Shorewall 5 on EL7

From AN!Wiki

This covers setup and maintenance of Shorewall 5 on Enterprise Linux 7.x (RHEL, CentOS and derivatives).

This tutorial introduces the basic concepts of firewalling by taking an Internet connection and sharing it with a local subnetwork of computers. The firewall will also act as the DHCP server for the internal network. This combination of DHCP server and Internet routing covers the most common use case for Shorewall: acting as a traditional Internet router.


Install

Install is trivial via the EPEL repository.

Adding the EPEL Repo

If your firewall does not yet have EPEL installed, do so now:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Rename Interfaces

For this tutorial, we will use two network interfaces. To make them easier to track, rename the two interfaces to reflect their role. We will use lan0 for the internal network and wan0 for the interface connected to the outside Internet.

If you are unfamiliar with renaming interfaces in EL7, please pause and follow this tutorial:

Install Shorewall 5

Now install Shorewall 5 and, while we're at it, the DHCP server as well.

yum install shorewall dhcp

That was easy.

Setup

You need to decide which interface will carry your Internet connection and which will connect to your internal network. For this tutorial:

  • lan0: faces the internal network, has the IP 10.200.255.254/16 and provides DHCP services to the LAN.
  • wan0: faces the Internet.

Configuring Shorewall

All configuration files live in the /etc/shorewall directory unless otherwise stated. The main Shorewall configuration file, which we will edit last, is /etc/shorewall/shorewall.conf.

The files to edit are listed in the order we will edit them in the following subsections.

Backups

Before we start, we will create a backups directory and save original copies of the files there.

mkdir /etc/shorewall/backups
cp /etc/shorewall/zones /etc/shorewall/backups/
cp /etc/shorewall/interfaces /etc/shorewall/backups/
cp /etc/shorewall/policy /etc/shorewall/backups/
cp /etc/shorewall/rules /etc/shorewall/backups/
cp /etc/shorewall/masq /etc/shorewall/backups/
cp /etc/shorewall/shorewall.conf /etc/shorewall/backups/

zones

This file declares the zones Shorewall works with. The fw zone is special: it is the firewall machine itself. The wan zone is the Internet-facing network (wan0 in this tutorial). The lan zone is the local network, the internal machines the firewall protects (lan0 in this tutorial). Both wan and lan are ipv4 zones; the binding of zones to physical interfaces comes in the next file.

Append two lines declaring the two ipv4 zones so that the zones file looks like:

###############################################################################
#ZONE		TYPE		OPTIONS		IN_OPTIONS	OUT_OPTIONS
 
fw		firewall
wan		ipv4
lan		ipv4

interfaces

Just above, we told Shorewall that we have two new ipv4 zones. In the interfaces configuration file, we link these zones to physical interfaces.

To link the new networks to the physical interfaces, append the following entries so that the interfaces file looks like:

?FORMAT 2
###############################################################################
#ZONE		INTERFACE		OPTIONS
lan		lan0			dhcp
wan		wan0

policy

Here you tell Shorewall the default action for new connection requests between each pair of zones, used whenever nothing in the rules file matches. You don't need to worry about ESTABLISHED and RELATED connections; Shorewall handles those itself. The choices are:

Action Description
ACCEPT Accept the connection.
DROP Ignore the connection request.
REJECT Return an appropriate error to the connection request.

You can also set the log level for connection requests that fall through the rules and hit these policies. It's a good idea to log at the info level so you can see who is probing the firewall. The downside of logging is that it pushes a lot of data into the log files, which can make debugging other issues on the firewall harder; the LOGLIMIT setting in shorewall.conf caps the rate if that becomes a problem. It's up to you in the end.

Append the following default policies so that the policy file looks like:

###############################################################################
#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
 
# Let everything from the firewall machine out onto the WAN.
fw		wan		ACCEPT
 
# Likewise, allow everything from the firewall out onto the local network.
fw		lan		ACCEPT
 
# Don't allow incoming connections from the WAN into the firewall *or* into the
# local network. The 'info' log level records each dropped attempt; remove it
# if the noise is too much.
wan		all		DROP	info
 
# Don't allow new connections from the local network into the firewall itself;
# the exceptions (SSH, DHCP) come from the rules file. REJECT instead of DROP
# would give LAN clients an immediate error rather than a timeout.
lan		fw		DROP
 
# Let machines on the local network out onto the web
lan		wan		ACCEPT

rules

This is really the heart of the firewall.

Here you tell Shorewall what exceptions there are to the default policies. Rules are evaluated in order and the first rule to match is used.

The example below shows a setup where remote access into the firewall itself is allowed only on TCP port 22000 (a non-standard SSH port). It also includes a commented-out example of forwarding external TCP port 3022 to an internal server on the private network that listens on the standard SSH port, TCP 22.

This example can be adapted to any other service: add one entry per line, choosing the external port and pointing it at the internal machine's IP address and the TCP port its server listens on. You can use the same external and internal port if you want the connection to be seamless for external users. Keep in mind that a port forward admits traffic from the whole Internet to that internal service; the forwarded service has to be hardened on its own (for SSH, key-only authentication), because the firewall no longer stands in front of it.

We'll also add a couple of special rules telling Shorewall to respond to ICMP echo (ping) requests. Some people don't like this, as ping sweeps are a quick way for attackers to find hosts on the net. Personally, I find being able to ping my firewall more beneficial than the risk warrants. Also, "security through obscurity is no security at all".

Append rules so that the file looks like:

vim /etc/shorewall/rules
##############################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
 
# Allow pings, because this author finds being able to ping more helpful than
# risky.
Ping(ACCEPT)	wan		fw
Ping(ACCEPT)	lan		fw
 
# Allow SSH into the firewall from the WAN on port 22000 and from the LAN on
# port 22 and 22000.
ACCEPT		wan		fw		tcp	22000
ACCEPT		lan		fw		tcp	22000
ACCEPT		lan		fw		tcp	22
 
### Example; enable and adapt to your needs.
# Forward SSH connections arriving from the WAN on external port 3022 to an
# internal server at 10.200.255.250, port 22. Port forwarding is a DNAT rule,
# not ACCEPT, and the PROTO column must be filled in.
#DNAT		wan		lan:10.200.255.250:22	tcp	3022

masq

This file handles masquerading (source NAT) for the machines on the local LAN (the lan zone): packets leaving through wan0 get the firewall's public address as their source, which is how Shorewall gives an entire subnet Internet access through one address.

So to enable Internet access for your machines, add a line with the Internet-facing interface followed by the subnet of the local network to be masqueraded.

Append to masq so that the file looks like:

vim /etc/shorewall/masq
###################################################################################################################################
#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
wan0			10.200.0.0/16
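Before handing the five files above to Shorewall, it is worth cross-reading them for the mistakes that bite in practice: a zone name typed differently in two files, an ACCEPT policy from the Internet-facing zone, a policy that can never fire because an earlier "all" entry already matches, a port forward written as ACCEPT instead of DNAT, or a DNAT target that is not on the masqueraded subnet. The script below is an added example (not part of Shorewall and not from this wiki); it embeds the tutorial's own file contents as constructed strings, with the DNAT example uncommented so there is a port forward to examine, and assumes that the zone called wan is the untrusted one. It only checks consistency; `shorewall check` still does the real compile. It runs on the Python 2.7 that EL7 ships with as well as on Python 3.

```python
"""Cross-check of the five Shorewall files written above.

Added example; not part of Shorewall and not a substitute for 'shorewall check',
which actually compiles the configuration. Works on the Python 2.7 that ships
with EL7 as well as on Python 3.
"""

# Sample input constructed from the tutorial's own files. The DNAT example is
# uncommented here so that the check has a port forward to look at.
ZONES = """
fw   firewall
wan  ipv4
lan  ipv4
"""
INTERFACES = """
?FORMAT 2
lan  lan0  dhcp
wan  wan0
"""
POLICY = """
fw   wan  ACCEPT
fw   lan  ACCEPT
wan  all  DROP   info
lan  fw   DROP
lan  wan  ACCEPT
"""
RULES = """
?SECTION NEW
Ping(ACCEPT)  wan  fw
Ping(ACCEPT)  lan  fw
ACCEPT  wan  fw  tcp  22000
ACCEPT  lan  fw  tcp  22000
ACCEPT  lan  fw  tcp  22
DNAT    wan  lan:10.200.255.250:22  tcp  3022
"""
MASQ = """
wan0  10.200.0.0/16
"""

def entries(text):
    """Columns of each active line; blanks, comments and ?directives are skipped."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line and not line.startswith('?'):
            yield line.split()

def zone_names(field):
    """'lan:10.200.255.250:22' -> ['lan'];  'lan,wan' -> ['lan', 'wan']."""
    return [part.split(':', 1)[0] for part in field.split(',')]

def in_cidr(ip, cidr):
    """True if dotted-quad ip lies inside cidr (integer math, no ipaddress module)."""
    to_int = lambda a: sum(int(o) << s for o, s in zip(a.split('.'), (24, 16, 8, 0)))
    net, bits = cidr.split('/')
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return to_int(ip) & mask == to_int(net) & mask

def lint(zones, interfaces, policy, rules, masq, untrusted=('wan',)):
    """Return a list of findings; an empty list means the files agree with each other."""
    findings = []
    declared = set(c[0] for c in entries(zones))
    iface_zone = dict((c[1], c[0]) for c in entries(interfaces))
    # Every zone named in interfaces, policy or rules must be declared in zones.
    used = set(iface_zone.values())
    for c in entries(policy):
        used.update(zone_names(c[0]) + zone_names(c[1]))
    for c in entries(rules):
        used.update(zone_names(c[1]) + zone_names(c[2]))
    for z in sorted(used - declared - set(['all', 'any', 'none'])):
        findings.append('undeclared zone: ' + z)
    # Policies: first match wins, so an ACCEPT from the untrusted zone opens
    # everything and an entry covered by an earlier 'all' entry never fires.
    seen = []
    for c in entries(policy):
        src, dst, action = c[0], c[1], c[2].upper()
        if src in untrusted and action == 'ACCEPT':
            findings.append('policy: ACCEPT from untrusted zone {0} to {1}'.format(src, dst))
        for psrc, pdst in seen:
            if psrc in (src, 'all') and pdst in (dst, 'all'):
                findings.append('policy: {0} {1} shadowed by earlier {2} {3}'.format(src, dst, psrc, pdst))
                break
        seen.append((src, dst))
    # masq must name a known interface; a port in DEST only makes sense for
    # DNAT/REDIRECT; a DNAT target should sit inside a masqueraded subnet.
    nets = [c[1] for c in entries(masq) if '/' in c[1]]
    for c in entries(masq):
        if c[0] not in iface_zone:
            findings.append('masq: interface {0} is not in the interfaces file'.format(c[0]))
    for c in entries(rules):
        action, dest = c[0].split('(')[0].upper(), c[2].split(':')
        if len(dest) >= 3 and action not in ('DNAT', 'REDIRECT'):
            findings.append('rules: port in DEST {0} needs DNAT or REDIRECT, not {1}'.format(c[2], action))
        if action == 'DNAT' and len(dest) >= 2 and dest[1].count('.') == 3 \
                and not any(in_cidr(dest[1], n) for n in nets):
            findings.append('rules: DNAT target {0} is outside every masqueraded subnet'.format(dest[1]))
    return findings

if __name__ == '__main__':
    print(lint(ZONES, INTERFACES, POLICY, RULES, MASQ) or 'no findings')
```

With the tutorial's files the script reports nothing; reading the real files instead of the embedded strings is a matter of passing `open('/etc/shorewall/policy').read()` and so on to lint(). The shadowing check reflects Shorewall's first-match policy lookup, so a later `wan fw ACCEPT` after `wan all DROP` is flagged twice: once as an ACCEPT from the untrusted zone and once as dead.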

shorewall.conf

Once you have the above files in place, you need to enable the firewall.

Edit /etc/shorewall/shorewall.conf and change the following lines:

vim /etc/shorewall/shorewall.conf
STARTUP_ENABLED=No

To:

STARTUP_ENABLED=Yes

To keep the noise in the syslog down, we'll tell Shorewall to use a dedicated log file. Note that LOGFILE only tells the shorewall command (show log, logwatch, dump) where to read its messages from; the kernel still hands the LOG entries to rsyslog, so you also need an rsyslog rule that routes messages containing "Shorewall:" to /var/log/shorewall, otherwise they keep landing in /var/log/messages. Change:

LOGFILE=/var/log/messages

To:

LOGFILE=/var/log/shorewall
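Once drops are being logged, the log is something to read, not just to fill. The following is an added example (not Shorewall's code and not from this wiki) that parses the netfilter LOG lines the info level produces, whose prefix is Shorewall:<chain>:<disposition>: followed by IN=, SRC=, DST=, PROTO=, DPT= and similar fields, and aggregates them: drops per source, drops per chain, sources that probed several distinct ports, and internal addresses that outside hosts tried to reach through the firewall (wan-lan drops). The sample lines are constructed with documentation addresses, not a capture from the tutorial host, and the five-port scan threshold is an arbitrary assumption. It reads the log wherever rsyslog puts it and runs on Python 2.7 and 3.

```python
"""Summarise what the firewall dropped, from the Shorewall log.

Added example, not Shorewall code. The 'info' log level produces netfilter
LOG lines prefixed Shorewall:<chain>:<disposition>: followed by IN=, SRC=,
DST=, PROTO=, DPT= and similar fields; this script parses and aggregates
them. Runs on EL7's Python 2.7 and on Python 3.
"""
from __future__ import print_function
import re
from collections import defaultdict

# Constructed sample with documentation addresses, not a capture from the
# tutorial host. The last line is ordinary syslog noise and must be ignored.
SAMPLE_LOG = """\
Jul  2 04:10:01 an-fw05 kernel: Shorewall:wan-fw:DROP:IN=wan0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN URGP=0
Jul  2 04:10:01 an-fw05 kernel: Shorewall:wan-fw:DROP:IN=wan0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Jul  2 04:10:02 an-fw05 kernel: Shorewall:wan-fw:DROP:IN=wan0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=40003 DPT=445 WINDOW=1024 SYN URGP=0
Jul  2 04:10:02 an-fw05 kernel: Shorewall:wan-fw:DROP:IN=wan0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TTL=48 ID=4 PROTO=TCP SPT=40004 DPT=3389 WINDOW=1024 SYN URGP=0
Jul  2 04:10:03 an-fw05 kernel: Shorewall:wan-fw:DROP:IN=wan0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TTL=48 ID=5 PROTO=TCP SPT=40005 DPT=8080 WINDOW=1024 SYN URGP=0
Jul  2 04:11:30 an-fw05 kernel: Shorewall:wan-lan:DROP:IN=wan0 OUT=lan0 SRC=198.51.100.77 DST=10.200.255.250 LEN=60 TTL=52 ID=9 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN URGP=0
Jul  2 04:12:00 an-fw05 kernel: Shorewall:wan-fw:DROP:IN=wan0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=240 ID=7 PROTO=UDP SPT=53 DPT=33434 LEN=40
Jul  2 04:12:05 an-fw05 kernel: Shorewall:logflags:DROP:IN=wan0 OUT= SRC=203.0.113.200 DST=198.51.100.2 LEN=40 TTL=37 ID=0 PROTO=TCP SPT=0 DPT=80 WINDOW=512 SYN URGP=0
Jul  2 04:12:06 an-fw05 systemd[1]: Started Session 12 of user root.
"""

LOG_RE = re.compile(r'Shorewall:(?P<chain>[\w-]+):(?P<disp>[A-Z]+):(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """One log line -> dict of chain, disposition and netfilter fields; None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {'chain': m.group('chain'), 'disposition': m.group('disp')}
    rec.update(FIELD_RE.findall(m.group('rest')))
    return rec


def summarise(text, scan_ports=5):
    """Drops per source and per chain, sources that probed >= scan_ports distinct
    ports, and internal hosts that outside sources tried to reach (wan-lan drops)."""
    per_src, per_chain = defaultdict(int), defaultdict(int)
    ports, lan_targets = defaultdict(set), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['disposition'] not in ('DROP', 'REJECT'):
            continue
        src = rec.get('SRC', '?')
        per_src[src] += 1
        per_chain[rec['chain']] += 1
        if 'DPT' in rec:
            ports[src].add((rec.get('PROTO'), rec['DPT']))
        if rec['chain'] == 'wan-lan':
            lan_targets.add(rec.get('DST'))
    return {
        'per_src': dict(per_src),
        'per_chain': dict(per_chain),
        'scanners': sorted(s for s, p in ports.items() if len(p) >= scan_ports),
        'lan_targets': sorted(lan_targets),
    }


if __name__ == '__main__':
    summary = summarise(SAMPLE_LOG)
    for key in ('per_chain', 'per_src', 'scanners', 'lan_targets'):
        print(key, summary[key])
```

Running it against the real file (`summarise(open('/var/log/shorewall').read())`) gives a quick picture of who is knocking; the wan-lan and logflags chains are worth watching separately, since the first means someone addressed a packet at an internal host and the second means malformed TCP flags, which normal clients do not send.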

Starting the Firewall

Disable firewalld

Before we can start using Shorewall, we need to stop and disable firewalld, the firewall that EL7 ships with. Both manage the same iptables rules and must not run at the same time.

systemctl stop firewalld
systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

Make sure the firewall is off.

systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
 
Jul 02 02:11:20 an-fw05.alteeve.ca systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 02 02:11:21 an-fw05.alteeve.ca systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 02 03:56:48 an-fw05.alteeve.ca systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jul 02 03:56:50 an-fw05.alteeve.ca systemd[1]: Stopped firewalld - dynamic firewall daemon.

We can confirm by looking at iptables-save, which should print nothing:

iptables-save
# No output

Starting shorewall

Warning: If there are any problems, this might well lock you out of your firewall. Be sure you have direct (console) access to the firewall before proceeding! Run shorewall check first; it compiles the configuration without loading it and reports errors. For the first load, consider shorewall safe-start instead of systemctl: it installs the rules, asks you to confirm them, and reverts to the previous rule set if you cannot answer.

To start the firewall, simply run:

systemctl start shorewall
systemctl enable shorewall
Created symlink from /etc/systemd/system/basic.target.wants/shorewall.service to /usr/lib/systemd/system/shorewall.service.

Verify that it is running and enabled:

systemctl status shorewall
● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2016-07-02 03:59:53 EDT; 53s ago
 Main PID: 1568 (code=exited, status=0/SUCCESS)
 
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Route Filtering...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Martian Logging...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Proxy ARP...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Preparing iptables-restore input...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Running /sbin/iptables-restore ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: IPv4 Forwarding Enabled
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/start ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/started ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: done.
Jul 02 03:59:53 an-fw05.alteeve.ca systemd[1]: Started Shorewall IPv4 firewall.

To see the new rules in place, simply run:

iptables-save
# Generated by iptables-save v1.4.21 on Sat Jul  2 04:01:15 2016
*nat
:PREROUTING ACCEPT [6:1404]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:144]
:POSTROUTING ACCEPT [1:144]
:wan0_masq - [0:0]
-A POSTROUTING -o wan0 -j wan0_masq
-A wan0_masq -s 10.200.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Jul  2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul  2 04:01:15 2016
*mangle
:PREROUTING ACCEPT [83:6436]
:INPUT ACCEPT [83:6436]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:6584]
:POSTROUTING ACCEPT [51:6584]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Jul  2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul  2 04:01:15 2016
*raw
:PREROUTING ACCEPT [91:6852]
:OUTPUT ACCEPT [60:7880]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Sat Jul  2 04:01:15 2016
# Generated by iptables-save v1.4.21 on Sat Jul  2 04:01:15 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:fw-lan - [0:0]
:fw-wan - [0:0]
:lan-fw - [0:0]
:lan-wan - [0:0]
:lan_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:sha-lh-85bd0fbd43893f6cb64f - [0:0]
:sha-rh-1564976a559d45f214cb - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:wan-fw - [0:0]
:wan-lan - [0:0]
:wan_frwd - [0:0]
-A INPUT -i wan0 -j wan-fw
-A INPUT -i lan0 -j lan-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i wan0 -j wan_frwd
-A FORWARD -i lan0 -j lan_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o wan0 -j fw-wan
-A OUTPUT -o lan0 -j fw-lan
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -g reject
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Drop
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j Broadcast
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Reject
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j Broadcast
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -g reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A fw-lan -p udp -m udp --dport 67:68 -j ACCEPT
-A fw-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-lan -j ACCEPT
-A fw-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-wan -j ACCEPT
-A lan-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lan-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A lan-fw -p tcp -j tcpflags
-A lan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22 -j ACCEPT
-A lan-fw -j Drop
-A lan-fw -j DROP
-A lan-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-wan -j ACCEPT
-A lan_frwd -o lan0 -g sfilter
-A lan_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A lan_frwd -p tcp -j tcpflags
-A lan_frwd -o wan0 -j lan-wan
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A wan-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wan-fw -p tcp -j tcpflags
-A wan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A wan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A wan-fw -j Drop
-A wan-fw -j LOG --log-prefix "Shorewall:wan-fw:DROP:" --log-level 6
-A wan-fw -j DROP
-A wan-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-lan -j Drop
-A wan-lan -j LOG --log-prefix "Shorewall:wan-lan:DROP:" --log-level 6
-A wan-lan -j DROP
-A wan_frwd -o wan0 -g sfilter
-A wan_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A wan_frwd -p tcp -j tcpflags
-A wan_frwd -o lan0 -j wan-lan
COMMIT
# Completed on Sat Jul  2 04:01:15 2016

This prints the actual iptables rules. You will need some experience with iptables to understand all of them, but the general flow should be clear: all three built-in chains of the filter table (INPUT, FORWARD, OUTPUT) have a DROP policy, traffic is dispatched by interface into per-zone-pair chains such as wan-fw and lan-wan, and each of those ends in the Drop action followed by a LOG and a DROP. One thing worth checking is the raw table: the CT --helper entries associate conntrack helpers (ftp, sip, irc, pptp and so on) with their ports because AUTOHELPERS defaults to Yes. Helpers parse application-layer traffic in order to open related connections, which is attack surface a router that only forwards web and SSH traffic does not need; list only the ones you use in HELPERS= in shorewall.conf, or set AUTOHELPERS=No so that helpers are applied only where the conntrack file says so.
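What matters after the start is not the configuration you wrote but what the kernel is actually enforcing, and the iptables-save output is the record of that. The script below is an added example (not part of Shorewall or iptables, and not from this wiki) that parses iptables-save text, reports the built-in chain policies, walks from INPUT into the per-interface chains to list which new connections each interface accepts (following -j and -g into Shorewall's action chains such as Drop, and skipping the RELATED,ESTABLISHED shortcut), and lists what is masqueraded. The embedded input is a constructed excerpt of the output shown above, trimmed to the chains the audit walks. It runs on Python 2.7 and 3.

```python
"""Audit the loaded ruleset from iptables-save output.

Added example, not part of Shorewall or iptables. It reads what iptables-save
prints, reports the built-in chain policies, walks from INPUT into each
per-interface chain to list what is ACCEPTed for new connections, and lists
what is masqueraded. Runs on EL7's Python 2.7 and on Python 3.
"""
from __future__ import print_function
import shlex

# Constructed excerpt of the iptables-save output shown above, trimmed to the
# chains this audit walks; user-chain declarations and counters are omitted.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j wan0_masq
-A wan0_masq -s 10.200.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i wan0 -j wan-fw
-A INPUT -i lan0 -j lan-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j DROP
-A Drop
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m conntrack --ctstate INVALID -j DROP
-A lan-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A lan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A lan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A lan-fw -p tcp -m tcp --dport 22 -j ACCEPT
-A lan-fw -j Drop
-A lan-fw -j DROP
-A wan-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A wan-fw -p tcp -m tcp --dport 22000 -j ACCEPT
-A wan-fw -j Drop
-A wan-fw -j LOG --log-prefix "Shorewall:wan-fw:DROP:" --log-level 6
-A wan-fw -j DROP
COMMIT
"""

def parse_save(text):
    """iptables-save text -> {table: {'policy': {chain: policy}, 'rules': {chain: [tokens]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith('*'):
            table = tables.setdefault(line[1:], {'policy': {}, 'rules': {}})
        elif line.startswith(':'):
            table['policy'].update([line[1:].split()[:2]])
        elif line.startswith('-A '):
            toks = shlex.split(line)
            table['rules'].setdefault(toks[1], []).append(toks[2:])
    return tables

def opt(toks, name):
    """Value following option 'name', or None when the option is absent."""
    i = toks.index(name) + 1 if name in toks else 0
    return toks[i] if 0 < i < len(toks) else None

def accepts(table, chain, seen=None):
    """(proto, port) pairs ACCEPTed anywhere reachable from chain; the conntrack
    shortcut for RELATED,ESTABLISHED is skipped so only new connections count."""
    seen = set() if seen is None else seen
    if chain in seen:
        return []
    seen.add(chain)
    found = []
    for toks in table['rules'].get(chain, []):
        target = opt(toks, '-j') or opt(toks, '-g')
        if target == 'ACCEPT' and not opt(toks, '--ctstate'):
            port = opt(toks, '--dport') or opt(toks, '--dports') or opt(toks, '--icmp-type') or '*'
            found.append((opt(toks, '-p') or 'any', port))
        elif target in table['rules']:
            found.extend(accepts(table, target, seen))
    return found

def exposure(tables):
    """Per inbound interface: what INPUT accepts for new connections."""
    filt, result = tables['filter'], {}
    for toks in filt['rules'].get('INPUT', []):
        iface, target = opt(toks, '-i'), opt(toks, '-j') or opt(toks, '-g')
        if iface:  # rules without -i (the shared Drop action) are not per-interface exposure
            result[iface] = [('any', '*')] if target == 'ACCEPT' else accepts(filt, target)
    return result

def masqueraded(tables):
    """(outbound interface, source network) pairs that are MASQUERADEd."""
    nat, found = tables.get('nat', {'rules': {}}), []
    for toks in nat['rules'].get('POSTROUTING', []):
        for r in nat['rules'].get(opt(toks, '-j'), [toks]):
            if opt(r, '-j') == 'MASQUERADE':
                found.append((opt(toks, '-o'), opt(r, '-s') or '0.0.0.0/0'))
    return found

if __name__ == '__main__':
    t = parse_save(SAMPLE)
    print('policies:', t['filter']['policy'])
    for iface, ports in sorted(exposure(t).items()):
        print(iface, 'accepts new:', ports)
    print('masquerade:', masqueraded(t))
```

For the tutorial's ruleset this reports that wan0 accepts new connections only for ICMP echo (type 8), TCP 22000 and the two ICMP types the Drop action always lets through (3/4 and 11), while lan0 additionally accepts DHCP (UDP 67:68) and TCP 22, which is exactly what the rules file intended. Feed it the live ruleset with `parse_save(subprocess.check_output(['iptables-save']).decode())` after every change; a port you did not expect in the wan0 list is the thing to go looking for.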

Configure DHCP

Note: If you have an external DHCP server, or don't need one, you can stop here.

If all went well, you now have a fully functioning router and firewall.

 

Any questions, feedback, advice, complaints or meanderings are welcome.
Us: Alteeve's Niche! Support: Mailing List IRC: #clusterlabs on Freenode   © Alteeve's Niche! Inc. 1997-2018
legal stuff: All info is provided "As-Is". Do not use anything here unless you are willing and able to take responsibility for your own actions.