Shorewall on RPM-based Servers: Difference between revisions

From Alteeve Wiki
 
(40 intermediate revisions by the same user not shown)
{{howto_header}}

'''Previous revision (Shorewall 4.4 on Fedora 13).''' The diff view compares this older revision with the latest revision. Only the passages that the latest revision changed or dropped are reproduced here; everything else in the old text is identical to the latest revision that follows.

This covers setup and maintenance of <span class="code">Shorewall 4.4</span> on Fedora 13. It's a very generic How-To though and should work well on most [[RPM]]-based distributions.

= Install =

'''Note''': A mirror of [http://www.invoca.ch/pub/packages/shorewall/4.4/ http://www.invoca.ch] was made for this how-to. Please check there for updated packages and, if found, please use their newer version.

Download and install <span class="code">shorewall-4.4.13.3-1.noarch.rpm</span>:

<source lang="bash">
rpm -Uvh https://alteeve.com/files/shorewall/4.4/shorewall-4.4.13/shorewall-4.4.13.3-1.noarch.rpm
</source>

= Setup =

== Public IP Address Range ==

If you have multiple public IP addresses, make sure your Internet facing ethernet device, <span class="code">eth1</span> in our case, has all of those public IPs assigned to it. Do this by:

# Copying the <span class="code">ifcfg-eth1</span> to <span class="code">ifcfg-eth1:x</span> where <span class="code">x</span> is a number, starting at 0, with the next public IP in the pool.
# In each <span class="code">ifcfg-eth1:x</span> file:
## Add <span class="code">:x</span> to <span class="code">DEVICE=eth1</span>, for example <span class="code">DEVICE=eth1:0</span> in the <span class="code">ifcfg-eth1:0</span> file.
## Change the IP address in the <span class="code">IPADDR=</span> line. For example, <span class="code">208.67.144.34</span>.
## Comment out the <span class="code">GATEWAY=</span> line.

When done, simply restart networking:

<source lang="bash">
/etc/init.d/network restart
</source>

Or manually bring up each alias device with:

<source lang="bash">
ifup eth1:x
</source>

Setting <span class="code">x</span> to the number of each alias device you are starting. If you are connected over ssh, using <span class="code">ifup</span> is recommended as you are less likely to lose your ssh session.

== Configuring Shorewall ==

The <span class="code">zones</span> entries were the same as in the latest revision. The other files differed as follows.

=== interfaces ===

The older <span class="code">interfaces</span> format had a <span class="code">BROADCAST</span> column, which the later <span class="code">?FORMAT 2</span> layout drops:

<source lang="text">
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect
loc     eth0            detect          dhcp
</source>

=== policy ===

The policy entries were the same; only the comments differed, and they explain the intent of each line for a firewall in front of virtual machines:

<source lang="text">
# This allows the firewall out onto the Internet
fw      net     ACCEPT
# These are the default policies; All VMs are allowed out to the net, Anything
# from the Internet is DROPed and anything else to anything else is REJECTed
# and logged.
# - Anything from the firewall to the VMs is allowed.
fw      loc     ACCEPT
# - Protect the firewall from compromised servers.
loc     fw      DROP
# - Let anything from the VMs out onto the Internet.
loc     net     ACCEPT
# - Drop and log anything else.
net     all     DROP            info
</source>

=== rules ===

Here you tell Shorewall what the exceptions are to the default policies. The first match is used. This is really the heart of the firewall.

Edit <span class="code">rules</span> so that the file looks like:

<source lang="bash">
vim /etc/shorewall/rules
</source>
<source lang="text">
############################################################################################################################################################
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
#                                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

### Rules for data going into the firewall
# Allow SSH connections to the firewall itself
ACCEPT          net             fw                      tcp     22
# Allow SSH and DHCP requests from the VMs into the firewall.
ACCEPT          loc             fw                      tcp     22
ACCEPT          loc             fw                      udp     67,68

### Forwards using DNAT
## Internet into 'VSH02' -> 'dom0'
# SSH
DNAT            net             loc:192.168.10.2:22     tcp     22002

## Internet into 'VSH03' -> 'dom0'
# SSH
DNAT            net             loc:192.168.10.3:22     tcp     22003

## Internet into 'auth01'
# SSH
DNAT            net             loc:192.168.10.100:22   tcp     22100
# OpenVPN
DNAT            net             loc:192.168.10.100:1194 udp     1194

## Internet into 'web01'
# SSH
DNAT            net             loc:192.168.10.101:22   tcp     22101

## Internet into 'web02'
# SSH
DNAT            net             loc:192.168.10.102:22   tcp     22102

## Internet into 'res01'
# SSH
DNAT            net             loc:192.168.10.103:22   tcp     22103

## Internet into 'dev01'
# SSH
DNAT            net             loc:192.168.10.104:22   tcp     22104

## Internet into 'sql01' (ssh and mysql)
# SSH
DNAT            net             loc:192.168.10.105:22   tcp     22105
DNAT            net             loc:192.168.10.105:3306 tcp     3306
</source>

=== masq ===

This is the file that handles MASQuerading the virtual machine LAN (the <span class="code">loc</span> zone). Even though there are several public IP addresses, they are not SNATed to hosts but instead used as a pool of addresses to do port forwarding/DNAT on.

<source lang="text">
###############################################################################
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
#                                                                                       GROUP
eth1                    192.168.10.0/24
</source>

=== shorewall.conf ===

The older revision also moved Shorewall's log out of <span class="code">/var/log/messages</span>. Edit <span class="code">/etc/shorewall/shorewall.conf</span> and change the following lines:

<source lang="text">
STARTUP_ENABLED=No
LOGFILE=/var/log/messages
</source>

To:

<source lang="text">
STARTUP_ENABLED=Yes
LOGFILE=/var/log/shorewall
</source>

The "Starting the Firewall" section was unchanged; the "Fixing SELinux Problems" section exists only in the latest revision.

{{footer}}

Latest revision as of 22:21, 5 May 2015


This covers setup and maintenance of Shorewall 4.5 on Red Hat Enterprise Linux 5.x, 6.x, RHEL derivatives and several recent Fedora releases.

Install

Note: Updated on 2015-05-05 for Shorewall release 4.6.8.

Install is trivial, we just need to install the dependencies and the latest RPMs.

yum install perl perl-Digest-SHA perl-Digest-SHA1

You can check for the latest version here.

rpm -Uvh http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-core-4.6.8-0base.noarch.rpm \
         http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-4.6.8-0base.noarch.rpm

Done!

Setup

You need to decide which interface will have your internet connection on it and which will connect to your internal network. For this tutorial:

  • eth0; Faces the internal network, has the IP 10.255.255.254/16 and provides DHCP services to the LAN.
  • eth1; Faces the Internet.

Configuring Shorewall

All configuration files are in the /etc/shorewall directory, unless explicitly defined. The main Shorewall configuration file, which we will edit last is /etc/shorewall/shorewall.conf.

The files to edit are listed in the order we will edit them in the following subsections.

zones

This controls the main "zones" used by Shorewall. The fw is special in that it defines the firewall itself. The net zone is the Internet-facing network (eth1 in this tutorial). The loc is the local network, the internal network of machines the firewall is protecting, which is eth0 in this tutorial. Both eth0 and eth1 are ipv4 networks.

Append two new lines telling shorewall that we have two new ipv4 networks that it will use:

vim /etc/shorewall/zones
net     ipv4
loc     ipv4

So that the zones file looks like:

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

interfaces

Just above, we told shorewall that we had two new ipv4 networks. In the interfaces configuration file, we link these networks to physical interfaces.

Note: If you plan to set up a DHCP server on your firewall, you will need to specify the dhcp option, as shown here. You can see a full list of options and their uses on Shorewall's interfaces page.

To link the new networks to the physical interfaces, append the following entries:

vim /etc/shorewall/interfaces
loc             eth0                    dhcp
net             eth1

So that the interfaces file looks like:

###############################################################################
?FORMAT 2
###############################################################################
#ZONE           INTERFACE               OPTIONS
loc             eth0                    dhcp
net             eth1

policy

Here you tell shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about ESTABLISHED and RELATED connections as shorewall handles these rules. The choices are:

  • ACCEPT; Accept the connection.
  • DROP; Ignore the connection request.
  • REJECT; Return an appropriate error to the connection request.

You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log at the info level so you can see twits trying to do "bad things(tm)". The one downside to using info is that it pushes a lot of data into the log files, which might make debugging other issues on the firewall harder. It's really up to you in the end.

Append the following default policies:

vim /etc/shorewall/policy
# Let everything from the firewall machine out onto the net.
fw      net     ACCEPT

# Likewise, allow everything from the firewall out onto the local network.
fw      loc     ACCEPT

# Don't allow incoming connections from the web into the firewall *or* into the
# local network. Add 'info' here if you want to log failed connection attempts.
net     all     DROP            info

# Don't allow incoming connections from the local network into the firewall.
loc     fw      DROP

# Let machines on the local network out onto the web
loc     net     ACCEPT

So that the policy file looks like:

###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# Let everything from the firewall machine out onto the net.
fw      net     ACCEPT

# Likewise, allow everything from the firewall out onto the local network.
fw      loc     ACCEPT

# Don't allow incoming connections from the web into the firewall *or* into the
# local network. Add 'info' here if you want to log failed connection attempts.
net     all     DROP            info

# Don't allow incoming connections from the local network into the firewall.
loc     fw      DROP

# Let machines on the local network out onto the web
loc     net     ACCEPT

rules

This is really the heart of the firewall.

Here you tell shorewall what exceptions there are to the default policies. The first rule to match is used.

The example below shows a setup where remote access into the firewall itself is allowed only on port 22000 (a non-default SSH port). Then two Microsoft Windows servers are set up. Both servers are internally set to listen for RDP connections on the same default port (3389). To allow for this with just one external IP address, the firewall is told to route incoming connections on port 3390 to the internal machine at IP 10.255.0.11 on port 3389. Likewise, incoming connections on port 3389 will be forwarded directly to 10.255.0.10:3389.

We'll also add a couple of special rules that tell shorewall to respond to ICMP ping requests. Some people don't like this as ping sweeps are a quick way for malicious people to find servers on the net. Personally, I find the usefulness of being able to ping my firewall more beneficial.

Append to rules so that the file looks like:

vim /etc/shorewall/rules
### Rules for data going into the firewall. Consult /etc/services or your local
### search engine for ports and protocols used by your favourite programs.
# Answer ICMP queries
Ping(ACCEPT)	net		fw
Ping(ACCEPT)	loc		fw

# Allow incoming SSH connections to the firewall itself from the web on port
# 22000. Allow incoming SSH connections to the firewall on port 22 and 22000
# from the local network.
ACCEPT          net             fw                      tcp     22000
ACCEPT          loc             fw                      tcp     22
ACCEPT          loc             fw                      tcp     22000

# Allow incoming connections from the internet to two windows servers listening
# for RDP connections on the same port. This will be handled using different
# external ports using destination network address translation.
DNAT            net             loc:10.255.0.10:3389    tcp     3389
DNAT            net             loc:10.255.0.11:3389    tcp     3390

This is a spartan example of what you can do. It's meant to show how you can do matching and non-matching TCP port forwards. With this simple format, you should be able to create all the rules you need to set up your network.
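The policy and rules sections above describe how Shorewall decides a new connection's fate: the first matching rule wins, and anything that falls through lands on the first matching policy line. The script below is an added example, not part of the wiki page or of Shorewall itself; it re-implements that first-match lookup in POSIX shell and awk over constructed copies of this tutorial's zones, policy and rules entries (the port forwards are written with DNAT, the Shorewall action for destination NAT) so you can read off the effective default for each zone pair, whether the drops are logged, every entry point the rules open from the Internet, and whether every zone you referenced is actually declared. On a real firewall you would feed the files under /etc/shorewall instead of the sample strings.

```shell
#!/bin/sh
# Added example: audit the Shorewall entries from this tutorial. The three
# *_SAMPLE strings are constructed copies of the tutorial's config lines.
ZONES_SAMPLE='fw      firewall
net     ipv4
loc     ipv4'

POLICY_SAMPLE='fw      net     ACCEPT
fw      loc     ACCEPT
net     all     DROP            info
loc     fw      DROP
loc     net     ACCEPT'

RULES_SAMPLE='Ping(ACCEPT)    net     fw
Ping(ACCEPT)    loc     fw
ACCEPT          net             fw                      tcp     22000
ACCEPT          loc             fw                      tcp     22
ACCEPT          loc             fw                      tcp     22000
DNAT            net             loc:10.255.0.10:3389    tcp     3389
DNAT            net             loc:10.255.0.11:3389    tcp     3390'

# default_policy SRC DEST: the policy that catches a new SRC->DEST connection
# when no rule matches. First matching line wins, "all" matches any zone;
# prints "none" if the sample has no line for that pair.
default_policy() {
    printf '%s\n' "$POLICY_SAMPLE" | awk -v s="$1" -v d="$2" '
        /^#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# policy_log_level SRC DEST: the LOG LEVEL column of that same policy line,
# or "-" when the line has none, so you can confirm that drops are logged.
policy_log_level() {
    printf '%s\n' "$POLICY_SAMPLE" | awk -v s="$1" -v d="$2" '
        /^#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print (NF >= 4 ? $4 : "-"); exit }
    '
}

# net_exposed: every entry point the rules open from the Internet, printed as
# proto/port->destination. A Ping(ACCEPT) line is an ICMP echo exposure.
net_exposed() {
    printf '%s\n' "$RULES_SAMPLE" | awk '
        /^#/ || NF < 3 { next }
        $2 != "net" { next }
        $1 ~ /^Ping\(ACCEPT\)/ { print "icmp/echo-request->" $3; next }
        ($1 == "ACCEPT" || $1 == "DNAT") && NF >= 5 { printf "%s/%s->%s\n", $4, $5, $3 }
    '
}

# zones_in TEXT FIRSTCOL LASTCOL: zone names used in those columns, with any
# ":address:port" suffix stripped and the "all" keyword ignored.
zones_in() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        /^#/ || NF < 3 { next }
        { for (c = a; c <= b; c++) { z = $c; sub(/:.*/, "", z); if (z != "all") print z } }
    '
}

# undeclared_zones: zones named in policy (columns 1-2) or rules (columns 2-3)
# that the zones file does not declare. Shorewall refuses to compile those.
undeclared_zones() {
    { zones_in "$POLICY_SAMPLE" 1 2; zones_in "$RULES_SAMPLE" 2 3; } | sort -u |
        while read -r z; do
            printf '%s\n' "$ZONES_SAMPLE" | awk -v z="$z" '$1 == z { found = 1 } END { exit !found }' ||
                echo "$z"
        done
}

# Human-readable summary; this runs when the script is executed directly.
report() {
    printf 'net->fw default: %s (log: %s)\n' "$(default_policy net fw)" "$(policy_log_level net fw)"
    printf 'net->loc default: %s\n' "$(default_policy net loc)"
    printf 'Exposed from the Internet:\n'
    net_exposed | sed 's/^/  /'
    u=$(undeclared_zones)
    if [ -z "$u" ]; then echo 'All referenced zones are declared.'; else printf 'Undeclared zones: %s\n' "$u"; fi
}
report
```

Running it shows that, with this policy file, net->fw and net->loc both fall to DROP with info logging while loc->fw is dropped silently, and that the only services reachable from the Internet are ICMP echo to the firewall, SSH on 22000, and the two RDP forwards. Changing the sample strings to your own entries turns it into a quick pre-deployment review of what a new rule actually opens.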

masq

This is the file that handles MASQerading the machines on the local LAN (the loc zone). This is how shorewall provides internet access to an entire subnet of machines on a given network.

So to enable Internet access from your machines, you need to add a line with the Internet facing interface followed by the subnet of the local network that you will be masquerading.

vim /etc/shorewall/masq
eth1                    10.255.0.0/16

So that the masq file looks like:

################################################################################################################
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
#                                                                                       GROUP           DEST
eth1                    10.255.0.0/16

shorewall.conf

Once you have the above files in place, you need to enable the firewall.

Edit /etc/shorewall/shorewall.conf and change the following lines:

vim /etc/shorewall/shorewall.conf
STARTUP_ENABLED=No

To:

STARTUP_ENABLED=Yes

Starting the Firewall

To start the firewall, simply run:

/etc/init.d/shorewall restart

The firewall should now be running. To see the new rules, simply run:

iptables-save

This will print out the actual firewall rules. You will need some experience with iptables to understand all their meaning, but the general flow should be understandable.

Lastly, make sure the firewall starts on boot by running:

chkconfig shorewall on

Fixing SELinux Problems

If you get an error like:

/etc/init.d/shorewall start
Compiling...
Can't exec "/usr/lib/shorewall/getparams": Permission denied at /usr/share/perl5/Shorewall/Config.pm line 5041.
   ERROR: Processing of /etc/shorewall/params failed

If we check /var/log/audit/audit.log, we see:

type=AVC msg=audit(1403851868.309:165): avc:  denied  { execute_no_trans } for  pid=11114 comm="perl" path="/usr/lib/shorewall/getparams" dev=sda3 ino=1705335 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

To fix this, run:

semanage fcontext -a -t bin_t /usr/lib/shorewall/getparams
restorecon -vF /usr/lib/shorewall/getparams

Now shorewall should start properly.

/etc/init.d/shorewall start
Compiling...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
done.
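The AVC line above packs everything needed to understand the denial into key=value fields: the permission in braces, the path of the file, and the source and target contexts whose third component is the SELinux type (shorewall_t trying to execute a lib_t file). The following script is an added example, not part of the wiki page or of Shorewall; it extracts those fields from audit.log lines in POSIX shell and prints the page's two relabel commands, with the denied path filled in, only when a denial has exactly the shape described above. The first sample line is the one from the page; the second is a constructed, unrelated denial included to show that the hint is not emitted for every AVC. Treating every lib_t file that shorewall_t is refused execute on as a bin_t relabel candidate is this example's own generalisation of the page's fix, not a rule from the SELinux policy.

```shell
#!/bin/sh
# Added example: parse SELinux AVC denials and recognise the shorewall case
# fixed on this page. Both sample lines are constructed for the example.
AVC_SHOREWALL='type=AVC msg=audit(1403851868.309:165): avc:  denied  { execute_no_trans } for  pid=11114 comm="perl" path="/usr/lib/shorewall/getparams" dev=sda3 ino=1705335 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'
# Constructed unrelated denial (a web server reading a home-directory file).
AVC_OTHER='type=AVC msg=audit(1403851900.000:170): avc:  denied  { read } for  pid=11120 comm="httpd" path="/srv/www/secret.txt" dev=sda3 ino=1800001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE NAME: value of the NAME=value field, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component (third field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line digest of which domain was denied what on which file.
avc_summary() {
    printf '%s denied %s on %s (labelled %s)\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perm "$1")" \
        "$(avc_field "$1" path)" "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_fix_hint LINE: print the page's relabel commands for the denied path, but
# only when the shorewall_t domain was refused an execute permission on a file
# labelled lib_t. Any other denial prints nothing and needs its own analysis.
avc_fix_hint() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    perm=$(avc_perm "$1")
    cls=$(avc_field "$1" tclass)
    path=$(avc_field "$1" path)
    case "$src/$tgt/$perm/$cls" in
        shorewall_t/lib_t/execute*/file)
            printf 'semanage fcontext -a -t bin_t %s\n' "$path"
            printf 'restorecon -vF %s\n' "$path" ;;
    esac
}

avc_summary "$AVC_SHOREWALL"
avc_fix_hint "$AVC_SHOREWALL"
avc_summary "$AVC_OTHER"
avc_fix_hint "$AVC_OTHER"
```

To use it on a live system, replace the sample strings with lines from `grep 'avc:  denied' /var/log/audit/audit.log`; the point of the narrow `case` pattern is that a denial on a different domain, permission or label is reported but never turned into a relabel command, since relabelling files is not a generic answer to AVC denials.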

 
