Shorewall on RPM-based Servers: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
= Install = | = Install = | ||
{{note|1=Updated on <span class="code"> | {{note|1=Updated on <span class="code">2015-05-05</span> for Shorewall release 4.6.8.}} | ||
Install is trivial, we just need to install dependencies and and the latest RPMs. | Install is trivial, we just need to install dependencies and and the latest RPMs. | ||
< | <syntaxhighlight lang="bash"> | ||
yum install perl perl-Digest-SHA perl-Digest-SHA1 | yum install perl perl-Digest-SHA perl-Digest-SHA1 | ||
</ | </syntaxhighlight> | ||
You can check for the [http://shorewall.net/download.htm latest version here]. | You can check for the [http://shorewall.net/download.htm latest version here]. | ||
< | <syntaxhighlight lang="bash"> | ||
rpm -Uvh http://canada.shorewall.net/pub/shorewall/4. | rpm -Uvh http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-core-4.6.8-0base.noarch.rpm \ | ||
http://canada.shorewall.net/pub/shorewall/4. | http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-4.6.8-0base.noarch.rpm | ||
</ | </syntaxhighlight> | ||
Done! | Done! | ||
| Line 24: | Line 24: | ||
= Setup = | = Setup = | ||
You need to decide which interface will have your internet connection on it and which will connect to your internal network. For this tutorial; | |||
* <span class="code">eth0</span>; Faces the internal network, has the IP <span class="code">10.255.255.254/16</span> and provides DHCP services to the LAN. | |||
* <span class="code">eth1</span>; Faces the Internet. | |||
== Configuring Shorewall == | == Configuring Shorewall == | ||
All configuration files are in the | All configuration files are in the <span class="code">/etc/shorewall</span> directory, unless explicitly defined. The main Shorewall configuration file, which we will edit last is <span class="code">/etc/shorewall/shorewall.conf</span>. | ||
< | |||
/etc/shorewall | |||
</ | |||
The main Shorewall configuration file, which we will edit last is <span class="code">/etc/shorewall/shorewall.conf</span>. | |||
The files to edit are listed in the order we will edit them in the following subsections. | The files to edit are listed in the order we will edit them in the following subsections. | ||
| Line 93: | Line 37: | ||
=== zones === | === zones === | ||
This controls the main "zones" used by Shorewall. The <span class="code">fw</span> is special in that it defines the firewall itself. The <span class="code">net</span> zone is the Internet-facing network (eth1 | This controls the main "zones" used by Shorewall. The <span class="code">fw</span> is special in that it defines the firewall itself. The <span class="code">net</span> zone is the Internet-facing network (<span class="code">eth1</span> in this tutorial). The <span class="code">loc</span> is the local network, the internal network of machines the firewall is protecting, which is <span class="code">eth0</span> in this tutorial. Both <span class="code">eth0</span> and <span class="code">eth1</span> are <span class="code">[[ipv4]]</span> networks. | ||
Append two new lines telling shorewall that we have two new <span class="code">ipv4</span> networks that it will use: | |||
< | <syntaxhighlight lang="bash"> | ||
vim /etc/shorewall/zones | vim /etc/shorewall/zones | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang="text"> | ||
net ipv4 | net ipv4 | ||
loc ipv4 | loc ipv4 | ||
</ | </syntaxhighlight> | ||
So that the | So that the <span class="code">zones</span> file looks like: | ||
< | <syntaxhighlight lang="text"> | ||
############################################################################### | ############################################################################### | ||
#ZONE TYPE OPTIONS IN OUT | #ZONE TYPE OPTIONS IN OUT | ||
| Line 115: | Line 58: | ||
net ipv4 | net ipv4 | ||
loc ipv4 | loc ipv4 | ||
</ | </syntaxhighlight> | ||
=== interfaces === | === interfaces === | ||
Just above, we told shorewall that we had two new <span class="code">ipv4</span> networks. In the <span class="code">interfaces</span> configuration file, we link these networks to physical interfaces. | |||
{{note|1=If you plan to [[DHCP on an RPM-based OS|setup a DHCP]] server on your firewall, you will need to specify the <span class="code">dhcp</span> option, as shown here. You can see a full list of options and their uses on Shorewall's <span class="code">[http://www.shorewall.net/manpages/shorewall-interfaces.html interfaces]</span> page.}} | |||
To link the new networks to the physical interfaces, append the following entries; | |||
< | <syntaxhighlight lang="bash"> | ||
vim /etc/shorewall/interfaces | vim /etc/shorewall/interfaces | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang="text"> | ||
loc eth0 dhcp | |||
net eth1 | |||
</ | </syntaxhighlight> | ||
So that the <span class="code">interfaces</span> file looks like: | So that the <span class="code">interfaces</span> file looks like: | ||
< | <syntaxhighlight lang="text"> | ||
############################################################################### | ############################################################################### | ||
FORMAT 2 | ?FORMAT 2 | ||
############################################################################### | ############################################################################### | ||
#ZONE INTERFACE OPTIONS | #ZONE INTERFACE OPTIONS | ||
loc eth0 dhcp | |||
net eth1 | |||
</ | </syntaxhighlight> | ||
=== policy === | === policy === | ||
Here you tell | Here you tell shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about <span class="code">ESTABLISHED</span> and <span class="code">RELATED</span> connections as shorewall handles these rules. The choices are: | ||
* ACCEPT | * <span class="code">ACCEPT</span>; Accept the connection. | ||
* <span class="code">DROP</span>; Ignore the connection request. | |||
* DROP | * <span class="code">REJECT</span>; Return an appropriate error to the connection request. | ||
* REJECT | |||
You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log <span class="code">info</span> level so you can see twits trying to do "bad things(tm)". | You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log <span class="code">info</span> level so you can see twits trying to do "bad things(tm)". The one downside to using <span class="code">info</span> is that it pushes a lot of data into the log files, which might make debugging other issues on the firewall. It's really up to you in the end. | ||
< | Append the following default policies; | ||
<syntaxhighlight lang="bash"> | |||
vim /etc/shorewall/policy | vim /etc/shorewall/policy | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang="text"> | ||
# | # Let everything from the firewall machine out onto the net. | ||
fw net ACCEPT | fw net ACCEPT | ||
# | # Likewise, allow everything from the firewall out onto the local network. | ||
fw loc ACCEPT | fw loc ACCEPT | ||
# | # Don't allow incoming connections from the web into the fireall *or* into the | ||
# local network. Add 'info' here if you want to log failed connection attempts. | |||
net all DROP info | |||
# Don't allow incoming connections from the local network into the firewall. | |||
loc fw DROP | loc fw DROP | ||
# Let | # Let machines on the local network out onto the web | ||
loc net ACCEPT | loc net ACCEPT | ||
</syntaxhighlight> | |||
</ | |||
So that the <span class="code">policy</span> file looks like: | So that the <span class="code">policy</span> file looks like: | ||
< | <syntaxhighlight lang="text"> | ||
############################################################################### | ############################################################################### | ||
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: | #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: | ||
# LEVEL BURST MASK | # LEVEL BURST MASK | ||
# | # Let everything from the firewall machine out onto the net. | ||
fw net ACCEPT | fw net ACCEPT | ||
# | # Likewise, allow everything from the firewall out onto the local network. | ||
fw loc ACCEPT | fw loc ACCEPT | ||
# | # Don't allow incoming connections from the web into the fireall *or* into the | ||
# local network. Add 'info' here if you want to log failed connection attempts. | |||
net all DROP info | |||
# Don't allow incoming connections from the local network into the firewall. | |||
loc fw DROP | loc fw DROP | ||
# Let | # Let machines on the local network out onto the web | ||
loc net ACCEPT | loc net ACCEPT | ||
</syntaxhighlight> | |||
=== rules === | |||
This is really the heart of the firewall. | |||
Here you tell shorewall what the exceptions there are to the default policies. The first rule to match is used. | |||
The example below shows a setup where remote access in to the firewall itself is allowed only on port <span class="code">22000</span> (modified [[SSH]] port). Then two [[Microsoft]] Windows servers are setup. Both servers are internally set to listen for RDP connections on the same default port (<span class="code">3389</span>). To allow for this with just one external IP address, the firewall is told to route incoming connections on port <span class="code">3390</span> to the internal machine at IP <span class="code">10.255.0.11</span> on port <span class="code">3393</span>. Likewise, incoming connections on port <span class="code">3389</span> will be forwarded to directly to <span class="code">10.255.0.10:3389</span>. | |||
We'll also add a couple special rules that tells shorewall to respond to [[ICMP]] ping requests. Some people don't like this as ping sweeps are a quick way for malicious people to find servers on the net. Personally, I find the usefulness of being able to ping my firewall more beneficial. | |||
Append <span class="code">rules</span> so that the it file looks like. | |||
< | <syntaxhighlight lang="bash"> | ||
vim /etc/shorewall/rules | vim /etc/shorewall/rules | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang="text"> | ||
### Rules for data going into the firewall. Consult /etc/services or your local | ### Rules for data going into the firewall. Consult /etc/services or your local | ||
### search engine for ports and protocols used by your favourite programs. | ### search engine for ports and protocols used by your favourite programs. | ||
# Allow SSH connections to the firewall itself. | # Answer ICMP queries | ||
ACCEPT net fw tcp | Ping(ACCEPT) net fw | ||
Ping(ACCEPT) loc fw | |||
# Allow incoming SSH connections to the firewall itself from the web on port | |||
# 22000. Allow incoming SSH connections to the firewall on port 22 and 22000 | |||
# from the local network. | |||
ACCEPT net fw tcp 22000 | |||
ACCEPT loc fw tcp 22 | ACCEPT loc fw tcp 22 | ||
ACCEPT loc fw | ACCEPT loc fw tcp 22000 | ||
# | # Allow incoming connections from the internet to two windows servers listening | ||
# for RDP connections on the same port. This will be handled using different | |||
# external ports using destination network address translation. | |||
# | ACCEPT net loc:10.255.0.10:3389 tcp 3389 | ||
ACCEPT net loc:10.255.0.11:3389 tcp 3390 | |||
</syntaxhighlight> | |||
# | |||
This is a spartan example of what you can do. It's meant to show how you can do matching and non-matching TCP port forwards. With this simple format, you should be able to create all the rules you need to setup your network. | |||
=== masq === | === masq === | ||
This is the file that handles [[MASQ]]erading the | This is the file that handles [[MASQ]]erading the machines on the local LAN (the <span class="code">loc</span> zone). This is how shorewall provides internet access to an entire [[subnet]] of machines on a given network. | ||
So to enable Internet access from your | So to enable Internet access from your machines, you need to add a line with the '''Internet facing interface''' followed by the subnet of the '''local''' network that you will be masquerading. | ||
< | <syntaxhighlight lang="bash"> | ||
vim /etc/shorewall/masq | vim /etc/shorewall/masq | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang="text"> | ||
eth1 10.255.0.0/16 | eth1 10.255.0.0/16 | ||
</ | </syntaxhighlight> | ||
So that the | So that the <span class="code">masq</span> file looks like: | ||
< | <syntaxhighlight lang="text"> | ||
############################################################################### | ################################################################################################################ | ||
#INTERFACE | #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL | ||
# GROUP | # GROUP DEST | ||
eth1 10.255.0.0/16 | eth1 10.255.0.0/16 | ||
</ | </syntaxhighlight> | ||
=== shorewall.conf === | === shorewall.conf === | ||
| Line 293: | Line 210: | ||
Edit <span class="code">/etc/shorewall/shorewall.conf</span> and change the following lines: | Edit <span class="code">/etc/shorewall/shorewall.conf</span> and change the following lines: | ||
< | <syntaxhighlight lang="bash"> | ||
vim /etc/shorewall/shorewall.conf | vim /etc/shorewall/shorewall.conf | ||
</ | </syntaxhighlight> | ||
< | <syntaxhighlight lang="bash"> | ||
STARTUP_ENABLED=No | STARTUP_ENABLED=No | ||
</syntaxhighlight> | |||
</ | |||
To: | To: | ||
< | <syntaxhighlight lang="bash"> | ||
STARTUP_ENABLED=Yes | STARTUP_ENABLED=Yes | ||
</syntaxhighlight> | |||
</ | |||
= Starting the Firewall = | = Starting the Firewall = | ||
| Line 312: | Line 227: | ||
To start the firewall, simply run: | To start the firewall, simply run: | ||
< | <syntaxhighlight lang="bash"> | ||
/etc/init.d/shorewall restart | /etc/init.d/shorewall restart | ||
</ | </syntaxhighlight> | ||
The firewall should now be running. To see the new rules, simply run: | The firewall should now be running. To see the new rules, simply run: | ||
< | <syntaxhighlight lang="bash"> | ||
iptables-save | iptables-save | ||
</ | </syntaxhighlight> | ||
This will print out the actual firewall rules. You will need some experience with <span class="code">iptables</span> to understand all their meaning, but the general flow should be understandable. | This will print out the actual firewall rules. You will need some experience with <span class="code">[[TLUG Talk: Netfilter|iptables]]</span> to understand all their meaning, but the general flow should be understandable. | ||
Lastly, make sure the firewall starts on boot by running: | Lastly, make sure the firewall starts on boot by running: | ||
< | <syntaxhighlight lang="bash"> | ||
chkconfig shorewall on | chkconfig shorewall on | ||
</ | </syntaxhighlight> | ||
== Fixing SELinux Problems == | |||
If you get an error like: | |||
<syntaxhighlight lang="bash"> | |||
/etc/init.d/shorewall start | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
Compiling... | |||
Can't exec "/usr/lib/shorewall/getparams": Permission denied at /usr/share/perl5/Shorewall/Config.pm line 5041. | |||
ERROR: Processing of /etc/shorewall/params failed | |||
</syntaxhighlight> | |||
If we check <span class="code">/var/log/audit/audit.log</span>, we see: | |||
<syntaxhighlight lang="text"> | |||
type=AVC msg=audit(1403851868.309:165): avc: denied { execute_no_trans } for pid=11114 comm="perl" path="/usr/lib/shorewall/getparams" dev=sda3 ino=1705335 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file | |||
</syntaxhighlight> | |||
To fix this, run: | |||
<syntaxhighlight lang="text"> | |||
semanage fcontext -a -t bin_t /usr/lib/shorewall/getparams | |||
restorecon -vF /usr/lib/shorewall/getparams | |||
</syntaxhighlight> | |||
Now <span class="code">shorewall</span> should start properly. | |||
<syntaxhighlight lang="bash"> | |||
/etc/init.d/shorewall start | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
Compiling... | |||
Shorewall configuration compiled to /var/lib/shorewall/.start | |||
Starting Shorewall.... | |||
done. | |||
</syntaxhighlight> | |||
{{footer}} | {{footer}} | ||
Latest revision as of 22:21, 5 May 2015
This covers setup and maintenance of Shorewall 4.5 on Red Hat Enterprise Linux 5.x, 6.x, RHEL derivatives and several recent Fedora releases.
Install
 |
Note: Updated on 2015-05-05 for Shorewall release 4.6.8. |
Install is trivial, we just need to install dependencies and and the latest RPMs.
yum install perl perl-Digest-SHA perl-Digest-SHA1
You can check for the latest version here.
rpm -Uvh http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-core-4.6.8-0base.noarch.rpm \
http://canada.shorewall.net/pub/shorewall/4.6/shorewall-4.6.8/shorewall-4.6.8-0base.noarch.rpm
Done!
Setup
You need to decide which interface will have your internet connection on it and which will connect to your internal network. For this tutorial;
- eth0; Faces the internal network, has the IP 10.255.255.254/16 and provides DHCP services to the LAN.
- eth1; Faces the Internet.
Configuring Shorewall
All configuration files are in the /etc/shorewall directory, unless explicitly defined. The main Shorewall configuration file, which we will edit last is /etc/shorewall/shorewall.conf.
The files to edit are listed in the order we will edit them in the following subsections.
zones
This controls the main "zones" used by Shorewall. The fw is special in that it defines the firewall itself. The net zone is the Internet-facing network (eth1 in this tutorial). The loc is the local network, the internal network of machines the firewall is protecting, which is eth0 in this tutorial. Both eth0 and eth1 are ipv4 networks.
Append two new lines telling shorewall that we have two new ipv4 networks that it will use:
vim /etc/shorewall/zones
net ipv4
loc ipv4
So that the zones file looks like:
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
interfaces
Just above, we told shorewall that we had two new ipv4 networks. In the interfaces configuration file, we link these networks to physical interfaces.
|
Note: If you plan to setup a DHCP server on your firewall, you will need to specify the dhcp option, as shown here. You can see a full list of options and their uses on Shorewall's interfaces page. |
To link the new networks to the physical interfaces, append the following entries;
vim /etc/shorewall/interfaces
loc eth0 dhcp
net eth1
So that the interfaces file looks like:
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
loc eth0 dhcp
net eth1
policy
Here you tell shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about ESTABLISHED and RELATED connections as shorewall handles these rules. The choices are:
- ACCEPT; Accept the connection.
- DROP; Ignore the connection request.
- REJECT; Return an appropriate error to the connection request.
You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log info level so you can see twits trying to do "bad things(tm)". The one downside to using info is that it pushes a lot of data into the log files, which might make debugging other issues on the firewall. It's really up to you in the end.
Append the following default policies;
vim /etc/shorewall/policy
# Let everything from the firewall machine out onto the net.
fw net ACCEPT
# Likewise, allow everything from the firewall out onto the local network.
fw loc ACCEPT
# Don't allow incoming connections from the web into the fireall *or* into the
# local network. Add 'info' here if you want to log failed connection attempts.
net all DROP info
# Don't allow incoming connections from the local network into the firewall.
loc fw DROP
# Let machines on the local network out onto the web
loc net ACCEPT
So that the policy file looks like:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# Let everything from the firewall machine out onto the net.
fw net ACCEPT
# Likewise, allow everything from the firewall out onto the local network.
fw loc ACCEPT
# Don't allow incoming connections from the web into the fireall *or* into the
# local network. Add 'info' here if you want to log failed connection attempts.
net all DROP info
# Don't allow incoming connections from the local network into the firewall.
loc fw DROP
# Let machines on the local network out onto the web
loc net ACCEPT
rules
This is really the heart of the firewall.
Here you tell shorewall what the exceptions there are to the default policies. The first rule to match is used.
The example below shows a setup where remote access in to the firewall itself is allowed only on port 22000 (modified SSH port). Then two Microsoft Windows servers are setup. Both servers are internally set to listen for RDP connections on the same default port (3389). To allow for this with just one external IP address, the firewall is told to route incoming connections on port 3390 to the internal machine at IP 10.255.0.11 on port 3393. Likewise, incoming connections on port 3389 will be forwarded to directly to 10.255.0.10:3389.
We'll also add a couple special rules that tells shorewall to respond to ICMP ping requests. Some people don't like this as ping sweeps are a quick way for malicious people to find servers on the net. Personally, I find the usefulness of being able to ping my firewall more beneficial.
Append rules so that the it file looks like.
vim /etc/shorewall/rules
### Rules for data going into the firewall. Consult /etc/services or your local
### search engine for ports and protocols used by your favourite programs.
# Answer ICMP queries
Ping(ACCEPT) net fw
Ping(ACCEPT) loc fw
# Allow incoming SSH connections to the firewall itself from the web on port
# 22000. Allow incoming SSH connections to the firewall on port 22 and 22000
# from the local network.
ACCEPT net fw tcp 22000
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 22000
# Allow incoming connections from the internet to two windows servers listening
# for RDP connections on the same port. This will be handled using different
# external ports using destination network address translation.
ACCEPT net loc:10.255.0.10:3389 tcp 3389
ACCEPT net loc:10.255.0.11:3389 tcp 3390
This is a spartan example of what you can do. It's meant to show how you can do matching and non-matching TCP port forwards. With this simple format, you should be able to create all the rules you need to setup your network.
masq
This is the file that handles MASQerading the machines on the local LAN (the loc zone). This is how shorewall provides internet access to an entire subnet of machines on a given network.
So to enable Internet access from your machines, you need to add a line with the Internet facing interface followed by the subnet of the local network that you will be masquerading.
vim /etc/shorewall/masq
eth1 10.255.0.0/16
So that the masq file looks like:
################################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
# GROUP DEST
eth1 10.255.0.0/16
shorewall.conf
Once you have the above files in place, you need to enable the firewall.
Edit /etc/shorewall/shorewall.conf and change the following lines:
vim /etc/shorewall/shorewall.conf
STARTUP_ENABLED=No
To:
STARTUP_ENABLED=Yes
Starting the Firewall
To start the firewall, simply run:
/etc/init.d/shorewall restart
The firewall should now be running. To see the new rules, simply run:
iptables-save
This will print out the actual firewall rules. You will need some experience with iptables to understand all their meaning, but the general flow should be understandable.
Lastly, make sure the firewall starts on boot by running:
chkconfig shorewall on
Fixing SELinux Problems
If you get an error like:
/etc/init.d/shorewall start
Compiling...
Can't exec "/usr/lib/shorewall/getparams": Permission denied at /usr/share/perl5/Shorewall/Config.pm line 5041.
ERROR: Processing of /etc/shorewall/params failed
If we check /var/log/audit/audit.log, we see:
type=AVC msg=audit(1403851868.309:165): avc: denied { execute_no_trans } for pid=11114 comm="perl" path="/usr/lib/shorewall/getparams" dev=sda3 ino=1705335 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
To fix this, run:
semanage fcontext -a -t bin_t /usr/lib/shorewall/getparams
restorecon -vF /usr/lib/shorewall/getparams
Now shorewall should start properly.
/etc/init.d/shorewall start
Compiling...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
done.
| Any questions, feedback, advice, complaints or meanderings are welcome. | |||
| Alteeve's Niche! | Enterprise Support: Alteeve Support |
Community Support | |
| © Alteeve's Niche! Inc. 1997-2024 | Anvil! "Intelligent Availability®" Platform | ||
| legal stuff: All info is provided "As-Is". Do not use anything here unless you are willing and able to take responsibility for your own actions. | |||