From 07bedee34d9ded6f86904c7e4b4e02464ff8cb14 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Thu, 15 Sep 2016 00:47:34 +0100 Subject: added tools --- tools/shorewall.html | 201 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 tools/shorewall.html (limited to 'tools/shorewall.html') diff --git a/tools/shorewall.html b/tools/shorewall.html new file mode 100644 index 0000000..749d4e6 --- /dev/null +++ b/tools/shorewall.html @@ -0,0 +1,201 @@ +

2.3. Shorewall

+ +

Shorewall is a gateway/firewall + configuration tool. "You describe your firewall/gateway requirements + using entries in a set of configuration files. Shorewall reads those + configuration files and with the help of the iptables, iptables-restore, + ip and tc utilities, Shorewall configures Netfilter and the Linux + networking subsystem to match your requirements.".

+ +

This is a resume from + Basic Two-Interface Firewall. +

+ +

2.3.1. Install Shorewall

+ +

Shorewall port is part of Kris Collection + and sysdoc collection.

+ +
+        $ prt-get depinst shorewall
+        
+ +

Get the samples from distribution file;

+ +
+    $ mkdir sample && cd sample
+        $ tar xf ../shorewall-5.0.8.2.tar.bz2
+        $ cd /srv/ports/work/shorewall-5.0.8.2
+        $ ls
+        README.txt            policy            shorewall.conf.annotated
+        interfaces            policy.annotated  stoppedrules
+        interfaces.annotated  rules             stoppedrules.annotated
+        masq                  rules.annotated   zones
+        masq.annotated        shorewall.conf    zones.annotated
+        
+ +

Copy files to /etc/shorewall

+ +
+        $ sudo cp Samples/two-interfaces/* /etc/shorewall/
+        
+ +

Distribution extracted files are not needed anymore;

+ +
+        $ cd ../../ && rm -fR sample
+        
+ +

2.3.2. Configure Shorewall

+ +

Tip how to get help about files in /etc/shorewall, for example + to get help about file zones call man shorewall-zones. There are + Some files have names ending in '.annotated'. You might + choose to look at those files instead.

+ +

Rules about traffic to allow and what traffic to deny are expressed in + terms of zones;

+ + + +

Edit /etc/shorewall/shorewall.conf

+ +
+        ###############################################################################
+        #                      S T A R T U P   E N A B L E D
+        ###############################################################################
+
+        STARTUP_ENABLED=Yes
+        
+ +

2.3.5. Configure Interfaces

+ +

Show defoult route, last should be your external interface;

+ +
+        # ip route ls
+        
+ +

This example assumes enp8s0 is connected to router and + wlp7s0 is wireless access point.

+ +

Edit /etc/shorewall/interfaces

+ +
+        ###############################################################################
+        #ZONE   INTERFACE       OPTIONS
+net     enp8s0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     wlp7s0            tcpflags,nosmurfs,routefilter,logmartians
+        
+ +

Edit /etc/shorewall/stoppedrules

+ +
+        ###############################################################################
+        #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
+        #                                                       PORT(S)         PORT(S)
+        ACCEPT          enp3s0          -
+        ACCEPT          -               enp3s0
+        
+ +

2.3.3. Configure Zones

+ +

Shorewall recognizes the firewall system as its own zone, as can be + seen on zones defined by two-interfaces example;

+ +

Edit /etc/shorewall/zones

+ +
+        ###############################################################################
+        #ZONE	TYPE	OPTIONS			IN			OUT
+        #					OPTIONS			OPTIONS
+        fw	firewall
+        net	ipv4
+        loc	ipv4
+        
+ +

2.3.4. Configure Policy

+ +

Change default /etc/shorewall/policy this example will limit + witch connections are allow to and from firewall, default policy + will be drop;

+ +

Edit /etc/shorewall/policy

+ +
+        ##############################################################################
+        #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+
+        loc             net             ACCEPT          info
+        net             all             DROP            warning
+
+        $FW             net             DROP            warning
+        loc             $FW             DROP            warning
+        $FW             loc             DROP            warning
+
+        # THE FOLLOWING POLICY MUST BE LAST
+        all             all             REJECT          warning
+        
+ +

2.3.6. SNAT/Masquerading

+ +

In Shorewall, both Masquerading and SNAT are configured with + entries in the /etc/shorewall/masq file. You will normally use + Masquerading if your external IP is dynamic and SNAT if the IP + is static.

+ +

Since /etc/rc.d/net + configured enp8s0 static, change /etc/shorewall/masq so + that uses SNAT;

+ +

Edit /etc/shorewall/masq

+ +
+        #######################################################################################
+        #INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
+        #
+        wlp7s0                  10.0.0.0/24      192.168.1.254
+        
+ +

2.3.7. DNAT

+ +

Destination Network Address Translation are defined in + /etc/shorewall/rules;

+ +

2.3.8. Rules

+ +

Example /etc/shorewall/rules file.

+ +

2.3.9. Logging

+ +
+        $ sudo mkdir /var/log/shorewall
+        
+ +

Example of syslog-ng configuration for shorewall;

+ +
+        destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
+        destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };
+
+        filter f_shorewall_warn {
+                level (warn)
+                and match ("Shorewall" value("MESSAGE"));
+        };
+
+        filter f_shorewall_info {
+                level (info)
+                and match ("Shorewall" value("MESSAGE"));
+        };
+
+        log { source (s_kernel); filter (f_shorewall_warn); destination (d_shorewall_warn); flags(final);};
+        log { source (s_kernel); filter (f_shorewall_info); destination (d_shorewall_info); flags(final);};
+        
+ + -- cgit 1.4.1-2-gfad0
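Review bot: the interface names in this hunk do not agree with each other. `stoppedrules` accepts `ACCEPT enp3s0 -` / `ACCEPT - enp3s0`, but `enp3s0` is never defined in `interfaces` (which maps `net` to `enp8s0` and `loc` to `wlp7s0`), so those entries match nothing and no traffic is allowed while Shorewall is stopped; it should be `wlp7s0` if the intent is to keep the local side reachable. Likewise the `masq` entry `wlp7s0 10.0.0.0/24 192.168.1.254` puts the wireless access-point interface in the INTERFACE column, which in Shorewall is the outgoing interface on which SNAT is applied; since the text says `enp8s0` is the router-facing side with the static address, that line should start with `enp8s0`. The `dhcp` option on the `net enp8s0` interface line also contradicts the later statement that `enp8s0` is configured static in /etc/rc.d/net. Two smaller points: the install steps extract into `sample` but then `cd /srv/ports/work/shorewall-5.0.8.2` and copy `Samples/two-interfaces/*` relatively, so the paths do not line up; and sections 2.3.7 (DNAT) and 2.3.8 (Rules) announce an example rules file but contain none, which matters here because the policy drops loc to $FW, $FW to loc and $FW to net, so any DNS or DHCP service on the firewall needs explicit rules to work. Section 2.3.5 is also placed before 2.3.3 and 2.3.4, and "defoult", "witch connections are allow" and "There are Some files have" need fixing.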