Proxy Rules

vi /etc/shorewall/rules

--------------------------Add line-----------------------------------------------------------------------

SECTION NEW

# Don't allow connection pickup from the net

Invalid(DROP) net all

# Accept DNS connections from the firewall to the network

DNS(ACCEPT) $FW net

DNS(ACCEPT) net $FW

# Accept SSH connections from the local network for administration

SSH(ACCEPT) loc $FW

# Allow Ping from the local network

Ping(ACCEPT) loc $FW

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping(DROP) net $FW

ACCEPT $FW loc icmp

ACCEPT $FW net icmp

ACCEPT loc net icmp

ACCEPT $FW net icmp

REJECT net fw tcp 113

REJECT net fw udp 137

REJECT loc fw udp 137

REJECT loc loc udp 137

REJECT loc net udp 137

# Accept DNS connections from the firewall to the network

# Accept SSH connections from the local network for administration

ACCEPT loc fw tcp 22

ACCEPT fw loc tcp 22

# Accept SSH connections from the internet for administration

ACCEPT net fw tcp 22

ACCEPT fw net tcp 22

# Make ping work

# Accept SMTP connections #from the internet for administration

REJECT net:41.0.0.0/8 fw tcp

ACCEPT:info loc net:203.76.153.243 tcp 25

ACCEPT:info net fw tcp 25

ACCEPT:info loc fw tcp 25

ACCEPT:info fw net tcp 25

ACCEPT:info loc net tcp 25

#Accept Webmin Connection

ACCEPT net fw tcp 10000

ACCEPT net fw tcp 20000

ACCEPT fw net tcp 10000

ACCEPT fw net tcp 20000

# Make Sqiud work

ACCEPT loc fw tcp 8080

DNAT net loc:192.168.0.80 tcp 3389 - 102.161.191.120

DNAT net loc:192.168.4.1:80 tcp 8081

DNAT net loc:192.168.4.1:22 tcp 3333

DNAT net loc:192.168.4.2:80 tcp 8082

DNAT net loc:192.168.4.2:22 tcp 4444

DNAT net loc:192.168.5.18:80 tcp 8083

DNAT net loc:192.168.5.18:22 tcp 5555

DNAT net loc:192.168.5.25:3389 tcp 8085

# Accept POP3connections

ACCEPT fw net tcp 110

ACCEPT net fw tcp 110

ACCEPT loc net tcp 110

ACCEPT fw loc tcp 110

# Test

ACCEPT fw net tcp 80

ACCEPT loc net tcp 443

ACCEPT loc net tcp 80

REJECT loc net tcp 3128

REJECT loc net tcp 8080

REJECT loc net tcp 80

ACCEPT net fw tcp 80

ACCEPT net fw tcp 443

ACCEPT net fw tcp 995

ACCEPT net fw tcp 993

ACCEPT fw net tcp 8080

ACCEPT fw net tcp 443

ACCEPT loc fw tcp 3128

ACCEPT loc fw tcp 8080

#End spamassassin

# Force All web traffic to the Squid proxy server

#REDIRECT loc 8080 tcp www

#REDIRECT loc 3128 tcp 8080

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

#Ping(ACCEPT) net $FW

#Ping(ACCEPT) $FW net