
Shorewall: firewall for everyone

It turns out that the Shoreline Firewall has not been covered on Habr at all, even though it is an extremely convenient tool (and a strong argument against pf in flame wars) for setting up a firewall on Linux.

Please do not start a flame war along the lines of “Linux is junk, we do it better on OpenBSD”, “And I have Kerio WinRoute, you are all losers” and so on.
This article is for those who chose Linux for whatever reason and do not want to spend a lot of time learning iptables (and there is plenty there to get confused about).

So, a long read under the cut.

For starters, what is Shorewall?
Shorewall is a wrapper around good old iptables, the standard firewall configuration tool on Linux. The current version uses Perl to read and parse a whole pile of configuration files, generate a file compatible with iptables-restore and feed it to the latter. It stands out for its simple configuration, the extra layers of abstraction it adds, active development (which leaves the package in Debian stable badly outdated), and very tasty things like support for several uplinks.

The current version of Shorewall is 4.4; Lenny ships 4.0 and Karmic 4.2. Since the machine closest to me runs Ubuntu Server 9.10, I will mostly be talking about version 4.2, and since the main feature set appeared in Shorewall early on, everything or almost everything should work with any version of Shorewall.

Up to and including version 4.2, Shorewall could use either Perl or shell to process the configs. In version 4.4 shell support was dropped (no need to multiply buggy entities), so we will only talk about the Perl version.

So, installation
Since all of Shorewall is a collection of Perl scripts and config templates, there is little point talking about dependencies: Perl and iptables are needed. If your distribution's repositories have a shorewall-perl package, install it; if not, take a deb or rpm from another distribution, there is nothing to break.

Start and stop
Since we are all impatient, we want to launch the new toy right away. This can be done not only with the init script but also with the commands
  shorewall {start, stop, restart}
which is even preferable while debugging: errors are written directly to the console.

Configuration note
All configs should be started from the blanks that ship in the package. They contain not only useful comments about the purpose of each file but also markers for the parser, without which the system is not guaranteed to work. On Ubuntu they ended up in /usr/share/doc/shorewall-common/default-config.
The firewall configuration itself lives in /etc/shorewall, so all configuration files mentioned below without a path are located there.

Typical home router configuration
1. Zones.
Packet handling rules in Shorewall use the zone abstraction: every network you want to process must be given a name. First you need to decide on the zone names. In my case there are 4 of them: the mandatory zone containing the firewall itself, the home network with DHCP, the provider LAN, and the Internet via PPPoE. Do not forget to copy the blank from your package! The config came out like this:
  # cat zones | tail -7
  #ZONE   TYPE       OPTIONS      IN           OUT
  #                               OPTIONS      OPTIONS
  fw      firewall
  inet    ipv4
  nbn     ipv4
  mork    ipv4
  #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Here nbn is the provider LAN (yes, netbook) and mork is the home network.

2. Interfaces and Hosts
Once you have decided on your zones, you need to say how the network interfaces (L2) and the IP networks (L3) are divided between the zones.
In the interfaces file, list all the interfaces to be processed. The format is “this interface belongs entirely to this zone”, so when splitting an interface between several zones you must put a dash instead of a zone.
My simplest option:
  # tail -5 interfaces
  #ZONE   INTERFACE   BROADCAST   OPTIONS
  mork    lan         detect      dhcp
  inet    ppp+        detect
  nbn     prov        detect
  #LAST LINE - ADD YOUR ENTRIES BEFORE THIS ONE - DO NOT REMOVE

Yes, yes, my network cards are called lan and prov. Most people will have eth0, eth1, etc.
As you can see from the example, wildcards can be used: here all kinds of PPP tunnels, including ppp0, fall under ppp+.

When splitting one interface between several zones, use the hosts file to indicate which subnet on which interface falls into which zone. The syntax is simple, “zone interface:subnet”, with the possibility of adding exceptions.

3. Policies
Once you have divided the world into zones, you must say who is allowed to do what by default. These are called policies, they live in the policy file, and a policy must be defined for every possible direction of traffic. It is best to put the default policy at the end and the exceptions a little above it:
  # tail -6 policy
  #SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
  #                         LEVEL   BURST    MASK
  fw        all    ACCEPT
  mork      all    ACCEPT
  all       all    REJECT
  #LAST LINE - DO NOT REMOVE

Here I allowed all traffic from my home network and from the firewall to anywhere, and forbade everything else.

4. First flight
At this stage the config should compile and work. The only catch is that the Internet will be available on the firewall alone, because we have not configured NAT yet. But when something already works, it is pleasing :)

5. Configure NAT
Masquerading, as always, is enabled simply. Note: interfaces are specified here, not zones. You can specify an IP subnet, and you can make exceptions. The masq file:
  # cat masq | tail -3
  #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
  ppp+         prov     lan
  #LAST LINE - ADD YOUR ENTRIES ABOVE THIS LINE - DO NOT REMOVE


6. shorewall.conf
We have reached the file we should have looked into at the very beginning, but it looked tedious and incomprehensible. This file holds the parser configuration, some behavioural settings and other odds and ends. Edit it and pay attention to the following parameters:
  STARTUP_ENABLED=Yes       - allow it to start
  VERBOSITY=1               - verbosity in the console
  SHOREWALL_COMPILER=perl   - so there is no confusion, just in case
  *_LOG_LEVEL               - once everything works as it should, set these to none so that dmesg is not littered
  LOG_MARTIANS              - the same
  IP_FORWARDING=On          - essential for masquerading. You can of course do it in sysctl.conf as well, but here it is more appropriate
  CLAMPMSS=Yes              - better to turn it on if the uplink has a smaller MTU than any other machine in the home network.
                              Leaving it at No can lead to an extremely unpleasant bug with Wikipedia not loading on that machine.
  ADMINISABSENTMINDED=Yes   - do not imagine yourself God, leave it


7. Rules (well, finally!)
For fully correct operation I would also allow all ICMP here, and ssh from outside at the same time. The rules file:
  # cat rules | tail -11 | grep -v '^#SECTION' | head -5
  #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
  #                                 PORT   PORT(S)   DEST       LIMIT   GROUP
  SECTION NEW
  ACCEPT    all      all    icmp
  ACCEPT    inet     $FW    tcp     22

7a. Port forwarding is described in the same file:
  # cat rules | grep -E '(#ACTION|DNAT)'
  #ACTION   SOURCE   DEST                PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
  DNAT      all      mork:navoff:31840   udp     31840
  DNAT      nbn      mork:navoff:7777    udp     7777
  DNAT      nbn      mork:navoff:7777    tcp     7777
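The four files built up in sections 1, 2, 3 and 7 have to agree with each other: every zone named in interfaces and rules must exist in zones, and every zone pair needs a policy (Shorewall refuses to compile otherwise). The script below is an added example, not Shorewall's own code, that cross-checks such files using only the leading columns shown in this article; the sample contents are constructed from the listings above.

```python
"""Constructed consistency check for the Shorewall files discussed above
(zones, interfaces, policy, rules). Added example, not Shorewall's own code;
it only understands the leading columns the article uses."""
from itertools import permutations

# Samples constructed from the article's listings (leading columns only).
ZONES = "fw firewall\ninet ipv4\nnbn ipv4\nmork ipv4\n"
INTERFACES = "mork lan detect dhcp\ninet ppp+ detect\nnbn prov detect\n"
POLICY = "fw all ACCEPT\nmork all ACCEPT\nall all REJECT\n"
RULES = ("SECTION NEW\nACCEPT all all icmp\nACCEPT inet $FW tcp 22\n"
         "DNAT nbn mork:navoff:7777 udp 7777\n")

def parse(text):
    """Yield the whitespace-split columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def zone_of(field):
    """Reduce a 'zone:host[:port]' field to its zone; $FW is the firewall zone."""
    return "fw" if field == "$FW" else field.split(":", 1)[0]

def check(zones=ZONES, interfaces=INTERFACES, policy=POLICY, rules=RULES):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    names = {row[0] for row in parse(zones)}
    for row in parse(interfaces):
        if row[0] != "-" and row[0] not in names:   # '-' = split via hosts file
            findings.append(f"interfaces: unknown zone {row[0]}")
    # Every ordered pair of distinct zones needs a policy, explicit or via 'all'.
    # Only coverage is checked here; Shorewall itself applies first-match order.
    policies = [(zone_of(r[0]), zone_of(r[1])) for r in parse(policy)]
    for src, dst in permutations(sorted(names), 2):
        if not any(s in (src, "all") and d in (dst, "all") for s, d in policies):
            findings.append(f"policy: no default for {src} -> {dst}")
    for row in parse(rules):
        if row[0] == "SECTION":
            continue
        for z in map(zone_of, row[1:3]):
            if z not in names and z != "all":
                findings.append(f"rules: unknown zone {z}")
    return findings

if __name__ == "__main__":
    print(check() or "ok")
```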


8. Profit!
At this point you should have a fully configured home router with NAT from the home network in all directions and with port forwarding. From outside, only ICMP and SSH are allowed in. All configuration files (5 new, 1 edited) consist of lines in which it is hard to make a mistake, and the configuration transfers easily to machines with differently named network cards and other addresses of the connected networks. You do not have to worry about TCP packet flags or the origin of incoming UDP packets (oh, how I debugged DNS with plain iptables and a “deny all inbound” policy). On Debian and Ubuntu you also need to edit /etc/default/shorewall so that the init script works properly, and in some places add shorewall to your favourite runlevel.

9. PostScriptum
Shorewall's capabilities are not limited to this. It has built-in support for shaping (via tc from iproute2), several uplinks (deserves a separate article), IPv6 and more. It can be configured through Webmin. The volume of documentation, FAQ and man pages is impressive. I hope many Linux users, both beginners and experienced administrators, will find something useful in this iptables wrapper.

Source: https://habr.com/ru/post/80271/
