
shorewall

 
In this example we use shorewall as the firewall between the internet and an apache2 server in a DMZ, so we need masquerading (NAT). We need a zone DMZ and a zone NET (the internet). Later we could add a zone LOC (local) for machines in a subnet that is never exposed to the internet.
 

  1. Enable ipv4 routing (we need NAT)
     
    If we want to make this configuration permanent, the best way to do it is to use the file /etc/sysctl.conf, where we add a line containing net.ipv4.ip_forward = 1
     
    File /etc/sysctl.conf:
    net.ipv4.ip_forward = 1

     

  2. inventory 
     
    In the directory /etc/shorewall, we need the following files:
    conntrack.old    interfaces    masq    params    policy    rules    shorewall.conf    zones

    First, we should rename the obsolete file conntrack to conntrack.old.
    Next we should configure the following files as needed.
     

  3. file /etc/shorewall/interfaces
    #
    # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
    # Copyright (C) 2006 by the Shorewall Team
    #
    # This library is free software; you can redistribute it and/or
    # modify it under the terms of the GNU Lesser General Public
    # License as published by the Free Software Foundation; either
    # version 2.1 of the License, or (at your option) any later version.
    #
    # See the file README.txt for further details.
    #------------------------------------------------------------------------------
    # For information about entries in this file, type "man shorewall-interfaces"
    ###############################################################################
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
    dmz     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

     

  4. file /etc/shorewall/zones
    #
    # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
    # Copyright (C) 2006 by the Shorewall Team
    #
    # This library is free software; you can redistribute it and/or
    # modify it under the terms of the GNU Lesser General Public
    # License as published by the Free Software Foundation; either
    # version 2.1 of the License, or (at your option) any later version.
    #
    # fw                 firewall (this machine)
    # net    ipv4        (outside: in fact the entire internet)
    # dmz    ipv4        (inside: 172.16.0.0/16, pointing to the DMZ servers)
    # loc    ipv4        (not used: 192.168.0.0/24, the machines beyond the DMZ)
    #
    # See the file README.txt for further details.
    #------------------------------------------------------------------------------
    # For information about entries in this file, type "man shorewall-zones"
    ###############################################################################
    #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
    fw      firewall
    net     ipv4
    dmz     ipv4
    loc     ipv4

     

  5. file /etc/shorewall/masq
    #interface      source
    # this is the interface pointing outside, and the network pointing to inside
    eth0        172.16.0.0/16

     

  6. file /etc/shorewall/policy
    #
    # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
    # Copyright (C) 2006 by the Shorewall Team
    #
    # This library is free software; you can redistribute it and/or
    # modify it under the terms of the GNU Lesser General Public
    # License as published by the Free Software Foundation; either
    # version 2.1 of the License, or (at your option) any later version.
    #
    # See the file README.txt for further details.
    #------------------------------------------------------------------------------
    # For information about entries in this file, type "man shorewall-policy"
    ###############################################################################
    #SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
    #there is no traffic from LAN to INTERNET via this firewall
    #loc    net        ACCEPT
    #from DMZ-machines to outside
    dmz        net        ACCEPT
    #from INTERNET
    net        all        DROP        info
    # THE FOLLOWING POLICY MUST BE LAST
    all        all        REJECT        info

     

  7. file /etc/shorewall/rules
    # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
    # Copyright (C) 2006,2007 by the Shorewall Team
    #
    # This library is free software; you can redistribute it and/or
    # modify it under the terms of the GNU Lesser General Public
    # License as published by the Free Software Foundation; either
    # version 2.1 of the License, or (at your option) any later version.
    #
    # See the file README.txt for further details.
    #------------------------------------------------------------------------------
    # For information about entries in this file, type "man shorewall-rules"
    ###############################################################################
    #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH   HELPER
    #                               PORT   PORT(S)   DEST       LIMIT   GROUP
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    #SECTION INVALID
    #SECTION UNTRACKED
     
    SECTION NEW
     
    ### Don't allow connection pickup from the net
    #
    Invalid(DROP)    net        all        tcp
     
    ### Accept DNS connections from the firewall to the network
    #
    DNS(ACCEPT)    $FW        net
    #
    #############################################
     
    ### SSH #####################################
    #
    ### Accept SSH connections from the local network for administration
    ### To be commented out after SSH has changed port to 2222
    #
    SSH(ACCEPT)    loc        $FW
    SSH(ACCEPT)    dmz        $FW
    #
    ### allow SSH via net @port 2222
    #
    ACCEPT        net        $FW        tcp    1022
    ACCEPT        dmz        $FW        tcp    1022
    #
    #############################################
     
    ### PING and ICMP ###########################
    #
    ### Allow Ping from the DMZ network
    #
    Ping(ACCEPT)    dmz        $FW
    #
    ### Drop Ping from the "bad" net zone, and keep the log from being flooded
    #
    Ping(DROP)    net        $FW
    #
    ### can we still ping to outside?
    #
    ACCEPT        $FW        loc        icmp
    ACCEPT        $FW        dmz        icmp
    #
    #############################################
     
    ### forward web traffic (port 80, plus 443 as the Web macro covers both) to web-server 172.16.10.100
    #
    Web(DNAT) net       dmz:172.16.10.100
    #
    ##########
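Added example (not code from the page or from the Shorewall project): a small Python evaluator for the policy/rules semantics that sections 6 and 7 rely on, useful for reviewing what the net zone can actually reach before running shorewall. It assumes the stock Shorewall macro contents for DNS, SSH, Ping and Web, models only NEW connections (the Invalid(DROP) line, which matches conntrack state, is omitted), and treats a DNAT rule's DEST zone as the zone being reached.

```python
import re

# Constructed excerpts of the page's policy and rules files (comments left out).
POLICY = """
dmz  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
"""
RULES = """
DNS(ACCEPT)   $FW   net
SSH(ACCEPT)   dmz   $FW
ACCEPT        net   $FW   tcp   1022
Ping(DROP)    net   $FW
ACCEPT        $FW   dmz   icmp
Web(DNAT)     net   dmz:172.16.10.100
"""
# Assumed expansions, as in the stock Shorewall macro.DNS/SSH/Ping/Web files.
MACROS = {"DNS": [("udp", "53"), ("tcp", "53")], "SSH": [("tcp", "22")],
          "Ping": [("icmp", "8")], "Web": [("tcp", "80"), ("tcp", "443")]}

def _fields(text):
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#"):
            yield [x.replace("$FW", "fw") for x in f]   # $FW is this host

def parse_policy(text):
    return [(f[0], f[1], f[2]) for f in _fields(text)]

def parse_rules(text):
    out = []   # each line expands to (action, src, dst, proto, port) tuples
    for f in _fields(text):
        macro, action = re.fullmatch(r"(?:(\w+)\()?(\w+)\)?", f[0]).groups()
        dst = f[2].split(":")[0]          # the DNAT target address is not a zone
        proto = f[3] if len(f) > 3 else "all"
        port = f[4] if len(f) > 4 else "all"
        for p, dp in MACROS.get(macro, [(proto, port)]):
            out.append((action, f[1], dst, p, dp))
    return out

def verdict(src, dst, proto, port):
    """NEW connection: first matching rule wins, else first matching policy line."""
    for action, s, d, p, dp in parse_rules(RULES):
        if s in (src, "all") and d in (dst, "all") and p in (proto, "all") and dp in (str(port), "all"):
            return action                 # DNAT means accepted and forwarded
    for s, d, action in parse_policy(POLICY):
        if s in (src, "all") and d in (dst, "all"):
            return action
    return "REJECT"                       # unreachable while 'all all REJECT' is last

def net_exposure():
    """Review helper: every (zone, proto, port) the internet is allowed to open."""
    return sorted({(d, p, dp) for a, s, d, p, dp in parse_rules(RULES)
                   if s == "net" and a in ("ACCEPT", "DNAT")})
```

Running net_exposure() lists exactly the three internet-facing openings in this configuration (SSH on 1022 to the firewall, web ports 80 and 443 forwarded to the DMZ), which is the list to compare against what was intended.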