Shorewall
Latest revision as of 08:07, 4 April 2025
= 2 NIC machine =
In /usr/share/doc/shorewall/examples/two-interfaces make the following edits to the following files and then copy them to /etc/shorewall.
== policy ==
You may want to allow everything from the local network to the machine, everything from the machine to the net, and everything from the machine to the local network. In that case add the following to the policy file:
<pre>
loc fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
</pre>
If it's a router it would look something like:
<pre>
loc net ACCEPT
net all DROP info
fw all ACCEPT
loc all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
</pre>
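Shorewall applies the first policy entry that matches a source/destination zone pair, so the order of these lines decides the outcome, which is why the catch-all must be last. The following Python script is an added example (it is not part of this wiki page or of Shorewall itself, and it assumes the default firewall zone name fw, so $FW and fw are treated as the same zone). It parses a policy file, reports the effective policy for a zone pair, and flags entries that can never match because an earlier, broader entry shadows them:

```python
"""Evaluate a Shorewall policy file with first-match semantics.

Added example for this page, not Shorewall's own code. It assumes the default
firewall zone name 'fw', so $FW is normalised to fw.
"""

# Constructed sample: the router policy from the page.
ROUTER_POLICY = """\
loc net ACCEPT
net all DROP info
fw all ACCEPT
loc all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
"""

# Constructed counter-example: the same entries with the catch-all moved first.
MISORDERED_POLICY = "all all REJECT info\n" + ROUTER_POLICY.replace(
    "all all REJECT info\n", "")


def parse_policy(text, fw_zone="fw"):
    """Return (source, dest, action, log_level) tuples in file order."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, action = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        src = fw_zone if src == "$FW" else src
        dst = fw_zone if dst == "$FW" else dst
        policies.append((src, dst, action.upper(), level))
    return policies


def matches(entry, source, dest):
    """True when the entry covers traffic from source to dest ('all' is a wildcard)."""
    return entry[0] in (source, "all") and entry[1] in (dest, "all")


def effective_policy(policies, source, dest):
    """The first matching entry decides, so file order is significant."""
    for entry in policies:
        if matches(entry, source, dest):
            return entry
    return None


def check_policy(policies):
    """Report entries that can never match because an earlier, broader entry
    already covers them, and a missing or non-final 'all all' catch-all."""
    problems = []
    for i, entry in enumerate(policies):
        for earlier in policies[:i]:
            if matches(earlier, entry[0], entry[1]):
                problems.append(f"entry {i + 1} {entry[:3]} is shadowed by {earlier[:3]}")
                break
    catch_all = [i for i, e in enumerate(policies) if e[0] == e[1] == "all"]
    if not catch_all:
        problems.append("no 'all all' catch-all entry")
    elif catch_all[0] != len(policies) - 1:
        problems.append("'all all' catch-all is not the last entry")
    return problems


def logged_entries(policies):
    """Entries that carry a syslog level; the page notes 'info' gets noisy."""
    return [e for e in policies if e[3]]


if __name__ == "__main__":
    router = parse_policy(ROUTER_POLICY)
    for pair in (("loc", "net"), ("net", "loc"), ("net", "fw"), ("dmz", "loc")):
        print(pair, "->", effective_policy(router, *pair))
    print("router policy problems:", check_policy(router))
    print("misordered policy problems:", check_policy(parse_policy(MISORDERED_POLICY)))
```

With the catch-all moved to the top, every later entry is reported as shadowed and loc to net traffic is rejected instead of accepted, which is the failure the "MUST BE LAST" comment guards against.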
== rules ==
'''Already includes the following'''
Rules like SSH(ACCEPT) are called macros; you can find the macros (and actions) in /usr/share/shorewall/.
<pre>
?SECTION NEW
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
SNMP(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
</pre>
So the following needs to be added:
NOTE: SNMP should only be UDP 161, so it is not certain that the TCP rule is necessary.
<pre>
SNMP(ACCEPT) loc $FW
# Public services
ACCEPT net fw tcp smtp
ACCEPT net fw tcp pop3
# 143 is for IMAP
ACCEPT net fw tcp 143
ACCEPT net fw tcp ssh
FTP/ACCEPT net fw
ACCEPT net fw tcp domain
ACCEPT net fw udp domain
ACCEPT net fw tcp http
ACCEPT net fw tcp https
ACCEPT net fw tcp snmp
ACCEPT net fw udp snmp
</pre>
Also, apt uses port 80, so you want to allow outgoing traffic for that:
<pre>
ACCEPT $FW net tcp http
</pre>
If you don't do this you will see IPv6 addresses appear in the apt-get output.
Other services you may want to enable from the machine outwards:
<pre>
# Things we allow from this machine outward
ACCEPT $FW net tcp https
SSH(ACCEPT) $FW loc
ACCEPT $FW net tcp smtp
</pre>
For X11 forwarding you will need:
<pre>
# X11 forwarding
ACCEPT fw loc tcp x11
ACCEPT fw loc udp x11
</pre>
You may want other machines on the local network to access more services:
<pre>
# Things we accept over the local network
FTP/ACCEPT loc $FW
ACCEPT loc $FW tcp http
</pre>
== interfaces ==
If you have multiple IP addresses bound to a single NIC, then to allow traffic to flow up and down that NIC you have to add the option
<pre>
routeback
</pre>
after the NIC entry.
== the rest ==
Just copy the following files to /etc/shorewall/:
<pre>
masq
routestopped
zones
</pre>
== /etc/default/shorewall ==
<pre>
startup=1
</pre>
= To get NFS working =
On the nfs-kernel-server machine, edit your /etc/shorewall/rules file like this:
<pre>
# Permit NFS
ACCEPT net $FW tcp 111
ACCEPT net $FW udp 111
ACCEPT net $FW udp 2049
ACCEPT net $FW tcp 2049
ACCEPT net $FW tcp 32765:32767
ACCEPT net $FW udp 32765:32767
</pre>
On the nfs-common machine:
<pre>
# Permit NFS
ACCEPT $FW loc tcp 111
ACCEPT $FW loc udp 111
ACCEPT $FW loc udp 2049
ACCEPT $FW loc tcp 2049
ACCEPT $FW loc tcp 32765:32767
ACCEPT $FW loc udp 32765:32767
</pre>
/etc/default/nfs-common:
<pre>
STATDOPTS="-p 32765 -o 32766"
</pre>
/etc/default/nfs-kernel-server:
<pre>
RPCMOUNTDOPTS="-p 32767"
</pre>
Make sure your /etc/services contains the following:
<pre>
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
</pre>
== old system ==
The change to /etc/services isn't necessary at all. It just helps produce a nice (sensible) output from netstat -tl on the NFS server.
<pre>
# /etc/services
# NFS ports as per the NFS-HOWTO
# http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
# Listing here does not mean they will bind to these ports.
rpc.nfsd 2049/tcp # RPC nfsd
rpc.nfsd 2049/udp # RPC nfsd
rpc.statd-bc 32765/tcp # RPC statd broadcast
rpc.statd-bc 32765/udp # RPC statd broadcast
rpc.statd 32766/tcp # RPC statd listen
rpc.statd 32766/udp # RPC statd listen
rpc.mountd 32767/tcp # RPC mountd
rpc.mountd 32767/udp # RPC mountd
rpc.lockd 32768/tcp # RPC lockd/nlockmgr
rpc.lockd 32768/udp # RPC lockd/nlockmgr
rpc.quotad 32769/tcp # RPC quotad
rpc.quotad 32769/udp # RPC quotad
</pre>
/etc/default/quota:
<pre>
RPCRQUOTADOPTS="-p 32769"
</pre>
You can check which ports are being used with
<pre>
rpcinfo -p
</pre>
= Shorewall6 =
http://www.shorewall.net/IPv6Support.html
Shorewall6 is the IPv6 version of Shorewall. To get it working you need to do the above steps and also set, in /etc/shorewall/shorewall.conf:
<pre>
DISABLE_IPV6=No
TC_ENABLED=Internal
</pre>
and in /etc/shorewall6/shorewall.conf:
<pre>
TC_ENABLED=No
</pre>
Test using
<pre>
ip6tables -L
</pre>
= Single NIC Machine =
NOTE: SNMP should only be UDP 161, so it is not certain that the TCP rule is necessary.
== /etc/default/shorewall ==
Set:
<pre>
startup=1
</pre>
In /usr/share/doc/shorewall-common/default-config make the following edits to the following files and then copy them to /etc/shorewall.
== interfaces ==
<pre>
net eth1 82.94.91.79
</pre>
== modules ==
(no edits)
== policy ==
<pre>
fw net ACCEPT
net all DROP info
all all REJECT info
</pre>
NB: to drop logging, get rid of the 'info' and replace it with 'crit' or 'err', or get rid of it entirely.
== rules ==
<pre>
?SECTION NEW
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
# My rules
SSH(ACCEPT) net $FW
DNS(ACCEPT) net $FW
FTP(ACCEPT) net $FW
HTTP(ACCEPT) net $FW
HTTPS(ACCEPT) net $FW
# email server
POP3(ACCEPT) net $FW
POP3S(ACCEPT) net $FW
IMAP(ACCEPT) net $FW
IMAPS(ACCEPT) net $FW
SMTP(ACCEPT) net $FW
MSA(ACCEPT) net $FW
#MSA is also known as submission
SMTPS(ACCEPT) net $FW
#SMTPS is also known as submissions and also covers ssmtp and urd
# Seafile rules
#ACCEPT net fw tcp 8000
#ACCEPT net fw tcp 8082
#ACCEPT net fw tcp 10001
#ACCEPT net fw tcp 12001
#ACCEPT net fw tcp 9001
# Tilaa saying we have an sql server
DROP all all udp 1434
DROP all all tcp 1433
</pre>
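The rules above, the 2 NIC rules earlier on the page and the NFS rules all mix macros, service names, numeric ports and low:high ranges, so it is easy to lose track of what is actually reachable from the net zone. The following Python script is an added example, not this wiki's or Shorewall's own code: it parses a rules file in the syntax used on this page, expands macros through a simplified table (an assumption; the real definitions are the macro.* files under /usr/share/shorewall/), resolves service names and port ranges, and lists what is accepted from one zone to another in first-match order. The sample rules are constructed from this page's single-NIC rules plus the NFS entries:

```python
"""Audit which ports a Shorewall rules file exposes between two zones.

Added example for this page, not Shorewall's own code. MACROS and SERVICES are
simplified assumptions (the real definitions are the macro.* files under
/usr/share/shorewall/ and /etc/services); $FW is assumed to be the zone 'fw'.
"""
import re
import socket

# Simplified macro table (assumption): macro name -> (proto, port) pairs.
MACROS = {"SSH": [("tcp", 22)], "DNS": [("tcp", 53), ("udp", 53)],
          "FTP": [("tcp", 21)], "HTTP": [("tcp", 80)], "HTTPS": [("tcp", 443)],
          "SMTP": [("tcp", 25)], "MSA": [("tcp", 587)], "SMTPS": [("tcp", 465)],
          "SNMP": [("udp", 161), ("tcp", 161)], "Ping": [("icmp", 8)]}
# Service names used on the page (assumption); others come from /etc/services.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "pop3": 110,
            "snmp": 161, "https": 443, "x11": 6000}
# Both macro spellings used on the page: SSH(ACCEPT) and the older FTP/ACCEPT.
MACRO_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\(([A-Za-z]+)\)|/([A-Za-z]+))$")

# Constructed sample: the single-NIC rules above, trimmed, plus the NFS rules.
SAMPLE_RULES = """\
?SECTION NEW
Ping(DROP) net $FW
ACCEPT $FW net icmp
SSH(ACCEPT) net $FW
DNS(ACCEPT) net $FW
FTP/ACCEPT net $FW
SMTP(ACCEPT) net $FW
MSA(ACCEPT) net $FW
# Permit NFS
ACCEPT net $FW tcp 2049
ACCEPT net $FW tcp 32765:32767
ACCEPT net $FW udp 32765:32767
DROP all all udp 1434
DROP all all tcp 1433
"""


def resolve_port(token, proto):
    """'2049', 'smtp' or '32765:32767' -> inclusive (low, high) port range."""
    if ":" in token:
        lo, hi = token.split(":", 1)
        return int(lo), int(hi)
    if token.isdigit():
        return int(token), int(token)
    if token in SERVICES:
        return SERVICES[token], SERVICES[token]
    try:
        return (socket.getservbyname(token, proto),) * 2
    except OSError as exc:
        raise ValueError(f"unknown service name {token!r}") from exc


def parse_rules(text, fw_zone="fw"):
    """Return (entries, unresolved). Entries are (action, src, dst, proto, low, high)
    in file order, low/high None meaning any port; unresolved collects macro
    rules the table cannot expand, such as Invalid(DROP)."""
    entries, unresolved = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):    # blank, comment or ?SECTION
            continue
        f = [fw_zone if x == "$FW" else x for x in line.split()]
        if len(f) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        m = MACRO_RE.match(f[0])
        if m:                                    # macro invocation
            macro, action = m.group(1), (m.group(2) or m.group(3)).upper()
            if macro not in MACROS:
                unresolved.append(line)
                continue
            for proto, port in MACROS[macro]:
                entries.append((action, f[1], f[2], proto, port, port))
        elif len(f) < 5:                         # no port column: any port
            proto = f[3].lower() if len(f) == 4 else "all"
            entries.append((f[0].upper(), f[1], f[2], proto, None, None))
        else:                                    # explicit proto and port list
            for token in f[4].split(","):
                lo, hi = resolve_port(token, f[3].lower())
                entries.append((f[0].upper(), f[1], f[2], f[3].lower(), lo, hi))
    return entries, unresolved


def exposed(entries, source="net", dest="fw"):
    """Map (proto, low, high) -> the action of the first rule matching
    source->dest, honouring 'all' zones and Shorewall's first-match order."""
    result = {}
    for action, src, dst, proto, lo, hi in entries:
        if src in (source, "all") and dst in (dest, "all"):
            result.setdefault((proto, lo, hi), action)
    return result


def accepted_ports(entries, source="net", dest="fw"):
    """Sorted 'proto/port' strings the rules ACCEPT from source to dest."""
    keys = [k for k, a in exposed(entries, source, dest).items() if a == "ACCEPT"]
    keys.sort(key=lambda k: (k[0], -1 if k[1] is None else k[1]))
    return [f"{p}/any" if lo is None else f"{p}/{lo}" if lo == hi else f"{p}/{lo}:{hi}"
            for p, lo, hi in keys]
```

Running accepted_ports on the sample gives the list of services open from net to the firewall straight from the source file; comparing that with what iptables -L net-fw -n -v shows in the testing section is a quick way to catch a rule that was edited but never compiled in. Anything reported in unresolved (for instance Invalid(DROP) from the 2 NIC rules) has to be checked by hand.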
== start ==
<pre>
dmesg -n5
</pre>
== zones ==
<pre>
net ipv4
</pre>
This line goes above the "fw firewall" line.
= testing =
shorewall check
shorewall dump
shorewall hits (-t = today)
shorewall show
iptables -L chain -n -v (for example iptables -L net-fw -n -v) <--- this one is very useful. Macros show as separate lines; ACCEPT rules show as multiport dports with the macro description of the ports behind them.
shorewall show nat
shorewall status
shorewall open all 127.0.0.1 tcp 22 (opens ssh)
shorewall close all 127.0.0.1 tcp 22 (closes it again)