Shorewall: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
No edit summary
 
(22 intermediate revisions by one other user not shown)
Line 1: Line 1:
= 2 NIC machine =
In /usr/share/doc/shorewall/examples/two-interfaces
make the following edits to the following files and then copy them to /etc/shorewall
== policy ==
You may want to allow everything from the local network to the machine and everything from the machine to the net, as well as everything from the machine to the local network in that case add the following to the policy file:
<pre>
<pre>
/etc/default/shorewall
loc            fw              ACCEPT
Set startup=1
fw              net            ACCEPT
fw              loc            ACCEPT
</pre>
 
If it's a router it would look something like:
<pre>
loc            net            ACCEPT
net            all            DROP            info
fw              all            ACCEPT
loc            all            ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all            all            REJECT          info
</pre>
 
== rules ==
'''Allready includes the following'''
<pre>
?SECTION NEW


In /usr/share/doc/shorewall-common/default-config
#      Don't allow connection pickup from the net
make the following edits to the following files and then copy them to /etc/shorewall
#
Invalid(DROP)  net            all
#
#      Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)    $FW            net
#
#      Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    loc            $FW
SNMP(ACCEPT)    loc            $FW
#
#      Allow Ping from the local network
#
Ping(ACCEPT)    loc            $FW


interfaces
#
net     eth1    82.94.91.79
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#


modules
Ping(DROP)     net            $FW
(no edits)


policy
ACCEPT          $FW            loc            icmp
fw      net     ACCEPT
ACCEPT          $FW            net             icmp
net    all    DROP    info
#
all    all    REJECT  info
</pre>


NB to drop logging, get rid of the 'info' and replace it with 'crit' or 'err' or get rid of it entirely
So the following needs to be added:
NOTE: snmp should only be udp 161, so not sure if tcp is necessary


rules
<pre>
(under SECTION NEW)
SNMP(ACCEPT)   loc            $FW
# Public services
ACCEPT  net    fw      tcp    smtp
ACCEPT  net    fw      tcp    smtp
ACCEPT  net    fw      tcp    pop3
ACCEPT  net    fw      tcp    pop3
# 143 is for IMAP
ACCEPT  net    fw      tcp    143
ACCEPT  net    fw      tcp    ssh
ACCEPT  net    fw      tcp    ssh
FTP/ACCEPT      net    fw
FTP/ACCEPT      net    fw
ACCEPT  net    fw      tcp    domain
ACCEPT  net    fw      tcp    domain
ACCEPT  net    fw      udp    domain
ACCEPT  net    fw      udp    domain
ACCEPT  fw    net    udp    domain
ACCEPT  net    fw      tcp    http
ACCEPT  net    fw      tcp    http
ACCEPT  fw    net    tcp    http
ACCEPT  net    fw      tcp    https
ACCEPT  net    fw      tcp    https
ACCEPT  net    fw      tcp    snmp
ACCEPT  net    fw      tcp    snmp
ACCEPT  fw    net    tcp    snmp
ACCEPT  net    fw      udp    snmp
ACCEPT  net    fw      udp    snmp
ACCEPT   fw     net    udp     snmp
</pre>
ACCEPT  net    fw      tcp    143
 
ACCEPT  net    fw      udp     143
Also, apt uses port 80, so you want to allow outgoing traffic for that:
<pre>
ACCEPT $FW     net    tcp     http
</pre>
If you don't do this then you will see ipv6 adresses appear in apt-get
 
Other services you may want to enable from the machine outwards:
<pre>
# Things we allow from this machine outward
ACCEPT  $FW    net    tcp    https
SSH(ACCEPT)    $FW    loc
ACCEPT  $FW    net    tcp    smtp
</pre>
 
For X11 forwarding you will need:
<pre>
# X11 forwarding
ACCEPT  fw    loc    tcp    x11
ACCEPT  fw     loc    udp    x11
</pre>
 
You may want other machines on the local network to access more services:
<pre>
# Things we accept over the local network
FTP/ACCEPT     loc    $FW
ACCEPT  loc    $FW    tcp     http
</pre>
 
== interfaces ==


start
If you have multiple ip addresses bound to a single NIC, in order to allow traffic to flow up and down that NIC, you have to add the option
dmesg -n5
<pre>
routeback
</pre>
behind the nic.


== the rest ==
just copy the following files to /etc/shorewall/:
<pre>
masq
routestopped
zones
zones
net    ipv4
(above fw      firewall)
</pre>
</pre>


== /etc/default/shorewall ==
<pre>
startup=1
</pre>


'''To get NFS working'''
= To get NFS working =
----
 
On both machines


On nfs-kernel-server machine:
Edit your /etc/shorewall/rules file like this:
Edit your /etc/shorewall/rules file like this:
<pre>
  # Permit NFS
  # Permit NFS
  ACCEPT net $FW tcp 111
  ACCEPT net $FW tcp 111
Line 60: Line 135:
  ACCEPT net $FW tcp 32765:32767
  ACCEPT net $FW tcp 32765:32767
  ACCEPT net $FW udp 32765:32767
  ACCEPT net $FW udp 32765:32767
</pre>
On nfs-common machine:
<pre>
# Permit NFS
ACCEPT $FW loc tcp 111
ACCEPT $FW loc udp 111
ACCEPT $FW loc udp 2049
ACCEPT $FW loc tcp 2049
ACCEPT $FW loc tcp 32765:32767
ACCEPT $FW loc udp 32765:32767
</pre>


/etc/default/nfs-common:
/etc/default/nfs-common:
 
<pre>
  STATDOPTS="-p 32765 -o 32766"
  STATDOPTS="-p 32765 -o 32766"
</pre>
/etc/default/nfs-kernel-server:
<pre>
RPCMOUNTDOPTS="-p 32767"
</pre>


/etc/default/nfs-kernel-server:
Make sure in your /etc/services you have the following
<pre>
nfs    2049/tcp    # Network File System nfs     2049/udp    # Network File System
</pre>


RPCMOUNTDOPTS="-p 32767"


== old system ==
The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl  on the NFS server.
The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl  on the NFS server.
 
<pre>
  # /etc/services
  # /etc/services
  # NFS ports as per the NFS-HOWTO
  # NFS ports as per the NFS-HOWTO
Line 87: Line 181:
  rpc.quotad      32769/tcp                      # RPC quotad
  rpc.quotad      32769/tcp                      # RPC quotad
  rpc.quotad      32769/udp                      # RPC quotad
  rpc.quotad      32769/udp                      # RPC quotad
 
</pre>
/etc/default/quota
/etc/default/quota
<pre>
  RPCRQUOTADOPTS="-p 32769"
  RPCRQUOTADOPTS="-p 32769"
</pre>
You can check which ports are being used with
<pre>
rpcinfo -p
</pre>
= Shorewall6 =
http://www.shorewall.net/IPv6Support.html
Shorewall6 is the ipv6 version of shorewall. To get it working you need to do above steps and also:
in /etc/shorewall/shorewall.conf
<pre>
DISABLE_IPV6=No
TC_ENABLED=Internal
</pre>
/etc/shorewall6/shorewall.conf
<pre>
TC_ENABLED=No
</pre>
test using
<pre>
ip6tables -L
</pre>
= Single NIC Machine =
NOTE: snmp should only be udp 161, so not sure if tcp is necessary
<pre>
/etc/default/shorewall
Set startup=1


You can check which ports are being used with
In /usr/share/doc/shorewall-common/default-config
make the following edits to the following files and then copy them to /etc/shorewall
 
interfaces
net    eth1    82.94.91.79
 
modules
(no edits)
 
policy
fw      net    ACCEPT
net    all    DROP    info
all    all    REJECT  info
 
NB to drop logging, get rid of the 'info' and replace it with 'crit' or 'err' or get rid of it entirely
 
rules
(under SECTION NEW)
ACCEPT  net    fw      tcp    smtp
ACCEPT  net    fw      tcp    pop3
ACCEPT  net    fw      tcp    ssh
FTP/ACCEPT      net    fw
ACCEPT  net    fw      tcp    domain
ACCEPT  net    fw      udp    domain
ACCEPT  fw    net    udp    domain
ACCEPT  net    fw      tcp    http
ACCEPT  fw    net    tcp    http
ACCEPT  net    fw      tcp    https
ACCEPT  net    fw      tcp    snmp
ACCEPT  fw    net    tcp    snmp
ACCEPT  net    fw      udp    snmp
ACCEPT  fw    net    udp    snmp
ACCEPT  net    fw      tcp    143
ACCEPT  net    fw      udp    143
 
start
dmesg -n5
 
zones
net    ipv4
(above fw      firewall)
</pre>


rpcinfo -p
= testing =
shorewall check

Latest revision as of 18:43, 30 May 2022

2 NIC machine

In /usr/share/doc/shorewall/examples/two-interfaces make the following edits to the following files and then copy them to /etc/shorewall

policy

You may want to allow everything from the local network to the machine and everything from the machine to the net, as well as everything from the machine to the local network in that case add the following to the policy file:

loc             fw              ACCEPT
fw              net             ACCEPT
fw              loc             ACCEPT

If it's a router it would look something like:

loc             net             ACCEPT
net             all             DROP            info
fw              all             ACCEPT
loc             all             ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

rules

Allready includes the following

?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)   net             all
#
#       Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)     $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH(ACCEPT)     loc             $FW
SNMP(ACCEPT)    loc             $FW
#
#       Allow Ping from the local network
#
Ping(ACCEPT)    loc             $FW

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP)      net             $FW

ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
#

So the following needs to be added: NOTE: snmp should only be udp 161, so not sure if tcp is necessary

SNMP(ACCEPT)    loc             $FW
# Public services
ACCEPT   net    fw      tcp     smtp
ACCEPT   net    fw      tcp     pop3
# 143 is for IMAP
ACCEPT  net     fw      tcp     143
ACCEPT   net    fw      tcp     ssh
FTP/ACCEPT      net     fw
ACCEPT   net    fw      tcp     domain
ACCEPT   net    fw      udp     domain
ACCEPT   net    fw      tcp     http
ACCEPT   net    fw      tcp     https
ACCEPT   net    fw      tcp     snmp
ACCEPT   net    fw      udp     snmp

Also, apt uses port 80, so you want to allow outgoing traffic for that:

ACCEPT  $FW     net     tcp     http

If you don't do this then you will see ipv6 adresses appear in apt-get

Other services you may want to enable from the machine outwards:

# Things we allow from this machine outward
ACCEPT  $FW     net     tcp     https
SSH(ACCEPT)     $FW     loc
ACCEPT  $FW     net     tcp     smtp

For X11 forwarding you will need:

# X11 forwarding
ACCEPT   fw     loc     tcp     x11
ACCEPT   fw     loc     udp     x11

You may want other machines on the local network to access more services:

# Things we accept over the local network
FTP/ACCEPT      loc     $FW
ACCEPT  loc     $FW     tcp     http

interfaces

If you have multiple ip addresses bound to a single NIC, in order to allow traffic to flow up and down that NIC, you have to add the option

routeback

behind the nic.

the rest

just copy the following files to /etc/shorewall/:

masq
routestopped
zones

/etc/default/shorewall

startup=1

To get NFS working

On nfs-kernel-server machine: Edit your /etc/shorewall/rules file like this:

 # Permit NFS
 ACCEPT net $FW tcp 111
 ACCEPT net $FW udp 111
 ACCEPT net $FW udp 2049
 ACCEPT net $FW tcp 2049
 ACCEPT net $FW tcp 32765:32767
 ACCEPT net $FW udp 32765:32767

On nfs-common machine:

# Permit NFS
ACCEPT $FW loc tcp 111
ACCEPT $FW loc udp 111
ACCEPT $FW loc udp 2049
ACCEPT $FW loc tcp 2049
ACCEPT $FW loc tcp 32765:32767
ACCEPT $FW loc udp 32765:32767

/etc/default/nfs-common:

 STATDOPTS="-p 32765 -o 32766"

/etc/default/nfs-kernel-server:

 RPCMOUNTDOPTS="-p 32767"

Make sure in your /etc/services you have the following

 nfs     2049/tcp    # Network File System nfs     2049/udp    # Network File System


old system

The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl on the NFS server.

 # /etc/services
 # NFS ports as per the NFS-HOWTO
 # http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
 # Listing here does not mean they will bind to these ports. 
 rpc.nfsd        2049/tcp                        # RPC nfsd
 rpc.nfsd        2049/udp                        # RPC nfsd
 rpc.statd-bc    32765/tcp                       # RPC statd broadcast
 rpc.statd-bc    32765/udp                       # RPC statd broadcast
 rpc.statd       32766/tcp                       # RPC statd listen
 rpc.statd       32766/udp                       # RPC statd listen
 rpc.mountd      32767/tcp                       # RPC mountd
 rpc.mountd      32767/udp                       # RPC mountd
 rcp.lockd       32768/tcp                       # RPC lockd/nlockmgr
 rcp.lockd       32768/udp                       # RPC lockd/nlockmgr
 rpc.quotad      32769/tcp                       # RPC quotad
 rpc.quotad      32769/udp                       # RPC quotad

/etc/default/quota

 RPCRQUOTADOPTS="-p 32769"

You can check which ports are being used with

rpcinfo -p

Shorewall6

http://www.shorewall.net/IPv6Support.html

Shorewall6 is the ipv6 version of shorewall. To get it working you need to do above steps and also:

in /etc/shorewall/shorewall.conf

DISABLE_IPV6=No
TC_ENABLED=Internal

/etc/shorewall6/shorewall.conf

TC_ENABLED=No

test using

ip6tables -L

Single NIC Machine

NOTE: snmp should only be udp 161, so not sure if tcp is necessary

/etc/default/shorewall
Set startup=1

In /usr/share/doc/shorewall-common/default-config
make the following edits to the following files and then copy them to /etc/shorewall

interfaces
net     eth1    82.94.91.79

modules
(no edits)

policy
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

NB to drop logging, get rid of the 'info' and replace it with 'crit' or 'err' or get rid of it entirely

rules
(under SECTION NEW)
ACCEPT   net    fw      tcp     smtp
ACCEPT   net    fw      tcp     pop3
ACCEPT   net    fw      tcp     ssh
FTP/ACCEPT      net     fw
ACCEPT   net    fw      tcp     domain
ACCEPT   net    fw      udp     domain
ACCEPT   fw     net     udp     domain
ACCEPT   net    fw      tcp     http
ACCEPT   fw     net     tcp     http
ACCEPT   net    fw      tcp     https
ACCEPT   net    fw      tcp     snmp
ACCEPT   fw     net     tcp     snmp
ACCEPT   net    fw      udp     snmp
ACCEPT   fw     net     udp     snmp
ACCEPT  net     fw      tcp     143
ACCEPT  net     fw      udp     143

start
dmesg -n5

zones
net     ipv4
(above fw      firewall)

testing

shorewall check