Reference:
http://www.shorewall.net/shorewall_setup_guide.htm
# Backup your existing Iptables configuration so that you can revert back in case something goes wrong
cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_
# Deploying a safety net to ensure that you dont get locked out
Reference : http://www.iptablesrocks.org/guide/safetynet.php
vi /root/firewall_reset
############
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
###########
# Test if the above script works and throws no error
/sbin/iptables-restore < /root/firewall_reset
/sbin/iptables -L
# The output should be similar to the following
###
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
###
# restore your orginal firewall configuration and proceed
/sbin/iptables-restore < /etc/sysconfig/iptables_backup_
# Confirm that your original rules have been restored by running the following command
/sbin/iptables -L
# Create a crontab entry that resets the firewall every 15 minutes
crontab -e
0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset
# Please ensure that you comment out this line after you have succesfully tested you shorewall working.
# Reference:http://www.shorewall.net/shorewall_quickstart_guide.htm
# Before installing ,check if iproute and shorewall already exist
rpm -qa | grep -i "iproute"
rpm -qa | grep -i "shorewall"
# If iproute doesn't exist then proceed as follows
yum install iproute
# Shorewall Installation
# Using Yum
yum install shorewall
# Using RPM
# In most cases shorewall would not exist in yum repositories so proceed as follows for the rpm installation
References :
http://www.shorewall.net/Install.htm
http://www.shorewall.net/download.htm
Download the shorewall and shorewall-perl rpm package
cd /tmp
wget http://www.invoca.ch/pub/packages/shorewall/4.2/shorewall-4.2.5/shorewall-4.2.5-3.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.2/shorewall-4.2.5/shorewall-perl-4.2.5-3.noarch.rpm
rpm -ivh shorewall-perl-4.2.5-3.noarch.rpm shorewall-4.2.5-3.noarch.rpm
#Setting up Shorewall on a standalone Linux system with a single static IP address
Reference :http://www.shorewall.net/standalone.htm
# Add your IP address (IP address of the system/gateway you are connecting from and not the server IP address where you are installing shorewall) to the /etc/shorewall/routestopped file to ensure that you stay connected when the firewall restarts.You can find your IP address by visiting http://whatismyip.com
cp -a /etc/shorewall/routestopped /etc/shorewall/routestopped.orig
vi /etc/shorewall/routestopped
# eg. if your IP address ( the system/gateway you are connecting from) is 59.144.118.69
#INTERFACE HOST(S)
eth0 59.144.0.0/24
# You can also add a CIDR number to indicate a range of IPs from which connection will not break
# For eg. if you want to keep alive connections from 192.168.0.1 to 192.168.0.254 during the firewall restart add the following line
#INTERFACE HOST(S)
eth0 192.168.0.0/24
# Find the sample configuration files by running
rpm -ql shorewall | fgrep one-interface
cp -a /usr/share/doc/shorewall-4.2.5/Samples/one-interface /tmp/
cd /tmp/one-interface
# Confirm your ethernet interface ( to check if you have a single lan card)
/sbin/ifconfig -a
vi interfaces
########
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 210.210.18.90 norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########
# The BROADCAST address can be ignored above and instead you can put a -
#RFC-1918 reserves several Private IP address ranges for use in private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
#If your IP address falls in any of the above range, then please remove "norfc1918" in the options section of the interfaces file
# If you have a non-static DHCP IP address,add "detect" in the "broadcast" section and add “dhcp” to the option list.
# Configuration of rules
# You can find custom rules files by running
ls /usr/share/shorewall/macro.*
# You can then use these macros in your shorewall rules file
# For eg. if you want to allow access to your web server running TCP Port 80 and SSHD running on TCP port 22 do the following
# Tip: You can identify the network services running on your server bu issuing the following command.
/bin/netstat -luntp
# Based on the output you get , you can decide which services to allow remote access or not
cd /tmp/one-interface
vi rules
#######
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
SSH/ACCEPT net $FW
######
# You can also add the above rules in this way.
vi rules
#########
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 22
#########
# You can also add the following rule if you see port TCP 113 as closed in your nmap scan.
DROP net $FW tcp 113
If you want to allow conections to let's say the ssh port only from specific IP Addresses on the internet add the following
ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22
# Please ensure that you check the individual macros you applies from /usr/share/shorewall/macro.* to ensure that they work as desired
# You must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes
cp -a /tmp/one-interface/shorewall.conf /tmp/one-interface/shorewall.conf.orig
vi /tmp/one-interface/shorewall.conf
# Modify the lines as shown
#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes
# Copy your configuration files to appropriate locations
cd /etc/shorewall/
cp -a policy policy.orig
cp -a rules rules.orig
cp -a interfaces interfaces.orig
cp -a zones zones.orig
cp -a /tmp/one-interface/* /etc/shorewall/
rm -rf /tmp/one-interface/
/etc/rc.d/init.d/shorewall restart
# You can use the following command to clear all shorewall rules
/sbin/shorewall clear
# Configure shorewall to auto start at boot time
/sbin/chkconfig shorewall on
# Use nmap from a different system to ensure that your firewall rules are in place
# Multiple IP address to single interface
# Reference:http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id2491727
# Ensure that all IP addresses ( non virtual ie. additional IP addresses on separate lan cards ) are configured in the /etc/shorewall/interfaces
# eg.
vi /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 210.210.23.26 norfc1918,routefilter,tcpflags,logmartians,nosmurfs
# The BROADCAST address can be ignored above and instead you can put a -
#RFC-1918 reserves several Private IP address ranges for use in private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
#If your IP address falls in any of the above range, then please remove "norfc1918" in the options section of the interfaces file
# If you have a non-static DHCP IP address,add "detect" in the "broadcast" section and add “dhcp” to the option list.
# If you are using virtual IP addresses (eg. eth0:0,eth0:1 etc,) configured for a single ethernet card, then you can ignore the above setting in /etc/shorewall/interfaces
# If you have muliple IP addresses and want a sshd to be available on a single IP address (eg. 210.210.23.26 )instead of all IP adresses on the server ,then do this
vi /etc/shorewall/rules
#ACCEPT net $FW tcp 22
ACCEPT net $FW:210.210.23.26 tcp 22
/sbin/shorewall clear
/etc/rc.d/init.d/shorewall restart
# Remove the firewall_reset cron job and the entries in /etc/shorewall/routestopped after shorewall is run and firewall behaves as expected.
No comments:
Post a Comment