Shorewall rules config
-----------
vi /etc/shorewall/rules
------------------------------------------------------------------------
# Shorewall rules file (first of two rule sets kept in these notes).
# Shorewall evaluates the rules of a section in order: the first rule that
# matches a new connection decides, so the position of the REJECT lines
# below relative to the ACCEPT lines is significant.
# NOTE(review): this set mixes `$FW` and `fw` for the firewall zone; the two
# spellings denote the same zone only if the firewall zone is named `fw`
# in /etc/shorewall/zones (the default) — confirm, or use `$FW` throughout.
#?SECTION ALL
#?SECTION ESTABLISHED
#?SECTION RELATED
#?SECTION INVALID
#?SECTION UNTRACKED
SECTION NEW
# Outbound DNS from the firewall host and the local zone, NTP from the host.
DNS/ACCEPT $FW net
DNS/ACCEPT loc net
NTP/ACCEPT $FW net
## WEBMIN (tcp/10000) reachable from the Internet and from the local zone.
## An Internet-facing admin interface is a high-value target; limiting the
## `net` rule to known sources (net:<addr>) or reaching it through an SSH
## tunnel over the tcp/22 rule below would shrink the exposed surface.
ACCEPT net $FW tcp 10000
ACCEPT loc $FW tcp 10000
## Accept connections from the Internet to the Server
## (SSH, HTTP, IMAP, HTTPS, NTP, 10000 = Webmin, 20000 = presumably Usermin — confirm).
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143
ACCEPT net $FW tcp 443
# NTP normally runs over udp/123 (next line); tcp/123 is rarely needed.
ACCEPT net $FW tcp 123
ACCEPT net $FW udp 123
# Duplicate of the Webmin rule above; harmless, but one copy is enough.
ACCEPT net $FW tcp 10000
ACCEPT net $FW tcp 20000
## VNC (5800/5900/5901) and X11 (6000) open from the Internet.
## Both protocols offer weak or no authentication/encryption by default;
## prefer restricting them to `loc` or carrying them inside an SSH tunnel.
ACCEPT net $FW tcp 5800
ACCEPT net $FW tcp 5900
ACCEPT net $FW tcp 5901
ACCEPT net $FW tcp 6000
# Make ping work: ICMP type 8 (echo-request) between all zone pairs.
#
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp 8
ACCEPT net fw icmp 8
## POP3 (tcp/110) in every direction between fw, loc and net.
## POP3 on 110 is cleartext unless the server enforces STARTTLS;
## the POP3S port (995) is only opened in the proxy block further down.
ACCEPT fw loc tcp 110
ACCEPT loc fw tcp 110
ACCEPT fw net tcp 110
ACCEPT net fw tcp 110
## Outbound SMTP (tcp/25) from loc is allowed only to the three listed relay
## addresses, logged at info. The REJECT:info rule after them catches every
## other loc -> net tcp/25 attempt, so these ACCEPTs must stay in front of it.
ACCEPT:info loc net:202.22.192.1 tcp 25
ACCEPT:info loc net:202.22.192.3 tcp 25
ACCEPT:info loc net:202.22.192.2 tcp 25
# Inbound SMTP (25) and SMTPS (465) to the firewall host from net and loc, logged.
ACCEPT:info net fw tcp 25
ACCEPT:info net fw tcp 465
ACCEPT:info loc fw tcp 25
ACCEPT:info loc fw tcp 465
# The firewall host itself may deliver outbound mail on tcp/25.
ACCEPT:info fw net tcp 25
# Reject (and log) any other direct loc -> net SMTP.
REJECT:info loc net tcp 25
# Proxy server: local clients are expected to use Squid on fw:3128.
# The net -> fw rules for 80, 443 and 143 repeat earlier `$FW` rules.
ACCEPT net fw tcp 80
ACCEPT net fw tcp 443
ACCEPT net fw tcp 143
ACCEPT net fw tcp 993
ACCEPT net fw tcp 995
# tcp/3128 (Squid) is also reachable from `net` here. Unless the net side is
# trusted, a proxy reachable from the Internet invites abuse — consider
# keeping only the `loc` rule below.
ACCEPT net fw tcp 3128
ACCEPT fw net tcp 8080
ACCEPT fw net tcp 443
ACCEPT loc fw tcp 3128
# Reject direct loc -> net web and proxy traffic so that local clients
# cannot bypass the local Squid instance.
REJECT loc net tcp 80
REJECT loc net tcp 3128
## Transparent redirection of loc web traffic (tcp/80 = www) to Squid on
## 3128 is disabled; local clients must be configured to use the proxy
## explicitly (permitted by the `ACCEPT loc fw tcp 3128` rule above).
#REDIRECT loc 3128 tcp www
####################################################################################################################
# only proxy-NET rules
# For information on entries in this file, type "man shorewall-rules"
####################################################################################################################
# NOTE(review): this header and the second `SECTION NEW` indicate a separate
# rules file (the "proxy-NET" variant), not a continuation of the set above;
# Shorewall expects each SECTION header at most once per file — confirm.
# Column layout (whitespace was collapsed in the original paste):
# ACTION  SOURCE  DEST  PROTO  DEST PORT  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT  USER/GROUP  MARK  CONNLIMIT  TIME  HEADERS  SWITCH
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Drop ping (ICMP echo-request) from the "bad" net zone without logging
# (no :info suffix), so the log is not flooded. The first rule set above
# accepts ping from net instead.
Ping(DROP) net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
## 10000 (Webmin) and 20000 (presumably Usermin — confirm) reachable from
## the Internet, plus the firewall host's own outbound access to those ports.
## As in the first rule set, Internet-facing admin ports deserve a source
## restriction (net:<addr>) or access through an SSH tunnel.
ACCEPT net $FW tcp 10000
ACCEPT net $FW tcp 20000
ACCEPT $FW net tcp 10000
ACCEPT $FW net tcp 20000
## Web, proxy and IMAP ports accepted only from 192.168.0.0/16 sources on the
## `net` side. NOTE(review): this only matches if the net interface really
## sees RFC 1918 sources (e.g. an upstream NAT LAN); from the public
## Internet such source addresses are spoofed and should be dropped.
ACCEPT net:192.168.0.0/16 $FW tcp 80
ACCEPT net:192.168.0.0/16 $FW tcp 3128
ACCEPT net:192.168.0.0/16 $FW tcp 8080
ACCEPT net:192.168.0.0/16 $FW tcp 443
ACCEPT net:192.168.0.0/16 $FW tcp 143
# Force the firewall host's own web traffic (www = tcp/80, and 8080) to the
# local Squid on 3128. The SOURCE column is $FW only: traffic from `loc` or
# `net` is NOT redirected by these two lines, despite the "all web traffic"
# wording of the original comment.
REDIRECT $FW 3128 tcp www
REDIRECT $FW 3128 tcp 8080
##
## Outbound DNS from the firewall host.
ACCEPT $FW net tcp 53
ACCEPT $FW net udp 53
##
## SSH and FTP from the Internet to the firewall host.
## FTP (21/20) is cleartext; SFTP over the tcp/22 rule already here covers
## the same need with authentication and encryption. Inbound tcp/20 is
## usually unnecessary: active-mode data connections originate FROM port 20
## on the server, and passive-mode transfers are normally handled by the
## conntrack FTP helper (RELATED) rather than a static port — TODO confirm.
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 21
ACCEPT net $FW tcp 20