RuggedRouter® User Guide
5) This example is much the same as the previous one excepting that only smtp from
eth1 will be allowed.
Masquerading and SNAT rules are defined in the file /etc/shorewall/masq and are
modified from the Masquerading menu.
Rules
The default policies can completely configure traffic based upon zones. But the
default policies cannot take into account criteria such as the type of protocol, IP
source/destination addresses and the need to perform special actions such as port
forwarding. The Shorewall rules can accomplish this.
The Shorewall rules provide exceptions to the default policies. In actuality, when a
connection request arrives the rules file is inspected first. If no match is found then
the default policy is applied. Rules are of the form:
Action Source-Zone Destination-Zone Protocol Destination-Port Source-
Port Original-Destination-IP Rate-Limit User-Group
Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-,
CONTINUE, LOG and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and
QUEUE actions are not widely used used and are not described here.
Action Description
ACCEPT Allow the connection request to proceed.
DROP The connection request is simply ignored. No notification is made to
the requesting client.
REJECT The connection request is rejected with an RST (TCP) or an ICMP
destination-unreachable packet being returned to the client.
DNAT Forward the request to another system (and optionally another port).
REDIRECT Redirect the request to a local tcp port number on the local firewall.
This is most often used to “remap” port numbers for services on the
firewall itself.
The remaining fields of a rule are as described below:
Action The action as described in the previous table.
Source-Zone The zone the connection originated from.
Destination-Zone The zone the connection is destined for.
Protocol The tcp or udp protocol type.
Destination-Port The tcp/udp port the connection is destined for.
Source-Port The tcp/udp port the connection originated from.
Original-
Destination-IP
The destination IP address in the connection request as it was
received by the firewall.
Rate-Limit A specification which allows the rate at which connections are
made to be limited.
User-Group A method of limiting outbound traffic from the firewall to a
specific user, group of users and a specific application.
116 RuggedCom