Ubuntu Linux系统下设置shorewall防火墙_Linux教程

服务器采用Ubuntu作为操作系统，两块网卡，一块接外网（eth0），一块接内网（eth1）。采用shorewall作为防火墙。

配置网卡：

sudo vi /etc/network/interfaces

Ubuntu下设置shorewall防火墙

服务器采用Ubuntu作为操作系统，两块网卡，一块接外网（eth0），一块接内网（eth1）。采用shorewall作为防火墙。

配置网卡：

sudo vi /etc/network/interfaces
------------------------------------------------
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0

# The primary network interface
iface eth0 inet static
address 192.168.2.250
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 202.96.209.6

auto eth1
iface eth1 inet static
address 192.168.10.254
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255

1、安装shorewall

sudo apt-get install shorewall

2、拷贝配置文件

sudo cp /usr/share/shorewall/modules /etc/shorewall

sudo cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/nat /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/maclist /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/interfaces

sudo cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/rules

sudo cp /usr/share/doc/shorewall/default-config/hosts /etc/shorewall/hosts

sudo cp /usr/share/doc/shorewall/default-config/masq /etc/shorewall/masq

3、配置网卡

sudo vi /etc/shorewall/interfaces

在倒数第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 这一行之后加上：

net eth0 detect

loc eth1 detect

4、配置网络别名

sudo vi /etc/shorewall/zones

在倒数第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 这一行之后加上：

net Net Internet

loc Local Local Networks

5、配置IP伪装，也就是透明代理

sudo vi /etc/shorewall/masq

在倒数第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 这一行之后加上：

eth0 eth1

6、配置策略

sudo vi /etc/shorewall/policy

在#LAST LINE -- DO NOT REMOVE这一行最后加上：

loc net ACCEPT

net all DROP info

all all REJECT info

7、配置防火墙规则

sudo vi /etc/shorewall/rules

在倒数第二行，也就是在 “#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE” 这一行后加上：

#incoming traffic (由 internet 去 firewall)

AllowSSH net fw

AllowDNS net fw

AllowWeb net fw

AllowSMB net fw

AllowNNTP net fw

AllowNTP net fw

AllowRdate net fw

AllowSMTP net fw

DropPing net fw

#outgoing traffic (由 firewall 去 internet)

AllowWeb fw net

AllowDNS fw net

AllowSMTP fw net

AllowSMB fw net

AllowSMTP fw net

AllowNNTP fw net

AllowNTP fw net

AllowRdate fw net

AllowSSH fw net

#open special ports

ACCEPT net fw tcp 9980

8、修改 shorewall.conf 自动开启 IP 转发

sudo gedit /etc/shorewall/shorewall.conf

查找到：

IP_FORWARDING=Keep

修改为：

IP_FORWARDING=On

# 保存关闭文件

9、修改 /etc/default/shorewall 自动运行防火墙

sudo vi /etc/default/shorewall

查找到：

startup=0

修改为：

startup=1

10、启动防火墙

sudo shorewall start

11、至此防火墙配置完成。