Shorewall installation and configuration on Fedora
Reference: http://www.shorewall.net/shorewall_setup_guide.htm

# Back up your existing iptables configuration so that you can revert in case something goes wrong
cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_

# Deploy a safety net so that you don't get locked out of a remote host.
# WARNING: the reset script below sets every chain policy to ACCEPT and flushes all
# rules, i.e. while it is loaded the host is completely unfiltered. Use it only for the
# duration of the Shorewall rollout and remove it (and its cron entry, see below) as soon
# as Shorewall is confirmed working. Keep the file root-only (chmod 600 /root/firewall_reset).
# Reference: http://www.iptablesrocks.org/guide/safetynet.php
vi /root/firewall_reset
############
# iptables firewall reset script (iptables-save format; the [packets:bytes] counters after
# each policy are informational only and may just as well be [0:0])
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
###########
# Test that the above script loads without error. Note that this replaces your current
# rule set with an all-ACCEPT one until you restore the backup in the next step, so do it
# in a maintenance window. (-n avoids slow reverse-DNS lookups in the listing.)
/sbin/iptables-restore < /root/firewall_reset
/sbin/iptables -L -n
# The output should be similar to the following
###
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
###
# Restore your original firewall configuration and proceed
/sbin/iptables-restore < /etc/sysconfig/iptables_backup_
# Confirm that your original rules have been restored by running the following command
/sbin/iptables -L -n
# Create a crontab entry that resets the firewall every 15 minutes
crontab -e
0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset
# WARNING: while this entry exists, every rule (including Shorewall's) is wiped every
# 15 minutes and the host is left unfiltered. Comment it out, and verify with
# `crontab -l`, as soon as you have successfully tested that Shorewall is working.

# Reference: http://www.shorewall.net/shorewall_quickstart_guide.htm
# Before installing, check whether iproute and shorewall are already installed
rpm -qa | grep -i "iproute"
rpm -qa | grep -i "shorewall"
# If iproute and shorewall are not installed, proceed as follows
yum install iproute
yum install shorewall

# Setting up Shorewall on a standalone Linux system with a single static IP address
# Reference: http://www.shorewall.net/standalone.htm
# Add your IP address (the address of the system/gateway you are connecting FROM, not the
# address of the server where you are installing Shorewall) to /etc/shorewall/routestopped
# so that your session survives a firewall restart. The most reliable way to find that
# address is from your existing SSH session on the server: `echo $SSH_CLIENT` (or
# `who am i`); http://whatismyip.com shows the same public address as seen from the Internet.
cp -a /etc/shorewall/routestopped /etc/shorewall/routestopped.orig
vi /etc/shorewall/routestopped
# e.g. if your IP address (the system/gateway you are connecting from) is 59.144.118.69:
#INTERFACE   HOST(S)
eth0         59.144.118.69
# (The original example listed 59.144.0.0/24 here, which does not even contain
# 59.144.118.69: a /24 covers only 59.144.0.0-59.144.0.255. Keep this entry as narrow as
# possible -- hosts listed here are allowed through whenever the firewall is stopped.)
# You can also use CIDR notation to keep a whole range of addresses connected while the
# firewall restarts; e.g. to keep alive connections from 192.168.0.1 to 192.168.0.254 add
#INTERFACE   HOST(S)
eth0         192.168.0.0/24
# Find the sample configuration files by running
rpm -ql shorewall | fgrep one-interface
# and copy the directory it prints (the version number in the path varies), e.g.
cp -a /usr/share/doc/shorewall-3.2.7/Samples/one-interface /tmp/
cd /tmp/one-interface
# Confirm your Ethernet interface (i.e. check that you have a single LAN card)
/sbin/ifconfig -a
vi interfaces
########
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        210.210.18.90    norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########
# NOTE: the BROADCAST column expects the broadcast address of the subnet on that interface
# (or the word "detect"), not the host's own address. Unless 210.210.18.90 really is the
# broadcast address, use "detect" here.
# RFC 1918 reserves several private IP address ranges for use in private networks:
#   10.0.0.0    - 10.255.255.255
#   172.16.0.0  - 172.31.255.255
#   192.168.0.0 - 192.168.255.255
# If your IP address falls in any of the above ranges, remove "norfc1918" from the OPTIONS
# column of the interfaces file, otherwise your own traffic is dropped. (The norfc1918
# option was removed in later Shorewall releases; check shorewall-interfaces(5) for the
# option list your version supports.)
# If you have a non-static (DHCP) IP address, put "detect" in the BROADCAST column and add
# "dhcp" to the OPTIONS list.

# Configuration of rules
# You can list the shipped rule macros by running
ls /usr/share/shorewall/macro.*
# You can then use these macros in your Shorewall rules file.
# E.g. to allow access to your web server on TCP port 80 and to sshd on TCP port 22:
# Tip: you can identify the network services listening on your server by issuing
/bin/netstat -luntp
# Based on the output, decide which services should be reachable remotely and which
# should not -- expose only what is actually required.
cd /tmp/one-interface
vi rules
#######
#ACTION       SOURCE   DESTINATION   PROTO   DEST PORT(S)
Web/ACCEPT    net      $FW
SSH/ACCEPT    net      $FW
######
# You can also write the above rules out explicitly:
vi rules
#########
#ACTION   SOURCE   DESTINATION   PROTO   DEST PORT(S)
ACCEPT    net      $FW           tcp     80
ACCEPT    net      $FW           tcp     22
#########
# You can also add the following rule if your nmap scan shows TCP port 113 (ident) as
# closed. Consider REJECT instead of DROP for this port: some SMTP and IRC servers make an
# ident callback, and a DROP makes them wait for a timeout, whereas REJECT answers at once.
DROP      net      $FW           tcp     113
# If you want to allow connections to, say, the SSH port only from specific IP addresses on
# the Internet, restrict the SOURCE column instead ("fw" and "$FW" name the same zone).
# Restricting administrative access this way is strongly recommended; replace the 192.0.2.x
# documentation addresses with your own:
ACCEPT    net:192.0.2.16/28,192.0.2.44   fw   tcp   22
# Check each macro you apply from /usr/share/shorewall/macro.* to make sure it opens exactly
# what you intend (a macro may cover more ports than its name suggests).
# You must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes
cp -a /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
vi /etc/shorewall/shorewall.conf
# Modify the lines as shown
#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
# A standalone host must not route packets between interfaces, so forwarding stays off:
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes
# NOTE: the iptables rules this Shorewall release generates cover IPv4 only. If the host has
# IPv6 connectivity, none of the rules above filter IPv6 traffic; either uncomment
# DISABLE_IPV6=Yes so that Shorewall blocks IPv6 entirely, or add equivalent ip6tables rules.

# Copy your configuration files to the appropriate locations, backing up the originals first
cd /etc/shorewall/
cp -a policy policy.orig
cp -a rules rules.orig
cp -a interfaces interfaces.orig
cp -a zones zones.orig
cp -a /tmp/one-interface/* /etc/shorewall/
rm -rf /tmp/one-interface/
/etc/rc.d/init.d/shorewall restart
# The following command clears all Shorewall rules. This opens the firewall completely (all
# policies ACCEPT), so use it only for troubleshooting and run "shorewall restart" (or
# "shorewall start") straight afterwards:
/sbin/shorewall clear
# Configure Shorewall to auto-start at boot time
/sbin/chkconfig shorewall on
# Use nmap from a different system to verify that your firewall rules are in place; a scan
# such as `nmap -p- <server-ip>` should show only the ports you opened above.

# Multiple IP addresses on a single interface
# Reference: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id2491727
# Ensure that all IP addresses that live on separate LAN cards (i.e. non-virtual, additional
# interfaces) are configured in /etc/shorewall/interfaces, e.g.
vi /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        210.210.23.26   norfc1918,routefilter,tcpflags,logmartians,nosmurfs
# (As above, the BROADCAST column should hold the subnet's broadcast address or "detect",
# not the host's own address.)
# RFC 1918 reserves several private IP address ranges for use in private networks:
#   10.0.0.0    - 10.255.255.255
#   172.16.0.0  - 172.31.255.255
#   192.168.0.0 - 192.168.255.255
# If your IP address falls in any of the above ranges, remove "norfc1918" from the OPTIONS
# column of the interfaces file.
# If you have a non-static (DHCP) IP address, put "detect" in the BROADCAST column and add
# "dhcp" to the OPTIONS list.
# If you are using virtual IP addresses (e.g. eth0:0, eth0:1, etc.) configured on a single
# Ethernet card, you can ignore the above setting in /etc/shorewall/interfaces.
# If you have multiple IP addresses and want sshd to be reachable on a single one
# (e.g. 210.210.23.26) instead of on every address of the server, do this:
vi /etc/shorewall/rules
#ACTION   SOURCE   DESTINATION          PROTO   DEST PORT(S)
#ACCEPT   net      $FW                  tcp     22
ACCEPT    net      $FW:210.210.23.26    tcp     22
# (A firewall rule does not stop sshd itself from binding to the other addresses; consider
# also setting ListenAddress in sshd_config so the daemon only listens where it is reachable.)
# Restart Shorewall to load the new rules. "shorewall clear" is not required before a
# restart and leaves the host unfiltered until the restart completes -- "restart" alone
# replaces the rule set.
/sbin/shorewall clear
/etc/rc.d/init.d/shorewall restart
# Finally, once Shorewall runs and the firewall behaves as expected, remove the
# firewall_reset cron job (crontab -e, then verify with crontab -l) and the temporary
# entries in /etc/shorewall/routestopped, and restart Shorewall so the change takes effect.
# Leaving the cron job in place silently re-opens the host every 15 minutes; leaving the
# routestopped entries exempts those hosts from filtering whenever Shorewall is stopped.