I had to search a lot and experiment in order to manage something that is obviously simple and practical:
leave the shorewall firewall running, but open “holes” from specific IPs (e.g. from work), so that only you can access your server.
Unfortunately, shorewall is quite impractical: it has no user interface and comes with a lot of theory.
The change below affects just one file.
Leave the /etc/shorewall/policy file as it is (it denies or rejects everything) and edit /etc/shorewall/rules so that it contains something like this:
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
#######################################################################################################
#ACTION  SOURCE              DEST  PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME
#                                         PORT   PORT(S)  DEST      LIMIT  GROUP
ACCEPT   net:92.119.205.137  fw    tcp    22
ACCEPT   net:92.119.205.137  fw    tcp    5900
ACCEPT   net:92.119.205.137  fw    tcp    3389
ACCEPT   net:92.119.205.137  fw    tcp    7001
ACCEPT   net:92.119.205.137  fw    tcp    1521
ACCEPT   net:192.168.1.3     fw    tcp    22
ACCEPT   net:192.168.1.3     fw    tcp    5900
ACCEPT   net:192.168.1.3     fw    tcp    3389
ACCEPT   net:192.168.1.3     fw    tcp    7001
ACCEPT   net:192.168.1.3     fw    tcp    1521
ACCEPT   net                 fw    tcp    80
#SECTION ESTABLISHED
#SECTION RELATED
INCLUDE rules.drakx
#LAST LINE -- DO NOT REMOVE
This means:
– open ports 22, 5900, 3389, 7001, 1521 for the internet IP 92.119.205.137
– open ports 22, 5900, 3389, 7001, 1521 for the local IP 192.168.1.3
– open port 80 for every IP on the internet
Note that both the local and the remote IP use the same zone, net (loc is not declared as a zone on my system).
Be careful with the “tab”: each value is separated from the next by a tab.
Of course you need to restart shorewall for the changes to take effect:
service shorewall restart
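As an added example (not part of the original post), the small shell script below generates the ACCEPT lines above from a short allow-list instead of typing each one, writes them tab-separated, and then lists which TCP ports the resulting file opens to the whole net zone rather than to a single host; it runs shorewall check before you restart, when shorewall is installed. The IPs and ports are the ones from the post; the allow-list format and RULES_OUT path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own file: build per-host ACCEPT rules from an
# allow-list and report which ports end up open to the entire "net" zone.

# Assumed allow-list format (constructed here): "<source> <port> [<port> ...]"
# per line; a bare "net" source means every address in the net zone.
ALLOW_LIST='92.119.205.137 22 5900 3389 7001 1521
192.168.1.3 22 5900 3389 7001 1521
net 80'

# gen_rules: one tab-separated ACCEPT line per (source, port) pair, using the
# same columns as the rules file above (ACTION SOURCE DEST PROTO DEST PORT).
gen_rules() {
    printf '%s\n' "$ALLOW_LIST" | while read -r src ports; do
        [ -n "$src" ] || continue
        case "$src" in
            net) zone_src="net" ;;          # whole zone, no host qualifier
            *)   zone_src="net:$src" ;;     # single host inside the net zone
        esac
        for port in $ports; do
            printf 'ACCEPT\t%s\tfw\ttcp\t%s\n' "$zone_src" "$port"
        done
    done
}

# world_open_ports: print the TCP ports that a rules file ACCEPTs from the bare
# "net" zone, i.e. the ports reachable from any internet address.
world_open_ports() {
    awk '$1 == "ACCEPT" && $2 == "net" && $3 == "fw" && $4 == "tcp" { print $5 }' "$1"
}

RULES_OUT="${RULES_OUT:-/tmp/shorewall-rules.example}"   # assumed output path
{
    printf '#ACTION\tSOURCE\tDEST\tPROTO\tDEST PORT\n'
    gen_rules
    printf 'INCLUDE rules.drakx\n#LAST LINE -- DO NOT REMOVE\n'
} > "$RULES_OUT"

echo "Rules written to $RULES_OUT"
echo "TCP ports open to the whole net zone: $(world_open_ports "$RULES_OUT" | tr '\n' ' ')"

# Validate the configuration before restarting; skipped where shorewall is absent.
if command -v shorewall >/dev/null 2>&1; then
    shorewall check
fi
```

Copy the generated lines into /etc/shorewall/rules only after the audit output lists exactly the ports you meant to expose to everyone (here, only 80).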