Shorewall quick setup – RuggedCom RuggedRouter RX1100 User Manual

14. Configuring The Firewall

Revision 1.14.3


RX1000/RX1100™

When connections are attempted from the Internet to the intranet, the NAT gateway will have multiple
hosts on the intranet that could accept the connection. It needs additional information to identify the
specific host to accept the connection.

Suppose that two hosts, 192.168.1.10 and 192.168.1.20 are located behind a NAT gateway having a
public interface of 213.18.101.62. When a connection request for http port 80 arrives at 213.18.101.62,
the NAT gateway could forward the request to either of the hosts (or could accept it itself). Port
forwarding configuration could be used to redirect the requests to port 80 to the first host.

Port forwarding can also remap port numbers. The second host may also need to answer http
requests. As connections to port 80 are directed to the first host, another port number (such as 8080)
can be dedicated to the second host. As requests arrive at the gateway for port 8080, the gateway
remaps the port number to 80 and forwards the request to the second host.

Finally, port forwarding can take the source address into account. Another way to solve the above
problem could be to dedicate two hosts 200.0.0.1 and 200.0.0.2 and have the NAT gateway forward
requests on port 80 from 200.0.0.1 to 192.168.1.10 and from 200.0.0.2 to 192.168.1.20.

14.3. Shorewall Quick Setup

For users familiar with Shorewall, the following serves as a reminder of how to build the firewall.
New users may wish to read the ShoreWall Terminology And Concepts section before continuing.

1. Logically partition your network into zones. Will you establish a DMZ? Will all Ethernet
interfaces need to forward traffic to the public network? Which interfaces are to be treated
in a similar fashion?

2. Assign your interfaces to the zones. If using T1/E1, have you created your T1/E1 interfaces
prior to building the firewall?

3. Set the default policies for traffic from zone to zone to be as restrictive as possible. Has the
local zone been blocked from connecting to the DMZ or firewall? Does the DMZ or
firewall need to accept connections? Which connections should be dropped and which reset?
What logs are kept?

4. How is the network interface IP assigned, i.e. dynamically or statically? Do hosts at the central
site need to know the local address?

5. If your network interface IP is dynamically assigned, configure masquerading.

6. If your network interface IP is statically assigned, configure Source Network Address
Translation (SNAT). If a sufficient number of IP addresses are provided by the ISP, static NAT
can be employed instead.

7. If your hosts must accept sessions from the Internet, configure the rules file to support
Destination Network Address Translation (DNAT). Which hosts need to accept connections,
from whom and on which ports?

8. Configure the rules file to override the default policies. Have external connections been limited
to approved IP address ranges? Have all but the required protocols been blocked?

9. If you are supporting a VPN, add additional rules.

10. Check the configuration using the Shorewall Firewall menu, “Check Firewall” button.
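As an added illustration (not the manual's own configuration, which on the router is edited through the Shorewall Firewall menu rather than by hand), the steps above and the two-host port-forwarding example from section 14.2 written as standard Shorewall text configuration. The interface names eth0/eth1, the 192.168.1.0/24 local subnet and the 203.0.113.0/24 "approved" management range are assumptions; the host and gateway addresses are the ones used in the text.

```text
# /etc/shorewall/zones  -- step 1: fw is Shorewall's own firewall zone
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces  -- step 2 (interface names assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/policy  -- step 3: restrictive defaults, first match wins
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  -- step 5/6: hide the local subnet behind eth0.
# Leave ADDRESS empty to masquerade (dynamic IP); give the static public
# address to SNAT instead.
#INTERFACE  SOURCE          ADDRESS
eth0        192.168.1.0/24  213.18.101.62

# /etc/shorewall/rules  -- steps 7 and 8
#ACTION SOURCE                  DEST                 PROTO  DEST   SOURCE  ORIGINAL
#                                                           PORT   PORT    DEST
# Variant 1: port 80 on the gateway goes to the first host
DNAT    net                     loc:192.168.1.10     tcp    80
# Variant 2: port 8080 is remapped to port 80 on the second host
DNAT    net                     loc:192.168.1.20:80  tcp    8080
# Variant 3 (alternative to variant 1, so shown commented out): choose the
# host by the public address the request arrived on; 200.0.0.1 and
# 200.0.0.2 must both be configured on eth0.
#DNAT   net                     loc:192.168.1.10     tcp    80     -       200.0.0.1
#DNAT   net                     loc:192.168.1.20     tcp    80     -       200.0.0.2
# Step 8: management access to the firewall only from an approved range
ACCEPT  net:203.0.113.0/24      $FW                  tcp    22
```

Run `shorewall check` (the equivalent of the “Check Firewall” button) before `shorewall restart`; note that a DNAT rule without an ORIGINAL DEST matches every public address, so variant 1 and variant 3 must not both be active for port 80.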
