root@hubot-vps:~# tail /var/log/syslog
May 12 18:08:19 hubot-vps postfix/smtpd[2887]: disconnect from unknown[208.79.218.105]
May 12 18:08:19 hubot-vps postfix/smtpd[2887]: disconnect from unknown[208.79.218.105]
May 12 18:08:27 hubot-vps kernel: [1255643.491579] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:b8:c4:02:00:16:9c:6f:d4:80:08:00 SRC=109.162.13.89 DST=81.2.239.96 LEN=40 TOS=0x08 PREC=0x20 TTL=57 ID=52666 PROTO=TCP SPT=29073 DPT=23 WINDOW=16807 RES=0x00 SYN URGP=0
May 12 18:08:27 hubot-vps kernel: [1255643.491579] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:b8:c4:02:00:16:9c:6f:d4:80:08:00 SRC=109.162.13.89 DST=81.2.239.96 LEN=40 TOS=0x08 PREC=0x20 TTL=57 ID=52666 PROTO=TCP SPT=29073 DPT=23 WINDOW=16807 RES=0x00 SYN URGP=0
May 12 18:09:01 hubot-vps CRON[2893]: (root) CMD ( [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean)
May 12 18:09:01 hubot-vps CRON[2893]: (root) CMD ( [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean)
May 12 18:09:16 hubot-vps kernel: [1255691.690116] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:b8:c4:02:00:14:a9:11:7a:80:08:00 SRC=187.75.196.246 DST=81.2.239.96 LEN=44 TOS=0x08 PREC=0x40 TTL=44 ID=41396 PROTO=TCP SPT=38443 DPT=23 WINDOW=36147 RES=0x00 SYN URGP=0
May 12 18:09:16 hubot-vps kernel: [1255691.690116] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:b8:c4:02:00:14:a9:11:7a:80:08:00 SRC=187.75.196.246 DST=81.2.239.96 LEN=44 TOS=0x08 PREC=0x40 TTL=44 ID=41396 PROTO=TCP SPT=38443 DPT=23 WINDOW=36147 RES=0x00 SYN URGP=0
May 12 18:09:45 hubot-vps kernel: [1255721.019364] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:b8:c4:02:00:16:9c:6f:d4:80:08:00 SRC=109.162.13.89 DST=81.2.239.96 LEN=40 TOS=0x08 PREC=0x20 TTL=57 ID=52666 PROTO=TCP SPT=29073 DPT=23 WINDOW=16807 RES=0x00 SYN URGP=0
May 12 18:09:45 hubot-vps kernel: [1255721.019364] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:b8:c4:02:00:16:9c:6f:d4:80:08:00 SRC=109.162.13.89 DST=81.2.239.96 LEN=40 TOS=0x08 PREC=0x20 TTL=57 ID=52666 PROTO=TCP SPT=29073 DPT=23 WINDOW=16807 RES=0x00 SYN URGP=0
root@hubot-vps:~# ip route
default via 81.2.239.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
81.2.239.0/24 dev eth0 proto kernel scope link src 81.2.239.96
root@hubot-vps:~# cat /etc/shorewall/tunnels
#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:7480 net 0.0.0.0/0
root@hubot-vps:~# cat /etc/shorewall/interfaces
#
# Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
vpn tun0 routefilter,dhcp,tcpflags,logmartians,nosmurfs
root@hubot-vps:~# cat /etc/shorewall/zones
#
# Shorewall version 4.0 - Sample Zones File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#-----------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
vpn ipv4
root@hubot-vps:~# cat /etc/shorewall/hosts
#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,95.155.90.197 ipsec
root@hubot-vps:~# cat /etc/shorewall/policy
#
# Shorewall version 4.0 - Sample Policy File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#-----------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
$FW vpn ACCEPT
vpn $FW ACCEPT info
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
root@hubot-vps:~# cat /etc/shorewall/rules
#
# Shorewall version 4.0 - Sample Rules File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERSSWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
Ping(ACCEPT) net all { RATE=d:ping:2/sec:10 }
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Drop packets in the INVALID state
Invalid(DROP) net $FW tcp
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
# DNS (accept DNS queries)
DNS(ACCEPT) all $FW
# SSH (we allow login SSH)
SSH(ACCEPT) all $FW
# FTP (we allow login FTP)
FTP(DROP) all $FW
# WEB (the whole world can visit our web server on ports 80 and 443)
HTTP(ACCEPT) all $FW
HTTPS(ACCEPT) all $FW
# Mail (we accept mail)
SMTP/ACCEPT all $FW
SMTPS/ACCEPT all $FW
POP3/ACCEPT all $FW
POP3S/ACCEPT all $FW
IMAP/ACCEPT all $FW
IMAPS/ACCEPT all $FW
# ZNC (IRC bouncer)
ACCEPT all $FW tcp 1025
# Glassfish admin console
DROP all $FW tcp 4848
# Glassfish server port (8080)
ACCEPT all $FW tcp 8080
# JEE (development container of JEE)
DROP all $FW tcp 24848
DROP all $FW tcp 28080
DROP all $FW tcp 28181
DROP all $FW tcp 23700
DROP all $FW tcp 23820
DROP all $FW tcp 23920
DROP all $FW tcp 29009
DROP all $FW tcp 27676
DROP all $FW tcp 28686
DROP all $FW tcp 26666
# Accept traffic from VPN
ACCEPT:info net $FW udp 7480
ACCEPT:info vpn $FW
ACCEPT:info $FW vpn
Pobierz program!
