Shorewall Howto

  • Uploaded by: Sharjeel Sayed
  • November 2019


Shorewall installation and configuration on Fedora

Reference: http://www.shorewall.net/shorewall_setup_guide.htm

# Back up your existing iptables configuration so that you can revert if something goes wrong
cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_

# Deploy a safety net to ensure that you don't get locked out
# Reference: http://www.iptablesrocks.org/guide/safetynet.php
vi /root/firewall_reset
############
# Iptables firewall reset script (iptables-save format; the [packets:bytes]
# counters are ignored by iptables-restore unless it is run with -c)
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
###########
# Note that loading this script flushes every rule and sets every policy to ACCEPT:
# the host is completely unfiltered while it is in effect. It is an emergency
# fallback for the installation window, not a state to leave the machine in.

# Test that the script loads without errors
/sbin/iptables-restore < /root/firewall_reset
/sbin/iptables -L
# The output should be similar to the following
###
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
###

# Restore your original firewall configuration and proceed
/sbin/iptables-restore < /etc/sysconfig/iptables_backup_
# Confirm that your original rules have been restored
/sbin/iptables -L

# Create a crontab entry that resets the firewall every 15 minutes
crontab -e
0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset
# Make sure you comment out this line once you have successfully tested that Shorewall
# is working; every run wipes the Shorewall rule set and leaves all chains wide open.

# Reference: http://www.shorewall.net/shorewall_quickstart_guide.htm
# Before installing, check whether iproute and shorewall are already installed
rpm -qa | grep -i "iproute"
rpm -qa | grep -i "shorewall"
# If they are not installed, proceed as follows
yum install iproute
yum install shorewall

# Setting up Shorewall on a standalone Linux system with a single static IP address
# Reference: http://www.shorewall.net/standalone.htm

# Add your IP address (the address of the system/gateway you are connecting FROM, not
# the address of the server where you are installing Shorewall) to
# /etc/shorewall/routestopped so that you stay connected while the firewall is stopped
# or restarting. You can find your public IP address by visiting http://whatismyip.com
cp -a /etc/shorewall/routestopped /etc/shorewall/routestopped.orig
vi /etc/shorewall/routestopped
# e.g. if the address you are connecting from is 59.144.118.69
#INTERFACE   HOST(S)
eth0         59.144.118.69
# You can also give a CIDR block to keep a whole range of addresses connected.
# e.g. to keep connections from 192.168.0.1 to 192.168.0.254 alive during a firewall
# restart, add the following line
#INTERFACE   HOST(S)
eth0         192.168.0.0/24
# Check that the block really contains your address: a /24 only varies in the last
# octet, so 59.144.0.0/24 would NOT cover 59.144.118.69. Hosts listed here bypass all
# filtering while Shorewall is stopped, so list as few as possible and remove them
# when the installation is finished.
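The routestopped entry only protects you if the address you administer from actually falls inside the block you wrote. The following script is an added example, not part of the original howto: it parses a routestopped file (INTERFACE HOST(S) format) and reports whether a given IPv4 address is covered, so you can run it before every restart. The routestopped file it creates is constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original howto): before restarting Shorewall,
# check that the address you administer from is covered by an entry in the
# routestopped file, so a typo or a too-narrow CIDR block does not lock you
# out. IPv4 only; the routestopped file written below is constructed sample data.

# ip4_to_int A.B.C.D -> the address as an integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_cidr ADDR NET/PREFIX  (a bare host address means /32)
# exit status 0 if ADDR lies inside the block
ip4_in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "$net")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# routestopped_covers FILE ADDR
# exit status 0 if some entry in FILE (Shorewall routestopped format:
# INTERFACE  HOST(S) ...) covers ADDR. HOST(S) may be a comma-separated
# list; an empty HOST(S) column or "-" means every host on that interface.
routestopped_covers() {
    file=$1
    who=$2
    while read -r iface hosts _rest; do
        case $iface in ''|'#'*) continue ;; esac
        case $hosts in ''|-) return 0 ;; esac
        old_ifs=$IFS
        IFS=,
        set -- $hosts
        IFS=$old_ifs
        for h in "$@"; do
            if ip4_in_cidr "$who" "$h"; then
                return 0
            fi
        done
    done < "$file"
    return 1
}

# Constructed sample: the first entry looks right but does not contain the
# admin's address 59.144.118.69 (a /24 only varies in the last octet).
make_sample_routestopped() {
    cat > "$1" <<'EOF'
#INTERFACE   HOST(S)
eth0         59.144.0.0/24
eth0         192.168.0.0/24
EOF
}

# check_before_restart FILE ADDR -> prints a verdict; exit status 0 only if covered
check_before_restart() {
    if routestopped_covers "$1" "$2"; then
        echo "$2 is covered by $1: safe to restart"
    else
        echo "$2 is NOT covered by $1: add it before restarting" >&2
        return 1
    fi
}

tmp=$(mktemp)
make_sample_routestopped "$tmp"
check_before_restart "$tmp" 59.144.118.69 || true
check_before_restart "$tmp" 192.168.0.77
rm -f "$tmp"
```

Run it against the real file with `check_before_restart /etc/shorewall/routestopped <your address>` from the same session you would lose if the restart went wrong; a non-zero exit means fix the entry first.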

# Find the sample configuration files
rpm -ql shorewall | fgrep one-interface
cp -a /usr/share/doc/shorewall-3.2.7/Samples/one-interface /tmp/
cd /tmp/one-interface

# Confirm your ethernet interface (check that you have a single LAN card)
/sbin/ifconfig -a
vi interfaces
########
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        210.210.18.90   norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########
# The BROADCAST column is the broadcast address of the subnet on that interface
# (or "detect"), not the interface's own address.
# RFC 1918 reserves several private IP address ranges for use in private networks:
#   10.0.0.0    - 10.255.255.255
#   172.16.0.0  - 172.31.255.255
#   192.168.0.0 - 192.168.255.255
# If your IP address falls in any of these ranges, remove "norfc1918" from the
# OPTIONS column of the interfaces file; with that option set, packets arriving on
# the interface with an RFC 1918 source address are logged and dropped.
# If you have a non-static (DHCP) IP address, put "detect" in the BROADCAST column
# and add "dhcp" to the OPTIONS list.

# Configuration of rules
# Ready-made macros for common services can be listed with
ls /usr/share/shorewall/macro.*
# You can use these macros in your Shorewall rules file.
# e.g. to allow access to your web server on TCP port 80 and to sshd on TCP port 22:
# Tip: you can identify the network services listening on your server with
/bin/netstat -luntp
# Based on that output, decide which services should be reachable remotely and which
# should not.
cd /tmp/one-interface
vi rules
#######
#ACTION       SOURCE   DESTINATION   PROTO   DEST PORT(S)
Web/ACCEPT    net      $FW
SSH/ACCEPT    net      $FW
######

# You can also write the same rules without macros:
vi rules
#########
#ACTION   SOURCE   DESTINATION   PROTO   DEST PORT(S)
ACCEPT    net      $FW           tcp     80
ACCEPT    net      $FW           tcp     22
#########

# You can also add the following rule if you see TCP port 113 (ident) as closed in
# your nmap scan.
DROP      net      $FW           tcp     113
# With DROP the port shows up as "filtered" rather than "closed" and remote ident
# lookups have to wait for a timeout; a REJECT rule would answer them immediately.

# To allow connections to, say, the ssh port only from specific IP addresses on the
# internet, add
ACCEPT    net:192.0.2.16/28,192.0.2.44   $FW   tcp   22
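The "netstat -luntp, then decide" step above is the point where exposed services get chosen, so it pays to make the choice explicit. The script below is an added example, not from the original howto: it parses netstat output, skips sockets bound to loopback, emits an ACCEPT rule for each listener you name in an allow list, and writes every other listener as a commented-out rule so that nothing is exposed by accident. The netstat text it works on is constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original howto: turn the output of
# "netstat -luntp" into candidate Shorewall rules. Listeners bound to
# loopback are skipped; entries named in the allow list (proto/port)
# become ACCEPT rules, every other listener becomes a commented-out rule
# so that exposing it is a deliberate decision. SAMPLE_NETSTAT below is
# constructed sample data, not real output from any host.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1301/sendmail
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1402/httpd
tcp        0      0 0.0.0.0:113                 0.0.0.0:*                   LISTEN      1500/identd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1199/ntpd
udp        0      0 127.0.0.1:323               0.0.0.0:*                               1199/chronyd'

# listeners NETSTAT_OUTPUT -> one "proto port program" line per listening
# socket that is reachable from the network (loopback-only sockets skipped)
listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)     # everything before it
            if (host == "127.0.0.1" || host == "::1") next
            proto = $1; sub(/6$/, "", proto)         # tcp6 -> tcp, udp6 -> udp
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # "1234/sshd" -> "sshd"
            print proto, port, prog
        }'
}

# rules_from_listeners NETSTAT_OUTPUT "tcp/22,tcp/80" -> Shorewall rules lines
# Each rule is preceded by a comment line naming the program, because older
# Shorewall releases only recognise comments at the start of a line.
rules_from_listeners() {
    allow=",$2,"
    listeners "$1" | while read -r proto port prog; do
        case $allow in
            *",$proto/$port,"*)
                printf '# %s\nACCEPT\tnet\t$FW\t%s\t%s\n' "$prog" "$proto" "$port" ;;
            *)
                printf '# %s (not exposed)\n#ACCEPT\tnet\t$FW\t%s\t%s\n' "$prog" "$proto" "$port" ;;
        esac
    done
}

# Demo: expose only sshd and httpd from the sample listing
rules_from_listeners "$SAMPLE_NETSTAT" "tcp/22,tcp/80"
```

On a live host feed it real output, e.g. `rules_from_listeners "$(netstat -luntp)" "tcp/22,tcp/80"`, and paste the result into the rules file; the commented lines are a checklist of what is listening but not reachable through the firewall.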

# Check each macro you use from /usr/share/shorewall/macro.* to make sure it does what
# you expect.

# You must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes
cp -a /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
vi /etc/shorewall/shorewall.conf
# Modify the lines as shown
#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes

# Copy your configuration files to the appropriate locations, keeping the originals
cd /etc/shorewall/
cp -a policy policy.orig
cp -a rules rules.orig
cp -a interfaces interfaces.orig
cp -a zones zones.orig
cp -a /tmp/one-interface/* /etc/shorewall/
rm -rf /tmp/one-interface/
/etc/rc.d/init.d/shorewall restart

# You can use the following command to clear all Shorewall rules (this leaves the
# host unfiltered until the next start or restart)
/sbin/shorewall clear
# Configure Shorewall to start at boot time
/sbin/chkconfig shorewall on
# Use nmap from a different system to confirm that your firewall rules are in place

# Multiple IP addresses on a single interface
# Reference: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id2491727
# Ensure that all IP addresses on separate LAN cards (i.e. additional non-virtual
# interfaces) are configured in /etc/shorewall/interfaces
# e.g.
vi /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        210.210.23.26   norfc1918,routefilter,tcpflags,logmartians,nosmurfs
# The same remarks as for eth0 apply: remove "norfc1918" if the address is in an
# RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and for a DHCP address
# put "detect" in the BROADCAST column and add "dhcp" to the OPTIONS list.
# If you are using virtual IP addresses (e.g. eth0:0, eth0:1, etc.) on a single
# ethernet card, you can ignore the interfaces setting above; the aliases are covered
# by the physical interface's entry.
# If you have multiple IP addresses and want sshd reachable on a single address
# (e.g. 210.210.23.26) instead of on every address of the server, write the rule
# with the address in the DESTINATION column:
vi /etc/shorewall/rules
#ACTION   SOURCE   DESTINATION         PROTO   DEST PORT(S)
#ACCEPT   net      $FW                 tcp     22
ACCEPT    net      $FW:210.210.23.26   tcp     22

/sbin/shorewall clear
/etc/rc.d/init.d/shorewall restart

# Remove the firewall_reset cron job and the entries in /etc/shorewall/routestopped
# once Shorewall is running and the firewall behaves as expected.
