Shorewall on RPM-based Servers
This covers setup and maintenance of Shorewall 4.4 on Fedora 13. It's a very generic How-To though and should work well on most RPM-based distributions.
Install
Note: A mirror of http://www.invoca.ch was made for this how-to. Check there for updated packages and, if you find a newer version, use it instead of the one below.
Download and install shorewall-4.4.13.3-1.noarch.rpm
rpm -Uvh https://alteeve.com/files/shorewall/4.4/shorewall-4.4.13/shorewall-4.4.13.3-1.noarch.rpm
Setup
Public IP Address Range
Make sure your Internet-facing ethernet device, eth1 in our case, has all of the public IPs assigned to it. The interface files live in /etc/sysconfig/network-scripts/. Do this by:
- Copying ifcfg-eth1 to ifcfg-eth1:x for each additional public IP in the pool, where x is a number starting at 0.
- In each ifcfg-eth1:x file:
- Add :x to the DEVICE= line, for example DEVICE=eth1:0 in the ifcfg-eth1:0 file.
- Change the IPADDR= line to that alias's public IP, for example IPADDR=208.67.144.34.
- Comment out the GATEWAY= line; the default route belongs to eth1 itself, not to the aliases.
When done, simply restart networking:
/etc/init.d/network restart
Or manually bring up each alias device with:
ifup eth1:x
setting x to the number of each alias device you are starting. If you are connected over ssh, using ifup is recommended: it does not take the primary interface down, so you are less likely to lose your ssh session.
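The alias files above are tedious to write by hand for a pool of several addresses. The script below is an added example (not from this page): it copies ifcfg-eth1 to ifcfg-eth1:0, ifcfg-eth1:1, ... and applies the three edits from the list. It takes the network-scripts directory as a parameter so it can be tried against a scratch directory first; the ifcfg-eth1 contents and the 208.67.144.x addresses in the demo are constructed.

```sh
#!/bin/sh
# Added example, not part of the Alteeve page: generate ifcfg-eth1:N alias
# files for a pool of public IPs. Assumes Fedora-style ifcfg files; the
# directory is a parameter so the script can be tested outside /etc.
set -eu

# make_aliases DIR IFACE IP...
#   Copies DIR/ifcfg-IFACE to DIR/ifcfg-IFACE:N (N starting at 0), one per IP,
#   rewriting DEVICE=, replacing IPADDR= and commenting out GATEWAY=.
#   Prints the name of each alias file it wrote.
make_aliases() {
    dir=$1; iface=$2; shift 2
    base="$dir/ifcfg-$iface"
    [ -f "$base" ] || { echo "missing $base" >&2; return 1; }
    n=0
    for ip in "$@"; do
        alias_file="$dir/ifcfg-$iface:$n"
        # DEVICE gets the :N suffix, IPADDR becomes the alias address,
        # GATEWAY is commented out so only the primary interface sets a route.
        sed -e "s/^DEVICE=.*/DEVICE=$iface:$n/" \
            -e "s/^IPADDR=.*/IPADDR=$ip/" \
            -e "s/^GATEWAY=/#GATEWAY=/" "$base" > "$alias_file"
        echo "$alias_file"
        n=$((n + 1))
    done
}

# Constructed sample ifcfg-eth1 in a scratch directory so this runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=208.67.144.33
NETMASK=255.255.255.240
GATEWAY=208.67.144.46
EOF

# Two aliases for the next two addresses in the (constructed) pool.
make_aliases "$demo_dir" eth1 208.67.144.34 208.67.144.35
cat "$demo_dir/ifcfg-eth1:0"
```

Run it against a copy of your real ifcfg-eth1 first and diff the output before pointing it at /etc/sysconfig/network-scripts; then bring the aliases up one at a time with ifup eth1:0, ifup eth1:1 and so on.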
Configuring Shorewall
All configuration files are in the following directory, unless explicitly defined:
/etc/shorewall
The main Shorewall configuration file will be edited last. It is:
/etc/shorewall/shorewall.conf
zones
This controls the main "zones" used by Shorewall. fw is special in that it is the firewall itself. net is the Internet-facing network (eth1 on the firewall). loc is the local network, the virtual machine network on eth0.
Add:
fw firewall
net ipv4
loc ipv4
So that the 'zones' file looks like:
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
interfaces
Here you tell Shorewall which network zones are on which interfaces.
Add:
net eth1 detect
loc eth0 detect dhcp
So that the 'interfaces' file looks like:
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect
loc eth0 detect dhcp
policy
Here you tell Shorewall what the default policy is for new connection requests between each pair of zones when no rule matches. You don't need to worry about ESTABLISHED and RELATED connections as Shorewall handles those itself. The choices are:
- ACCEPT
- Accept the connection.
- DROP
- Ignore the connection request.
- REJECT
- Return an appropriate error to the connection request.
You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log at the 'info' level so you can see twits trying to do "bad things(tm)".
# This allows the firewall out onto the Internet
fw net ACCEPT
# These are the default policies; All VMs are allowed out to the net, anything
# from the Internet is DROPed and anything else to anything else is REJECTed
# and logged.
# - Anything from the firewall to the VMs is allowed.
fw loc ACCEPT
# - Protect the firewall from compromised servers.
loc fw DROP
# - Let anything from the VMs out onto the Internet.
loc net ACCEPT
# - Drop and log anything else from the Internet.
net all DROP info
# - Reject and log anything not covered above.
all all REJECT info
So that the 'policy' file looks like:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# This allows the firewall out onto the Internet
fw net ACCEPT
# These are the default policies; All VMs are allowed out to the net, anything
# from the Internet is DROPed and anything else to anything else is REJECTed
# and logged.
# - Anything from the firewall to the VMs is allowed.
fw loc ACCEPT
# - Protect the firewall from compromised servers.
loc fw DROP
# - Let anything from the VMs out onto the Internet.
loc net ACCEPT
# - Drop and log anything else from the Internet.
net all DROP info
# - Reject and log anything not covered above.
all all REJECT info
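Shorewall's compiler refuses to start the firewall if some ordered pair of zones has no policy at all, which is easy to cause when you delete a line while tidying this file. The script below is an added example (not from this page) that performs that check on a 'zones' and a 'policy' file: it reads the zone names from the first column of 'zones', treats 'all' as the wildcard it is in 'policy', and skips intra-zone pairs because Shorewall accepts those by default. The sample files it builds are constructed: the zones file from this page, and a policy file that has lost the loc net ACCEPT line.

```sh
#!/bin/sh
# Added example, not part of the Alteeve page: report zone pairs that the
# 'policy' file does not cover. Intra-zone pairs (loc -> loc) are skipped
# because Shorewall ACCEPTs them by default; 'all' matches any zone.
set -eu

# zone_names ZONES_FILE -> one zone name per line (first column, comments skipped)
zone_names() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# has_policy POLICY_FILE SRC DST -> exit 0 if some policy line covers SRC -> DST
has_policy() {
    awk -v s="$2" -v d="$3" '
        !/^[[:space:]]*#/ && NF >= 3 &&
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { found = 1 }
        END { exit !found }' "$1"
}

# check_policy ZONES_FILE POLICY_FILE
#   Prints every uncovered "src -> dst" pair; exit status 1 if any were found.
check_policy() {
    status=0
    for src in $(zone_names "$1"); do
        for dst in $(zone_names "$1"); do
            [ "$src" = "$dst" ] && continue
            if ! has_policy "$2" "$src" "$dst"; then
                echo "no policy for $src -> $dst"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample files: this page's zones, and a policy file that is
# missing the 'loc net ACCEPT' line.
demo=$(mktemp -d)
printf 'fw\tfirewall\nnet\tipv4\nloc\tipv4\n' > "$demo/zones"
cat > "$demo/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
fw      net     ACCEPT
fw      loc     ACCEPT
loc     fw      DROP
net     all     DROP    info
EOF

check_policy "$demo/zones" "$demo/policy" || echo "fix the policy file before starting Shorewall"
```

Point it at /etc/shorewall/zones and /etc/shorewall/policy before each restart; a final all all REJECT info line, as in the file above, makes the check trivially pass and is the reason that convention exists.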
rules
Here you tell Shorewall the exceptions to the default policies. Rules are checked in order and the first match wins; a new connection that matches no rule falls through to the policy for its zone pair. This is really the heart of the firewall. Two entries below deserve a second look before you copy them: ACCEPT net fw tcp 22 exposes the firewall's own sshd to the whole Internet (narrow SOURCE to your management addresses, e.g. net:203.0.113.5 with your real address in place of that example, if you can), and the DNAT of tcp/3306 puts MySQL on sql01 directly on the Internet, where reaching it over the OpenVPN tunnel on auth01 would be the safer choice.
Edit 'rules' so that the file looks like:
############################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
### Rules for data going into the firewall
# Allow SSH connections to the firewall itself
ACCEPT net fw tcp 22
# Allow SSH and DHCP requests from the VMs into the firewall.
ACCEPT loc fw tcp 22
ACCEPT loc fw udp 67,68
### Forwards using DNAT
## Internet into 'VSH02' -> 'dom0'
# SSH
DNAT net loc:192.168.10.2:22 tcp 22002
## Internet into 'VSH03' -> 'dom0'
# SSH
DNAT net loc:192.168.10.3:22 tcp 22003
## Internet into 'auth01'
# SSH
DNAT net loc:192.168.10.100:22 tcp 22100
# OpenVPN
DNAT net loc:192.168.10.100:1194 udp 1194
## Internet into 'web01'
# SSH
DNAT net loc:192.168.10.101:22 tcp 22101
## Internet into 'web02'
# SSH
DNAT net loc:192.168.10.102:22 tcp 22102
## Internet into 'res01'
# SSH
DNAT net loc:192.168.10.103:22 tcp 22103
## Internet into 'dev01'
# SSH
DNAT net loc:192.168.10.104:22 tcp 22104
## Internet into 'sql01' (ssh and mysql)
# SSH
DNAT net loc:192.168.10.105:22 tcp 22105
DNAT net loc:192.168.10.105:3306 tcp 3306
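The DNAT block above repeats one pattern per host: ssh reachable on 22000 plus the host's last octet, plus the occasional extra service on its own port. The script below is an added example (not from this page) that generates that block for a host in the column format used above, and checks a finished rules file for the failure mode the scheme invites: two DNAT rules claiming the same public proto/port, which happens as soon as two hosts on different subnets share a last octet. The page's 22000+octet convention is assumed, and the host names and addresses in the demo are constructed.

```sh
#!/bin/sh
# Added example, not part of the Alteeve page: generate DNAT rules in the
# format of the 'rules' file above and detect public-side port collisions.
set -eu

# dnat_host NAME IP [PROTO:PORT ...]
#   Prints a DNAT block: ssh on port 22000 + <last octet of IP>, then each
#   extra service forwarded on its own port (e.g. udp:1194 for OpenVPN).
dnat_host() {
    name=$1; ip=$2; shift 2
    last=${ip##*.}
    printf '## Internet into %s\n# SSH\n' "$name"
    printf 'DNAT\tnet\tloc:%s:22\ttcp\t%s\n' "$ip" "$((22000 + last))"
    for svc in "$@"; do
        proto=${svc%%:*}; port=${svc#*:}
        printf '# %s/%s\n' "$proto" "$port"
        printf 'DNAT\tnet\tloc:%s:%s\t%s\t%s\n' "$ip" "$port" "$proto" "$port"
    done
}

# dnat_collisions RULES_FILE
#   Prints each proto:port that more than one DNAT rule claims on the public
#   side (fields: ACTION SOURCE DEST PROTO DESTPORT). Prints nothing when clean.
dnat_collisions() {
    awk '$1 == "DNAT" { n[$4 ":" $5]++ }
         END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# Constructed demo: two of the hosts from this page, written to a scratch file.
demo=$(mktemp)
{
    dnat_host auth01 192.168.10.100 udp:1194
    dnat_host sql01  192.168.10.105 tcp:3306
} > "$demo"
cat "$demo"
dnat_collisions "$demo"
```

Run dnat_collisions against /etc/shorewall/rules after every edit; a collision means the second rule can never match, because the first one already claimed the port.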
masq
This is the file that handles masquerading (SNAT to eth1's primary address) for the virtual machine LAN, the 'loc' zone. Even though the firewall has several public IP addresses, outbound VM traffic is not mapped to individual public addresses; the extra addresses serve as a pool for the port forwards / DNAT rules in 'rules'.
Add:
eth1 192.168.10.0/24
So that the 'masq' file looks like:
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth1 192.168.10.0/24
shorewall.conf
Once you have the above files in place, you need to enable the firewall.
Edit /etc/shorewall/shorewall.conf and change the following lines:
STARTUP_ENABLED=No
LOGFILE=/var/log/messages
To:
STARTUP_ENABLED=Yes
LOGFILE=/var/log/shorewall
Note that LOGFILE only tells /sbin/shorewall where to read firewall messages for commands such as 'shorewall show log' and 'shorewall logwatch'; it does not move them. The kernel still hands netfilter log messages to syslog, which writes them to /var/log/messages by default, so either add an rsyslog rule that files kernel firewall messages in /var/log/shorewall, or leave LOGFILE at /var/log/messages.
Starting the Firewall
Before loading the new rules, have Shorewall compile and validate the configuration without installing it:
shorewall check
Fix anything it reports, then start the firewall:
/etc/init.d/shorewall start
(use restart if it is already running). If you are working over ssh, prefer:
shorewall safe-restart
which loads the new rules, asks you to confirm that the firewall is working and reverts to the previous rule set if you do not answer within the timeout, so a mistake in 'policy' or 'rules' does not lock you out. Check the result with 'shorewall status' and watch /var/log/messages (or wherever your syslog files kernel messages) for DROP and REJECT entries from your own test connections.
Make sure the firewall starts on boot by running:
chkconfig shorewall on
Any questions, feedback, advice, complaints or meanderings are welcome.
© 2025 Alteeve. Intelligent Availability® is a registered trademark of Alteeve's Niche! Inc. 1997-2025
legal stuff: All info is provided "As-Is". Do not use anything here unless you are willing and able to take responsibility for your own actions.