[Network diagram; only its labels survive extraction. Recovered legend: HELIOS is the firewall, with dsl0 (ppp0, 82.67.59.175) in zone {net} and eth0 in zone {loc} serving LUNE on 192.168.1.0/24. The remote sites HOTEQLQ1 (SLN-01, modem1) and HOTEQLQ2 (SLN-02, modem2) reach it through PPTP VPN tunnels that terminate on ppp1 (IP1 192.168.1.62) and ppp2 (IP2 192.168.1.63), and so on for further sites.]
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#   ZONE        Short name of the zone
#   DISPLAY     Display name of the zone
#   COMMENTS    Comments about the zone
#
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
#   ZONE        Zone for this interface. Must match the short name
#               of a zone defined in /etc/shorewall/zones.
#
#               If the interface serves multiple zones that will be
#               defined in the /etc/shorewall/hosts file, you should
#               place "-" in this column.
#
#   INTERFACE   Name of interface. Each interface may be listed only
#               once in this file. You may NOT specify the name of
#               an alias (e.g., eth0:0) here; see
#
#   BROADCAST   The broadcast address for the subnetwork to which the
#               If you use the special value "detect", the firewall
#               will detect the broadcast address for you. If you
#               select this option, the interface must be up before
#               the firewall is started, you must have iproute
#               installed and the interface must only be associated
#
#   OPTIONS     A comma-separated list of options including the
#               following:
#
##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect
net     dsl0        detect
-       ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
#   SOURCE      Source zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all".
#
#   DEST        Destination zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all"
#
#               WARNING: Firewall->Firewall policies are not allowed; if
#               you have a policy where both SOURCE and DEST are $FW,
#               Shorewall will not start!
#
#   POLICY      Policy if no match from the rules file is found. Must
#               be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
#   LOG LEVEL   If supplied, each connection handled under the default
#
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
net       all    DROP     info
$FW       all    ACCEPT   -           # Here we could use DROP and then define rules
loc       net    ACCEPT   -           # Here we could use DROP and then define rules
loc       $FW    ACCEPT   -           # Here we could use DROP and then define rules
loc       loc    ACCEPT   -           # Here we could use DROP and then define rules
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# /etc/shorewall/rules
##############################################################################
#ACTION       SOURCE   DEST   PROTO   DEST       SOURCE    ORIGINAL
#                                     PORT       PORT(S)   DEST
# VPN (PPTP needs both the TCP 1723 control channel and GRE, protocol 47)
ACCEPT:info   net      $FW    tcp     1723                 <<-------------------
ACCEPT:info   net      $FW    47                           <<-------------------
ACCEPT:info   $FW      net    47                           <<-------------------
# DNS
ACCEPT        net      $FW    udp     53         -
ACCEPT        net      $FW    tcp     53         -
# WEB
ACCEPT        net      $FW    tcp     80         -
# WEBS https
ACCEPT        net      $FW    tcp     443        -
# SMTPS
ACCEPT        net      $FW    tcp     995        -
# FTP
ACCEPT        net      $FW    tcp     ftp        -
ACCEPT        net      $FW    tcp     ftp-data   -
# SMTP
ACCEPT        net      $FW    tcp     smtp       -
# POP3
ACCEPT        net      $FW    tcp     pop3       -
# Everything from local to the firewall
ACCEPT        loc      $FW    tcp     -          -
#
# The rules below apply if everything in policy is set to DROP
#
# Firewall to the net: only the web (DEST column "net" restored; the flattened
# page had lost it, which Shorewall would reject as a malformed rule)
ACCEPT        $FW      net    tcp     80         -
#
# Local to the firewall: only certain services
ACCEPT        loc      $FW    tcp     80         -
ACCEPT        loc      $FW    tcp     25         -
ACCEPT        loc      $FW    tcp     110        -
ACCEPT        loc      $FW    tcp     ftp        -
ACCEPT        loc      $FW    tcp     ftp-data   -
ACCEPT        loc      $FW    tcp     webmin     -
#
# Local to the Internet: web and ftp
ACCEPT        loc      net    tcp     80         -
ACCEPT        loc      net    tcp     ftp        -
ACCEPT        loc      net    tcp     ftp-data   -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# /etc/shorewall/tunnels -- a PPTP server reachable from the whole net zone
#TYPE        ZONE   GATEWAY   GATEWAY ZONE
pptpserver   net
#
# Shorewall 1.3 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
#          file and 80% of those who try to add such entries get it
#          wrong. Unless you are ABSOLUTELY SURE that you need entries
#          in this file, don't touch it!
#
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
#   ZONE    - The name of a zone defined in /etc/shorewall/zones
#
#   HOST(S) - The name of an interface followed by a colon (":") and
#             either:
#
#               a) The IP address of a host
#               b) A subnetwork in the form
#                  /
#
#             The interface must be defined in the
#             /etc/shorewall/interfaces file.
#
#             Examples:
#
#               eth1:192.168.1.3
#               eth2:192.168.2.0/24
#
#   OPTIONS - A comma-separated list of options. Currently-defined
#             options are:
#
#               routestopped - (Deprecated -- use
#                              /etc/shorewall/routestopped)
#                              route messages to and from this
#                              member when the firewall is in the
#                              stopped state
#               maclist      - Connection requests from these hosts
#                              are compared against the contents of
#                              /etc/shorewall/maclist. If this option
#                              is specified, the interface must be
#                              an ethernet NIC and must be up before
#                              Shorewall is started.
#
#
#ZONE   HOST(S)                 OPTIONS
loc     eth0:192.168.1.0/24     routestopped
loc     ppp+:192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
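The interfaces, hosts, policy and rules files above interact in a fixed order: the arriving interface (and, for the `-` entry `ppp+`, the hosts file) decides the source zone, the rules file is searched first, and only a miss falls through to the first matching policy line. The evaluator below is an added example, not part of the original page or of Shorewall itself; it replays that decision order over constructed copies of the page's own tables, so the reader can see why the PPTP lines (TCP 1723 plus GRE, protocol 47) are the only way into the firewall from `net`, and why the `loc` rules never matter while the `loc` policies are `ACCEPT`. The service-name table, the simplified first-match semantics and the omission of `common[.def]`, connection tracking and logging are assumptions of this example.

```python
# Added example (not part of the original page or of Shorewall): a small
# evaluator that mimics how Shorewall 1.3 decides the fate of a NEW
# connection using the zones, interfaces, hosts, policy and rules shown
# above. Assumptions: first matching rule wins, the policy file is consulted
# only when no rule matches, and a '-' zone in the interfaces file is
# resolved through /etc/shorewall/hosts. common[.def], connection tracking
# and logging are ignored.
from fnmatch import fnmatch
import ipaddress

# Service names used in the page's rules, resolved to port numbers (constructed table)
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110, "webmin": 10000}

# Constructed copies of the page's tables, comment lines dropped
INTERFACES = """
loc  eth0  detect
net  dsl0  detect
-    ppp+
"""
HOSTS = """
loc  eth0:192.168.1.0/24  routestopped
loc  ppp+:192.168.1.0/24
"""
POLICY = """
net  all  DROP    info
$FW  all  ACCEPT  -
loc  net  ACCEPT  -
loc  $FW  ACCEPT  -
loc  loc  ACCEPT  -
"""
RULES = """
ACCEPT:info  net  $FW  tcp  1723
ACCEPT:info  net  $FW  47
ACCEPT:info  $FW  net  47
ACCEPT       net  $FW  udp  53   -
ACCEPT       net  $FW  tcp  53   -
ACCEPT       net  $FW  tcp  80   -
ACCEPT       net  $FW  tcp  443  -
ACCEPT       net  $FW  tcp  ftp  -
ACCEPT       loc  $FW  tcp  -    -
ACCEPT       loc  net  tcp  80   -
ACCEPT       loc  net  tcp  ftp  -
"""


def parse_table(text):
    """Split a Shorewall-style table into rows of tokens, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def iface_matches(pattern, iface):
    """Shorewall's trailing '+' is a prefix wildcard: ppp+ matches ppp0, ppp1, ..."""
    return fnmatch(iface, pattern[:-1] + "*") if pattern.endswith("+") else pattern == iface


def zone_of(iface, ip):
    """Return the zone of a packet arriving on iface from ip, or None if it has no zone."""
    addr = ipaddress.ip_address(ip)
    for zone, pattern, *_ in parse_table(INTERFACES):
        if iface_matches(pattern, iface):
            if zone != "-":
                return zone
            # '-' means the zone comes from /etc/shorewall/hosts
            for hzone, spec, *_ in parse_table(HOSTS):
                hpat, net = spec.split(":", 1)
                if iface_matches(hpat, iface) and addr in ipaddress.ip_network(net, strict=False):
                    return hzone
            return None
    return None


def proto_matches(rule_proto, proto):
    return rule_proto in ("-", "all") or rule_proto.lower() == str(proto).lower()


def port_matches(rule_port, dport):
    if rule_port == "-":
        return True
    want = PORT_NAMES.get(rule_port)
    if want is None:
        want = int(rule_port)
    return dport == want


def decide(src, dst, proto, dport=None):
    """Fate of a NEW connection: first matching rule, else first matching policy."""
    for row in parse_table(RULES):
        action, rsrc, rdst, rproto = row[:4]
        rport = row[4] if len(row) > 4 else "-"
        if rsrc == src and rdst == dst and proto_matches(rproto, proto) and port_matches(rport, dport):
            return action.split(":", 1)[0]  # strip the ":info" log level
    for psrc, pdst, policy, *_ in parse_table(POLICY):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return policy
    return "DROP"  # unreachable with a catch-all policy; fail closed otherwise


if __name__ == "__main__":
    for iface, ip, dst, proto, port in [
        ("dsl0", "1.2.3.4", "$FW", "tcp", 1723),      # PPTP control channel
        ("dsl0", "1.2.3.4", "$FW", 47, None),         # GRE carrying the tunnel
        ("dsl0", "1.2.3.4", "$FW", "tcp", 22),        # no rule: net policy -> DROP
        ("ppp1", "192.168.1.62", "net", "tcp", 443),  # no rule, but loc policy is ACCEPT
    ]:
        src = zone_of(iface, ip)
        print(f"{iface}/{ip} ({src}) -> {dst} {proto} {port}: {decide(src, dst, proto, port)}")
```

Running it shows the two halves of the PPTP requirement being accepted, an unlisted port from `net` hitting the `net all DROP` policy, and a VPN client on `ppp1` being placed in `loc` by the hosts file and then reaching port 443 on the Internet through the `loc net ACCEPT` policy even though the rules file only lists 80 and ftp: the commented "here we could use DROP and then define rules" lines in the policy file are exactly what would make those `loc` rules take effect.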
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# Connection sharing from dsl0:0.0.0.0/0 to eth0:192.168.1.0/255.255.255.0
#
# Masquerade the addresses
iptables -t nat -A POSTROUTING -o dsl0 -j MASQUERADE
#
# Limit the number of SYN,ACK,FIN,RST RST packets per second
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#
# Adjust the MTU
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
#
# Redirect masquerading
echo "Application du partage de connexion !"
echo 1 > /proc/sys/net/ipv4/ip_forward