#
# Shorewall -- /etc/shorewall/policy
#
# Default policies, applied when no entry in /etc/shorewall/rules matched.
# Zones used throughout this set-up: $FW (the firewall host itself),
# grn (LAN, presumably $IF_GRN=eth1), tun (OpenVPN tap+ interfaces) and
# red (the two uplinks $IF_RED1/$IF_RED2).
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE  DEST  POLICY  LOG    LIMIT:  CONNLIMIT:
#                      LEVEL  BURST   MASK
# Connections the firewall itself originates: only what rules.fw allows.
$FW      all   REJECT
# LAN hosts: only what rules.grn allows.
grn      all   REJECT
# VPN peers: only what rules.tun allows.
tun      all   REJECT
# Unsolicited traffic from the uplinks is dropped silently (no RST / ICMP
# error is sent back, unlike REJECT).
red      all   DROP
# NOTE(review): no policy sets a LOG LEVEL, so rejected and dropped
# connections leave no trace at all.  A practitioner would normally put
# "info" (or a ULOG/NFLOG target) in the LOG LEVEL column at least for the
# red->all DROP policy, so scans and misconfigurations show up in the logs.
#
# Shorewall -- /etc/shorewall/rules
#
# Master rules file.  The rules are kept in one file per zone and pulled in
# with INCLUDE, so every included entry ends up in the NEW section below.
# Within one zone pair, entries match in file order, so the INCLUDE order
# is the matching order.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION  SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE  USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
# The sections for already-tracked traffic are left empty, so Shorewall's
# defaults apply (ESTABLISHED/RELATED accepted, INVALID dropped).
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Rules for connections originated by the firewall itself
INCLUDE rules.fw
# ... by the LAN
INCLUDE rules.grn
# ... by the uplinks (inbound), plus the port forwards
INCLUDE rules.red
INCLUDE rules.red-dnat
# ... by the OpenVPN peers
INCLUDE rules.tun
#
# Shorewall -- /etc/shorewall/rules.fw
#
# Connections originated by the firewall itself ($FW).  Included from
# /etc/shorewall/rules inside the NEW section; the $FW policy is REJECT, so
# only what is listed here gets out.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION          SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE  USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
# Towards the uplinks: name resolution, HTTP/HTTPS, FTP and OpenVPN
# (presumably the site-to-site tunnels carried on the tap+ interfaces).
DNS(ACCEPT)      $FW     red
Web(ACCEPT)      $FW     red
FTP(ACCEPT)      $FW     red
OpenVPN(ACCEPT)  $FW     red
# ICMP echo to every zone
Ping(ACCEPT)     $FW     all
# OSPF towards the tunnel peers; the "proto zebra" routes in the routing
# dump later in the article show a quagga/zebra routing daemon on this host.
OSPF(ACCEPT)     $FW     tun
# SSH from the firewall to every zone
SSH(ACCEPT)      $FW     all
#
# Shorewall -- /etc/shorewall/rules.grn
#
# Connections originated by LAN hosts (zone grn).  The grn policy is REJECT,
# so the LAN only gets what is listed here.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION      SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE     USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
# LAN clients resolve through the firewall only; there is no DNS to red.
DNS(ACCEPT)  grn     $FW
# HTTP/HTTPS and FTP to the uplinks
Web(ACCEPT)  grn     red
FTP(ACCEPT)  grn     red
Ping(ACCEPT) grn     all
# SSH to any zone, limited per source address ("s:") to 3 new connections
# per minute (RATE column).
SSH(ACCEPT)  grn     all   -      -      -      -         s:3/min
# SIP signalling (udp/5060) from the LAN to red, with the SIP conntrack
# helper so the RTP streams it negotiates are tracked as RELATED.
# NOTE(review): counting the fields, "sip" is the 14th one, which is the
# SWITCH column; HELPER is the 15th.  If that is what the compiler sees, the
# rule is gated on the /proc/net/nf_condition/sip switch (off by default)
# and no helper is attached -- "shorewall check" / the generated rules will
# tell.  For the helper, one more "-" is needed before "sip".
ACCEPT       grn     red   udp    5060   -      -         -        -     -     -          -     -        sip
#
# Shorewall -- /etc/shorewall/rules.red
#
# Unsolicited connections arriving from the uplinks (zone red).  The red
# policy is DROP, so everything not listed here is silently discarded.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION          SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE     USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
# OpenVPN to the firewall from any red address.  Restricting SOURCE to the
# known peers (an address list or an ipset, red:+ovpn_allow, as shown later
# in the article) is the safer form.
OpenVPN(ACCEPT)  red     $FW
# SSH to the firewall from any red address, 3 new connections per minute
# per source.
# NOTE(review): the rate limit slows down password guessing but does not
# restrict who may try.  Prefer limiting SOURCE to known addresses / an
# ipset, or reaching SSH over the VPN only, and keep password logins off on
# the sshd side.
SSH(ACCEPT)      red     $FW   -      -      -      -         s:3/min
# SIP signalling (udp/5060) from red to every host in the LAN.
# NOTE(review): this admits SIP from any source to the whole grn zone;
# narrow DEST to the PBX/phone address (grn:<addr>) unless every LAN host
# really serves SIP.
SIP(ACCEPT)      red     grn
#
# Shorewall -- /etc/shorewall/rules.tun
#
# Connections originated by OpenVPN peers (zone tun, the tap+ interfaces).
# The tun policy is REJECT.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION       SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE     USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
Ping(ACCEPT)  tun     $FW
# OSPF from the tunnel peers to the routing daemon on the firewall
# (presumably where the "proto zebra" routes via tap0 come from).
# NOTE(review): every peer in the tun zone may speak OSPF to the firewall,
# i.e. inject routes.  Whether ospfd authenticates its neighbours is not
# visible in this article -- worth confirming.
OSPF(ACCEPT)  tun     $FW
# SSH from the VPN to the firewall and into the LAN, 3 new connections per
# minute per source address.
SSH(ACCEPT)   tun     $FW   -      -      -      -         s:3/min
SSH(ACCEPT)   tun     grn   -      -      -      -         s:3/min
#
# Shorewall -- /etc/shorewall/rules.red-dnat
#
# Port forwards (DNAT) from the uplinks into the LAN.  Included from
# /etc/shorewall/rules after rules.red, inside the NEW section.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION     SOURCE  DEST                DPROTO  DPORT   SPORT  ORIGDEST       RATE  USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
# HTTP/HTTPS arriving on either uplink goes to the internal web server.
# Both providers carry "track", so replies leave through the uplink the
# connection came in on.
Web(DNAT)   red     grn:172.16.0.2
# To forward only connections that were addressed to one particular uplink
# address, name it in the ORIGINAL DEST column:
#Web(DNAT)  red     grn:172.16.0.2      -       -       -      192.168.10.37
# The same without the Web macro, ports spelled out:
#DNAT       red     grn:172.16.0.2      tcp     80,443
#DNAT       red     grn:172.16.0.2      tcp     80,443  -      192.168.10.37
# Port translation: external tcp/8080 is delivered to port 80 inside:
#DNAT       red     grn:172.16.0.2:80   tcp     8080
# NOTE(review): a DNAT rule exposes the internal host to every red source.
# If the service is not meant to be public, the SOURCE column accepts
# address lists and ipsets (red:+setname) just like in the ACCEPT rules.
#
# Shorewall -- /etc/shorewall/rules
#
# Two ways of limiting who may reach OpenVPN on the firewall, instead of the
# open "OpenVPN(ACCEPT) red $FW" entry in rules.red.
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################
#ACTION          SOURCE                             DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE  USER  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
# 1) an inline address list in the SOURCE column (needs a recompile to change)
OpenVPN(ACCEPT)  red:192.168.10.4,192.168.23.2      $FW
# 2) an ipset: "+name" refers to a set created with the ipset commands that
#    follow, so the allowed peers can be edited without touching Shorewall.
OpenVPN(ACCEPT)  red:+ovpn_allow                    $FW
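# Create the set referenced as "+ovpn_allow" in the rules file: a hash:ip
# set holding the addresses allowed to reach OpenVPN (see "man ipset" for
# the other set types).  "create"/"add" are the current ipset syntax; the
# old "-N name iphash" / "-A" spellings are only compatibility aliases.
# "-exist" makes the commands safe to re-run (no error when the set or the
# entry is already there).
ipset create ovpn_allow hash:ip -exist
# Allowed OpenVPN clients
ipset add ovpn_allow 192.168.10.4 -exist
ipset add ovpn_allow 192.168.23.2 -exist
# NOTE(review): the set must exist before "shorewall start", otherwise the
# rule referencing it cannot be loaded.  Make sure it is recreated at boot
# (an ipset save/restore unit, or Shorewall's SAVE_IPSETS setting).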
Name: ovpn_allow Type: hash:ip Revision: 1 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16560 References: 0 Members: 192.168.23.2 192.168.10.4
#
# Shorewall -- /etc/shorewall/providers
#
# The two uplinks (multi-ISP).
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME  NUMBER  MARK     DUPLICATE  INTERFACE  GATEWAY   OPTIONS          COPY
# "track": connections arriving on a provider are marked with its MARK so
# replies (and DNAT'd connections) go back out the same uplink.
# "fallback=N": the provider is a weighted nexthop of the default route
# (pr2 with the larger weight).  Packets that already carry the provider's
# mark -- set in the mangle file -- are routed through that provider.
# pr1: fixed gateway from params.
pr1    1       0x10000  -          $IF_RED1   $GW_RED1  track,fallback=1
# pr2: GW_RED2=detect, so the gateway is looked up at start time through
# /etc/shorewall/findgw (NetworkManager).
pr2    2       0x20000  -          $IF_RED2   $GW_RED2  track,fallback=4
# NOTE(review): the "shorewall show routing" dump later in the article shows
# both providers behind the same gateway 192.168.10.1 -- a lab with both
# "uplinks" on one LAN rather than two independent ISPs; the behaviour with
# real, distinct gateways is not demonstrated here.
#
# Shorewall -- /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
#	NET_IF=eth0
#	NET_BCAST=130.252.100.255
#	NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
#	net	$NET_IF		$NET_BCAST	$NET_OPTIONS
#
# The result will be the same as if the record had been written
#
#	net	eth0		130.252.100.255	routefilter,norfc1918
#
# (stock example text; norfc1918 is a long-obsolete option and only kept
# here because it is part of the shipped header)
#
###############################################################################
# First uplink: interface and its static gateway (provider pr1)
IF_RED1=eth0
GW_RED1=192.168.10.1
# Second uplink: the gateway is discovered at start time by
# /etc/shorewall/findgw (provider pr2)
IF_RED2=eth2
GW_RED2=detect
# LAN interface and the network that is masqueraded towards the uplinks
IF_GRN=eth1
NET_GRN=172.16.0.0/23
# OpenVPN tap interfaces (wildcard: tap0, tap1, ...)
IF_TUN=tap+
#LAST LINE -- DO NOT REMOVE
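#
# Shorewall version 4 - Findgw File
#
# /etc/shorewall/findgw
#
# The code in this file is executed when Shorewall is trying to detect the
# gateway through an interface in /etc/shorewall/providers that has GATEWAY
# specified as 'detect' (here: pr2, GW_RED2=detect in params).
#
# The code must echo the IP address of the gateway if it knows what it is;
# the name of the interface is in $1.  The gateway is asked from
# NetworkManager, which manages the uplinks on this host.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
# This file belongs to IPv4 Shorewall, so only the IPv4 gateway is printed.
# The IPv6 lookup (--fields IP6.GATEWAY) belongs in /etc/shorewall6/findgw:
# echoing both here produces two lines, and the contract above is a single
# address -- an IPv6 gateway could end up being used as the IPv4 one.
#
# LANG=C keeps nmcli's field labels stable; --terse prints
# "IP4.GATEWAY:<addr>", of which only the address part is kept.
LANG='C' nmcli --terse --fields IP4.GATEWAY device show "$1" | cut -f2- -d':'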
#
# Shorewall -- /etc/shorewall/masq
#
# Source NAT of the LAN towards the uplinks.
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###################################################################################################################################
#INTERFACE:DEST  SOURCE    ADDRESS  PROTO  PORT(S)  IPSEC  MARK  USER  SWITCH  ORIGDEST  PROBABILITY
# The LAN is SNAT'ed to the address of whichever uplink the packet leaves
# through.  ADDRESS "detect" makes Shorewall look the interface address up
# when the firewall is (re)started, so a restart is needed whenever that
# address changes -- which is what the NetworkManager dispatcher script in
# this article takes care of.
# Only $NET_GRN is translated; the tunnel networks and the OSPF-learned
# routes are forwarded without NAT.
$IF_RED1         $NET_GRN  detect
$IF_RED2         $NET_GRN  detect
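#!/bin/bash
#
# NetworkManager dispatcher script (presumably installed under
# /etc/NetworkManager/dispatcher.d/).  NetworkManager calls it with the
# interface name in $1 and the event ("up", "down", ...) in $2.
#
# On up/down it enables or disables the interface in Shorewall and
# Shorewall6 and, when the interface is one of the multi-ISP providers from
# /etc/shorewall/providers, restarts Shorewall so the 'detect'-ed gateway
# (findgw) and SNAT address (masq) are re-evaluated.
#
IF=$1          # interface name, e.g. eth0
STATUS=$2      # NetworkManager event: up / down / ...

# check_prov IFACE -- restart Shorewall if IFACE is a provider interface.
# providers may name the interface literally or through a variable from
# /etc/shorewall/params (IF_RED1=eth0 -> $IF_RED1), so both are checked.
check_prov() {
    local iface=$1 param

    # Names of the params variables whose value is exactly this interface.
    # Anchored on "=<name>$" so that eth1 does not also match eth10 or a
    # value that merely contains the name.
    param=$(grep -v '^#' /etc/shorewall/params | grep -- "=${iface}\$" | cut -d '=' -f 1)

    if [ -z "$param" ]; then
        # Not behind a variable: is it referenced literally in providers?
        grep -v '^#' /etc/shorewall/providers | grep -qw -- "$iface" && shorewall restart
    else
        # Referenced as $VARIABLE in providers?  "$param" may hold several
        # names, one per line; grep treats each line as a separate pattern.
        # (Quoting matters: unquoted, a second name would be taken as a
        # file operand instead of a pattern.)
        grep -v '^#' /etc/shorewall/providers | grep -qw -- "$param" && shorewall restart
    fi
}

case "$STATUS" in
    up)
        # "enable"/"disable" act on interfaces marked optional in the
        # interfaces file (not shown in the article).
        shorewall enable "$IF"
        shorewall6 enable "$IF"
        check_prov "$IF"
        ;;
    down)
        shorewall disable "$IF"
        shorewall6 disable "$IF"
        check_prov "$IF"
        ;;
esac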
shorewall show routing
Shorewall 5.0.2.1 Routing at cent1.domain.local - 8 23:41:30 MSK 2016 Routing Rules 0: from all lookup local 999: from all lookup main 10000: from all fwmark 0x10000/0xff0000 lookup pr1 10001: from all fwmark 0x20000/0xff0000 lookup pr2 20000: from 192.168.10.37 lookup pr1 20000: from 192.168.10.36 lookup pr2 32765: from all lookup balance 32767: from all lookup default Table balance: Table default: default nexthop via 192.168.10.1 dev eth0 weight 1 nexthop via 192.168.10.1 dev eth2 weight 1 Table local: local 192.168.10.37 dev eth0 proto kernel scope host src 192.168.10.37 local 192.168.10.36 dev eth2 proto kernel scope host src 192.168.10.36 local 172.16.3.1 dev tap0 proto kernel scope host src 172.16.3.1 local 172.16.3.129 dev tap1 proto kernel scope host src 172.16.3.129 local 172.16.248.1 dev lo proto kernel scope host src 172.16.248.1 local 172.16.0.1 dev eth1 proto kernel scope host src 172.16.0.1 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 broadcast 192.168.10.255 dev eth2 proto kernel scope link src 192.168.10.36 broadcast 192.168.10.255 dev eth0 proto kernel scope link src 192.168.10.37 broadcast 192.168.10.0 dev eth2 proto kernel scope link src 192.168.10.36 broadcast 192.168.10.0 dev eth0 proto kernel scope link src 192.168.10.37 broadcast 172.16.3.255 dev tap1 proto kernel scope link src 172.16.3.129 broadcast 172.16.3.128 dev tap1 proto kernel scope link src 172.16.3.129 broadcast 172.16.3.127 dev tap0 proto kernel scope link src 172.16.3.1 broadcast 172.16.3.0 dev tap0 proto kernel scope link src 172.16.3.1 broadcast 172.16.248.1 dev lo proto kernel scope link src 172.16.248.1 broadcast 172.16.1.255 dev eth1 proto kernel scope link src 172.16.0.1 broadcast 172.16.0.0 dev eth1 proto kernel scope link src 172.16.0.1 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 Table main: 192.168.10.1 
dev eth2 scope link src 192.168.10.36 172.16.3.1 dev tap0 proto zebra 172.16.3.129 dev tap1 proto zebra 172.16.248.2 via 172.16.3.2 dev tap0 proto zebra metric 13 172.16.12.129 via 172.16.3.2 dev tap0 proto zebra metric 3 172.16.11.1 via 172.16.3.2 dev tap0 proto zebra metric 3 172.16.3.128/25 dev tap1 proto kernel scope link src 172.16.3.129 172.16.3.0/25 dev tap0 proto kernel scope link src 172.16.3.1 192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.36 metric 101 192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.37 metric 100 172.16.8.0/23 via 172.16.3.2 dev tap0 proto zebra metric 13 172.16.0.0/23 dev eth1 proto kernel scope link src 172.16.0.1 metric 100 Table pr1: 192.168.10.1 dev eth0 scope link src 192.168.10.37 default via 192.168.10.1 dev eth0 src 192.168.10.37 Table pr2: 192.168.10.1 dev eth2 scope link src 192.168.10.36 default via 192.168.10.1 dev eth2 src 192.168.10.36
#
# Shorewall -- /etc/shorewall/mangle
#
# Multi-ISP version of the mangle file: per-host provider selection.
#
# For information about entries in this file, type "man shorewall-mangle"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
####################################################################################################################################################
#ACTION           SOURCE      DEST                     PROTO  DPORT  SPORT  USER  TEST  LENGTH  TOS  CONNBYTES  HELPER  PROBABILITY  DSCP
# Everything the LAN host 172.16.0.4 sends to addresses outside 172.16.0.0/12
# is marked 0x20000 -- the MARK of provider pr2 -- in PREROUTING (":P"), so
# it leaves through the second uplink.  Traffic to the internal 172.16.x
# networks is left unmarked and follows the normal routing.
MARK(0x20000):P   172.16.0.4  0.0.0.0/0!172.16.0.0/12
# NOTE(review): the CLASSIFY entries shown further down for traffic shaping
# are a second version of this same file; if both features are wanted at
# once the two sets of entries have to live in one mangle file.
#
# Shorewall -- /etc/shorewall/init
#
# Commands executed at the beginning of "shorewall start",
# "shorewall reload" and "shorewall restart".
#
# The traffic-shaping set-up in tcdevices redirects the ingress traffic of
# $IF_GRN, $IF_RED1 and $IF_RED2 onto ifb1, ifb0 and ifb2, so those three
# IFB devices have to exist and be up before Shorewall installs the qdiscs.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
# Load the IFB module with three devices.  If the module is already loaded
# this is a no-op and the device count it was loaded with stays in effect.
modprobe ifb numifbs=3
# Bring ifb0..ifb2 up.
for ifb_dev in ifb0 ifb1 ifb2; do
    ip link set dev "$ifb_dev" up
done
#
# Shorewall -- /etc/shorewall/tcdevices
#
# Devices that get a traffic-shaping qdisc.
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#NUMBER:INTERFACE  IN-BANDWITH  OUT-BANDWIDTH  OPTIONS        REDIRECTED INTERFACES
# Egress is shaped on the real interfaces.  Ingress is shaped by redirecting
# each interface's inbound traffic to an IFB device (created in the init
# script) and shaping that device's egress.  hfsc scheduler; "classify"
# means packets are put into classes by CLASSIFY rules in mangle and by
# tcfilters rather than by the MARK column of tcclasses (see the manpage).
# LAN side, 1 Gbit/s: 1 = eth1 egress, 2 = eth1 ingress via ifb1
1:$IF_GRN          -            1000mbit       hfsc,classify
2:ifb1             -            1000mbit       hfsc,classify  $IF_GRN
# First uplink, 10 Mbit/s: 3 = egress, 4 = ingress via ifb0
3:$IF_RED1         -            10mbit         hfsc,classify
4:ifb0             -            10mbit         hfsc,classify  $IF_RED1
# Second uplink, 10 Mbit/s: 5 = egress, 6 = ingress via ifb2
5:$IF_RED2         -            10mbit         hfsc,classify
6:ifb2             -            10mbit         hfsc,classify  $IF_RED2
#
# Shorewall -- /etc/shorewall/tcclasses
#
# Two classes per shaped device (devices 1..6 from tcdevices):
#   class 2 -- the default class: 1 Mbit/s guaranteed, may use up to 3 Mbit/s
#   class 3 -- 256 kbit/s guaranteed, may use the whole device bandwidth
#              ("full"), and has the higher priority (1 beats 2); the
#              CLASSIFY rules in mangle/tcfilters put HTTP/HTTPS here.
# With "classify" on the devices the MARK column is unused ("-").
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#INTERFACE:CLASS  MARK  RATE:      CEIL   PRIORITY  OPTIONS
#                       DMAX:UMAX
# 1 / 2: LAN egress and LAN ingress (ifb1)
1:1:2             -     1mbit      3mbit  2         default
1:1:3             -     256kbit    full   1
2:1:2             -     1mbit      3mbit  2         default
2:1:3             -     256kbit    full   1
# 3 / 4: first uplink egress and ingress (ifb0)
3:1:2             -     1mbit      3mbit  2         default
3:1:3             -     256kbit    full   1
4:1:2             -     1mbit      3mbit  2         default
4:1:3             -     256kbit    full   1
# 5 / 6: second uplink egress and ingress (ifb2)
5:1:2             -     1mbit      3mbit  2         default
5:1:3             -     256kbit    full   1
6:1:2             -     1mbit      3mbit  2         default
6:1:3             -     256kbit    full   1
#
# Shorewall -- /etc/shorewall/mangle
#
# Traffic-shaping version of the mangle file: CLASSIFY puts packets into the
# tcclasses of the real (egress) interfaces.
#
# For information about entries in this file, type "man shorewall-mangle"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
####################################################################################################################################################
#ACTION        SOURCE     DEST       PROTO  DPORT   SPORT   USER  TEST  LENGTH  TOS  CONNBYTES  HELPER  PROBABILITY  DSCP
# HTTP/HTTPS replies (source port 80/443) leaving towards the LAN on
# device 1 ($IF_GRN) go into the high-priority class 1:3.
CLASSIFY(1:3)  0.0.0.0/0  0.0.0.0/0  tcp    -       80,443
# HTTP/HTTPS requests (destination port 80/443) leaving through the first
# uplink (device 3) go into class 3:3.
CLASSIFY(3:3)  0.0.0.0/0  0.0.0.0/0  tcp    80,443
# NOTE(review): nothing classifies traffic on the second uplink (device 5),
# so everything leaving through pr2 stays in the default class 5:1:2.  Add a
# CLASSIFY(5:3) line if that uplink is meant to be shaped the same way.
#
# Shorewall -- /etc/shorewall/tcfilters
#
# tc filters for the IFB devices (ingress shaping).  Packets on an IFB are
# the ones that arrived on the redirected interface, so "egress" of ifb1 is
# what came in on $IF_GRN and "egress" of ifb0 is what came in on $IF_RED1.
#
# For information about entries in this file, type "man shorewall-tcfilters"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
########################################################################################################
#INTERFACE:CLASS  SOURCE     DEST       PROTO  DPORT   SPORT   TOS  LENGTH  PRIORITY
# Device 2 (ifb1, traffic received from the LAN): tcp with source port
# 80/443 goes into class 2:3.
2:3               0.0.0.0/0  0.0.0.0/0  tcp    -       80,443
# Device 4 (ifb0, traffic received from the first uplink): tcp with
# destination port 80/443 goes into class 4:3.
4:3               0.0.0.0/0  0.0.0.0/0  tcp    80,443
# NOTE(review): compared with the CLASSIFY lines in mangle the port
# direction looks reversed -- traffic received from LAN clients would carry
# 80/443 as *destination* port and replies received from the uplink would
# carry it as *source* port -- so these filters may be matching nothing.
# Confirm the intended direction with "tc -s class show dev ifb1" counters.
# As in mangle, the second uplink's IFB (device 6) has no filter at all.
Source: https://habr.com/ru/post/274677/