
Shorewall installation and configuration on Fedora

Reference:
http://www.shorewall.net/shorewall_setup_guide.htm

# Back up your existing iptables configuration so that you can revert if
something goes wrong

cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_<today_s_date>

# Deploy a safety net to ensure that you don't get locked out
Reference: http://www.iptablesrocks.org/guide/safetynet.php
vi /root/firewall_reset

############
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

###########

# Test that the ruleset above loads without errors (note that loading it replaces your running rules with the accept-all policies above until you restore your backup below)

/sbin/iptables-restore < /root/firewall_reset

/sbin/iptables -L

# The output should be similar to the following


###
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)


target prot opt source destination

Chain OUTPUT (policy ACCEPT)


target prot opt source destination
###

# Restore your original firewall configuration and proceed


/sbin/iptables-restore < /etc/sysconfig/iptables_backup_<today_s_date>

# Confirm that your original rules have been restored by running the following
command

/sbin/iptables -L

# Create a crontab entry that loads the accept-all reset ruleset every 15 minutes. While this entry is active the host runs with no packet filtering after each reset, so keep it only for the testing window.

crontab -e

0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset

# Be sure to comment out this line after you have successfully verified that
your Shorewall setup is working.

# Reference:http://www.shorewall.net/shorewall_quickstart_guide.htm

# Before installing, check whether iproute and shorewall are already installed

rpm -qa | grep -i "iproute"


rpm -qa | grep -i "shorewall"

# If iproute and shorewall are not installed, proceed as follows

yum install iproute


yum install shorewall

# Setting up Shorewall on a standalone Linux system with a single static IP address

Reference: http://www.shorewall.net/standalone.htm

# Add your IP address (the address of the system/gateway you are connecting from,
not the address of the server on which you are installing Shorewall) to the
/etc/shorewall/routestopped file so that you stay connected when the firewall
restarts. You can find your public IP address by visiting http://whatismyip.com
cp -a /etc/shorewall/routestopped /etc/shorewall/routestopped.orig

vi /etc/shorewall/routestopped
# e.g. if your IP address (the system/gateway you are connecting from) is
59.144.118.69. Make sure the HOST(S) entry you add actually contains that
address: a /24 prefix fixes the first three octets, so 59.144.0.0/24 covers
only 59.144.0.0 to 59.144.0.255 and would not keep this address connected.
#INTERFACE HOST(S)
eth0 59.144.0.0/24

# You can also use a CIDR prefix to indicate a range of IPs from which connections
will not be interrupted
# For example, to keep connections from 192.168.0.1 to 192.168.0.254 alive
during the firewall restart, add the following line

#INTERFACE HOST(S)
eth0 192.168.0.0/24

# Find the sample configuration files by running

rpm -ql shorewall | fgrep one-interface

cp -a /usr/share/doc/shorewall-3.2.7/Samples/one-interface /tmp/
cd /tmp/one-interface
# Confirm your ethernet interface (to check whether you have a single LAN card)

/sbin/ifconfig -a

vi interfaces

########
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 210.210.18.90
norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########

#RFC-1918 reserves several Private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

# If your IP address falls in any of the above ranges, remove
"norfc1918" from the OPTIONS column of the interfaces file
# If you have a DHCP-assigned (non-static) IP address, put "detect" in the BROADCAST column
and add "dhcp" to the options list.

# Configuration of rules

# You can find the predefined macro files by running

ls /usr/share/shorewall/macro.*

# You can then use these macros in your Shorewall rules file

# For example, to allow access to a web server on TCP port 80 and to
sshd on TCP port 22, do the following

# Tip: you can identify the network services listening on your server by issuing the
following command.

/bin/netstat -luntp

# Based on the output, decide which services should be reachable remotely
and which should not

cd /tmp/one-interface

vi rules

#######
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
SSH/ACCEPT net $FW
######

# You can also add the above rules in this way.

vi rules
#########
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 22
#########
# You can also add the following rule if you see port TCP 113 as closed in your
nmap scan.
DROP net $FW tcp 113

If you want to allow connections to, say, the SSH port only from specific Internet
addresses, add the following (and remove the broader `SSH/ACCEPT net $FW` or
`ACCEPT net $FW tcp 22` rule, otherwise that rule still admits every source)

ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22

# Check each macro you apply from
/usr/share/shorewall/macro.* to ensure it opens only what you intend

# You must enable startup by editing /etc/shorewall/shorewall.conf and setting


STARTUP_ENABLED=Yes

cp -a /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
vi /etc/shorewall/shorewall.conf
# Modify the lines as shown

#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes

# Copy your configuration files to appropriate locations

cd /etc/shorewall/
cp -a policy policy.orig
cp -a rules rules.orig
cp -a interfaces interfaces.orig
cp -a zones zones.orig

cp -a /tmp/one-interface/* /etc/shorewall/

rm -rf /tmp/one-interface/

/etc/rc.d/init.d/shorewall restart

# You can use the following command to clear all Shorewall rules (this leaves the host with no packet filtering until the next start/restart)
/sbin/shorewall clear

# Configure shorewall to auto start at boot time

/sbin/chkconfig shorewall on

# Use nmap from a different system to ensure that your firewall rules are in place

# Multiple IP addresses on a single interface


# Reference: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id2491727

# Ensure that all IP addresses (non-virtual, i.e. additional IP addresses on
separate LAN cards) are configured in /etc/shorewall/interfaces
# eg.

vi /etc/shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS


net eth1 210.210.23.26
norfc1918,routefilter,tcpflags,logmartians,nosmurfs

#RFC-1918 reserves several Private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

# If your IP address falls in any of the above ranges, remove
"norfc1918" from the OPTIONS column of the interfaces file
# If you have a DHCP-assigned (non-static) IP address, put "detect" in the BROADCAST column
and add "dhcp" to the options list.

# If you are using virtual IP addresses (e.g. eth0:0, eth0:1, etc.) configured on a
single ethernet card, then you can ignore the above setting in
/etc/shorewall/interfaces

# If you have multiple IP addresses and want sshd to be reachable on a single IP
address (e.g. 210.210.23.26) instead of on all of the server's addresses, then do this

vi /etc/shorewall/rules

#ACCEPT net $FW tcp 22


ACCEPT net $FW:210.210.23.26 tcp 22

/sbin/shorewall clear
/etc/rc.d/init.d/shorewall restart

# Remove the firewall_reset cron job and the entries in
/etc/shorewall/routestopped once Shorewall is running and the firewall behaves as
expected. Both bypass your rules (the cron job periodically opens the firewall
completely, and routestopped hosts stay reachable during restarts), so they must
not remain in place on a production system.