----------
Shorewall: accepting SSH access from certain IP-addresses only
-----
these policies set up in /etc/shorewall/policy:
#SOURCE   DEST   POLICY   LOG LEVEL
net       $FW    DROP     info
net       loc    DROP     info
net       all    DROP     info
which I think is pretty much standard (note: I'm leaving out the empty columns at the end). Now, I needed a rule in /etc/shorewall/rules to make an exception to these default policies:
#ACTION   SOURCE                 DEST   PROTO   DEST
#                                               PORT
ACCEPT    net:XXX.XXX.XXX.XXX    $FW    tcp     ssh
where XXX.XXX.XXX.XXX is the IP address of the machine at work. Now, that (somewhat to my surprise) didn't quite work. I could now see my home machine from the work machine (i.e. the SSH request was rejected rather than dropped), but I wasn't allowed in. The reason is of course that this rule only accepts SSH to the firewall itself ($FW): when you use IP masquerading, the system needs to know which internal host to route the incoming connection to. So a second rule in /etc/shorewall/rules was needed:
DNAT net:XXX.XXX.XXX.XXX loc:YYY.YYY.YYY.YYY tcp ssh
…and
----- Best -----
vi /etc/shorewall/rules
#SECTION NEW
DNS/ACCEPT $FW net
DNS/ACCEPT loc net
NTP/ACCEPT $FW net
##WEBMIN
## Note: the first rule opens Webmin to every address in the net zone;
## restrict the SOURCE (net:a.b.c.d/nn) as the FTP and NTP rules below do.
ACCEPT net $FW tcp 10000
ACCEPT loc $FW tcp 10000
## Accept connections from the Internet to the Server
#ACCEPT net $FW tcp 21
#ACCEPT $FW net tcp 21
#### FTP
FTP(ACCEPT) net:10.10.0.0/16 $FW
FTP(ACCEPT) net:172.16.0.0/16 $FW
FTP(ACCEPT) net:203.82.192.0/20 $FW
FTP(ACCEPT) net:202.22.192.0/20 $FW
FTP(ACCEPT) net:175.29.0.0/16 $FW
FTP(ACCEPT) net:203.76.144.0/20 $FW
FTP(ACCEPT) net:202.161.176.0/20 $FW
## For SSH
## Note: this accepts SSH from the whole net zone; to allow only certain
## addresses (the point of the section above), use net:XXX.XXX.XXX.XXX.
SSH(ACCEPT) net $FW
# Make ping work
#
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp 8
ACCEPT net fw icmp 8
# For NTP, Shakil
NTP(ACCEPT) net:10.10.0.0/16 $FW
NTP(ACCEPT) net:172.16.0.0/16 $FW
NTP(ACCEPT) net:203.82.192.0/20 $FW
NTP(ACCEPT) net:202.22.192.0/20 $FW
NTP(ACCEPT) net:175.29.0.0/16 $FW
NTP(ACCEPT) net:203.76.144.0/20 $FW
--------------
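Both sections above make the same point from opposite sides: the first restricts SSH to a single source address with `net:XXX.XXX.XXX.XXX`, while the "Best" rules file opens SSH (`SSH(ACCEPT) net $FW`) and Webmin (`ACCEPT net $FW tcp 10000`) to the entire net zone. The following added example (my own code, not part of the original post and not a Shorewall tool) is a small linter that parses the rules-file column layout used on this page, understanding both the `MACRO(ACTION)` and the older `MACRO/ACTION` forms, and flags ACCEPT or DNAT rules whose SOURCE is the bare `net` zone and whose service is an admin port. The sample rules, the 192.0.2.10 source address and the 10.0.0.5 internal host are constructed for the example.

```python
"""Lint a Shorewall rules file for admin services exposed to the whole 'net' zone.

Added example, not from the original post or the Shorewall project. It reads the
ACTION / SOURCE / DEST / PROTO / DEST PORT layout shown on this page and reports
ACCEPT or DNAT rules that allow SSH or Webmin from every Internet address.
"""
import re
from collections import namedtuple

# Services that should never be reachable from an unrestricted 'net' source.
ADMIN_SERVICES = {"ssh", "22", "webmin", "10000"}
# Macros whose name already implies the service when no DEST PORT column is given.
MACRO_SERVICE = {"ssh": "ssh", "webmin": "webmin"}
# Actions that open traffic (DNAT implies ACCEPT in Shorewall).
CHECKED_ACTIONS = {"ACCEPT", "DNAT"}

# Matches 'SSH(ACCEPT)' and the older 'DNS/ACCEPT' macro spellings.
_ACTION_RE = re.compile(r"^(?P<macro>[A-Za-z0-9_]+)(?:\((?P<paren>[A-Za-z]+)\)|/(?P<slash>[A-Za-z]+))$")

Rule = namedtuple("Rule", "lineno macro action src_zone src_addr dst_zone dst_addr proto dport text")


def parse_action(token):
    """'SSH(ACCEPT)' -> ('SSH', 'ACCEPT'); 'DNS/ACCEPT' -> ('DNS', 'ACCEPT'); 'ACCEPT' -> (None, 'ACCEPT')."""
    m = _ACTION_RE.match(token)
    if m:
        return m.group("macro"), (m.group("paren") or m.group("slash")).upper()
    return None, token.upper()


def parse_endpoint(token):
    """'net:10.10.0.0/16' -> ('net', '10.10.0.0/16'); '$FW' -> ('fw', None)."""
    zone, _, addr = token.partition(":")
    if zone == "$FW":
        zone = "fw"  # $FW expands to the firewall zone, 'fw' by default
    return zone, (addr or None)


def _col(cols, i):
    """Optional column: missing or the '-' placeholder both mean 'not given'."""
    if len(cols) <= i or cols[i] == "-":
        return None
    return cols[i].lower()


def parse_rules(text):
    """Parse rules-file text into Rule tuples, skipping comments and SECTION lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.lstrip("?").upper().startswith("SECTION"):
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need at least ACTION SOURCE DEST: {raw!r}")
        macro, action = parse_action(cols[0])
        src_zone, src_addr = parse_endpoint(cols[1])
        dst_zone, dst_addr = parse_endpoint(cols[2])
        rules.append(Rule(lineno, macro, action, src_zone, src_addr, dst_zone, dst_addr,
                          _col(cols, 3), _col(cols, 4), line))
    return rules


def service_of(rule):
    """The service a rule opens: the explicit DEST PORT, else what the macro name implies."""
    if rule.dport:
        return rule.dport
    if rule.macro:
        return MACRO_SERVICE.get(rule.macro.lower())
    return None


def find_exposed_admin_rules(text):
    """Return (lineno, service, rule text) for admin services open to the bare 'net' zone."""
    findings = []
    for r in parse_rules(text):
        if r.action not in CHECKED_ACTIONS or r.proto == "icmp":
            continue
        if r.src_zone != "net" or r.src_addr is not None:
            continue  # restricted to an address or range, or not from the Internet
        service = service_of(r)
        if service in ADMIN_SERVICES:
            findings.append((r.lineno, service, r.text))
    return findings


# Constructed sample in the layout of the page's rules file (addresses are examples).
SAMPLE_RULES = """\
#ACTION         SOURCE                  DEST            PROTO   DEST
#                                                               PORT
SECTION NEW
DNS/ACCEPT      $FW                     net
ACCEPT          net                     $FW             tcp     10000   # WEBMIN
ACCEPT          loc                     $FW             tcp     10000
FTP(ACCEPT)     net:10.10.0.0/16        $FW
SSH(ACCEPT)     net                     $FW
ACCEPT          net:192.0.2.10          $FW             tcp     ssh
DNAT            net:192.0.2.10          loc:10.0.0.5    tcp     ssh
ACCEPT          net                     fw              icmp    8
"""

# The same admin services with the SOURCE restricted, as the first section does.
HARDENED_RULES = """\
SECTION NEW
ACCEPT          net:192.0.2.10          $FW             tcp     10000
SSH(ACCEPT)     net:192.0.2.10          $FW
DNAT            net:192.0.2.10          loc:10.0.0.5    tcp     ssh
"""

if __name__ == "__main__":
    for lineno, service, text in find_exposed_admin_rules(SAMPLE_RULES):
        print(f"line {lineno}: {service} open to all of 'net': {text}")
    print("hardened findings:", find_exposed_admin_rules(HARDENED_RULES))
```

Run it against a real file with `find_exposed_admin_rules(open("/etc/shorewall/rules").read())`; it reports only the unrestricted rules, so the FTP and NTP entries with `net:a.b.c.d/nn` sources pass, and the ICMP echo rules are ignored. The linter checks the rules file in isolation; it does not account for a `policy` file that already ACCEPTs net to $FW, which would make every port open regardless of what the rules file says.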