Mix
loc $FW ACCEPT
loc all REJECT
# Policies for traffic originating from the firewall ($FW)
$FW net ACCEPT
$FW loc ACCEPT
$FW all REJECT
# Policies for traffic originating from the Internet zone (net)
net $FW DROP
net loc DROP
net all DROP
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT
---------------OR-----------------------------
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
-------------------------------------------------------------------------------------------
# vi /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
-------------------------------------------------------------------------------------------
# vi /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
-------------------------------------------------------------------------------------------
# vi /etc/shorewall/interfaces
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#EXAMPLE-PC-BLOCK-ALL-SERVICE
~00-24-81-15-96-2F
#Shahin CAD
~C8-1F-66-42-A0-A2 tcp 80,8080,3128,443
#Polash CAD
~D4-3D-7E-56-9A-5E tcp 80,8080,3128,443
##EXAMPLE-PC-BLOCK-FOR-INTERNET
192.168.1.1 tcp 80,8080,3128
192.168.20.134 tcp 80,8080,3128
--------------------------------------------------------------------
Check open ports (listening sockets and established connections)
#netstat -nat
#netstat -nat | sort
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST CONNLIMIT:MASK
loc net ACCEPT
Shorewall Sample File Location
~# rpm -ql shorewall | fgrep two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/packages/shorewall-4.4.5/Samples/two-interfaces
/usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces
[root@mail]# systemctl start shorewall.service
[root@mail]# systemctl enable shorewall.service
systemctl restart shorewall.service
systemctl status shorewall.service
# chkconfig shorewall on
service shorewall start
service shorewall stop
service shorewall restart
service shorewall status
OR
/etc/init.d/shorewall start
/etc/init.d/shorewall stop
/etc/init.d/shorewall restart
/etc/init.d/shorewall status
# shorewall check
How do I list firewall rules?
# shorewall show | less
How do I see the IP connections currently being tracked by the firewall?
# shorewall show connections
How do I see firewall logs?
# shorewall show hits|less
How do I display my kernel/iptables capabilities?
# shorewall show capabilities
Configuration
# vi /etc/shorewall/interfaces
#[proxy]
#ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc eth1 tcpflags,nosmurfs,routefilter,logmartians
-----------------------------------------------------------------------------------
OR, for a mail-server-only host:
# [mail]
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
----------------------------------------------------------------------
# [BlackList]
#ZONE INTERFACE BROADCAST OPTIONS
net eth2 detect routefilter,blacklist,tcpflags,nosmurfs
loc eth1 detect dhcp,blacklist,tcpflags,nosmurfs
-------------------------------------------------------------------------------------------------
# vi /etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
#eth0 192.168.1.0/24
#WAN Local
------------------------------------------------------------------------------------------------
# vi /etc/shorewall/policy