From 2d55ce337e60b83fde31dd5d4a2b503a77274b5a Mon Sep 17 00:00:00 2001
From: RainmakerRaw
Date: Fri, 14 Dec 2018 10:55:00 +0000
Subject: [PATCH] Add files via upload

---
shorewall-interfaces.txt | 4 ++++
shorewall-policy.txt | 21 ++++++++++++++++++
shorewall-rules.txt | 46 ++++++++++++++++++++++++++++++++++++++++
shorewall-snat.txt | 2 ++
shorewall-zones.txt | 5 +++++
5 files changed, 78 insertions(+)
create mode 100644 shorewall-interfaces.txt
create mode 100644 shorewall-policy.txt
create mode 100644 shorewall-rules.txt
create mode 100644 shorewall-snat.txt
create mode 100644 shorewall-zones.txt
diff --git a/shorewall-interfaces.txt b/shorewall-interfaces.txt
new file mode 100644
index 0000000..36b1112
--- /dev/null
+++ b/shorewall-interfaces.txt
@@ -0,0 +1,4 @@
+net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eno1
+loc LOC_IF tcpflags,dhcp,nosmurfs,routefilter,routeback=1,logmartians,physical=enp3s0f0
+dmz DMZ_IF tcpflags,dhcp,nosmurfs,routefilter,routeback=1,logmartians,physical=enp3s0f1
+wg azirevpn-uk1
\ No newline at end of file
diff --git a/shorewall-policy.txt b/shorewall-policy.txt
new file mode 100644
index 0000000..9611768
--- /dev/null
+++ b/shorewall-policy.txt
@@ -0,0 +1,21 @@
+$FW net ACCEPT
+$FW loc ACCEPT
+$FW dmz ACCEPT
+$FW wg ACCEPT
+
+loc net ACCEPT
+loc $FW ACCEPT
+loc dmz ACCEPT
+loc wg ACCEPT
+
+dmz net ACCEPT
+dmz loc ACCEPT
+dmz wg ACCEPT
+
+wg $FW ACCEPT
+wg dmz ACCEPT
+
+net all DROP info
+
+# THE FOLLOWING POLICY MUST BE LAST
+all all REJECT $LOG_LEVEL
\ No newline at end of file
diff --git a/shorewall-rules.txt b/shorewall-rules.txt
new file mode 100644
index 0000000..7454a3d
--- /dev/null
+++ b/shorewall-rules.txt
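Review bot: The `wg azirevpn-uk1` line carries none of the hardening options the three physical interfaces get, so the TCP-flag and smurf checks are not applied to traffic arriving from the tunnel even though, judging by the name, its far end is a third-party VPN provider. Unless there is a reason the tunnel needs them omitted, bring it in line with the others: `wg azirevpn-uk1 tcpflags,nosmurfs,logmartians`. `routefilter` is deliberately left out of that suggestion because reverse-path filtering on a policy-routed VPN interface can drop legitimate return traffic, so confirm the routing setup before adding it. A header comment such as `#ZONE INTERFACE OPTIONS` would also help readers match the columns.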
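Review bot: `dmz loc ACCEPT` gives every DMZ host unrestricted access to the LAN, which defeats the segmentation a DMZ exists for — a compromised DMZ server could reach anything in 192.168.1.0/24 — and `Ping(DROP) dmz loc` in the rules file suggests a tighter intent than the policy expresses. The same applies to `wg $FW ACCEPT` and `wg dmz ACCEPT`: the `wg` zone is the azirevpn-uk1 tunnel per the interfaces file, whose remote side is a VPN provider and so deserves roughly the trust `net` gets, yet `net` is DROP while `wg` is ACCEPT into both the firewall and the DMZ. Change these to `dmz loc DROP info`, `wg $FW DROP info` and `wg dmz DROP info` and open only what is needed in the rules file. If `$LOG_LEVEL` is not defined in params the catch-all REJECT will presumably just not log; using the literal `info`, as the `net all` line already does, avoids that dependency.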
@@ -0,0 +1,46 @@
+DNS(ACCEPT) loc $FW
+DNS(ACCEPT) dmz $FW
+#
+# Accept WireGuard
+ACCEPT net $FW udp 51820
+# Accept SSH connections from the local network to the firewall and DMZ servers
+#
+SSH(ACCEPT) loc $FW
+SSH(ACCEPT) loc dmz
+#
+# DMZ DNS access to the Internet
+#
+DNS(ACCEPT) dmz net
+
+
+# Drop Ping from the "bad" net zone.
+
+Ping(DROP) net $FW
+
+#
+# Make ping work bi-directionally between the dmz, net, Firewall and local zone
+# (assumes that the loc-> net policy is ACCEPT).
+#
+
+Ping(ACCEPT) loc $FW
+Ping(ACCEPT) dmz $FW
+Ping(ACCEPT) net $FW
+Ping(ACCEPT) loc dmz
+Ping(DROP) dmz loc
+Ping(ACCEPT) dmz net
+
+ACCEPT $FW net icmp
+ACCEPT $FW loc icmp
+ACCEPT $FW dmz icmp
+
+# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
+# the net zone to the dmz and loc
+
+#Ping(ACCEPT) net dmz
+#Ping(ACCEPT) net loc
+
+# DNAT port forwards - add more as required, following this template
+
+DNAT loc dmz:192.168.2.5 tcp 80 - [WAN_IP]
+DNAT dmz dmz:192.168.2.5 tcp 80 - [WAN_IP]
+DNAT net dmz:192.168.2.5:80 tcp 80
diff --git a/shorewall-snat.txt b/shorewall-snat.txt
new file mode 100644
index 0000000..801d254
--- /dev/null
+++ b/shorewall-snat.txt
@@ -0,0 +1,2 @@
+MASQUERADE 192.168.1.0/24 azirevpn-uk1
+MASQUERADE 192.168.2.0/24 eno1
\ No newline at end of file
diff --git a/shorewall-zones.txt b/shorewall-zones.txt
new file mode 100644
index 0000000..e80614a
--- /dev/null
+++ b/shorewall-zones.txt
@@ -0,0 +1,5 @@
+fw firewall
+net ipv4
+loc ipv4
+dmz ipv4
+wg ipv4
\ No newline at end of file
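Review bot: `Ping(DROP) net $FW` and `Ping(ACCEPT) net $FW` both appear in this hunk; Shorewall applies the first matching rule, so the DROP wins and the later ACCEPT is dead — keep one and delete the other so the intended behaviour is unambiguous. `ACCEPT net $FW udp 51820` exposes a WireGuard listener to the whole Internet, but the interfaces file names the tunnel azirevpn-uk1, which looks like an outbound client tunnel to a VPN provider; a client needs no inbound port, so remove this rule unless the firewall is also meant to act as a WireGuard server. The two hairpin forwards `DNAT loc dmz:192.168.2.5 tcp 80 - [WAN_IP]` and `DNAT dmz dmz:192.168.2.5 tcp 80 - [WAN_IP]` presumably still need the placeholder filled in, and the dmz-to-dmz one will only work if replies are forced back through the firewall (an SNAT to the firewall's DMZ address), since otherwise the server answers the client directly on the shared subnet and the connection fails.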
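Review bot: Only 192.168.1.0/24 is masqueraded on azirevpn-uk1 and only 192.168.2.0/24 on eno1, so if the tunnel is down and the default route sends loc traffic out eno1, the `loc net ACCEPT` policy will likely forward it with RFC1918 source addresses rather than blocking it. If the intent is that loc may only ever leave via the VPN, enforce that in the policy (`loc net DROP info`) rather than relying on the absence of a NAT entry; the routing that steers loc into the tunnel is not in this diff, so confirm how a tunnel outage behaves. Likewise `dmz wg ACCEPT` is permitted by policy but there is no MASQUERADE for 192.168.2.0/24 on azirevpn-uk1, so DMZ traffic into the tunnel would leave un-NATed — either add the entry or drop that policy line.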
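Review bot: The zones file documents nothing about what each zone represents, and `wg` in particular needs it: from the interfaces file it is the azirevpn-uk1 tunnel, whose remote side appears to be a third-party VPN provider, which a reader would not guess from the name. A comment line above it such as `# wg: AzireVPN WireGuard tunnel (azirevpn-uk1); remote side is a third party, treat as untrusted` would make the trust level explicit, and a `#ZONE TYPE` header would make the columns self-describing.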