Shorewall
# Shorewall "interfaces" file (columns: ZONE INTERFACE BROADCAST OPTIONS).
# Binds each zone declared in the zones section to a network interface;
# "detect" lets Shorewall discover the broadcast address itself.
#   tcpflags     - drop packets carrying invalid TCP flag combinations
#   dhcp         - permit DHCP traffic on the interface
#   nosmurfs     - drop packets whose source address is a broadcast address
#   routefilter  - enable kernel reverse-path filtering on the interface (anti-spoofing)
#   logmartians  - log packets with impossible source addresses; "=0" turns the log off
# NOTE(review): martian logging is kept only on the net interface (eth1).
# loc, wifi and tun set logmartians=0, so a spoofed-source packet arriving
# from inside is still dropped by routefilter but leaves no log entry —
# confirm this is deliberate, since that log is useful for spotting a
# misbehaving or compromised internal host.
loc eth0 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians=0
net eth1 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians
wifi eth2 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians=0
tun tun0 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians=0
# Two-column section: INTERFACE followed by a comma-separated list of
# networks (a trailing backslash continues the list on the next line).
# The page does not name the Shorewall file this comes from; the layout
# matches the INTERFACE/SOURCE form of e.g. the masq file — confirm.
# NOTE(review): if this is the masq file, column 1 is the *outgoing*
# interface. eth0 is bound to the loc zone above and eth1 is the net
# (internet) interface, so check that NAT of the RFC1918 ranges is meant to
# apply on eth0/eth2/tun0 and not on eth1.
eth0 10.0.0.0/8,\
169.254.0.0/16,\
172.16.0.0/12,\
192.168.0.0/16
eth2 192.168.0.0/16
tun0 192.168.0.0/16
# Shorewall "policy" file (columns: SOURCE DEST POLICY LOG-LEVEL).
# A policy is the default applied to traffic that no explicit rule matched;
# entries are evaluated in order, which is why the catch-all must be last.
# loc, wifi and tun may reach the internet unrestricted by default (the
# ping comment in the rules section relies on loc -> net being ACCEPT).
loc net ACCEPT
wifi net ACCEPT
tun net ACCEPT
# Unsolicited traffic from the internet is dropped silently and logged at "info".
net all DROP info
# Everything else — including traffic originating on the firewall itself
# ($FW) — is rejected and logged; that is why the rules section carries
# explicit $FW -> net entries for DNS, NTP, HTTP and ICMP.
# NOTE(review): with wifi -> net and tun -> net set to ACCEPT, clients in
# those zones can reach any internet port directly; the rules section only
# redirects tcp/80 through the local proxy (its "sans filtre" comment
# describes this gap). A filtering captive-portal design would normally make
# these policies DROP or REJECT and allow only what the proxy needs.
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
# Shorewall "rules" file (columns: ACTION SOURCE DEST PROTO DPORT ...).
# Rules are matched in order before the policy file's defaults apply.
# Macro form such as DNS(ACCEPT) expands to the protocol/port set of the
# named service.
#
# DNS: the firewall resolves against the internet; loc, wifi and tun resolve
# against the firewall; tun may also query DNS servers in loc.
DNS(ACCEPT) $FW net
DNS(ACCEPT) loc $FW
DNS(ACCEPT) wifi $FW
DNS(ACCEPT) tun $FW
DNS(ACCEPT) tun loc
# NTP: the firewall keeps time from internet servers.
NTP(ACCEPT) $FW net
#
#
# Accept SSH connections from the local network to the firewall and wifi
#
# NOTE(review): the first entry also exposes SSH on the firewall to the whole
# internet, which is not what the comment above says. If remote
# administration is required, restrict the source to the administrator's
# address (e.g. `SSH(ACCEPT) net:<admin-address> $FW`) and consider rate
# limiting; otherwise drop this line and rely on the tun (VPN) zone.
SSH(ACCEPT) net $FW
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc wifi
SSH(ACCEPT) loc tun
# Allow connections from the internet to the web server (HTTP and HTTPS).
# NOTE(review): HTTP is TCP-only; the udp www entry opens udp/80 on the
# firewall to the internet for no benefit, and udp/443 is needed only if the
# server speaks HTTP/3 (QUIC). Consider removing the two udp lines.
ACCEPT net $FW tcp 443 #https
ACCEPT net $FW udp 443 #https
ACCEPT net $FW tcp www #web
ACCEPT net $FW udp www #web
# Allow access to the proxy and redirect traffic that tries to leave directly
# via port 81 (to be improved, see webadmin). The udp www/443/81 entries
# below carry the same caveat as above: these services are TCP.
ACCEPT tun $FW tcp www
ACCEPT tun $FW udp www
ACCEPT wifi $FW tcp www
ACCEPT wifi $FW udp www
# Outbound access for the chilli (captive portal) network.
# NOTE(review): these two lines are already covered by the wifi -> net ACCEPT
# policy; they only matter if that policy is later tightened.
ACCEPT wifi net tcp www
ACCEPT wifi net udp www
# HTTPS between wifi/tun clients and the firewall, in both directions.
ACCEPT tun $FW tcp 443
ACCEPT tun $FW udp 443
ACCEPT wifi $FW tcp 443
ACCEPT wifi $FW udp 443
ACCEPT $FW tun tcp 443
ACCEPT $FW tun udp 443
ACCEPT $FW wifi tcp 443
ACCEPT $FW wifi udp 443
# 1812/1813: RADIUS authentication and accounting, reachable on the firewall
# from the wifi and tun zones.
# NOTE(review): RADIUS runs over UDP, so the tcp entries look unnecessary.
# More importantly, if the captive portal on the firewall is the RADIUS
# client, wifi clients themselves have no need to reach the RADIUS server;
# exposing it to unauthenticated portal users widens the attack surface —
# confirm who actually needs these ports.
ACCEPT tun $FW tcp 1812
ACCEPT tun $FW udp 1812
ACCEPT wifi $FW tcp 1812
ACCEPT wifi $FW udp 1812
ACCEPT tun $FW tcp 1813
ACCEPT tun $FW udp 1813
ACCEPT wifi $FW tcp 1813
ACCEPT wifi $FW udp 1813
# chilli access (3990 is presumably the captive portal's UAM port — confirm).
ACCEPT tun $FW tcp 3990
ACCEPT tun $FW udp 3990
ACCEPT wifi $FW tcp 3990
ACCEPT wifi $FW udp 3990
# Direct access to the proxy port (3128) from wifi/tun is disabled;
# those zones are transparently redirected instead (below).
#ACCEPT wifi $FW tcp 3128
#ACCEPT wifi $FW udp 3128
#ACCEPT tun $FW tcp 3128
#ACCEPT tun $FW udp 3128
# Transparent proxying: tcp/80 (www) from wifi and tun is REDIRECTed to local
# port 81 on the firewall, which must therefore accept port 81 from those zones.
ACCEPT wifi $FW tcp 81
ACCEPT wifi $FW udp 81
REDIRECT wifi 81 tcp www -
REDIRECT wifi 81 udp www -
ACCEPT tun $FW tcp 81
ACCEPT tun $FW udp 81
REDIRECT tun 81 tcp www -
REDIRECT tun 81 udp www -
# loc may reach the firewall's web server, the transparent proxy port (81)
# and the proxy directly (3128); its tcp/80 is redirected like wifi/tun.
ACCEPT loc $FW tcp www
ACCEPT loc $FW udp www
ACCEPT loc $FW tcp 81
ACCEPT loc $FW udp 81
ACCEPT loc $FW tcp 3128
ACCEPT loc $FW udp 3128
REDIRECT loc 81 tcp www -
REDIRECT loc 81 udp www -
# To be improved so that users in TX cannot browse without filtering.
# NOTE(review): the filtering gap is wider than this line — only tcp/80 is
# redirected, and the wifi/tun -> net ACCEPT policies let HTTPS and every
# other port leave unfiltered (see the policy section).
ACCEPT $FW net tcp www
# Drop Ping from the "bad" net zone.
# (Already implied by the net -> all DROP policy; kept explicit.)
Ping(DROP) net $FW
#
# Make ping work bi-directionally between the wifi, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping(ACCEPT) loc $FW
Ping(ACCEPT) wifi $FW
Ping(ACCEPT) tun $FW
Ping(ACCEPT) loc wifi
Ping(ACCEPT) loc tun
Ping(ACCEPT) wifi loc
Ping(ACCEPT) tun loc
Ping(ACCEPT) wifi net
Ping(ACCEPT) tun net
# The firewall itself may send any ICMP to every zone (needed because the
# all -> all REJECT policy would otherwise block $FW-originated ICMP).
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW wifi icmp
ACCEPT $FW tun icmp
# Shorewall "zones" file: declares every zone name used in the interfaces,
# policy and rules sections. "fw" is the firewall host itself (referenced as
# $FW in the rules); the others are plain IPv4 zones.
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
loc ipv4
net ipv4
wifi ipv4
tun ipv4