Shorewall on RPM-based Servers: Difference between revisions
| Line 10: | Line 10: | ||
<source lang="bash"> | <source lang="bash"> | ||
wget -c http://canada.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/shorewall-4.4.27- | wget -c http://canada.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/shorewall-4.4.27-3.noarch.rpm | ||
rpm -Uvh shorewall-4.4.27- | rpm -Uvh shorewall-4.4.27-3.noarch.rpm | ||
</source> | </source> | ||
Revision as of 20:38, 2 February 2012
This covers setup and maintenance of Shorewall 4.4 on Red Hat Enterprise Linux 5.x, 6.x, RHEL derivatives and several recent Fedora releases.
Install
 |
Note: Previously, RPMs where available but they seem to no longer we maintained. Thus, this section has changed to install from the tarball. |
First, download the latest version of Shorewall. You can find the latest version here.
wget -c http://canada.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/shorewall-4.4.27-3.noarch.rpm
rpm -Uvh shorewall-4.4.27-3.noarch.rpm
Done!
Setup
Public IP Address Range
If you have multiple public IP addresses, make sure your Internet facing ethernet device, eth1 in our case, has all of those public IPs assigned to it. Do this by:
- Copying the ifcfg-eth0 to ifcfg-eth0:x where x is a number, starting at 0, with the next public IP in the pool.
- In each ifcfg-eth0:x file:
- Add :x to DEVICE=eth1, for example DEVICE=eth1:0 in the ifcfg-eth0:0 file.
- Change the IP address in the IPADDR= line. For example, 208.67.144.34.
- Comment out the GATEWAY= line.
Here is an example showing what an ifcfg-eth0 and it's corresponding ifcfg-eth0:0 alias might look like:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:16:36:71:84:2F
ONBOOT=yes
IPADDR=192.168.1.253
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
DNS1=192.139.81.117
DNS2=192.139.81.1
vim /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
HWADDR=00:16:36:71:84:2F
ONBOOT=yes
IPADDR=206.108.5.129
NETMASK=255.255.255.255
When done, simply restart networking:
/etc/init.d/network restart
Or manually bring up each device with:
ifup eth0:x
Setting x to the number of each alias device you are starting. If you are connected over ssh, using ifup is recommended as you are less likely to lose your ssh session.
Configuring Shorewall
All configuration files are in the following directory, unless explicitly defined:
/etc/shorewall
The main Shorewall configuration file, which we will edit last is /etc/shorewall/shorewall.conf. </source>
The files to edit are listed in the order we will edit them in the following subsections.
zones
This controls the main "zones" used by Shorewall. The fw is special in that it defines the firewall itself. The net zone is the Internet-facing network (eth1 on the firewall). The loc is the local network, the virtual machine network on eth0.
Add:
vim /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
So that the 'zones' file looks like:
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
interfaces
Here you tell Shorewall which network zones are on which interfaces.
Add:
vim /etc/shorewall/interfaces
net eth0 detect
loc eth1 detect dhcp
|
Note: If you plan to setup a DHCP server on your firewall, you will need to specify the dhcp option, as shown here. You can see a full list of options and their uses on Shorewall's interfaces page. |
So that the interfaces file looks like:
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect dhcp
policy
Here you tell Shorewall what the default policy is for each network when receiving new connection requests. You don't need to worry about ESTABLISHED and RELATED connections as Shorewall handles these rules. The choices are:
- ACCEPT
- Accept the connection.
- DROP
- Ignore the connection request.
- REJECT
- Return an appropriate error to the connection request.
You can also set the log level for connection requests that fall off the chain and hit these policies. It's a good idea to log info level so you can see twits trying to do "bad things(tm)".
vim /etc/shorewall/policy
### These are the default policies;
# This allows the firewall out onto the Internet
fw net ACCEPT
# Anything from the firewall to local machines is default ACCEPTed.
fw loc ACCEPT
# Protect the firewall from compromised machines by default DROPing packets.
loc fw DROP
# Let anything from the local network out onto the Internet.
loc net ACCEPT
# DROP and log anything else.
net all DROP info
So that the policy file looks like:
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
### These are the default policies;
# This allows the firewall out onto the Internet
fw net ACCEPT
# Anything from the firewall to local machines is default ACCEPTed.
fw loc ACCEPT
# Protect the firewall from compromised machines by default DROPing packets.
loc fw DROP
# Let anything from the local network out onto the Internet.
loc net ACCEPT
# DROP and log anything else.
net all DROP info
rules
Here you tell Shorewall what the exceptions are to the default policies. The first rule to match is used. This is really the heart of the firewall.
The example below shows a setup where remote access in to the firewall itself is allowed only on port 22869 (modified SSH port). Then two Microsoft Windows servers are setup. Both servers are internally set to listen for RDP connections on the same default port (3389). To allow for this with just one external IP address, the firewall is told to route incoming connections on port 3394 to the internal machine at IP 10.254.0.11 on port 3393. Likewise, incoming connections on port 3393 will be forwarded to 10.254.0.10:3393. A few other ports are opened for various services as further examples.
Edit rules so that the it file looks like.
vim /etc/shorewall/rules
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
### Rules for data going into the firewall. Consult /etc/services or your local
### search engine for ports and protocols used by your favourite programs.
# Allow SSH connections to the firewall itself.
ACCEPT net fw tcp 22
# Allow SSH and DHCP requests from the VMs into the firewall.
ACCEPT loc fw tcp 22
ACCEPT loc fw udp 67,68
### Forwards using DNAT
## Internet into 'vm0002_c6_ws1' (webserver)
#DNAT <src> loc:<ip>:<srv_port> tcp <ext_port>
# Windows RDP Forwards
DNAT net loc:10.254.0.10:3393 tcp 3393
DNAT net loc:10.254.0.11:3393 tcp 3394
# SSH forward to firewall and internal nodes.
DNAT net loc:10.255.255.254:22 tcp 22869
DNAT net loc:10.255.0.1:22 tcp 22001
DNAT net loc:10.255.0.2:22 tcp 22002
DNAT net loc:10.255.0.3:22 tcp 22003
DNAT net loc:10.255.0.4:22 tcp 22004
DNAT net loc:10.255.0.5:22 tcp 22005
DNAT net loc:10.255.0.6:22 tcp 22006
DNAT net loc:10.255.0.7:22 tcp 22007
masq
This is the file that handles MASQerading the virtual machine LAN (the loc zone). Even though there may be several public IP addresses, they are not SNATed to hosts but instead used as a pool of addresses to do Port Forward/DNATing on.
So to enable Internet access from your servers, you need to add a line with the Internet facing interface followed by the subnet that you will be MASQing.
vim /etc/shorewall/masq
eth1 10.255.0.0/16
So that the 'rules' file looks like:
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth1 10.255.0.0/16
shorewall.conf
Once you have the above files in place, you need to enable the firewall.
Edit /etc/shorewall/shorewall.conf and change the following lines:
vim /etc/shorewall/shorewall.conf
STARTUP_ENABLED=No
LOGFILE=/var/log/messages
To:
STARTUP_ENABLED=Yes
LOGFILE=/var/log/shorewall
Starting the Firewall
To start the firewall, simply run:
/etc/init.d/shorewall restart
The firewall should now be running. To see the new rules, simply run:
iptables-save
This will print out the actual firewall rules. You will need some experience with iptables to understand all their meaning, but the general flow should be understandable.
Lastly, make sure the firewall starts on boot by running:
chkconfig shorewall on
| Any questions, feedback, advice, complaints or meanderings are welcome. | |||
| Alteeve's Niche! | Enterprise Support: Alteeve Support |
Community Support | |
| © Alteeve's Niche! Inc. 1997-2024 | Anvil! "Intelligent Availability®" Platform | ||
| legal stuff: All info is provided "As-Is". Do not use anything here unless you are willing and able to take responsibility for your own actions. | |||