Using Ubuntu as a small gateway and firewall

Posted 11 months, 1 week ago at 11:32 am. 0 comments


Original article: Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment

An interesting article. My study notes follow:

Install SSH
apt-get install openssh-server

Edit the network interface configuration
Edit /etc/network/interfaces and add the following at the bottom:

Refer to the example below (eth0 faces the Internet via DHCP, eth1 is the static LAN side):

auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0

Restart networking
/etc/init.d/networking restart

Install the required packages (Perl modules for webmin, plus shorewall and dnsmasq)
apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq

Install webmin
wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.310_all.deb

"surfnet" is the Dutch mirror. Change it to "heanet" (Ireland), "belnet" (Belgium), "mesh" (Germany), and so on.

dpkg -i webmin_1.310_all.deb

Configure shorewall from the two-interface example
cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz policy.gz

Log in to the webmin interface to manage shorewall (http://xxx.xxx.xxx.xxx:10000)

Now open your browser and log in to webmin at https://192.168.1.1:10000 as root with your root password and, using webmin's shorewall module, change the policies and rules of your firewall as needed (for now, I only set the policy file to the example as shown; you may copy and paste my policy file for starters if you don't like webmin).

Also, in /etc/shorewall.conf change the line "IP_FORWARDING=Keep" to "IP_FORWARDING=On" (without quotes), and enable the firewall in /etc/default/shorewall.

My /etc/shorewall/policy now looks like this:

###############################################################################
#SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample. This is solely for the purpose of
# providing more specific messages in the logs. This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc       net     ACCEPT
loc       $FW     ACCEPT
loc       all     REJECT   info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW       net     ACCEPT
$FW       loc     ACCEPT
$FW       all     REJECT   info
#
# Policies for traffic originating from the Internet zone (net)
#
net       $FW     DROP     info
net       loc     DROP     info
net       all     DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
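
As an added check before starting the firewall (example code written for these notes, not from the original article or from shorewall), a POSIX shell script that lints a policy file for the invariants the sample above depends on: the catch-all "all all REJECT" entry is last, no policy ACCEPTs traffic from the net zone, and dropped Internet traffic carries a LOG LEVEL. The sample file and temp paths are constructed so it runs offline.

```shell
# Added example, not part of the original article: lint a shorewall policy
# file for the invariants the sample policy above relies on, before running
# "shorewall start". Sample data and paths are constructed so it runs offline.

# check_policy FILE: print each problem found; return 0 only when clean.
check_policy() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    { n++; ln[n]=NR; src[n]=$1; dst[n]=$2; pol[n]=$3; lvl[n]=$4 }
    END {
        bad = 0
        if (n == 0) { print "no policy entries"; exit 1 }
        # the catch-all REJECT must be the final entry
        if (!(src[n]=="all" && dst[n]=="all" && pol[n]=="REJECT")) {
            print "last entry must be: all all REJECT"; bad++
        }
        for (i = 1; i <= n; i++) {
            # an ACCEPT policy from the Internet zone exposes the host or LAN
            if (src[i]=="net" && pol[i]=="ACCEPT")
                { print "line " ln[i] ": net -> " dst[i] " ACCEPT"; bad++ }
            # dropped Internet traffic should be logged so probes stay visible
            if (src[i]=="net" && lvl[i]=="")
                { print "line " ln[i] ": net -> " dst[i] " has no LOG LEVEL"; bad++ }
            # an early "all all" entry shadows every entry after it
            if (src[i]=="all" && dst[i]=="all" && i < n)
                { print "line " ln[i] ": all all is not last"; bad++ }
        }
        exit (bad > 0 ? 1 : 0)
    }' "$1"
}

# write_sample_policy FILE: a constructed copy of the page's policy entries.
write_sample_policy() {
    cat > "$1" <<'EOF'
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net ACCEPT
$FW loc ACCEPT
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
EOF
}

TMP=$(mktemp -d); write_sample_policy "$TMP/policy"
check_policy "$TMP/policy" && echo "policy OK"
```

Run it as `sh lint-policy.sh` (hypothetical file name); to lint the live file, call `check_policy /etc/shorewall/policy` instead of the constructed sample.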

Start the firewall
/etc/init.d/shorewall start
