Proxy Rules
vi /etc/shorewall/rules
Add the following lines to /etc/shorewall/rules. Shorewall evaluates this file top-down and the first matching rule wins, so order matters: a REJECT or DROP placed below an ACCEPT for the same traffic never fires.
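SECTION NEW
#
# Rules in this section are evaluated top-down; the first match wins, so any
# REJECT/DROP meant to override an ACCEPT must appear above it.
# Zones: $FW is the firewall itself, loc the local network, net the internet.
# $FW is used throughout. The bare zone name "fw" (as some entries used to be
# written) is equivalent only while the firewall zone keeps that name in
# /etc/shorewall/zones, so the variable form is preferred.
#
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# DNS between the firewall and the internet, both directions.
# NOTE(review): "DNS(ACCEPT) net $FW" lets any internet host query the resolver
# running on the firewall. If that resolver recurses, this is an open resolver
# usable for DNS amplification -- confirm it is authoritative-only, restrict
# the SOURCE column, or remove the rule.
#
DNS(ACCEPT) $FW net
DNS(ACCEPT) net $FW
#
# SSH to the firewall from the local network for administration.
# The SSH macro expands to tcp/22, so no separate "ACCEPT loc $FW tcp 22" is
# needed (the duplicate that used to follow the SMTP rules was dropped).
#
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone and prevent the log from being flooded
#
Ping(DROP) net $FW
#
# Other ICMP: the firewall may reach both zones, the local network may reach
# the internet. ("ACCEPT $FW net icmp" was listed twice; one copy removed.)
#
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT loc net icmp
#
# ident (tcp/113) and NetBIOS name service (udp/137) are REJECTed rather than
# DROPped so the peer gets an immediate error instead of waiting for a timeout
# (mail servers in particular stall on unanswered ident lookups).
#
REJECT net $FW tcp 113
REJECT net $FW udp 137
REJECT loc $FW udp 137
REJECT loc loc udp 137
REJECT loc net udp 137
#
# SSH from the firewall into the local network
#
ACCEPT $FW loc tcp 22
#
# SSH to and from the internet for administration.
# NOTE(review): "ACCEPT net $FW tcp 22" exposes the firewall's SSH service to
# every internet address, so it will receive continuous brute-force attempts.
# Narrow the SOURCE column to the administrator's address(es) (net:<address>)
# and/or use the RATE LIMIT column, or reach the firewall over VPN instead.
#
ACCEPT net $FW tcp 22
ACCEPT $FW net tcp 22
#
# Block TCP from 41.0.0.0/8 to the firewall.
# NOTE(review): because of first-match evaluation this rule only affects the
# ACCEPTs listed BELOW it (SMTP, Webmin, POP3, HTTP/HTTPS, IMAPS/POP3S); hosts
# in 41.0.0.0/8 can still reach SSH (tcp/22), DNS and ICMP accepted above.
# It is deliberately left here rather than moved to the top of the section so
# that administrators connecting from that range are not locked out of SSH;
# if the intent really is "all TCP", move it directly under Invalid(DROP).
#
REJECT net:41.0.0.0/8 $FW tcp
#
# SMTP (tcp/25) -- not an administrative service; every connection is logged
# at the "info" level.
# The loc -> net:203.76.153.243 entry is a strict subset of the loc -> net
# entry below it with the same action and log level; it is kept only so that
# host's mail connections are easy to identify in the log.
#
ACCEPT:info loc net:203.76.153.243 tcp 25
ACCEPT:info net $FW tcp 25
ACCEPT:info loc $FW tcp 25
ACCEPT:info $FW net tcp 25
ACCEPT:info loc net tcp 25
#
# Webmin (tcp/10000) and tcp/20000.
# NOTE(review): both ports are open to the whole internet. Webmin is an
# administrative interface with a long history of remote vulnerabilities;
# limit the SOURCE column to trusted addresses or reach it via SSH/VPN only.
#
ACCEPT net $FW tcp 10000
ACCEPT net $FW tcp 20000
ACCEPT $FW net tcp 10000
ACCEPT $FW net tcp 20000
#
# Squid proxy on the firewall (tcp/3128 and tcp/8080) for local clients.
# ("ACCEPT loc $FW tcp 8080" appeared twice in the original file; merged here.)
#
ACCEPT loc $FW tcp 3128
ACCEPT loc $FW tcp 8080
#
# Port forwards from the internet into the local network.
# NOTE(review): these publish RDP (3389) and SSH (22) on internal hosts to
# every internet address. The first entry carries an ORIGINAL DEST of
# 102.161.191.120 and so applies only to connections to that address; the
# others match any address on the net interface. Restrict the SOURCE column
# wherever the remote peers are known, and prefer VPN access for RDP.
#
DNAT net loc:192.168.0.80 tcp 3389 - 102.161.191.120
DNAT net loc:192.168.4.1:80 tcp 8081
DNAT net loc:192.168.4.1:22 tcp 3333
DNAT net loc:192.168.4.2:80 tcp 8082
DNAT net loc:192.168.4.2:22 tcp 4444
DNAT net loc:192.168.5.18:80 tcp 8083
DNAT net loc:192.168.5.18:22 tcp 5555
DNAT net loc:192.168.5.25:3389 tcp 8085
#
# POP3 (tcp/110). This is the plaintext protocol; the TLS variants (995/993)
# to the firewall are accepted further down.
#
ACCEPT $FW net tcp 110
ACCEPT net $FW tcp 110
ACCEPT loc net tcp 110
ACCEPT $FW loc tcp 110
#
# Web traffic from the firewall and the local network to the internet
#
ACCEPT $FW net tcp 80
ACCEPT loc net tcp 443
ACCEPT loc net tcp 80
#
# Local clients may not talk to proxy ports on internet hosts directly
#
REJECT loc net tcp 3128
REJECT loc net tcp 8080
#
# NOTE(review): a "REJECT loc net tcp 80" rule used to follow here. It could
# never match, because "ACCEPT loc net tcp 80" above it wins on first match,
# so it was removed without changing behaviour. If direct web access from loc
# is meant to be blocked (making Squid mandatory), delete that ACCEPT and
# enable one of the REDIRECT lines at the end of this file instead.
#
# Services on the firewall reachable from the internet: HTTP, HTTPS, POP3S, IMAPS
#
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 995
ACCEPT net $FW tcp 993
#
# Firewall outbound to alternate HTTP port and HTTPS
#
ACCEPT $FW net tcp 8080
ACCEPT $FW net tcp 443
#
# Force all web traffic to the Squid proxy server (currently disabled)
#
#REDIRECT loc 8080 tcp www
#REDIRECT loc 3128 tcp 8080
#
# Ping to/from the net zone (currently disabled; net -> $FW ping is dropped above)
#
#Ping(ACCEPT) net $FW
#Ping(ACCEPT) $FW net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE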