config

-----------

vi /etc/shorewall/rules

------------------------------------------------------------------------

#?SECTION ALL

#?SECTION ESTABLISHED

#?SECTION RELATED

#?SECTION INVALID

#?SECTION UNTRACKED

SECTION NEW

DNS/ACCEPT $FW net

DNS/ACCEPT loc net

NTP/ACCEPT $FW net

##WEBMIN

ACCEPT net $FW tcp 10000

ACCEPT loc $FW tcp 10000

## Accept connections from the Internet to the Server

ACCEPT net $FW tcp 22

ACCEPT net $FW tcp 80

ACCEPT net $FW tcp 143

ACCEPT net $FW tcp 443

ACCEPT net $FW tcp 123

ACCEPT net $FW udp 123

ACCEPT net $FW tcp 10000

ACCEPT net $FW tcp 20000

##VNC

ACCEPT net $FW tcp 5800

ACCEPT net $FW tcp 5900

ACCEPT net $FW tcp 5901

ACCEPT net $FW tcp 6000

# Make ping work

ACCEPT fw loc icmp 8

ACCEPT loc fw icmp 8

ACCEPT fw net icmp 8

ACCEPT net fw icmp 8

## POP 3

ACCEPT fw loc tcp 110

ACCEPT loc fw tcp 110

ACCEPT fw net tcp 110

ACCEPT net fw tcp 110

##Allow here any outside SMTP server that the client needs to connect in 25 port

ACCEPT:info loc net:202.22.192.1 tcp 25

ACCEPT:info loc net:202.22.192.3 tcp 25

ACCEPT:info loc net:202.22.192.2 tcp 25

ACCEPT:info net fw tcp 25

ACCEPT:info net fw tcp 465

ACCEPT:info loc fw tcp 25

ACCEPT:info loc fw tcp 465

ACCEPT:info fw net tcp 25

REJECT:info loc net tcp 25

# proxy Server

ACCEPT net fw tcp 80

ACCEPT net fw tcp 443

ACCEPT net fw tcp 143

ACCEPT net fw tcp 993

ACCEPT net fw tcp 995

ACCEPT net fw tcp 3128

ACCEPT fw net tcp 8080

ACCEPT fw net tcp 443

ACCEPT loc fw tcp 3128

REJECT loc net tcp 80

REJECT loc net tcp 3128

##To redirect 80 port request to 3128 port

#REDIRECT loc 3128 tcp www

####################################################################################################################

# only proxy-NET rules

# For information on entries in this file, type "man shorewall-rules"

####################################################################################################################

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH

# PORT PORT(S) DEST LIMIT GROUP

#SECTION ALL

#SECTION ESTABLISHED

#SECTION RELATED

SECTION NEW

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping(DROP) net $FW

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp

ACCEPT net $FW tcp 10000

ACCEPT net $FW tcp 20000

ACCEPT $FW net tcp 10000

ACCEPT $FW net tcp 20000

ACCEPT net:192.168.0.0/16 $FW tcp 80

ACCEPT net:192.168.0.0/16 $FW tcp 3128

ACCEPT net:192.168.0.0/16 $FW tcp 8080

ACCEPT net:192.168.0.0/16 $FW tcp 443

ACCEPT net:192.168.0.0/16 $FW tcp 143

# Force All web traffic to the Squid proxy server

REDIRECT $FW 3128 tcp www

REDIRECT $FW 3128 tcp 8080

ACCEPT $FW net tcp 53

ACCEPT $FW net udp 53

ACCEPT net $FW tcp 22

ACCEPT net $FW tcp 21

ACCEPT net $FW tcp 20