Add files via upload

RainmakerRaw · Dec 14, 2018 · 2d55ce3 · 2d55ce3
1 parent 0ee5811
commit 2d55ce3
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 0 deletions.
diff --git a/shorewall-interfaces.txt b/shorewall-interfaces.txt
@@ -0,0 +1,4 @@
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eno1
+loc     LOC_IF          tcpflags,dhcp,nosmurfs,routefilter,routeback=1,logmartians,physical=enp3s0f0
+dmz     DMZ_IF          tcpflags,dhcp,nosmurfs,routefilter,routeback=1,logmartians,physical=enp3s0f1
+wg      azirevpn-uk1
diff --git a/shorewall-policy.txt b/shorewall-policy.txt
@@ -0,0 +1,21 @@
+$FW     net             ACCEPT
+$FW     loc             ACCEPT
+$FW     dmz             ACCEPT
+$FW     wg              ACCEPT
+
+loc     net             ACCEPT
+loc     $FW             ACCEPT
+loc     dmz             ACCEPT
+loc     wg              ACCEPT
+
+dmz     net             ACCEPT
+dmz     loc             ACCEPT
+dmz     wg              ACCEPT
+
+wg      $FW             ACCEPT
+wg      dmz             ACCEPT
+
+net     all             DROP            info
+
+# THE FOLLOWING POLICY MUST BE LAST
+all     all             REJECT          $LOG_LEVEL
diff --git a/shorewall-rules.txt b/shorewall-rules.txt
@@ -0,0 +1,46 @@
+DNS(ACCEPT)     loc             $FW
+DNS(ACCEPT)     dmz             $FW
+#
+#       Accept WireGuard
+ACCEPT          net             $FW             udp     51820
+#       Accept SSH connections from the local network to the firewall and DMZ servers
+#
+SSH(ACCEPT)     loc             $FW
+SSH(ACCEPT)     loc             dmz
+#
+#       DMZ DNS access to the Internet
+#
+DNS(ACCEPT)     dmz             net
+
+
+# Drop Ping from the "bad" net zone.
+
+Ping(DROP)     net             $FW
+
+#
+#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
+#       (assumes that the loc-> net policy is ACCEPT).
+#
+
+Ping(ACCEPT)    loc             $FW
+Ping(ACCEPT)    dmz             $FW
+Ping(ACCEPT)    net             $FW
+Ping(ACCEPT)    loc             dmz
+Ping(DROP)      dmz             loc
+Ping(ACCEPT)    dmz             net
+
+ACCEPT          $FW             net             icmp
+ACCEPT          $FW             loc             icmp
+ACCEPT          $FW             dmz             icmp
+
+# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
+# the net zone to the dmz and loc
+
+#Ping(ACCEPT)    net             dmz
+#Ping(ACCEPT)    net             loc
+
+# DNAT port forwards - add more as required, following this template
+
+DNAT            loc     dmz:192.168.2.5         tcp     80    -       [WAN_IP]
+DNAT            dmz     dmz:192.168.2.5         tcp     80    -       [WAN_IP]
+DNAT            net     dmz:192.168.2.5:80		tcp     80
diff --git a/shorewall-snat.txt b/shorewall-snat.txt
@@ -0,0 +1,2 @@
+MASQUERADE              192.168.1.0/24          azirevpn-uk1
+MASQUERADE              192.168.2.0/24          eno1
diff --git a/shorewall-zones.txt b/shorewall-zones.txt
@@ -0,0 +1,5 @@
+fw      firewall
+net     ipv4
+loc     ipv4
+dmz     ipv4
+wg      ipv4
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		MASQUERADE 192.168.1.0/24 azirevpn-uk1
		MASQUERADE 192.168.2.0/24 eno1