My network address is 192.168.5.0. My host machine is 192.168.5.1 and my client machine is 192.168.5.2. Currently, my client is unable to use the internet browser and even ping the internet. The client can ping the host machine in the local network.

How can I enable my client to ping the internet through a terminal and restrict it to use the browser or port 80 using Shorewall? Below are my configuration files:

/etc/shorewall/interfaces file:

#ZONE     INTERFACE
net       eth0
loc       eth1

The eth0 interface is the one connected to the internet while eth1 is connected to the local network.

/etc/shorewall/zones file:

#ZONE    TYPE
fw       firewall
net      ipv4
loc      ipv4

/etc/shorewall/policy file:
#SOURCE     DEST     POLICY     LOGLEVEL
loc         net      ACCEPT
net         all      DROP       $LOG_LEVEL
all         all      REJECT     $LOG_LEVEL

/etc/shorewall/rules file:

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

DNS(ACCEPT)     $FW    net
SSH(ACCEPT)     loc    $FW
PING(ACCEPT)    loc    $FW
PING(DROP)      net    $FW

ACCEPT    $FW    loc    icmp
ACCEPT    $FW    net    icmp

Any help would be very much appreciated.

alyssaeliyah

Your default policy for local to internet is all allowed. Which means you will need to add a drop rule for lan to net to block anything in particular. Have a look at my updated answer. – Diamond Mar 21 '19 at 13:35

1 Answer

I would recommend you check this page if you haven't done so already:

http://www.shorewall.org/two-interface.htm

The basics are explained here with examples.

Depending on your version, there are also sample files you can copy and customize from:

/usr/share/doc/shorewall/examples/two-interfaces

From a quick look, it seems to me the following are missing:

  1. Masquerading/NAT (snat or masq file depending on your version).
  2. IP_Forwarding=ON in shorewall.conf.
  3. Service Shorewall to start automatically on boot.

Addition1: Please also check the correct spelling for the shorewall macros you are using. For example:

Ping (and not PING)

Addition2: Your default policy for local to internet is all allowed:

/etc/shorewall/policy file:
#SOURCE     DEST     POLICY     LOGLEVEL
loc         net      ACCEPT

This means that by default everything from the local network to the internet will be allowed through the firewall. Now if you want to block something, let's say port 80, you will need to put a block rule on top. For example:

HTTP(DROP)    loc    net

And you don't need any extra allow rule for ping from lan to net.

Diamond
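As an added example (not from the question or from Diamond's answer), the POSIX shell script below writes the combined fix the answer lists into a staging directory and sanity-checks it: a MASQUERADE entry in the snat file, IP_FORWARDING=Yes in shorewall.conf, the HTTP(DROP) loc net rule that carves port 80 out of the loc-to-net ACCEPT policy, and the macro names spelled as the macro files are (Ping, not PING). The staging directory, the `info` log level used in place of $LOG_LEVEL, and the fallback list of macro names used when Shorewall is not installed are assumptions; the addresses and interfaces are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer: stage a corrected two-interface
# Shorewall configuration in a scratch directory, then sanity-check it before
# anything is copied to /etc/shorewall. Assumes Shorewall 5.x (the snat file);
# on Shorewall 4.x the same entry goes in the masq file as "eth0  192.168.5.0/24".
# Addresses and interfaces are the ones from the question.

LAN_NET="192.168.5.0/24"   # the loc zone behind eth1
WAN_IF="eth0"              # the net zone interface

# Write zones, interfaces, policy, rules, snat and shorewall.conf into "$1".
stage_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE
net     eth0
loc     eth1
EOF

    # loc->net stays ACCEPT; exceptions go in rules, which are matched first.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOGLEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF

    # Rules are evaluated before the policy and first match wins, so HTTP(DROP)
    # removes port 80 from the loc->net ACCEPT while ping still passes.
    # Macro names are case-sensitive (/usr/share/shorewall/macro.Ping), hence "Ping".
    cat > "$dir/rules" <<'EOF'
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# block web traffic (TCP/80) from the LAN; add HTTPS(DROP) loc net for 443
HTTP(DROP)      loc     net
Ping(ACCEPT)    loc     $FW
Ping(DROP)      net     $FW
DNS(ACCEPT)     $FW     net
SSH(ACCEPT)     loc     $FW
ACCEPT          $FW     loc     icmp
ACCEPT          $FW     net     icmp
EOF

    # Without masquerading, forwarded packets leave with 192.168.5.x source
    # addresses and the replies never come back.
    cat > "$dir/snat" <<EOF
#ACTION       SOURCE          DEST
MASQUERADE    $LAN_NET        $WAN_IF
EOF

    # Start from the distribution sample shorewall.conf when available and force
    # IP_FORWARDING=Yes so Shorewall turns on kernel forwarding when it starts.
    src=/usr/share/doc/shorewall/examples/two-interfaces/shorewall.conf
    if [ -r "$src" ]; then cp "$src" "$dir/shorewall.conf"; else : > "$dir/shorewall.conf"; fi
    { grep -v '^IP_FORWARDING=' "$dir/shorewall.conf" || true; echo 'IP_FORWARDING=Yes'; } > "$dir/shorewall.conf.tmp"
    mv "$dir/shorewall.conf.tmp" "$dir/shorewall.conf"
}

# Check a staged directory: every macro used in rules exists (against the
# installed macro files, or a constructed list of real macro names when
# Shorewall is not installed), NAT and forwarding are set, and the HTTP block is there.
check_stage() {
    dir="$1"; rc=0
    known="DNS SSH Ping HTTP HTTPS"   # constructed fallback list
    for m in $(sed -n 's/^\([A-Za-z0-9]*\)(.*/\1/p' "$dir/rules"); do
        if [ -d /usr/share/shorewall ]; then
            [ -f "/usr/share/shorewall/macro.$m" ] || { echo "unknown macro: $m"; rc=1; }
        else
            case " $known " in *" $m "*) ;; *) echo "unknown macro: $m"; rc=1 ;; esac
        fi
    done
    grep -q '^MASQUERADE' "$dir/snat"                  || { echo "no MASQUERADE entry in snat"; rc=1; }
    grep -q '^IP_FORWARDING=Yes' "$dir/shorewall.conf" || { echo "IP_FORWARDING is not Yes"; rc=1; }
    grep -q '^HTTP(DROP)[[:space:]]*loc[[:space:]]*net' "$dir/rules" || { echo "no HTTP(DROP) loc net rule"; rc=1; }
    return $rc
}

# Usage: sh stage_shorewall.sh /tmp/shorewall-stage
if [ -n "${1:-}" ]; then
    stage_config "$1" && check_stage "$1" && echo "staged in $1: review it, run 'shorewall check $1', then copy to /etc/shorewall and run 'shorewall restart'"
fi
```

Once the staged directory passes check_stage, `shorewall check <directory>` compiles it without touching the running firewall; only after that are the files copied to /etc/shorewall and Shorewall restarted. Because rules are matched before the policy, the single HTTP(DROP) line is all the port 80 block needs, and ping from the LAN to the internet keeps working under the loc-to-net ACCEPT policy without any extra rule.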