Shorewall is an excellent free Linux firewall which provides an unparalleled level of fine-grained control. It not only acts as a firewall and gateway, it also supports DMZ, IP Masquerading (NAT & SNAT), Proxy ARP and more. In short, Shorewall is your one-stop solution for complex network routing needs and flexible, controllable internet connectivity options.

The Shoreline Firewall is a high-level tool for configuring Netfilter. The firewall/gateway requirements are described in a set of configuration files. Shorewall reads those configuration files and configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall takes advantage of Netfilter's connection state tracking capabilities to create a stateful firewall. In short, it provides the full power of iptables without the associated complexity.

Today I will describe a rather common setup where you have two or more redundant ADSL / Cable / T1 connections which you want to use to provide reliable internet connectivity to your intranet machines. You have set aside a machine which will act as the firewall and gateway. It will also provide transparent connectivity to your intranet machines using NAT / SNAT over the dual connections you have most likely configured earlier with load balancing & fail-over (see below).

Note: This is the second part of an article on providing load-balanced internet connectivity with fail-over using two or more DSL / Cable connections. You can read the first part here.

Note: You can also use the concepts from this article to configure a setup with a single internet connection or more than two internet connections.

Shorewall is configured using several configuration files. All configuration files are in the /etc/shorewall directory.

Shorewall views the network as being composed of zones. Shorewall recognizes the firewall system as its own zone. One or more interfaces can be defined as belonging to a single zone. However, you can also have multiple zones within a single interface, as well as nested and overlapping zones.

In addition to the default zones I created two new zones - net & loc. I added the following lines to the zones file:

net ipv4
loc ipv4

The net zone represents the machine's interfaces which provide internet connectivity, and the loc zone represents the interface facing the local network. I then associate these zones with the interfaces in the interfaces file by adding the following lines:

net eth1 detect
net eth2 detect
loc eth0 detect

The main functionality of the firewall is configured in the policy file. Here I specify how traffic is restricted across the various zones. I added the following lines to the policy file:

loc net ACCEPT
net all DROP info
$FW net ACCEPT
$FW loc ACCEPT
loc $FW ACCEPT
all all REJECT info

Explanation
————
loc net ACCEPT -> Accept all connections from the local network to the internet
net all DROP info -> Drop all incoming connection requests from the internet interfaces and log them at the info level
$FW net ACCEPT -> Accept connections from the firewall to the internet interfaces
$FW loc ACCEPT -> Accept connections from the firewall to the local network. You may want to omit this line for added security.
loc $FW ACCEPT -> Accept all connections from the local network to the firewall machine
all all REJECT info -> Reject everything else and log it at the info level

To enable IP Masquerading I need to specify the interfaces between which IP Masq needs to be enabled. I made the following additions to the masq file to accomplish this:

eth1 172.16.0.0/24 192.168.1.10
eth2 172.16.0.0/24 192.168.0.10

The above lines instruct Shorewall to masquerade traffic from the intranet (172.16.0.0/24) leaving through either the eth1 or the eth2 interface, using the address in the third column as the SNAT source address.
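Shorewall applies the first policy line whose SOURCE and DEST columns match (with "all" matching any zone), so the order of the policy lines above matters. The following added shell script, not part of the original article, embeds constructed copies of the interfaces, policy and masq files from this post and lets you check which policy a zone pair would hit and that every masq interface is really a net-zone interface; it does not require Shorewall to be installed.

```shell
#!/bin/sh
# Constructed copies of the three Shorewall files from the article,
# embedded inline so the script runs without /etc/shorewall present.
INTERFACES='net eth1 detect
net eth2 detect
loc eth0 detect'

POLICY='loc net ACCEPT
net all DROP info
$FW net ACCEPT
$FW loc ACCEPT
loc $FW ACCEPT
all all REJECT info'

MASQ='eth1 172.16.0.0/24 192.168.1.10
eth2 172.16.0.0/24 192.168.0.10'

# policy_lookup SRC DST: print the action Shorewall applies between two
# zones. The first policy line whose SOURCE and DEST columns match wins,
# and "all" matches any zone, so "net all DROP" shadows "all all REJECT".
policy_lookup() {
    printf '%s\n' "$POLICY" | awk -v s="$1" -v d="$2" '
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }'
}

# masq_check: every interface named in the masq file must be declared as a
# "net" zone interface in the interfaces file; prints "ok" or the offenders.
masq_check() {
    bad=""
    for ifc in $(printf '%s\n' "$MASQ" | awk '{ print $1 }'); do
        printf '%s\n' "$INTERFACES" \
            | awk -v i="$ifc" '$1 == "net" && $2 == i { f = 1 } END { exit f ? 0 : 1 }' \
            || bad="$bad $ifc"
    done
    [ -z "$bad" ] && echo ok || echo "not a net interface:$bad"
}

policy_lookup loc net      # ACCEPT
policy_lookup net loc      # DROP (hits "net all DROP" before "all all REJECT")
policy_lookup '$FW' net    # ACCEPT
masq_check                 # ok
```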

This completes the core configuration changes. Finally, shorewall.conf needs to be modified to enable Shorewall and add the SNAT aliases; you can also do a minor optimization of the firewall while you are at it. The changes to shorewall.conf are as follows:

STARTUP_ENABLED=Yes
ADD_SNAT_ALIASES=Yes
FASTACCEPT=Yes

Now you are ready to go. You should set Shorewall to start as a service on reboot with:
chkconfig shorewall on

You can start it now with:
service shorewall start