br>ACCEPT loc $FW udp 514<br><br># Heimdal/Kerberos 5<br>#<br>
# Kerberos v5 KDC<br>ACCEPT loc $FW tcp 88<br>ACCEPT roa $FW tcp 88<br>ACCEPT loc $FW udp 88<br>ACCEPT roa $FW udp 88<br>
# kpasswd<br>#ACCEPT net $FW tcp 464<br>ACCEPT loc $FW udp 464<br>ACCEPT roa $FW udp 464<br># kadmin v5 (required for remote administration)<br>
#ACCEPT net $FW tcp 749<br># Kerberos v4 KDC<br>#ACCEPT net $FW tcp 750<br>#ACCEPT net $FW udp 750<br># Kerberos 524<br>
#ACCEPT net $FW tcp 4444<br>#ACCEPT net $FW udp 4444<br>#<br># Allow NFSv4<br>#<br>ACCEPT loc $FW udp 111<br>ACCEPT roa $FW udp 111<br>
ACCEPT loc $FW tcp 111<br>ACCEPT roa $FW tcp 111<br>ACCEPT loc $FW tcp 2049<br>ACCEPT roa $FW tcp 2049<br>
ACCEPT loc $FW udp 2049<br>ACCEPT roa $FW udp 2049<br>ACCEPT loc $FW tcp 32764:32769<br>ACCEPT roa $FW tcp 32764:32769<br>
ACCEPT loc $FW udp 32764:32769<br>ACCEPT roa $FW udp 32764:32769<br><br>#<br># SQUID Manual Proxy (see - <a href="http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual" target="_blank">http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual</a>)<br>
#<br>ACCEPT loc $FW tcp 3128<br><br>## below rules must be checked ## mostly triggered during FAI installation<br>
ACCEPT loc $FW tcp 51105<br>ACCEPT loc $FW udp 55850<br>ACCEPT loc $FW tcp 36174<br>ACCEPT loc $FW tcp 4711<br>
ACCEPT $FW loc tcp 39233<br>ACCEPT $FW loc tcp 53615<br></div><div>#### pay extra attention ####<br></div><div><br><br><br></div><div>./files/etc/openvpn/server.conf<br>
</div><div><br># Which local IP address should OpenVPN<br>local 10.0.0.10<br><br># Which TCP/UDP port should OpenVPN listen on?<br>port your_port<br><br>proto udp<br>dev tun<br>ca ssl/ca.crt<br>cert ssl/mainserver.crt<br>
key ssl/mainserver.key # This file should be kept secret<br>dh ssl/dh1024.pem<br>server 10.100.0.0 255.255.255.0<br>ifconfig-pool-persist ipp.txt<br>push "route 10.0.0.0 255.255.0.0"<br>push "dhcp-option DNS 10.0.0.10"<br>
keepalive 10 120<br>tls-auth ssl/ta.key 0 # This file is secret<br>cipher AES-128-CBC # AES<br>comp-lzo<br>max-clients 10<br>user nobody<br>group nogroup<br>persist-key<br>persist-tun<br>status /var/log/openvpn-status.log<br>
log-append /var/log/openvpn.log<br>verb 3<br><br>
</div></div></div></div>
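<div>An added example (not part of the original post and not Shorewall's own code): a small Python evaluator that walks a subset of the rules file above and then the policy file, in the order Shorewall applies them, to answer what a NEW connection between two zones gets. The macro table (SSH, DNS, HTTPS, Ping) and the trimmed rule set are constructed assumptions; Shorewall's real macros live under /usr/share/shorewall/macro.*.</div>

```python
"""Evaluate what this page's Shorewall ruleset does with a NEW connection.
Added example, not from the post or from Shorewall; MACROS is a constructed
stand-in for the real macro files under /usr/share/shorewall/macro.*."""
import re

# Constructed subset of the page's rules file (ACTION SOURCE DEST [PROTO PORT]);
# the stateful Invalid(DROP) line is omitted since only NEW packets are modelled.
RULES = """
DNS(ACCEPT)    $FW  net
DNS(ACCEPT)    loc  $FW
SSH(ACCEPT)    loc  $FW
SSH(ACCEPT)    roa  $FW
ACCEPT         net  $FW  tcp  12345
HTTPS(ACCEPT)  net  $FW
Ping(DROP)     net  $FW
ACCEPT         loc  $FW  tcp  32764:32769
"""
# The page's policy file, consulted top to bottom only when no rule matched.
POLICY = """
loc  net  ACCEPT
net  all  DROP
all  all  REJECT
"""
# Assumed macro expansions as (proto, port); for icmp the ICMP type stands in.
MACROS = {"DNS": {("udp", 53), ("tcp", 53)}, "SSH": {("tcp", 22)},
          "HTTPS": {("tcp", 443)}, "Ping": {("icmp", 8)}}

def _port_ok(spec, port):
    lo, _, hi = spec.partition(":")          # "12345" or "32764:32769"
    return int(lo) <= port <= int(hi or lo)

def verdict(src, dst, proto, port):
    """Return ACCEPT/DROP/REJECT for a NEW src->dst packet: rules, then policy."""
    for line in RULES.strip().splitlines():
        target, rsrc, rdst, *rest = line.split()
        if rsrc not in ("all", src) or rdst not in ("all", dst):
            continue
        macro = re.fullmatch(r"(\w+)\((\w+)\)", target)
        if macro:                            # SSH(ACCEPT): match the macro's ports
            name, action = macro.groups()
            if (proto, port) in MACROS[name]:
                return action
        elif len(rest) == 2 and rest[0] == proto and _port_ok(rest[1], port):
            return target                    # explicit PROTO PORT rule
    for line in POLICY.strip().splitlines():
        psrc, pdst, action = line.split()
        if psrc in ("all", src) and pdst in ("all", dst):
            return action
    return "REJECT"                          # Shorewall's implicit default
```

<div>With the rules as posted, the roa zone reaches the firewall over SSH but not DNS, even though server.conf pushes 10.0.0.10 as the DNS server to VPN clients; verdict("roa", "$FW", "udp", 53) therefore falls through to the final all/all REJECT policy.</div>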