/etc/default/shorewall
# Allow the distribution init script to bring Shorewall up at boot
# (the packaged default leaves this at 0, so the firewall would never start).
startup=1
# Private state directory for Shorewall (the VARDIR setting below points here).
# 0750 keeps its contents readable only by root and root's group.
mkdir /etc/shorewall/vardir
chmod 0750 /etc/shorewall/vardir
/etc/shorewall/shorewall.conf
# Where Shorewall keeps its runtime state; must exist with restrictive permissions.
VARDIR=/etc/shorewall/vardir
# Rate-limit firewall log messages: at most 10 per minute with a burst of 5,
# so a flood of dropped packets cannot fill the logs or starve the logger.
LOGRATE=10/minute
LOGBURST=5
# This host is a standalone firewall, not a router: do not forward IPv4 between interfaces.
IP_FORWARDING=Off
# Create an (initially empty) blacklist file; the 'blacklist' option on the
# net interface presumably expects it to exist — verify against the installed version.
touch /etc/shorewall/blacklist
/etc/shorewall/interfaces
#ZONE  INTERFACE  BROADCAST  OPTIONS
#
# eth0 is the only interface and faces the untrusted 'net' zone.
# Options (all ingress hardening):
#   norfc1918   - drop packets arriving with private (RFC 1918) source addresses
#                 NOTE(review): this option was dropped in later Shorewall releases;
#                 confirm it is still accepted by the installed version
#   routefilter - enable kernel reverse-path filtering on this interface
#   tcpflags    - drop packets with invalid TCP flag combinations
#   logmartians - log packets with impossible source addresses
#   nosmurfs    - drop packets whose source is a broadcast/multicast address
#   blacklist   - apply /etc/shorewall/blacklist to traffic entering here
net    eth0       detect     norfc1918,routefilter,tcpflags,logmartians,nosmurfs,blacklist
/etc/shorewall/zones
#ZONE  TYPE
# 'fw' is the firewall host itself (referenced as $FW elsewhere);
# 'net' is everything reachable through eth0.
fw     firewall
net    ipv4
/etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
#
# Default-deny in both directions; every permitted flow must appear in
# /etc/shorewall/rules.  Logging at 'info' keeps a record of what the
# policies drop (the LOGRATE/LOGBURST settings cap the message volume).
$FW      net   DROP    info
net      $FW   DROP    info
net      all   DROP    info
# The FOLLOWING POLICY MUST BE LAST: catch-all for any zone pair not matched above.
all      all   REJECT  info
/etc/shorewall/start
# Extension script run by Shorewall after the firewall is started.
# Lower the console log level to 5 so the 'info' (level 6) firewall log
# entries go to the logs only and do not scroll over the console.
dmesg -n5
/etc/shorewall/rules
#ACTION  SOURCE               DEST  PROTO  DPORT  SPORT       ORIGDEST  RATE
#                                          (dest  (source               (rate/unit:burst)
#                                          port)  port)
#
# --- Outbound: firewall ($FW) -> net.  The $FW->net policy is DROP, so the
# --- firewall can only reach the services listed here.
# Source port 1024:65535 restricts the firewall's own connections to
# unprivileged ephemeral ports.
#
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT   $FW                  net   icmp
# SMTP
ACCEPT   $FW                  net   tcp    25     1024:65535
# WHOIS
ACCEPT   $FW                  net   tcp    43     1024:65535
# DNS
ACCEPT   $FW                  net   udp    53     1024:65535
# HTTP: only to a fixed set of package-mirror addresses (Ubuntu archive).
# NOTE(review): mirror addresses change over time; a stale entry is silently
# DROPped by policy (logged at info), so revisit this list if apt starts failing.
# Ubuntu
ACCEPT   $FW                  net:195.248.90.38    tcp  80  1024:65535
ACCEPT   $FW                  net:195.228.252.133  tcp  80  1024:65535
ACCEPT   $FW                  net:91.189.90.142    tcp  80  1024:65535
ACCEPT   $FW                  net:91.189.89.182    tcp  80  1024:65535
ACCEPT   $FW                  net:91.189.89.8      tcp  80  1024:65535
ACCEPT   $FW                  net:91.189.89.6      tcp  80  1024:65535
ACCEPT   $FW                  net:91.189.88.37     tcp  80  1024:65535
ACCEPT   $FW                  net:91.189.88.31     tcp  80  1024:65535
ACCEPT   $FW                  net:82.211.81.138    tcp  80  1024:65535
#GeoIP
ACCEPT   $FW                  net:67.15.94.80      tcp  80  1024:65535
# NTP: a single pinned time server
ACCEPT   $FW                  net:193.67.79.202    udp  123 1024:65535
#
# --- Inbound: net -> firewall ($FW).
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
# (REJECT here answers with an ICMP error instead of logging every probe.)
Ping/REJECT  net  $FW
# FTP and SSH are exposed only to the administrative source range.
# NOTE(review): 'your_range' is a placeholder and not a valid address —
# replace it with the real network (e.g. a.b.c.0/24) before compiling.
# The RATE column throttles new connections (2 per second, burst 3) to slow
# brute-force attempts.
# FTP
# NOTE(review): port 21 is only the control channel; FTP data connections
# rely on the FTP connection-tracking helper — confirm it is loaded.
ACCEPT   net:your_range       $FW   tcp    21     1024:65535  -         2/sec:3
# SSH
ACCEPT   net:your_range       $FW   tcp    22     1024:65535  -         2/sec:3
# Public services from anywhere on the net, each with its own rate limit.
# SMTP
ACCEPT   net                  $FW   tcp    25     1024:65535  -         1/sec:1
# HTTP
ACCEPT   net                  $FW   tcp    80     1024:65535  -         24/sec:32
# HTTPS
ACCEPT   net                  $FW   tcp    443    1024:65535  -         5/sec:10