Shorewall - a gateway/firewall configuration tool for GNU/Linux

Shorewall official website

Step 1: Install shorewall for IPv4 and IPv6

apt update
apt install shorewall
apt install shorewall6

Step 2: Copy the sample one-interface configuration

cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall/
cp /usr/share/doc/shorewall6/examples/one-interface/* /etc/shorewall6/

Step 3: Check and adjust the shorewall interfaces

ip addr

Identify the Internet-facing interface, then look at the interface shorewall is configured to use:

cat "/etc/shorewall/interfaces"
cat "/etc/shorewall6/interfaces"

Compare the interface named in these files with the one on this host; if they differ, edit the files so they match.

Step 4: Edit the shorewall rules

cat "/etc/shorewall/rules"

Example configuration:

#
# Shorewall - Sample Rules File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Drop packets in the INVALID state

Invalid(DROP)	net		$FW		tcp

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping(DROP)	net		$FW

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT		$FW		net		all

# system services (SSH, HTTP, HTTPS)
ACCEPT  net  fw  tcp  22
ACCEPT  net  fw  tcp  80
ACCEPT  net  fw  tcp  443
# dns service
ACCEPT  net  fw  tcp  53
# Email (SMTP, SMTPS, submission, IMAP, IMAPS, POP3, POP3S)
ACCEPT  net  fw  tcp  25
ACCEPT  net  fw  tcp  465
ACCEPT  net  fw  tcp  587
ACCEPT  net  fw  tcp  143
ACCEPT  net  fw  tcp  993
ACCEPT  net  fw  tcp  110
ACCEPT  net  fw  tcp  995
# axigen
ACCEPT  net  fw  tcp  8443
ACCEPT  net  fw  tcp  9443
# No DEST PORT is given here, so this accepts every UDP port from the net zone.
# Restrict it to the UDP ports actually needed (for example 53 for DNS).
ACCEPT  net  fw  udp

Step 5: Check the configuration

shorewall check

Step 6: Start at boot

vi /etc/default/shorewall
vi /etc/default/shorewall6

Change startup = 0 to startup = 1.

Enable the shorewall service:

systemctl enable shorewall

Start shorewall
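As an added example that is not part of the original post or of Shorewall itself: a small POSIX shell audit of a rules file in the format used in Step 4. It flags ACCEPT rules from the net zone that carry no DEST PORT (the pattern of the trailing udp rule above, which admits every UDP port from the Internet) and reports rule lines that appear twice; the function names and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Hypothetical helper written for this page (not part of Shorewall): reads a
# shorewall rules file on stdin and flags ACCEPT rules from the "net" zone
# that do not limit the destination port, plus rules that appear twice.

# Print every ACCEPT rule whose SOURCE is "net" and whose PROTO is "all" or
# whose DEST PORT column is missing or "-" (i.e. every port of that protocol).
audit_rules() {
    awk '
        /^[[:space:]]*#/ { next }          # comments
        $1 == "?SECTION" { next }          # section markers
        NF == 0          { next }          # blank lines
        $1 ~ /^ACCEPT/ && $2 == "net" {
            if ($4 == "all" || NF < 5 || $5 == "-") print NR ": " $0
        }'
}

# Number of rules flagged by audit_rules, as a bare integer.
count_broad_rules() {
    audit_rules | wc -l | tr -d ' '
}

# Rule lines that occur more than once after whitespace is normalised.
duplicate_rules() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*?SECTION' -e '^[[:space:]]*$' \
        | tr -s '[:blank:]' ' ' | sort | uniq -d
}

# Constructed sample modelled on the rules file shown in Step 4.
SAMPLE_RULES=$(cat <<'EOF'
?SECTION NEW
# dns service
Invalid(DROP)  net  $FW  tcp
ACCEPT  $FW  net  all
ACCEPT  net  fw  tcp  22
ACCEPT  net  fw  tcp  53
ACCEPT  net  fw  tcp  587
ACCEPT	net	fw	tcp	587
ACCEPT  net  fw  udp
EOF
)

printf '%s\n' "$SAMPLE_RULES" | audit_rules       # flags line 9: ACCEPT  net  fw  udp
printf '%s\n' "$SAMPLE_RULES" | duplicate_rules   # reports the repeated 587 rule
```

Run it against the live file with audit_rules < /etc/shorewall/rules before shorewall check, so that overly broad entries are caught before the ruleset is loaded.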