Rules – RuggedCom RuggedRouter RX1000 User Manual

Chapter 11 – Configuring The Firewall

2) In this SNAT rule a static address of 66.11.180.161 is acquired from the ISP.

Traffic from the subnet handled by eth2 should be translated to 66.11.180.161 as it
sent to the Internet over ppp. The + at the end of “ppp+” causes Shorewall to
match any ppp interface.

3) This example is much the same as the previous one only the subnet is explicitly

described, and could include traffic from any of the Ethernet ports.

4) In this SNAT rule, traffic from the subnet handled by only port eth1 should be

translated to 100.1.101.16 as it sent to the Internet on t1/e1 port w1ppp.

5) This example is much the same as the previous one excepting that only smtp from

eth1 will be allowed.

Masquerading and SNAT rules are defined in the file /etc/shorewall/masq and are
modified from the Masquerading menu.

Rules

The default policies can completely configure traffic based upon zones. But the
default policies cannot take into account criteria such as the type of protocol, IP
source/destination addresses and the need to perform special actions such as port
forwarding. The Shorewall rules can accomplish this.
The Shorewall rules provide exceptions to the default policies. In actuality, when a
connection request arrives the rules file is inspected first. If no match is found then
the default policy is applied. Rules are of the form:
Action

Source-Zone Destination-Zone Protocol Destination-Port Source-

Port Original-Destination-IP Rate-Limit User-Group
Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-,
CONTINUE, LOG and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and
QUEUE actions are not widely used used and are not described here.

Action

Description

ACCEPT

Allow the connection request to proceed.

DROP

The connection request is simply ignored. No notification is made to
the requesting client.

REJECT

The connection request is rejected with an RST (TCP) or an ICMP
destination-unreachable packet being returned to the client.

DNAT

Forward the request to another system (and optionally another port).

REDIRECT Redirect the request to a local tcp port number on the local firewall.

This is most often used to “remap” port numbers for services on the
firewall itself.

The remaining fields of a rule are as described below:

Action

The action as described in the previous table.

Source-Zone

The zone the connection originated from.

Destination-Zone The zone the connection is destined for.
Protocol

The tcp or udp protocol type.

Destination-Port The tcp/udp port the connection is destined for.

RuggedCom 109