Thursday, April 03, 2008

Shorewall setup to ease your Iptables setup

Reference:
http://www.shorewall.net/shorewall_setup_guide.htm


# Back up your existing iptables configuration so that you can revert in case something goes wrong

# Keep a copy of the running ruleset file; it is restored again further below
cp -a -- /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_

# Deploy a safety net to ensure that you don't get locked out
Reference : http://www.iptablesrocks.org/guide/safetynet.php
vi /root/firewall_reset

############
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

###########

# Test that the reset file above loads without errors

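# Load the reset ruleset; stop here if iptables-restore rejects the file so
# that a parse error is not mistaken for a successful reset
/sbin/iptables-restore < /root/firewall_reset || exit 1

# List the filter table; -n avoids reverse-DNS lookups on the addresses shown
/sbin/iptables -L -n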

# The output should be similar to the following
###
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
###

# Restore your original firewall configuration and proceed

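# Put the saved ruleset back; stop here if the restore fails so that the
# host is not left running the accept-all reset rules unnoticed
/sbin/iptables-restore < /etc/sysconfig/iptables_backup_ || exit 1

# Confirm that your original rules have been restored (-n skips DNS lookups)
/sbin/iptables -L -n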

# Create a crontab entry that resets the firewall every 15 minutes

# Edit the crontab of the current user (root here) and add the line below
crontab -e

0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset

# Remove or comment out this cron line as soon as you have confirmed that shorewall is working: while it is active, the firewall is reset to the accept-all ruleset every 15 minutes, and any shorewall rule set you load is wiped at the next run.


# Reference:http://www.shorewall.net/shorewall_quickstart_guide.htm

# Before installing, check whether iproute and shorewall are already installed

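# Query by package name (rpm -q) instead of grepping the full package list,
# so a substring match on an unrelated package is not mistaken for a hit
rpm -q iproute
rpm -q shorewall

# Install iproute only when it is not already present
rpm -q iproute >/dev/null 2>&1 || yum install iproute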

# Shorewall Installation

# Using Yum
# Install from the distribution repositories when the package is available there
yum install shorewall

# Using RPM
# Shorewall is often not available in the yum repositories; in that case install it from the RPM packages as follows

References :
http://www.shorewall.net/Install.htm
http://www.shorewall.net/download.htm

Download the shorewall and shorewall-perl RPM packages

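# NOTE: /tmp is shared with every local user; on a multi-user box a private
# scratch directory (mktemp -d) is a safer place to unpack downloads
cd /tmp || exit 1

wget http://www.invoca.ch/pub/packages/shorewall/4.2/shorewall-4.2.5/shorewall-4.2.5-3.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.2/shorewall-4.2.5/shorewall-perl-4.2.5-3.noarch.rpm

# Verify the package signatures before installing anything that was fetched
# over plain http. rpm -K reports NOT OK when a signature is bad or the
# signing key has not been imported, so import the vendor's key first and
# treat anything other than OK as a failure
rpm -K shorewall-perl-4.2.5-3.noarch.rpm shorewall-4.2.5-3.noarch.rpm || exit 1

rpm -ivh shorewall-perl-4.2.5-3.noarch.rpm shorewall-4.2.5-3.noarch.rpm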

#Setting up Shorewall on a standalone Linux system with a single static IP address
Reference :http://www.shorewall.net/standalone.htm

# Add the public IP address you are connecting from (the address of your own system or gateway, not the address of the server on which you are installing shorewall) to /etc/shorewall/routestopped, so that your connection survives a firewall stop or restart. You can find your public IP address by visiting http://whatismyip.com
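# Keep the pristine copy only once; a second run must not overwrite it with
# an already-edited file
[ -e /etc/shorewall/routestopped.orig ] || cp -a -- /etc/shorewall/routestopped /etc/shorewall/routestopped.orig

vi /etc/shorewall/routestopped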
# e.g. if your IP address (the system/gateway you are connecting from) is 59.144.118.69, list that host, or a network range that actually contains it (check that the prefix you write covers your address)
#INTERFACE HOST(S)
eth0 59.144.0.0/24

# You can also use CIDR notation to specify a range of IP addresses whose connections will be kept alive
# For example, to keep connections from 192.168.0.1 to 192.168.0.254 alive during a firewall restart, add the following line

#INTERFACE HOST(S)
eth0 192.168.0.0/24

# Find the sample configuration files by running

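# Locate the one-interface sample shipped with the installed package; the
# path used below embeds the package version, so adjust it to match this output
rpm -ql shorewall | grep -F one-interface

cp -a -- /usr/share/doc/shorewall-4.2.5/Samples/one-interface /tmp/

cd /tmp/one-interface || exit 1

# Confirm the name of your Ethernet interface (and that there is only one)
/sbin/ifconfig -a

vi interfaces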

########
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 210.210.18.90 norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########

# The BROADCAST address above is optional; you can put a - in its place instead

# RFC 1918 reserves the following private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

# If your IP address falls in any of the above ranges, remove "norfc1918" from the OPTIONS column of the interfaces file
# If your IP address is assigned dynamically by DHCP, put "detect" in the BROADCAST column and add "dhcp" to the options list.

# Configuration of rules

# You can find the available rule macro files by running

# These macro files are referenced by name in the rules file (e.g. Web/ACCEPT below)
ls /usr/share/shorewall/macro.*

# You can then use these macros in your shorewall rules file

# For example, to allow access to your web server on TCP port 80 and to sshd on TCP port 22, do the following

# Tip: You can identify the network services running on your server by issuing the following command.

# Listening (-l) UDP (-u) and TCP (-t) sockets, numeric addresses (-n), with the owning process (-p)
/bin/netstat -luntp

# Based on that output, you can decide which services should be reachable remotely and which should not

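# Stop if the sample directory is missing, so vi does not silently create a
# stray "rules" file in the current directory
cd /tmp/one-interface || exit 1

vi rules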

#######
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
SSH/ACCEPT net $FW
######


# The same rules can also be written without macros, as follows.

# Same file as above; use either the macro form or the explicit port form
vi rules

#########
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 22
#########
# You can also add the following rule if your nmap scan shows TCP port 113 as closed.
DROP net $FW tcp 113

If you want to allow connections to, say, the SSH port only from specific IP addresses on the Internet, add the following

ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22

# Check the definition of each macro you apply (in /usr/share/shorewall/macro.*) to ensure that it opens only what you intend


# You must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes

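# Keep the untouched sample only once; do not overwrite it on a re-run
[ -e /tmp/one-interface/shorewall.conf.orig ] || cp -a -- /tmp/one-interface/shorewall.conf /tmp/one-interface/shorewall.conf.orig
vi /tmp/one-interface/shorewall.conf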
# Modify the lines as shown

#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes

# Copy your configuration files to their final locations

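cd /etc/shorewall/ || exit 1

# Preserve the distribution defaults once; skip the copy if a backup already
# exists so that a re-run cannot overwrite the originals with edited files
for f in policy rules interfaces zones; do
  [ -e "$f.orig" ] || cp -a -- "$f" "$f.orig"
done

cp -a -- /tmp/one-interface/* /etc/shorewall/

rm -rf -- /tmp/one-interface/

# Validate the new configuration before activating it, so that a syntax
# error is caught here rather than during the restart
/sbin/shorewall check || exit 1

/etc/rc.d/init.d/shorewall restart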

# You can use the following command to clear all shorewall rules
# NOTE: this removes every rule, leaving the host unfiltered until shorewall
# is started again; use it for troubleshooting only
/sbin/shorewall clear

# Configure shorewall to auto start at boot time

# Register the init script so that shorewall is started at boot
/sbin/chkconfig shorewall on

# From a different system, use nmap to verify that your firewall rules are in effect

# Multiple IP address to single interface

# Reference:http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id2491727

# Ensure that all IP addresses (non-virtual, i.e. additional IP addresses on separate LAN cards) are configured in /etc/shorewall/interfaces
# eg.

# One line per physical interface, in the ZONE/INTERFACE/BROADCAST/OPTIONS layout shown below
vi /etc/shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS
net eth1 210.210.23.26 norfc1918,routefilter,tcpflags,logmartians,nosmurfs

# The BROADCAST address above is optional; you can put a - in its place instead

# RFC 1918 reserves the following private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

# If your IP address falls in any of the above ranges, remove "norfc1918" from the OPTIONS column of the interfaces file
# If your IP address is assigned dynamically by DHCP, put "detect" in the BROADCAST column and add "dhcp" to the options list.

# If you are using virtual IP addresses (e.g. eth0:0, eth0:1, etc.) on a single Ethernet card, you can skip the above setting in /etc/shorewall/interfaces

# If you have multiple IP addresses and want sshd to be reachable on a single IP address (e.g. 210.210.23.26) instead of on all of the server's addresses, do this

# Replace the generic port-22 rule with one restricted to a single destination address (see below)
vi /etc/shorewall/rules

#ACCEPT net $FW tcp 22
ACCEPT net $FW:210.210.23.26 tcp 22

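# Validate, then restart. The restart loads the new ruleset itself, so there is
# no need to "clear" first: clearing removes every rule and leaves the host
# unfiltered until the restart completes.
/sbin/shorewall check || exit 1
/etc/rc.d/init.d/shorewall restart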

# Once shorewall is running and the firewall behaves as expected, remove the firewall_reset cron job and the temporary entries in /etc/shorewall/routestopped: the cron job resets all rules to ACCEPT every 15 minutes, and hosts listed in routestopped are let through whenever the firewall is stopped.
