
Software Internet gateway for a not-so-small company (Shorewall, extras). Part 4

I present the fourth article in the series, aimed at "intermediate" system administrators; experienced ones will hardly find anything new here.

In these articles we look at building an Internet gateway on Linux that links several company offices, restricts access to the network, prioritizes traffic (QoS), and does simple load balancing with failover between two providers.

Specifically in this part:

And in the first part were considered:

And in the second :

And in the third :



Events


Everything is simple and difficult at the same time. As an interesting example, consider port knocking.
/etc/shorewall/actions
#ACTION    OPTION    DESCRIPTION
Knock                #Port Knocking


Here we simply declare our action; the event handling itself lives in the action file.

/etc/shorewall/action.Knock
#
# Shorewall version 4 - SSH_BLACKLIST Action
#
?format 2
###############################################################################
#ACTION                                   SOURCE  DEST  PROTO  DPORT
# port 22: accept only if the SSH event was set for this source within 60 s,
# then reset the event (one session per knock)
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                                          -       -     tcp    22
# port 1600: the knock; set the event for the source address
SetEvent(SSH,ACCEPT)                      -       -     tcp    1600
# ports 1599 and 1601: cancel the knock and drop the packet (see the text below)
ResetEvent(SSH,DROP:info)                 -       -     tcp    1599,1601


Here we handle the events. The idea is as follows:
a request to port 1600 opens port 22 for the same source address for 60 seconds; a request to port 1599 or 1601 closes port 22 again.

/etc/shorewall/rules
#ACTION  SOURCE  DEST  PROTO  DPORT
Knock    net     $FW   tcp    22,1599-1601


And here we attach the Knock action to the relevant connections: TCP from the net zone to the firewall on ports 22 and 1599-1601.
The topic of event handling is extensive, so read the manuals carefully.
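To make the event semantics concrete, here is a small Python model of the three rules in action.Knock, run over a constructed sequence of connection attempts. It is an added example, not code from the article or from Shorewall: it treats the net-to-firewall policy as DROP (an assumption, since the article does not show its policy file), models the `reset` option of IfEvent as clearing the event once it matches (so each knock admits one new SSH connection), ignores logging and the hit count, and the client address and timestamps in the trace are constructed.

```python
# Added example: a simplified model of the event handling in action.Knock.
# Not the article's code and not Shorewall's implementation.
from dataclasses import dataclass, field

SSH_PORT = 22
KNOCK_PORT = 1600           # SetEvent(SSH,ACCEPT)      - - tcp 1600
RESET_PORTS = {1599, 1601}  # ResetEvent(SSH,DROP:info) - - tcp 1599,1601
WINDOW = 60                 # IfEvent(SSH,ACCEPT:info,60,1,src,reset) - - tcp 22
POLICY = "DROP"             # assumed net -> $FW policy; not shown in the article


@dataclass
class KnockFirewall:
    # event table keyed by source address ('src' in IfEvent): when SSH was last set
    events: dict = field(default_factory=dict)

    def new_connection(self, src: str, dport: int, now: float) -> str:
        """Disposition of a NEW TCP connection from src to the firewall's dport."""
        if dport == SSH_PORT:
            # IfEvent: accept only if the SSH event was set within the last WINDOW
            # seconds; 'reset' then clears it, so the next session needs a new knock
            set_at = self.events.get(src)
            if set_at is not None and now - set_at <= WINDOW:
                del self.events[src]
                return "ACCEPT"
            return POLICY            # nothing matched in the action: policy decides
        if dport == KNOCK_PORT:
            # SetEvent: remember the knock for this source, accept the knock itself
            self.events[src] = now
            return "ACCEPT"
        if dport in RESET_PORTS:
            # ResetEvent: forget the knock and drop the packet
            self.events.pop(src, None)
            return "DROP"
        return POLICY                # ports the Knock rule never sends here


def run_trace(trace):
    """Feed (time, src, dport) tuples through one firewall; return dispositions."""
    fw = KnockFirewall()
    return [fw.new_connection(src, dport, t) for t, src, dport in trace]


# Constructed sample sequence of connection attempts from one client
SAMPLE_TRACE = [
    (0,  "203.0.113.5", 22),    # SSH without a knock: falls to policy (DROP)
    (1,  "203.0.113.5", 1600),  # knock
    (2,  "203.0.113.5", 22),    # within 60 s: ACCEPT, event reset
    (3,  "203.0.113.5", 22),    # second session without a new knock: DROP
    (4,  "203.0.113.5", 1600),  # knock again
    (70, "203.0.113.5", 22),    # 66 s later: window expired, DROP
    (71, "203.0.113.5", 1600),  # knock
    (72, "203.0.113.5", 1601),  # wrong port: event reset, packet dropped
    (73, "203.0.113.5", 22),    # DROP, the knock was cancelled
]

EXPECTED = ["DROP", "ACCEPT", "ACCEPT", "DROP", "ACCEPT", "DROP", "ACCEPT", "DROP", "DROP"]

if __name__ == "__main__":
    for (t, src, port), result in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={t:3d} {src} -> :{port:<5} {result}")
```

The trace is worth reading line by line: it shows the two failure modes an administrator usually hits when testing this setup, an SSH attempt that arrives after the 60-second window, and a second session after the first one consumed the knock.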

Macros


They let you write rules concisely (macros were already mentioned briefly in an earlier part).
/etc/shorewall/macro.TEST
#ACTION  SOURCE  DEST    PROTO  DPORT  SPORT  ORIGDEST  RATE  USER
PARAM    -       -       udp    6745
PARAM    DEST    SOURCE  tcp    35067


Using the macro in the rules:
/etc/shorewall/rules
#ACTION       SOURCE  DEST  PROTO  DPORT
TEST(ACCEPT)  loc     $FW
# which is equivalent to:
#ACTION  SOURCE  DEST  PROTO  DPORT  SPORT
ACCEPT   loc     $FW   udp    6745
ACCEPT   $FW     loc   tcp    35067
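To show where the two equivalent rules come from, here is an added Python example (not the article's code and not Shorewall's own macro compiler) that implements only the substitution rules this page relies on: PARAM in the ACTION column takes the invocation's parameter, and "-", SOURCE and DEST in the SOURCE/DEST columns are replaced by the invoking rule's source and destination. The macro body is the page's macro.TEST (first five columns), and the invocation line is the page's `TEST(ACCEPT) loc $FW`; the regular expression for recognising `NAME(PARAM)` is my own simplification.

```python
# Added example: a minimal model of Shorewall macro substitution.
# Not the article's code and not Shorewall's own macro compiler.
import re

# Body of /etc/shorewall/macro.TEST as shown in the article (first five columns)
MACRO_TEST = """\
#ACTION  SOURCE  DEST    PROTO  DPORT
PARAM    -       -       udp    6745
PARAM    DEST    SOURCE  tcp    35067
"""

COLUMNS = 5  # ACTION SOURCE DEST PROTO DPORT; later columns are not modelled


def expand_macro(macro_text, param, source, dest):
    """Expand a macro body for one invocation and return rules-file lines."""
    placeholders = {"SOURCE": source, "DEST": dest}
    rules = []
    for line in macro_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                # skip blanks and comments
        fields = (line.split() + ["-"] * COLUMNS)[:COLUMNS]
        action, m_src, m_dst, proto, dport = fields
        if action == "PARAM":
            action = param                          # PARAM -> invocation parameter
        # '-' means 'use the invoking rule's own column'; SOURCE/DEST pick
        # the invoking rule's columns explicitly (and so can swap them)
        src = source if m_src == "-" else placeholders.get(m_src, m_src)
        dst = dest if m_dst == "-" else placeholders.get(m_dst, m_dst)
        rules.append(" ".join([action, src, dst, proto, dport]))
    return rules


# Simplified recogniser for an ACTION column of the form NAME(PARAM)
MACRO_CALL = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\((\w+)\)")


def expand_rule(rule_line, macros):
    """Expand a rules line whose ACTION is NAME(PARAM); other lines pass through."""
    fields = rule_line.split()
    m = MACRO_CALL.fullmatch(fields[0])
    if m is None or m.group(1) not in macros:
        return [rule_line]
    name, param = m.groups()
    source = fields[1] if len(fields) > 1 else "-"
    dest = fields[2] if len(fields) > 2 else "-"
    return expand_macro(macros[name], param, source, dest)


if __name__ == "__main__":
    for rule in expand_rule("TEST(ACCEPT) loc $FW", {"TEST": MACRO_TEST}):
        print(rule)
```

Running it prints the two ACCEPT rules from the listing above, and the second line demonstrates the point of the DEST/SOURCE columns: the reply-direction rule ($FW to loc) is generated from the same loc-to-$FW invocation.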

Source: https://habr.com/ru/post/274765/

