RuggedCom RX1000 ユーザーズマニュアル
Chapter 11 – Configuring The Firewall
2) In this SNAT rule a static address of 66.11.180.161 is acquired from the ISP.
Traffic from the subnet handled by eth2 should be translated to 66.11.180.161 as it
sent to the Internet over ppp. The + at the end of “ppp+” causes Shorewall to
match any ppp interface.
sent to the Internet over ppp. The + at the end of “ppp+” causes Shorewall to
match any ppp interface.
3) This example is much the same as the previous one only the subnet is explicitly
described, and could include traffic from any of the Ethernet ports.
4) In this SNAT rule, traffic from the subnet handled by only port eth1 should be
translated to 100.1.101.16 as it sent to the Internet on t1/e1 port w1ppp.
5) This example is much the same as the previous one excepting that only smtp from
eth1 will be allowed.
Masquerading and SNAT rules are defined in the file /etc/shorewall/masq and are
modified from the Masquerading menu.
modified from the Masquerading menu.
Rules
The default policies can completely configure traffic based upon zones. But the
default policies cannot take into account criteria such as the type of protocol, IP
source/destination addresses and the need to perform special actions such as port
forwarding. The Shorewall rules can accomplish this.
The Shorewall rules provide exceptions to the default policies. In actuality, when a
connection request arrives the rules file is inspected first. If no match is found then
the default policy is applied. Rules are of the form:
Action
default policies cannot take into account criteria such as the type of protocol, IP
source/destination addresses and the need to perform special actions such as port
forwarding. The Shorewall rules can accomplish this.
The Shorewall rules provide exceptions to the default policies. In actuality, when a
connection request arrives the rules file is inspected first. If no match is found then
the default policy is applied. Rules are of the form:
Action
Source-Zone Destination-Zone Protocol Destination-Port Source-
Port Original-Destination-IP Rate-Limit User-Group
Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-,
CONTINUE, LOG and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and
QUEUE actions are not widely used used and are not described here.
Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-,
CONTINUE, LOG and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and
QUEUE actions are not widely used used and are not described here.
Action
Description
ACCEPT
Allow the connection request to proceed.
DROP
The connection request is simply ignored. No notification is made to
the requesting client.
the requesting client.
REJECT
The connection request is rejected with an RST (TCP) or an ICMP
destination-unreachable packet being returned to the client.
destination-unreachable packet being returned to the client.
DNAT
Forward the request to another system (and optionally another port).
REDIRECT Redirect the request to a local tcp port number on the local firewall.
This is most often used to “remap” port numbers for services on the
firewall itself.
firewall itself.
The remaining fields of a rule are as described below:
Action
The action as described in the previous table.
Source-Zone
The zone the connection originated from.
Destination-Zone The zone the connection is destined for.
Protocol
Protocol
The tcp or udp protocol type.
Destination-Port The tcp/udp port the connection is destined for.
RuggedCom 109