Shorewall: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
Line 132: Line 132:
so in /etc/network/interfaces add something like
so in /etc/network/interfaces add something like
<pre>
<pre>
iface eth0 inet6 static
auto tun6to4
iface tun6to4 inet6 v4tunnel
         address 2002:bccc:8cd7::1
         address 2002:bccc:8cd7::1
         netmask 64
         netmask 16
        gateway ::188.204.140.193
 
        endpoint any
        local 188.204.140.215
</pre>
</pre>
underneath your ipv4 network interfaces. NOTE: Notice the '1' at the end! (see also 3.2.4.2 in http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html)
underneath your ipv4 network interfaces. NOTE: Notice the '1' at the end! (see also 3.2.4.2 in http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html)
Now we need to bring up a ipv6 to ipv4 tunnel http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html:
<pre>
ip tunnel add tun6to4 mode sit ttl 255 remote any local 188.204.140.215
ip link set dev tun6to4 up
ip -6 addr add 2002:bccc:8cd7::1/16 dev tun6to4
ip -6 route add 2000::/3 via ::188.204.140.193 dev tun6to4 metric 1
</pre>


which we can test with:
which we can test with:
<pre>
<pre>
ip -6 tunnel show tun6to4
ping6 ipv6.google.com
ping6 ipv6.google.com
</pre>
</pre>

Revision as of 13:07, 13 May 2013

2 NIC machine

In /usr/share/doc/shorewall/examples/two-interfaces make the following edits to the following files and then copy them to /etc/shorewall

rules

SNMP(ACCEPT)    loc             $FW
# Public services
ACCEPT   net    fw      tcp     smtp
ACCEPT   net    fw      tcp     pop3
# 143 is for IMAP
ACCEPT  net     fw      tcp     143
ACCEPT   net    fw      tcp     ssh
FTP/ACCEPT      net     fw
ACCEPT   net    fw      tcp     domain
ACCEPT   net    fw      udp     domain
ACCEPT   net    fw      tcp     http
ACCEPT   net    fw      tcp     https
ACCEPT   net    fw      tcp     snmp
ACCEPT   net    fw      udp     snmp
# X11 forwarding
ACCEPT   fw     loc     tcp     x11
ACCEPT   fw     loc     udp     x11

just copy the following files to /etc/shorewall/:

interfaces
masq
policy
routestopped
zones

/etc/default/shorewall

startup=1

To get NFS working

On nfs-kernel-server machine: Edit your /etc/shorewall/rules file like this:

 # Permit NFS
 ACCEPT net $FW tcp 111
 ACCEPT net $FW udp 111
 ACCEPT net $FW udp 2049
 ACCEPT net $FW tcp 2049
 ACCEPT net $FW tcp 32765:32767
 ACCEPT net $FW udp 32765:32767

On nfs-common machine:

# Permit NFS
ACCEPT $FW loc tcp 111
ACCEPT $FW loc udp 111
ACCEPT $FW loc udp 2049
ACCEPT $FW loc tcp 2049
ACCEPT $FW loc tcp 32765:32767
ACCEPT $FW loc udp 32765:32767

/etc/default/nfs-common:

 STATDOPTS="-p 32765 -o 32766"

/etc/default/nfs-kernel-server:

 RPCMOUNTDOPTS="-p 32767"

Make sure in your /etc/services you have the following

 nfs     2049/tcp    # Network File System nfs     2049/udp    # Network File System


old system

The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl on the NFS server.

 # /etc/services
 # NFS ports as per the NFS-HOWTO
 # http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
 # Listing here does not mean they will bind to these ports. 
 rpc.nfsd        2049/tcp                        # RPC nfsd
 rpc.nfsd        2049/udp                        # RPC nfsd
 rpc.statd-bc    32765/tcp                       # RPC statd broadcast
 rpc.statd-bc    32765/udp                       # RPC statd broadcast
 rpc.statd       32766/tcp                       # RPC statd listen
 rpc.statd       32766/udp                       # RPC statd listen
 rpc.mountd      32767/tcp                       # RPC mountd
 rpc.mountd      32767/udp                       # RPC mountd
 rcp.lockd       32768/tcp                       # RPC lockd/nlockmgr
 rcp.lockd       32768/udp                       # RPC lockd/nlockmgr
 rpc.quotad      32769/tcp                       # RPC quotad
 rpc.quotad      32769/udp                       # RPC quotad

/etc/default/quota

 RPCRQUOTADOPTS="-p 32769"

You can check which ports are being used with

rpcinfo -p

Shorewall6

http://tldp.org/HOWTO/Linux+IPv6-HOWTO/ http://www.shorewall.net/IPv6Support.html

Shorewall6 is the ipv6 version of shorewall. To get it working you need to do above steps and also:

Make sure you have a valid IPv6 address connected to your NICs.

Because we have no valid ipv6 from KPN yet, we use a 6to4 tunnelling address, which always start with 2002:

In order to calculate the ipv6 from the ipv4 address we need:

ipv6calc --quiet --action conv6to4 188.204.140.215

or

ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`

This gives:

2002:bccc:8cd7::

so in /etc/network/interfaces add something like

auto tun6to4
iface tun6to4 inet6 v4tunnel
        address 2002:bccc:8cd7::1
        netmask 16
        gateway ::188.204.140.193

        endpoint any
        local 188.204.140.215

underneath your ipv4 network interfaces. NOTE: Notice the '1' at the end! (see also 3.2.4.2 in http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html)

which we can test with:

ip -6 tunnel show tun6to4
ping6 ipv6.google.com


in /etc/shorewall/shorewall.conf

DISABLE_IPV6=No
TC_ENABLED=Internal

/etc/shorewall6/shorewall.conf

TC_ENABLED=No

test using

ip6tables -L

= Single NIC Machine

=
/etc/default/shorewall
Set startup=1

In /usr/share/doc/shorewall-common/default-config
make the following edits to the following files and then copy them to /etc/shorewall

interfaces
net     eth1    82.94.91.79

modules
(no edits)

policy
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

NB to drop logging, get rid of the 'info' and replace it with 'crit' or 'err' or get rid of it entirely

rules
(under SECTION NEW)
ACCEPT   net    fw      tcp     smtp
ACCEPT   net    fw      tcp     pop3
ACCEPT   net    fw      tcp     ssh
FTP/ACCEPT      net     fw
ACCEPT   net    fw      tcp     domain
ACCEPT   net    fw      udp     domain
ACCEPT   fw     net     udp     domain
ACCEPT   net    fw      tcp     http
ACCEPT   fw     net     tcp     http
ACCEPT   net    fw      tcp     https
ACCEPT   net    fw      tcp     snmp
ACCEPT   fw     net     tcp     snmp
ACCEPT   net    fw      udp     snmp
ACCEPT   fw     net     udp     snmp
ACCEPT  net     fw      tcp     143
ACCEPT  net     fw      udp     143

start
dmesg -n5

zones
net     ipv4
(above fw      firewall)