I spent three weeks reading all sorts of material and installed Gentoo over and over, no fewer than 20 times. I finally got everything I needed to understand sorted out, and only the last step remained: configuring shorewall to do NAT. And there I got stuck...
There is actually plenty of shorewall material online, and I have read it n times, so I was confident there would be no configuration errors; I even used webmin to check the entries I configured, and they all passed. Something I thought could never go wrong went wrong, and in a bizarre, baffling way. The problem I am stuck on is not that clients cannot get out through NAT, nor that port forwarding is broken, but that once the firewall is started it locks itself in the house...
My symptoms are very strange. First, my machine is an a64 box with an onboard sis900 NIC, and I added an 8139 card; from /etc/udev/rules.d/70-persistent-net.rules I can see that the sis card is eth0 and the 8139 is eth1. First, I am certain there is no kernel configuration problem: I put in every chip driver I should, and all the iptables-related bits too. In short, with the firewall off and both NICs up, either one of them, once its gateway is set and it is plugged into the internal network, can get online normally (at that point the internal network dials ADSL out through a 604+ broadband router). Then, the problem is this: the dialer I use is the ppp that zhllg recommended, which is the method recommended in the official handbook; I will not go into the detailed setup. In short, before enabling the firewall, I dial with it and get online easily: I can ping DNS and can see the gateway assigned to me with the route command. Then I start shorewall, and the problem is big... shorewall very neatly locks itself out: ping the outside and nothing gets through at all; ping the internal network and everything is fine, and the internal network can ping it too... At this point ifconfig shows my pppoe connection is up with no problem at all, and route shows the assigned external gateway normally, but pinging the outside just fails and it cannot get online. After stopping shorewall, I run a shorewall clear command to clear all firewall rules (by default shorewall enables a feature called routestop, which I discovered in webmin and have not yet found a way to disable; what it does is that once you have run shorewall, when you stop it with shorewall stop it switches the iptables policy to blocking all access coming in from outside by default; you have to clear before things are normal, and if you do not clear, you can ping out normally but others cannot ping you), and OK, I can ping the external DNS server again...
I just cannot figure out what I did wrong, because I only started after fully understanding shorewall's configuration policy, and I had webmin checking me for errors. I am pasting my relevant configuration settings below.
My sis900 eth0 connects to the internal network, the 8139 eth1 to the external network.
zones file configuration
```
#
# Shorewall version 3.2 - Zones File
#
# /etc/shorewall/zones
#
# This file declares your network zones. You specify the hosts in
# each zone through entries in /etc/shorewall/interfaces or
# /etc/shorewall/hosts.
#
# WARNING: The format of this file changed in Shorewall 3.0.0. You can
# continue to use your old records provided that you set
# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
# signal Shorewall that the IPSEC-related zone options are
# still specified in /etc/shorewall/ipsec rather than in this
# file.
#
# To use records in the format described below, you must have
# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
#
# Columns are:
#
# ZONE      Short name of the zone (5 Characters or less in length).
#           The names "all" and "none" are reserved and may not be
#           used as zone names.
#
#           Where a zone is nested in one or more other zones,
#           you may follow the (sub)zone name by ":" and a
#           comma-separated list of the parent zones. The parent
#           zones must have been defined in earlier records in this
#           file.
#
#           Example:
#
#           #ZONE   TYPE    OPTIONS
#           a       ipv4
#           b       ipv4
#           c:a,b   ipv4
#
#           Currently, Shorewall uses this information to reorder the
#           zone list so that parent zones appear after their subzones in
#           the list. The IMPLICIT_CONTINUE option in shorewall.conf can
#           also create implicit CONTINUE policies to/from the subzone.
#
#           In the future, Shorewall may make additional use
#           of nesting information.
#
# TYPE      ipv4 - This is the standard Shorewall zone type and is the
#                  default if you leave this column empty or if you enter
#                  "-" in the column. Communication with some zone hosts
#                  may be encrypted. Encrypted hosts are designated using
#                  the 'ipsec' option in /etc/shorewall/hosts.
#           ipsec - Communication with all zone hosts is encrypted
#                   Your kernel and iptables must include policy
#                   match support.
#           firewall
#                 - Designates the firewall itself. You must have
#                   exactly one 'firewall' zone. No options are
#                   permitted with a 'firewall' zone. The name that you
#                   enter in the ZONE column will be stored in the shell
#                   variable $FW which you may use in other configuration
#                   files to designate the firewall zone.
#
# OPTIONS,  A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
#                   using setkey(8) using the 'unique:<number>
#                   option for the SPD level.
#
#           spi=<number> where <number> is the SPI of
#                   the SA used to encrypt/decrypt packets.
#
#           proto=ah|esp|ipcomp
#
#           mss=<number> (sets the MSS field in TCP packets)
#
#           mode=transport|tunnel
#
#           tunnel-src=<address>[/<mask>] (only
#                   available with mode=tunnel)
#
#           tunnel-dst=<address>[/<mask>] (only
#                   available with mode=tunnel)
#
#           strict  Means that packets must match all rules.
#
#           next    Separates rules; can only be used with
#                   strict
#
#           Example:
#           mode=transport,reqid=44
#
#           The options in the OPTIONS column are applied to both incoming
#           and outgoing traffic. The IN OPTIONS are applied to incoming
#           traffic (in addition to OPTIONS) and the OUT OPTIONS are
#           applied to outgoing traffic.
#
#           If you wish to leave a column empty but need to make an entry
#           in a following column, use "-".
#------------------------------------------------------------------------------
# Example zones:
#
#   You have a three interface firewall with internet, local and DMZ
#   interfaces.
#
#   #ZONE   TYPE        OPTIONS     IN          OUT
#   #                               OPTIONS     OPTIONS
#   fw      firewall
#   net     ipv4
#   loc     ipv4
#   dmz     ipv4
#
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
lan     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```
Interfaces file configuration
```
#
# Shorewall version 3.2 - Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE          Zone for this interface. Must match the name of a
#               zone defined in /etc/shorewall/zones. You may not
#               list the firewall zone in this column.
#
#               If the interface serves multiple zones that will be
#               defined in the /etc/shorewall/hosts file, you should
#               place "-" in this column.
#
#               If there are multiple interfaces to the same zone,
#               you must list them in separate entries:
#
#               Example:
#
#               loc     eth1    -
#               loc     eth2    -
#
# INTERFACE     Name of interface. Each interface may be listed only
#               once in this file. You may NOT specify the name of
#               an alias (e.g., eth0:0) here; see
#               http://www.shorewall.net/FAQ.htm#faq18
#
#               You may specify wildcards here. For example, if you
#               want to make an entry that applies to all PPP
#               interfaces, use 'ppp+'.
#
#               There is no need to define the loopback interface (lo)
#               in this file.
#
# BROADCAST     The broadcast address for the subnetwork to which the
#               interface belongs. For P-T-P interfaces, this
#               column is left blank. If the interface has multiple
#               addresses on multiple subnets then list the broadcast
#               addresses as a comma-separated list.
#
#               If you use the special value "detect", Shorewall
#               will detect the broadcast address(es) for you. If you
#               select this option, the interface must be up before
#               the firewall is started.
#
#               If you don't want to give a value for this column but
#               you want to enter a value in the OPTIONS column, enter
#               "-" in this column.
#
# OPTIONS       A comma-separated list of options including the
#               following:
#
#               dhcp        - Specify this option when any of
#                             the following are true:
#                             1. the interface gets its IP address
#                                via DHCP
#                             2. the interface is used by
#                                a DHCP server running on the firewall
#                             3. you have a static IP but are on a LAN
#                                segment with lots of Laptop DHCP
#                                clients.
#                             4. the interface is a bridge with
#                                a DHCP server on one port and DHCP
#                                clients on another port.
#
#               norfc1918   - This interface should not receive
#                             any packets whose source is in one
#                             of the ranges reserved by RFC 1918
#                             (i.e., private or "non-routable"
#                             addresses). If packet mangling or
#                             connection-tracking match is enabled in
#                             your kernel, packets whose destination
#                             addresses are reserved by RFC 1918 are
#                             also rejected.
#
#               routefilter - turn on kernel route filtering for this
#                             interface (anti-spoofing measure). This
#                             option can also be enabled globally in
#                             the /etc/shorewall/shorewall.conf file.
#
#               logmartians - turn on kernel martian logging (logging
#                             of packets with impossible source
#                             addresses. It is suggested that if you
#                             set routefilter on an interface that
#                             you also set logmartians. This option
#                             may also be enabled globally in the
#                             /etc/shorewall/shorewall.conf file.
#
#               blacklist   - Check packets arriving on this interface
#                             against the /etc/shorewall/blacklist
#                             file.
#
#               maclist     - Connection requests from this interface
#                             are compared against the contents of
#                             /etc/shorewall/maclist. If this option
#                             is specified, the interface must be
#                             an ethernet NIC and must be up before
#                             Shorewall is started.
#
#               tcpflags    - Packets arriving on this interface are
#                             checked for certain illegal combinations
#                             of TCP flags. Packets found to have
#                             such a combination of flags are handled
#                             according to the setting of
#                             TCP_FLAGS_DISPOSITION after having been
#                             logged according to the setting of
#                             TCP_FLAGS_LOG_LEVEL.
#
#               proxyarp    -
#                             Sets
#                             /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                             Do NOT use this option if you are
#                             employing Proxy ARP through entries in
#                             /etc/shorewall/proxyarp. This option is
#                             intended solely for use with Proxy ARP
#                             sub-networking as described at:
#                             http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#               routeback   - If specified, indicates that Shorewall
#                             should include rules that allow
#                             filtering traffic arriving on this
#                             interface back out that same interface.
#
#               arp_filter  - If specified, this interface will only
#                             respond to ARP who-has requests for IP
#                             addresses configured on the interface.
#                             If not specified, the interface can
#                             respond to ARP who-has requests for
#                             IP addresses on any of the firewall's
#                             interface. The interface must be up
#                             when Shorewall is started.
#
#               arp_ignore[=<number>]
#                           - If specified, this interface will
#                             respond to arp requests based on the
#                             value of <number>.
#
#                             1 - reply only if the target IP address
#                                 is local address configured on the
#                                 incoming interface
#
#                             2 - reply only if the target IP address
#                                 is local address configured on the
#                                 incoming interface and both with the
#                                 sender's IP address are part from same
#                                 subnet on this interface
#
#                             3 - do not reply for local addresses
#                                 configured with scope host, only
#                                 resolutions for global and link
#                                 addresses are replied
#
#                             4-7 - reserved
#
#                             8 - do not reply for all local
#                                 addresses
#
#                             If no <number> is given then the value
#                             1 is assumed
#
#                             WARNING -- DO NOT SPECIFY arp_ignore
#                             FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
#               nosmurfs    - Filter packets for smurfs
#                             (packets with a broadcast
#                             address as the source).
#
#                             Smurfs will be optionally logged based
#                             on the setting of SMURF_LOG_LEVEL in
#                             shorewall.conf. After logging, the
#                             packets are dropped.
#
#               detectnets  - Automatically tailors the zone named
#                             in the ZONE column to include only those
#                             hosts routed through the interface.
#
#               sourceroute - If this option is not specified for an
#                             interface, then source-routed packets
#                             will not be accepted from that
#                             interface (sets /proc/sys/net/ipv4/
#                             conf/<interface>/
#                             accept_source_route to 1).
#                             Only set this option if you know what
#                             you are doing. This might represent
#                             a security risk and is not usually
#                             needed.
#
#               upnp        - Incoming requests from this interface
#                             may be remapped via UPNP (upnpd).
#
#               WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                        INTERNET INTERFACE.
#
#               The order in which you list the options is not
#               significant but the list should have no embedded white
#               space.
#
# Example 1:    Suppose you have eth0 connected to a DSL modem and
#               eth1 connected to your local network and that your
#               local subnet is 192.168.1.0/24. The interface gets
#               it's IP address via DHCP from subnet
#               206.191.149.192/27. You have a DMZ with subnet
#               192.168.2.0/24 using eth2.
#
#               Your entries for this setup would look like:
#
#               net     eth0    206.191.149.223 dhcp
#               local   eth1    192.168.1.255
#               dmz     eth2    192.168.2.255
#
# Example 2:    The same configuration without specifying broadcast
#               addresses is:
#
#               net     eth0    detect          dhcp
#               loc     eth1    detect
#               dmz     eth2    detect
#
# Example 3:    You have a simple dial-in system with no ethernet
#               connections.
#
#               net     ppp0    -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1
lan     eth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```
Policy configuration
```
#
# Shorewall version 3.2 - Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zones defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
# the implicit policy to/from any sub-zone is CONTINUE. These implicit
# CONTINUE policies may also be overridden by an explicit entry in this
# file.
#
# Columns are:
#
# SOURCE        Source zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all".
#
# DEST          Destination zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all"
#
# POLICY        Policy if no match from the rules file is found. Must
#               be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
#               ACCEPT   - Accept the connection
#               DROP     - Ignore the connection request
#               REJECT   - For TCP, send RST. For all other,
#                          send "port unreachable" ICMP.
#               QUEUE    - Send the request to a user-space
#                          application using the QUEUE target.
#               CONTINUE - Pass the connection request past
#                          any other rules that it might also
#                          match (where the source or
#                          destination zone in those rules is
#                          a superset of the SOURCE or DEST
#                          in this policy).
#               NONE     - Assume that there will never be any
#                          packets from this SOURCE
#                          to this DEST. Shorewall will not set
#                          up any infrastructure to handle such
#                          packets and you may not have any
#                          rules with this SOURCE and DEST in
#                          the /etc/shorewall/rules file. If
#                          such a packet _is_ received, the
#                          result is undefined. NONE may not be
#                          used if the SOURCE or DEST columns
#                          contain the firewall zone ($FW) or
#                          "all".
#
#               If this column contains ACCEPT, DROP or REJECT and a
#               corresponding common action is defined in
#               /etc/shorewall/actions (or
#               /usr/share/shorewall/actions.std) then that action
#               will be invoked before the policy named in this column
#               is enforced.
#
# LOG LEVEL     If supplied, each connection handled under the default
#               POLICY is logged at that level. If not supplied, no
#               log message is generated. See syslog.conf(5) for a
#               description of log levels.
#
#               Beginning with Shorewall version 1.3.12, you may
#               also specify ULOG (must be in upper case). This will
#               log to the ULOG target and sent to a separate log
#               through use of ulogd
#               (http://www.gnumonks.org/projects/ulogd).
#
#               If you don't want to log but need to specify the
#               following column, place "-" here.
#
# LIMIT:BURST   If passed, specifies the maximum TCP connection rate
#               and the size of an acceptable burst. If not specified,
#               TCP connections are not limited.
#
# Example:
#
#   a) All connections from the local network to the internet are allowed
#   b) All connections from the internet are ignored but logged at syslog
#      level KERNEL.INFO.
#   d) All other connection requests are rejected and logged at level
#      KERNEL.INFO.
#
#   #SOURCE     DEST    POLICY  LOG
#   #                           LEVEL
#   loc         net     ACCEPT
#   net         all     DROP    info
#   #
#   # THE FOLLOWING POLICY MUST BE LAST
#   #
#   all         all     REJECT  info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      all     ACCEPT
lan     all     ACCEPT
net     all     DROP
all     all     REJECT
#LAST LINE -- DO NOT REMOVE
```
I simply did not configure the Rules file; I left it empty to make testing easier
- #
- # Shorewall version 3.2 - Rules File
- #
- # /etc/shorewall/rules
- #
- # Rules in this file govern connection establishment. Requests and
- # responses are automatically allowed using connection tracking. For any
- # particular (source,dest) pair of zones, the rules are evaluated in the
- # order in which they appear in this file and the first match is the one
- # that determines the disposition of the request.
- #
- # In most places where an IP address or subnet is allowed, you
- # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
- # indicate that the rule matches all addresses except the address/subnet
- # given. Notice that no white space is permitted between "!" and the
- # address/subnet.
- #------------------------------------------------------------------------------
- # WARNING: If you masquerade or use SNAT from a local system to the internet,
- # you cannot use an ACCEPT rule to allow traffic from the internet to
- # that system. You *must* use a DNAT rule instead.
- #------------------------------------------------------------------------------
- #
- # The rules file is divided into sections. Each section is introduced by
- # a "Section Header" which is a line beginning with SECTION followed by the
- # section name.
- #
- # Sections are as follows and must appear in the order listed:
- #
- # ESTABLISHED Packets in the ESTABLISHED state are processed
- # by rules in this section.
- #
- # The only ACTIONs allowed in this section are
- # ACCEPT, DROP, REJECT, LOG and QUEUE
- #
- # There is an implicit ACCEPT rule inserted
- # at the end of this section.
- #
- # RELATED Packets in the RELATED state are processed by
- # rules in this section.
- #
- # The only ACTIONs allowed in this section are
- # ACCEPT, DROP, REJECT, LOG and QUEUE
- #
- # There is an implicit ACCEPT rule inserted
- # at the end of this section.
- #
- # NEW Packets in the NEW and INVALID states are
- # processed by rules in this section.
- #
- # Note: If you are not familiar with Netfilter to the point where you are
- # comfortable with the differences between the various connection
- # tracking states, then I suggest that you omit the ESTABLISHED and
- # RELATED sections and place all of your rules in the NEW section
- # (That's after the line that reads SECTION NEW').
- #
- # WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
- # ESTABLISHED and RELATED sections must be empty.
- #
- # You may omit any section that you don't need. If no Section Headers appear
- # in the file then all rules are assumed to be in the NEW section.
- #
- # Columns are:
- #
- # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
- # LOG, QUEUE or an <action>.
- #
- # ACCEPT -- allow the connection request
- # ACCEPT+ -- like ACCEPT but also excludes the
- # connection from any subsequent
- # DNAT[-] or REDIRECT[-] rules
- # NONAT -- Excludes the connection from any
- # subsequent DNAT[-] or REDIRECT[-]
- # rules but doesn't generate a rule
- # to accept the traffic.
- # DROP -- ignore the request
- # REJECT -- disallow the request and return an
- # icmp-unreachable or an RST packet.
- # DNAT -- Forward the request to another
- # system (and optionally another
- # port).
- # DNAT- -- Advanced users only.
- # Like DNAT but only generates the
- # DNAT iptables rule and not
- # the companion ACCEPT rule.
- # SAME -- Similar to DNAT except that the
- # port may not be remapped and when
- # multiple server addresses are
- # listed, all requests from a given
- # remote system go to the same
- # server.
- # SAME- -- Advanced users only.
- # Like SAME but only generates the
- # NAT iptables rule and not
- # the companion ACCEPT rule.
- # REDIRECT -- Redirect the request to a local
- # port on the firewall.
- # REDIRECT-
- # -- Advanced users only.
- # Like REDIRET but only generates the
- # REDIRECT iptables rule and not
- # the companion ACCEPT rule.
- #
- # CONTINUE -- (For experts only). Do not process
- # any of the following rules for this
- # (source zone,destination zone). If
- # The source and/or destination IP
- # address falls into a zone defined
- # later in /etc/shorewall/zones, this
- # connection request will be passed
- # to the rules defined for that
- # (those) zone(s).
- # LOG -- Simply log the packet and continue.
- # QUEUE -- Queue the packet to a user-space
- # application such as ftwall
- # (http://p2pwall.sf.net).
- # <action> -- The name of an action defined in
- # /etc/shorewall/actions or in
- # /usr/share/shorewall/actions.std.
- # <macro> -- The name of a macro defined in a
- # file named macro.<macro-name>. If
- # the macro accepts an action
- # parameter (Look at the macro
- # source to see if it has PARAM in
- # the TARGET column) then the macro
- # name is followed by "/" and the
- # action (ACCEPT, DROP, REJECT, ...)
- # to be substituted for the
- # parameter. Example: FTP/ACCEPT.
- #
- # The ACTION may optionally be followed
- # by ":" and a syslog log level (e.g, REJECT:info or
- # DNAT:debug). This causes the packet to be
- # logged at the specified level.
- #
- # If the ACTION names an action defined in
- # /etc/shorewall/actions or in
- # /usr/share/shorewall/actions.std then:
- #
- # - If the log level is followed by "!' then all rules
- # in the action are logged at the log level.
- #
- # - If the log level is not followed by "!" then only
- # those rules in the action that do not specify
- # logging are logged at the specified level.
- #
- # - The special log level 'none!' suppresses logging
- # by the action.
- #
- # You may also specify ULOG (must be in upper case) as a
- # log level.This will log to the ULOG target for routing
- # to a separate log through use of ulogd
- # (http://www.gnumonks.org/projects/ulogd).
- #
- # Actions specifying logging may be followed by a
- # log tag (a string of alphanumeric characters)
- # are appended to the string generated by the
- # LOGPREFIX (in /etc/shorewall/shorewall.conf).
- #
- # Example: ACCEPT:info:ftp would include 'ftp '
- # at the end of the log prefix generated by the
- # LOGPREFIX setting.
- #
- # SOURCE Source hosts to which the rule applies. May be a zone
- # defined in /etc/shorewall/zones, $FW to indicate the
- # firewall itself, "all", "all+", "all-", "all+-" or
- # "none".
- #
- # When "none" is used either in the SOURCE or DEST
- # column, the rule is ignored.
- #
- # "all" means "All Zones", including the firewall itself.
- # "all-" means "All Zones, except the firewall itself".
- # When "all[-]" is used either in the SOURCE or DEST
- # column intra-zone traffic is not affected. When
- # "all+[-]" is "used, intra-zone traffic is affected.
- #
- # Except when "all[+][-]" is specified, clients may be
- # further restricted to a list of subnets and/or hosts by
- # appending ":" and a comma-separated list of subnets
- # and/or hosts. Hosts may be specified by IP or MAC
- # address; mac addresses must begin with "~" and must use
- # "-" as a separator.
- #
- # Hosts may be specified as an IP address range using the
- # syntax <low address>-<high address>. This requires that
- # your kernel and iptables contain iprange match support.
- # If you kernel and iptables have ipset match support
- # then you may give the name of an ipset prefaced by "+".
- # The ipset name may be optionally followed by a number
- # from 1 to 6 enclosed in square brackets ([]) to
- # indicate the number of levels of source bindings to be
- # matched.
- #
- # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
- #
- # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
- # Internet
- #
- # loc:192.168.1.1,192.168.1.2
- # Hosts 192.168.1.1 and
- # 192.168.1.2 in the local zone.
- # loc:~00-A0-C9-15-39-78 Host in the local zone with
- # MAC address 00:A0:C9:15:39:78.
- #
- # net:192.0.2.11-192.0.2.17
- # Hosts 192.0.2.11-192.0.2.17 in
- # the net zone.
- #
- # Alternatively, clients may be specified by interface
- # by appending ":" to the zone name followed by the
- # interface name. For example, loc:eth1 specifies a
- # client that communicates with the firewall system
- # through eth1. This may be optionally followed by
- # another colon (":") and an IP/MAC/subnet address
- # as described above (e.g., loc:eth1:192.168.1.5).
- #
- # DEST Location of Server. May be a zone defined in
- # /etc/shorewall/zones, $FW to indicate the firewall
- # itself, "all". "all+" or "none".
- #
- # When "none" is used either in the SOURCE or DEST
- # column, the rule is ignored.
- #
- # When "all" is used either in the SOURCE or DEST column
- # intra-zone traffic is not affected. When "all+" is
- # used, intra-zone traffic is affected.
- #
- # Except when "all[+]" is specified, the server may be
- # further restricted to a particular subnet, host or
- # interface by appending ":" and the subnet, host or
- # interface. See above.
- #
- # Restrictions:
- #
- # 1. MAC addresses are not allowed.
- # 2. In DNAT rules, only IP addresses are
- # allowed; no FQDNs or subnet addresses
- # are permitted.
- # 3. You may not specify both an interface and
- # an address.
- #
- # Like in the SOURCE column, you may specify a range of
- # up to 256 IP addresses using the syntax
- # <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
- # the connections will be assigned to addresses in the
- # range in a round-robin fashion.
- #
- # If you kernel and iptables have ipset match support
- # then you may give the name of an ipset prefaced by "+".
- # The ipset name may be optionally followed by a number
- # from 1 to 6 enclosed in square brackets ([]) to
- # indicate the number of levels of destination bindings
- # to be matched. Only one of the SOURCE and DEST columns
- # may specify an ipset name.
- #
- # The port that the server is listening on may be
- # included and separated from the server's IP address by
- # ":". If omitted, the firewall will not modifiy the
- # destination port. A destination port may only be
- # included if the ACTION is DNAT or REDIRECT.
- #
- # Example: loc:192.168.1.3:3128 specifies a local
- # server at IP address 192.168.1.3 and listening on port
- # 3128. The port number MUST be specified as an integer
- # and not as a name from /etc/services.
- #
- # if the ACTION is REDIRECT, this column needs only to
- # contain the port number on the firewall that the
- # request should be redirected to.
- #
- # PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
- # "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
- # "ipp2p*" requires ipp2p match support in your kernel
- # and iptables.
- #
- # "tcp:syn" implies "tcp" plus the SYN flag must be
- # set and the RST,ACK and FIN flags must be reset.
- #
- # DEST PORT(S) Destination Ports. A comma-separated list of Port
- # names (from /etc/services), port numbers or port
- # ranges; if the protocol is "icmp", this column is
- # interpreted as the destination icmp-type(s).
- #
- # If the protocol is ipp2p, this column is interpreted
- # as an ipp2p option without the leading "--" (example
- # "bit" for bit-torrent). If no port is given, "ipp2p" is
- # assumed.
- #
- # A port range is expressed as <low port>:<high port>.
- #
- # This column is ignored if PROTOCOL = all but must be
- # entered if any of the following ields are supplied.
- # In that case, it is suggested that this field contain
- # "-"
- #
- # If your kernel contains multi-port match support, then
- # only a single Netfilter rule will be generated if in
- # this list and the CLIENT PORT(S) list below:
- # 1. There are 15 or less ports listed.
- # 2. No port ranges are included.
- # Otherwise, a separate rule will be generated for each
- # port.
- #
- # SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
- # any source port is acceptable. Specified as a comma-
- # separated list of port names, port numbers or port
- # ranges.
- #
- # If you don't want to restrict client ports but need to
- # specify an ORIGINAL DEST in the next column, then
- # place "-" in this column.
- #
- # If your kernel contains multi-port match support, then
- # only a single Netfilter rule will be generated if in
- # this list and the DEST PORT(S) list above:
- # 1. There are 15 or less ports listed.
- # 2. No port ranges are included.
- # Otherwise, a separate rule will be generated for each
- # port.
- #
- # ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
- # then if included and different from the IP
- # address given in the SERVER column, this is an address
- # on some interface on the firewall and connections to
- # that address will be forwarded to the IP and port
- # specified in the DEST column.
- #
- # A comma-separated list of addresses may also be used.
- # This is usually most useful with the REDIRECT target
- # where you want to redirect traffic destined for
- # particular set of hosts.
- #
- # Finally, if the list of addresses begins with "!" then
- # the rule will be followed only if the original
- # destination address in the connection request does not
- # match any of the addresses listed.
- #
- # For other actions, this column may be included and may
- # contain one or more addresses (host or network)
- # separated by commas. Address ranges are not allowed.
- # When this column is supplied, rules are generated
- # that require that the original destination address
- # matches one of the listed addresses. This feature is
- # most useful when you want to generate a filter rule
- # that corresponds to a DNAT- or REDIRECT- rule. In this
- # usage, the list of addresses should not begin with "!".
- #
- # See http://shorewall.net/PortKnocking.html for an
- # example of using an entry in this column with a
- # user-defined action rule.
- #
- # RATE LIMIT You may rate-limit the rule by placing a value in
- # this colume:
- #
- # <rate>/<interval>[:<burst>]
- #
- # where <rate> is the number of connections per
- # <interval> ("sec" or "min") and <burst> is the
- # largest burst permitted. If no <burst> is given,
- # a value of 5 is assumed. There may be no
- # no whitespace embedded in the specification.
- #
- # Example: 10/sec:20
- #
- # USER/GROUP This column may only be non-empty if the SOURCE is
- # the firewall itself.
- #
- # The column may contain:
- #
- # [!][<user name or number>][:<group name or number>][+<program name>]
- #
- # When this column is non-empty, the rule applies only
- # if the program generating the output is running under
- # the effective <user> and/or <group> specified (or is
- # NOT running under that id if "!" is given).
- #
- # Examples:
- #
- # joe #program must be run by joe
- # :kids #program must be run by a member of
- # #the 'kids' group
- # !:kids #program must not be run by a member
- # #of the 'kids' group
- # +upnpd #program named upnpd (This feature was
- # #removed from Netfilter in kernel
- # #version 2.6.14).
- #
- # Example: Accept SMTP requests from the DMZ to the internet
- #
- # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # # PORT PORT(S) DEST
- # ACCEPT dmz net tcp smtp
- #
- # Example: Forward all ssh and http connection requests from the
- # internet to local system 192.168.1.3
- #
- # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # # PORT PORT(S) DEST
- # DNAT net loc:192.168.1.3 tcp ssh,http
- #
- # Example: Forward all http connection requests from the internet
- # to local system 192.168.1.3 with a limit of 3 per second and
- # a maximum burst of 10
- #
- # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
- # # PORT PORT(S) DEST LIMIT
- # DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
- #
- # Example: Redirect all locally-originating www connection requests to
- # port 3128 on the firewall (Squid running on the firewall
- # system) except when the destination address is 192.168.2.2
- #
- # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # # PORT PORT(S) DEST
- # REDIRECT loc 3128 tcp www - !192.168.2.2
- #
- # Example: All http requests from the internet to address
- # 130.252.100.69 are to be forwarded to 192.168.1.3
- #
- # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # # PORT PORT(S) DEST
- # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
- #
- # Example: You want to accept SSH connections to your firewall only
- # from internet IP addresses 130.252.100.69 and 130.252.100.70
- #
- # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- # # PORT PORT(S) DEST
- # ACCEPT net:130.252.100.69,130.252.100.70 \
- # $FW tcp 22
- #
- # Example: From the Internet, you want to connect to TCP port 2222 on
- # your firewall and have the connection forwarded to port 22
- # on local system 192.168.3.4
- # #ACTION SOURCE DEST PROTO DEST
- # # PORT
- # DNAT net loc:192.168.3.4:22 tcp 2222
- #
- #############################################################################################################
- #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
- # PORT(S) PORT(S) DEST LIMIT GROUP
- #SECTION ESTABLISHED
- #SECTION RELATED
- SECTION NEW
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Masq settings
- #
- # Shorewall version 3.2 - Masq file
- #
- # /etc/shorewall/masq
- #
- # Use this file to define dynamic NAT (Masquerading) and to define
- # Source NAT (SNAT).
- #
- # WARNING: The entries in this file are order-sensitive. The first
- # entry that matches a particular connection will be the one that
- # is used.
- #
- # WARNING: If you have more than one ISP, adding entries to this
- # file will *not* force connections to go out through a particular
- # ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
- # to do that.
- #
- # Columns are:
- #
- # INTERFACE -- Outgoing interface. This is usually your internet
- # interface. If ADD_SNAT_ALIASES=Yes in
- # /etc/shorewall/shorewall.conf, you may add ":" and
- # a digit to indicate that you want the alias added with
- # that name (e.g., eth0:0). This will allow the alias to
- # be displayed with ifconfig. THAT IS THE ONLY USE FOR
- # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
- # PLACE IN YOUR SHOREWALL CONFIGURATION.
- #
- # This may be qualified by adding the character
- # ":" followed by a destination host or subnet.
- #
- # If you wish to inhibit the action of ADD_SNAT_ALIASES
- # for this entry then include the ":" but omit the digit:
- #
- # eth0:
- # eth2::192.0.2.32/27
- #
- # Normally Masq/SNAT rules are evaluated after those for
- # one-to-one NAT (/etc/shorewall/nat file). If you want
- # the rule to be applied before one-to-one NAT rules,
- # prefix the interface name with "+":
- #
- # +eth0
- # +eth0:192.0.2.32/27
- # +eth0:2
- #
- # This feature should only be required if you need to
- # insert rules in this file that preempt entries in
- # /etc/shorewall/nat.
- #
- # SUBNET -- Subnet that you wish to masquerade. You can specify this as
- # a subnet or as an interface. If you give the name of an
- # interface, the interface must be up before you start the
- # firewall (Shorewall will use your main routing table to
- # determine the appropriate subnet(s) to masquerade).
- #
- # In order to exclude a subset of the specified SUBNET, you
- # may append "!" and a comma-separated list of IP addresses
- # and/or subnets that you wish to exclude.
- #
- # Example: eth1!192.168.1.4,192.168.32.0/27
- #
- # In that example traffic from eth1 would be masqueraded unless
- # it came from 192.168.1.4 or 192.168.32.0/27
- #
- # ADDRESS -- (Optional). If you specify an address here, SNAT will be
- # used and this will be the source address. If
- # ADD_SNAT_ALIASES is set to Yes or yes in
- # /etc/shorewall/shorewall.conf then Shorewall
- # will automatically add this address to the
- # INTERFACE named in the first column.
- #
- # You may also specify a range of up to 256
- # IP addresses if you want the SNAT address to
- # be assigned from that range in a round-robin
- # range by connection. The range is specified by
- # <first ip in range>-<last ip in range>.
- #
- # Example: 206.124.146.177-206.124.146.180
- #
- # You may also use the special value "detect"
- # which causes Shorewall to determine the
- # IP addresses configured on the interface named
- # in the INTERFACES column and substitute them
- # in this column.
- #
- # Finally, you may also specify a comma-separated
- # list of ranges and/or addresses in this column.
- #
- # This column may not contain DNS Names.
- #
- # Normally, Netfilter will attempt to retain
- # the source port number. You may cause
- # netfilter to remap the source port by following
- # an address or range (if any) by ":" and
- # a port range with the format <low port>-
- # <high port>. If this is done, you must
- # specify "tcp" or "udp" in the PROTO column.
- #
- # Examples:
- #
- # 192.0.2.4:5000-6000
- # :4000-5000
- #
- # You can invoke the SAME target using the
- # following in this column:
- #
- # SAME:[nodst:]<address-range>[,<address-range>...]
- #
- # The <address-ranges> may be single addresses
- # or "detect" as described above.
- #
- # SAME works like SNAT with the exception that
- # the same local IP address is assigned to each
- # connection from a local address to a given
- # remote address.
- #
- # If the 'nodst:' option is included, then the
- # same source address is used for a given
- # internal system regardless of which remote
- # system is involved.
- #
- # If you want to leave this column empty
- # but you need to specify the next column then
- # place a hyphen ("-") here.
- #
- # PROTO -- (Optional) If you wish to restrict this entry to a
- # particular protocol then enter the protocol
- # name (from /etc/protocols) or number here.
- #
- # PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
- # or UDP (protocol 17) then you may list one
- # or more port numbers (or names from
- # /etc/services) separated by commas or you
- # may list a single port range
- # (<low port>:<high port>).
- #
- # Where a comma-separated list is given, your
- # kernel and iptables must have multiport match
- # support and a maximum of 15 ports may be
- # listed.
- #
- # IPSEC -- (Optional) If you specify a value other than "-" in this
- # column, you must be running kernel 2.6 and
- # your kernel and iptables must include policy
- # match support.
- #
- # Comma-separated list of options from the
- # following. Only packets that will be encrypted
- # via an SA that matches these options will have
- # their source address changed.
- #
- # Yes or yes -- must be the only option
- # listed and matches all outbound
- # traffic that will be encrypted.
- #
- # reqid=<number> where <number> is
- # specified using setkey(8) using the
- # 'unique:<number>' option for the SPD
- # level.
- #
- # spi=<number> where <number> is the
- # SPI of the SA.
- #
- # proto=ah|esp|ipcomp
- #
- # mode=transport|tunnel
- #
- # tunnel-src=<address>[/<mask>] (only
- # available with mode=tunnel)
- #
- # tunnel-dst=<address>[/<mask>] (only
- # available with mode=tunnel)
- #
- # strict Means that packets must match
- # all rules.
- #
- # next Separates rules; can only be
- # used with strict.
- #
- # Example 1:
- #
- # You have a simple masquerading setup where eth0 connects to
- # a DSL or cable modem and eth1 connects to your local network
- # with subnet 192.168.0.0/24.
- #
- # Your entry in the file can be either:
- #
- # eth0 eth1
- #
- # or
- #
- # eth0 192.168.0.0/24
- #
- # Example 2:
- #
- # You add a router to your local network to connect subnet
- # 192.168.1.0/24 which you also want to masquerade. You then
- # add a second entry for eth0 to this file:
- #
- # eth0 192.168.1.0/24
- #
- # Example 3:
- #
- # You have an IPSEC tunnel through ipsec0 and you want to
- # masquerade packets coming from 192.168.1.0/24 but only if
- # these packets are destined for hosts in 10.1.1.0/24:
- #
- # ipsec0:10.1.1.0/24 192.168.1.0/24
- #
- # Example 4:
- #
- # You want all outgoing traffic from 192.168.1.0/24 through
- # eth0 to use source address 206.124.146.176 which is NOT the
- # primary address of eth0. You want 206.124.146.176 to
- # be added to eth0 with name eth0:0.
- #
- # eth0:0 192.168.1.0/24 206.124.146.176
- #
- # Example 5:
- #
- # You want all outgoing SMTP traffic entering the firewall
- # on eth1 to be sent from eth0 with source IP address
- # 206.124.146.177. You want all other outgoing traffic
- # from eth1 to be sent from eth0 with source IP address
- # 206.124.146.176.
- #
- # eth0 eth1 206.124.146.177 tcp smtp
- # eth0 eth1 206.124.146.176
- #
- # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
- #
- # For additional information, see http://shorewall.net/Documentation.htm#Masq
- #
- ###############################################################################
- #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
- eth1 eth0
- #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
That is all of it. I do not know where the problem is, so later, for testing, I simply did this: I disabled the internal NIC eth0 and built a firewall for the machine itself with just one NIC. The result was the same problem as before: as soon as the firewall comes up, I immediately cannot ping the outside. The configuration is as follows.
zones file
- #
- # Shorewall version 3.2 - Zones File
- #
- # /etc/shorewall/zones
- #
- # This file declares your network zones. You specify the hosts in
- # each zone through entries in /etc/shorewall/interfaces or
- # /etc/shorewall/hosts.
- #
- # WARNING: The format of this file changed in Shorewall 3.0.0. You can
- # continue to use your old records provided that you set
- # IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
- # signal Shorewall that the IPSEC-related zone options are
- # still specified in /etc/shorewall/ipsec rather than in this
- # file.
- #
- # To use records in the format described below, you must have
- # IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
- # AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
- #
- # Columns are:
- #
- # ZONE Short name of the zone (5 Characters or less in length).
- # The names "all" and "none" are reserved and may not be
- # used as zone names.
- #
- # Where a zone is nested in one or more other zones,
- # you may follow the (sub)zone name by ":" and a
- # comma-separated list of the parent zones. The parent
- # zones must have been defined in earlier records in this
- # file.
- #
- # Example:
- #
- # #ZONE TYPE OPTIONS
- # a ipv4
- # b ipv4
- # c:a,b ipv4
- #
- # Currently, Shorewall uses this information to reorder the
- # zone list so that parent zones appear after their subzones in
- # the list. The IMPLICIT_CONTINUE option in shorewall.conf can
- # also create implicit CONTINUE policies to/from the subzone.
- #
- # In the future, Shorewall may make additional use
- # of nesting information.
- #
- # TYPE ipv4 - This is the standard Shorewall zone type and is the
- # default if you leave this column empty or if you enter
- # "-" in the column. Communication with some zone hosts
- # may be encrypted. Encrypted hosts are designated using
- # the 'ipsec' option in /etc/shorewall/hosts.
- # ipsec - Communication with all zone hosts is encrypted
- # Your kernel and iptables must include policy
- # match support.
- # firewall
- # - Designates the firewall itself. You must have
- # exactly one 'firewall' zone. No options are
- # permitted with a 'firewall' zone. The name that you
- # enter in the ZONE column will be stored in the shell
- # variable $FW which you may use in other configuration
- # files to designate the firewall zone.
- #
- # OPTIONS, A comma-separated list of options as follows:
- # IN OPTIONS,
- # OUT OPTIONS reqid=<number> where <number> is specified
- # using setkey(8) using the 'unique:<number>'
- # option for the SPD level.
- #
- # spi=<number> where <number> is the SPI of
- # the SA used to encrypt/decrypt packets.
- #
- # proto=ah|esp|ipcomp
- #
- # mss=<number> (sets the MSS field in TCP packets)
- #
- # mode=transport|tunnel
- #
- # tunnel-src=<address>[/<mask>] (only
- # available with mode=tunnel)
- #
- # tunnel-dst=<address>[/<mask>] (only
- # available with mode=tunnel)
- #
- # strict Means that packets must match all rules.
- #
- # next Separates rules; can only be used with
- # strict
- #
- # Example:
- # mode=transport,reqid=44
- #
- # The options in the OPTIONS column are applied to both incoming
- # and outgoing traffic. The IN OPTIONS are applied to incoming
- # traffic (in addition to OPTIONS) and the OUT OPTIONS are
- # applied to outgoing traffic.
- #
- # If you wish to leave a column empty but need to make an entry
- # in a following column, use "-".
- #------------------------------------------------------------------------------
- # Example zones:
- #
- # You have a three interface firewall with internet, local and DMZ
- # interfaces.
- #
- # #ZONE TYPE OPTIONS IN OUT
- # # OPTIONS OPTIONS
- # fw firewall
- # net ipv4
- # loc ipv4
- # dmz ipv4
- #
- #
- # For more information, see http://www.shorewall.net/Documentation.htm#Zones
- #
- ###############################################################################
- #ZONE TYPE OPTIONS IN OUT
- # OPTIONS OPTIONS
- fw firewall
- net ipv4
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Interfaces file configuration
- #
- # Shorewall version 3.2 - Interfaces File
- #
- # /etc/shorewall/interfaces
- #
- # You must add an entry in this file for each network interface on your
- # firewall system.
- #
- # Columns are:
- #
- # ZONE Zone for this interface. Must match the name of a
- # zone defined in /etc/shorewall/zones. You may not
- # list the firewall zone in this column.
- #
- # If the interface serves multiple zones that will be
- # defined in the /etc/shorewall/hosts file, you should
- # place "-" in this column.
- #
- # If there are multiple interfaces to the same zone,
- # you must list them in separate entries:
- #
- # Example:
- #
- # loc eth1 -
- # loc eth2 -
- #
- # INTERFACE Name of interface. Each interface may be listed only
- # once in this file. You may NOT specify the name of
- # an alias (e.g., eth0:0) here; see
- # http://www.shorewall.net/FAQ.htm#faq18
- #
- # You may specify wildcards here. For example, if you
- # want to make an entry that applies to all PPP
- # interfaces, use 'ppp+'.
- #
- # There is no need to define the loopback interface (lo)
- # in this file.
- #
- # BROADCAST The broadcast address for the subnetwork to which the
- # interface belongs. For P-T-P interfaces, this
- # column is left blank. If the interface has multiple
- # addresses on multiple subnets then list the broadcast
- # addresses as a comma-separated list.
- #
- # If you use the special value "detect", Shorewall
- # will detect the broadcast address(es) for you. If you
- # select this option, the interface must be up before
- # the firewall is started.
- #
- # If you don't want to give a value for this column but
- # you want to enter a value in the OPTIONS column, enter
- # "-" in this column.
- #
- # OPTIONS A comma-separated list of options including the
- # following:
- #
- # dhcp - Specify this option when any of
- # the following are true:
- # 1. the interface gets its IP address
- # via DHCP
- # 2. the interface is used by
- # a DHCP server running on the firewall
- # 3. you have a static IP but are on a LAN
- # segment with lots of Laptop DHCP
- # clients.
- # 4. the interface is a bridge with
- # a DHCP server on one port and DHCP
- # clients on another port.
- #
- # norfc1918 - This interface should not receive
- # any packets whose source is in one
- # of the ranges reserved by RFC 1918
- # (i.e., private or "non-routable"
- # addresses). If packet mangling or
- # connection-tracking match is enabled in
- # your kernel, packets whose destination
- # addresses are reserved by RFC 1918 are
- # also rejected.
- #
- # routefilter - turn on kernel route filtering for this
- # interface (anti-spoofing measure). This
- # option can also be enabled globally in
- # the /etc/shorewall/shorewall.conf file.
- #
- # logmartians - turn on kernel martian logging (logging
- # of packets with impossible source
- # addresses). It is suggested that if you
- # set routefilter on an interface that
- # you also set logmartians. This option
- # may also be enabled globally in the
- # /etc/shorewall/shorewall.conf file.
- #
- # blacklist - Check packets arriving on this interface
- # against the /etc/shorewall/blacklist
- # file.
- #
- # maclist - Connection requests from this interface
- # are compared against the contents of
- # /etc/shorewall/maclist. If this option
- # is specified, the interface must be
- # an ethernet NIC and must be up before
- # Shorewall is started.
- #
- # tcpflags - Packets arriving on this interface are
- # checked for certain illegal combinations
- # of TCP flags. Packets found to have
- # such a combination of flags are handled
- # according to the setting of
- # TCP_FLAGS_DISPOSITION after having been
- # logged according to the setting of
- # TCP_FLAGS_LOG_LEVEL.
- #
- # proxyarp -
- # Sets
- # /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
- # Do NOT use this option if you are
- # employing Proxy ARP through entries in
- # /etc/shorewall/proxyarp. This option is
- # intended solely for use with Proxy ARP
- # sub-networking as described at:
- # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
- #
- # routeback - If specified, indicates that Shorewall
- # should include rules that allow
- # filtering traffic arriving on this
- # interface back out that same interface.
- #
- # arp_filter - If specified, this interface will only
- # respond to ARP who-has requests for IP
- # addresses configured on the interface.
- # If not specified, the interface can
- # respond to ARP who-has requests for
- # IP addresses on any of the firewall's
- # interface. The interface must be up
- # when Shorewall is started.
- #
- # arp_ignore[=<number>]
- # - If specified, this interface will
- # respond to arp requests based on the
- # value of <number>.
- #
- # 1 - reply only if the target IP address
- # is local address configured on the
- # incoming interface
- #
- # 2 - reply only if the target IP address
- # is local address configured on the
- # incoming interface and both with the
- # sender's IP address are part from same
- # subnet on this interface
- #
- # 3 - do not reply for local addresses
- # configured with scope host, only
- # resolutions for global and link
- # addresses are replied
- #
- # 4-7 - reserved
- #
- # 8 - do not reply for all local
- # addresses
- #
- # If no <number> is given then the value
- # 1 is assumed
- #
- # WARNING -- DO NOT SPECIFY arp_ignore
- # FOR ANY INTERFACE INVOLVED IN PROXY ARP.
- #
- # nosmurfs - Filter packets for smurfs
- # (packets with a broadcast
- # address as the source).
- #
- # Smurfs will be optionally logged based
- # on the setting of SMURF_LOG_LEVEL in
- # shorewall.conf. After logging, the
- # packets are dropped.
- #
- # detectnets - Automatically tailors the zone named
- # in the ZONE column to include only those
- # hosts routed through the interface.
- #
- # sourceroute - If this option is not specified for an
- # interface, then source-routed packets
- # will not be accepted from that
- # interface (sets /proc/sys/net/ipv4/
- # conf/<interface>/
- # accept_source_route to 1).
- # Only set this option if you know what
- # you are doing. This might represent
- # a security risk and is not usually
- # needed.
- #
- # upnp - Incoming requests from this interface
- # may be remapped via UPNP (upnpd).
- #
- # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
- # INTERNET INTERFACE.
- #
- # The order in which you list the options is not
- # significant but the list should have no embedded white
- # space.
- #
- # Example 1: Suppose you have eth0 connected to a DSL modem and
- # eth1 connected to your local network and that your
- # local subnet is 192.168.1.0/24. The interface gets
- # its IP address via DHCP from subnet
- # 206.191.149.192/27. You have a DMZ with subnet
- # 192.168.2.0/24 using eth2.
- #
- # Your entries for this setup would look like:
- #
- # net eth0 206.191.149.223 dhcp
- # local eth1 192.168.1.255
- # dmz eth2 192.168.2.255
- #
- # Example 2: The same configuration without specifying broadcast
- # addresses is:
- #
- # net eth0 detect dhcp
- # loc eth1 detect
- # dmz eth2 detect
- #
- # Example 3: You have a simple dial-in system with no ethernet
- # connections.
- #
- # net ppp0 -
- #
- # For additional information, see
- # http://shorewall.net/Documentation.htm#Interfaces
- #
- ###############################################################################
- #ZONE INTERFACE BROADCAST OPTIONS
- net eth1
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Policy configuration
- #
- # Shorewall version 3.2 - Policy File
- #
- # /etc/shorewall/policy
- #
- # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
- #
- # This file determines what to do with a new connection request if we
- # don't get a match from the /etc/shorewall/rules file . For each
- # source/destination pair, the file is processed in order until a
- # match is found ("all" will match any client or server).
- #
- # INTRA-ZONE POLICIES ARE PRE-DEFINED
- #
- # For $FW and for all of the zones defined in /etc/shorewall/zones,
- # the POLICY for connections from the zone to itself is ACCEPT (with no
- # logging or TCP connection rate limiting but may be overridden by an
- # entry in this file. The overriding entry must be explicit (cannot use
- # "all" in the SOURCE or DEST).
- #
- # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
- # the implicit policy to/from any sub-zone is CONTINUE. These implicit
- # CONTINUE policies may also be overridden by an explicit entry in this
- # file.
- #
- # Columns are:
- #
- # SOURCE Source zone. Must be the name of a zone defined
- # in /etc/shorewall/zones, $FW or "all".
- #
- # DEST Destination zone. Must be the name of a zone defined
- # in /etc/shorewall/zones, $FW or "all"
- #
- # POLICY Policy if no match from the rules file is found. Must
- # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
- #
- # ACCEPT - Accept the connection
- # DROP - Ignore the connection request
- # REJECT - For TCP, send RST. For all other,
- # send "port unreachable" ICMP.
- # QUEUE - Send the request to a user-space
- # application using the QUEUE target.
- # CONTINUE - Pass the connection request past
- # any other rules that it might also
- # match (where the source or
- # destination zone in those rules is
- # a superset of the SOURCE or DEST
- # in this policy).
- # NONE - Assume that there will never be any
- # packets from this SOURCE
- # to this DEST. Shorewall will not set
- # up any infrastructure to handle such
- # packets and you may not have any
- # rules with this SOURCE and DEST in
- # the /etc/shorewall/rules file. If
- # such a packet _is_ received, the
- # result is undefined. NONE may not be
- # used if the SOURCE or DEST columns
- # contain the firewall zone ($FW) or
- # "all".
- #
- # If this column contains ACCEPT, DROP or REJECT and a
- # corresponding common action is defined in
- # /etc/shorewall/actions (or
- # /usr/share/shorewall/actions.std) then that action
- # will be invoked before the policy named in this column
- # is enforced.
- #
- # LOG LEVEL If supplied, each connection handled under the default
- # POLICY is logged at that level. If not supplied, no
- # log message is generated. See syslog.conf(5) for a
- # description of log levels.
- #
- # Beginning with Shorewall version 1.3.12, you may
- # also specify ULOG (must be in upper case). This will
- # log to the ULOG target and sent to a separate log
- # through use of ulogd
- # (http://www.gnumonks.org/projects/ulogd).
- #
- # If you don't want to log but need to specify the
- # following column, place "-" here.
- #
- # LIMIT:BURST If passed, specifies the maximum TCP connection rate
- # and the size of an acceptable burst. If not specified,
- # TCP connections are not limited.
- #
- # Example:
- #
- # a) All connections from the local network to the internet are allowed
- # b) All connections from the internet are ignored but logged at syslog
- # level KERNEL.INFO.
- # c) All other connection requests are rejected and logged at level
- # KERNEL.INFO.
- #
- # #SOURCE DEST POLICY LOG
- # # LEVEL
- # loc net ACCEPT
- # net all DROP info
- # #
- # # THE FOLLOWING POLICY MUST BE LAST
- # #
- # all all REJECT info
- #
- # See http://shorewall.net/Documentation.htm#Policy for additional information.
- #
- ###############################################################################
- #SOURCE DEST POLICY LOG LIMIT:BURST
- # LEVEL
- fw all ACCEPT
- net all DROP
- all all REJECT
- #LAST LINE -- DO NOT REMOVE
Then rules and masq are both empty.
That is how it is, and it still blocks me from getting out, which is truly strange. I can only think of two possibilities now: 1. the ppp dialing method has a compatibility problem with shorewall; 2. the NAT setup for PPPoE dialing has something special about it. Those are the only two possibilities. Experts, please advise, thanks; I really cannot think of anything else that could be wrong.
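As an added check, not part of the original post: the Shorewall interfaces file text quoted above says a PPP link needs its own entry ('ppp+' or 'net ppp0 -'), while the posted file lists only eth1. The POSIX sh below (function names are assumed; the two sample file contents are constructed to mirror the posted file, with and without a PPP entry) reads an interfaces file and reports whether the interface carrying the default route, ppp0 on a PPPoE link, falls into any zone; the `default_route_iface` helper for a live system assumes iproute2's `ip` is available.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the interface that
# carries the default route (ppp0 for a PPPoE link) is covered by an entry in a
# Shorewall 3.2 /etc/shorewall/interfaces file. Shorewall wildcards end in "+",
# e.g. "ppp+" matches ppp0, ppp1, ...  All function names here are assumed.

# iface_matches PATTERN NAME: succeed if NAME matches the Shorewall interface
# pattern PATTERN (an exact name, or a name with a "+" wildcard suffix).
iface_matches() {
    pat=$1
    name=$2
    case "$pat" in
        *+)
            prefix=${pat%+}
            case "$name" in
                "$prefix"*) return 0 ;;
            esac
            return 1 ;;
        *)
            [ "$pat" = "$name" ] ;;
    esac
}

# zone_for_iface CONFIG_TEXT NAME: print the zone of the first entry whose
# INTERFACE column covers NAME; print nothing if no entry does.
# Comment lines (starting with "#") and blank lines are skipped.
zone_for_iface() {
    printf '%s\n' "$1" | while read -r zone iface rest; do
        case "$zone" in ''|'#'*) continue ;; esac
        if iface_matches "$iface" "$2"; then
            printf '%s\n' "$zone"
            break
        fi
    done
}

# check_default_route_iface CONFIG_TEXT NAME: report whether the interface that
# carries the default route belongs to a zone. Returns 1 when it does not; an
# interface that is in no zone is not covered by the net zone's rules/policies.
check_default_route_iface() {
    zone=$(zone_for_iface "$1" "$2")
    if [ -n "$zone" ]; then
        printf 'ok: %s is in zone %s\n' "$2" "$zone"
        return 0
    fi
    printf 'MISSING: %s has no entry in /etc/shorewall/interfaces\n' "$2"
    return 1
}

# default_route_iface: name of the interface carrying the default route on a
# live system (assumes iproute2's "ip" command; not used by the offline demo).
default_route_iface() {
    ip -o route show default | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Constructed sample: the interfaces file posted above, header comments trimmed.
POSTED_INTERFACES='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Constructed sample: the same file with the PPP wildcard entry the Shorewall
# comments describe, so the dial-up link is placed in the net zone as well.
FIXED_INTERFACES='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1
net     ppp+        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Stand-alone demo on the constructed samples: the first call reports MISSING,
# the second reports that ppp0 is in zone net.
check_default_route_iface "$POSTED_INTERFACES" ppp0 || true
check_default_route_iface "$FIXED_INTERFACES" ppp0
```

On a live firewall, `check_default_route_iface "$(cat /etc/shorewall/interfaces)" "$(default_route_iface)"` runs the same check against the real file and routing table.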