You could just permit your local network globally. I don't use packaged firewalls like Shorewall, but the relevant iptables rule would be something like
Code:
/sbin/iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
That allows all traffic originating on the 192.168.1.0/24 network. If the forwarding router is also in the same network space, which I'd guess it is, then you'd probably need something more limiting like
Code:
/sbin/iptables -A INPUT -s 192.168.1.1 -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.1 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.1 -j REJECT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
That permits traffic from the router on ports 21, 22, and 80 and rejects any other traffic coming in from the Internet. All the machines on the local network are permitted.
Of course, it might be easier to do all this on the router and use no firewall on the Ubuntu box.
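As an added example (not the poster's own commands), here is the same policy as a small script that goes a bit beyond the rules above: it sets a default-deny INPUT policy, accepts loopback and established/related connections first, then limits router-originated traffic to the listed ports and rejects the rest of it before permitting the remainder of the LAN. The network, router address and port list are assumptions exposed as variables (defaults taken from the post), the conntrack match is assumed to be available, and DRY_RUN=1 prints the commands instead of applying them so the rule order can be checked without root.

```shell
#!/bin/sh
# Added example: stateful default-deny INPUT chain around the post's rules.
# Assumed values (override via environment): LAN network, router address, ports
# the router may reach. The post's premise that forwarded Internet traffic shows
# up with the router's LAN address as its source is kept as-is.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
ROUTER_PORTS="${ROUTER_PORTS:-21 22 80}"
IPT="/sbin/iptables"

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_input_rules() {
    # Default-deny first so a flush never leaves the host briefly wide open.
    ipt -P INPUT DROP
    ipt -F INPUT
    # Local traffic and replies to connections we initiated are always fine.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New connections from the router only on the permitted ports...
    for port in $ROUTER_PORTS; do
        ipt -A INPUT -s "$ROUTER_IP" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # ...and nothing else from the router. This must precede the LAN rule.
    ipt -A INPUT -s "$ROUTER_IP" -j REJECT
    # Everything else on the local network is trusted.
    ipt -A INPUT -s "$LAN_NET" -j ACCEPT
    # Rate-limited log of whatever falls through to the DROP policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Usage: DRY_RUN=1 sh firewall.sh   (preview)   |   sh firewall.sh   (apply as root)
if [ "${0##*/}" = "firewall.sh" ]; then
    build_input_rules
fi
```

Run it with DRY_RUN=1 first and read the printed order: the router REJECT line has to appear before the LAN ACCEPT line, otherwise the broader rule matches first and the port restriction never applies.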