March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

Categories

March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

Shorewall Firewall

Installing and configuring Shorewall in CentOS

Netfilter is a packet filtering in Linux 2.4.x and 2.6.x kernels Enables packet filtering (network address and port), NAT and other packages. Redesigned and highly improved from the previous kernel 2.2.x, ipchains and ipfwadm kernel 2.0.x.

Netfilter is a set of structures within the kernel that allows modules to register with the network functions.

A record of the information is returned to tell the fate of this package. DENY, ACCEPT, REJECT is returned information to inform the target / request.

DROP – Reject the packet without sending a message.

REJECT – Do the same function as DROP, with the difference that sends an ICMP “icmp-port-unreachable” to the source machine.

Iptables is a table structure for the definition of rulesets. Each rule within a table (IP) consists of a request and action (rules).

Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and NAT are subsystems together to build the main parts of the structure.

Reference: http://www.netfilter.org

 

Shoreline Firewall (netfilter)
Site Developer: www.shorewall.net / index.htm
Go to Documentation (Documentation) that there is going item by item and include other things that can add to Shorewall.
Using the “shorewall” you will be using iptables, but in an easier way.

 

yum install shorewall

Checking the processes that are to be started during reboot:

# Chkconfig – list

iptables 0: off 1: off 2: on 3: on 4: on 5: on 6: off
shorewall 0: off 1: off 2: off 3: off 4: off 5: off 6: off

Note that Shorewall is off. That is, every time the machine is rebooted, Shorewall will not rise.

# Chkconfig shorewall on

Leaving it (shorewall) enabled looks like this:

shorewall 0: off 1: off 2: on 3: on 4: on 5: on 6: off

Shorewall configuration files:

/ etc / shorewall / shorewall.conf
/ etc / shorewall / interfaces
/ etc / shorewall / masq
/ etc / shorewall / policy
/ etc / shorewall / rules
/ etc / shorewall / zones

where:

interfaces – each interface definition that will
masq – Definition of Masquerade / SNAT (eth0, eth1, eth2 …)
Police – Policies (ACCEPT, DROP, REJECT …)
rules – Firewall Rules
zones – zones Statement

 

Configuring Shorewall
Change in shorewall.conf:

STARTUP_ENABLED=Yes

SHOREWALL_COMPILER=

SHOREWALL_COMPILER=perl

 

cat /etc/shorewall/interfaces

#
# Shorewall version 4 – Interfaces File
#
# For information about entries in this file, type “man shorewall-interfaces”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
#######################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0      detect        tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     eth1      detect        tcpflags,nosmurfs
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE# cat masq
#
# Shorewall version 4 – Masq file
#
# For information about entries in this file, type “man shorewall-masq”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
#######################################
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0    203.x.x.x
eth0:1  203.y.y.y
eth1    10.x.y.z
#LAST LINE — ADD YOUR ENTRIES ABOVE THIS LINE — DO NOT REMOVE

Note: Read the fine manual, has several options to configure.

 

cat policy

#
# Shorewall version 4 – Policy File
#
# For information about entries in this file, type “man shorewall-policy”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
#######################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
fw      loc     ACCEPT
fw      net     ACCEPT
fw      fw      ACCEPTloc     fw      ACCEPT
loc     net     ACCEPT
loc     loc     ACCEPTnet     fw      DROP    info
net     loc     DROP    info
net     net     DROP    info

all     all     DROP    info
#                                               LEVEL
#LAST LINE — DO NOT REMOVE

Note: I left that last line (all all DROP info) because I decree that passes and does not pass the firewall and will generate a log of what is.
cat rules

#
# Shorewall version 4 – Rules File
#
# For information on the settings in this file, type “man shorewall-rules”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW### NET to FWACCEPT  net     fw   icmp  echo-request
ACCEPT  net     fw   tcp   80
ACCEPT  net     fw   tcp   22

### LOC to FW

ACCEPT  loc     fw   tcp   ssh
ACCEPT  loc     fw   icmp  echo-request
ACCEPT  loc     fw   udp   snmp

### LOC to NET

ACCEPT  loc     net  udp   domain
ACCEPT  loc     net  tcp   domain
ACCEPT  loc     net  tcp   http,https
ACCEPT  loc     net  icmp  echo-request
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE

# cat zones
#
# Shorewall version 4 – Zones File
#
# For information about this file, type “man shorewall-zones”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
#######################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
#LAST LINE – ADD YOUR ENTRIES ABOVE THIS ONE – DO NOT REMOVE

# service shorewall start

If you get any error:# Restart shorewall debugYou can check where the error is giving informed.

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>