{"id":453,"date":"2012-06-26T09:11:55","date_gmt":"2012-06-26T01:11:55","guid":{"rendered":"http:\/\/rmohan.com\/?p=453"},"modified":"2012-06-26T09:15:09","modified_gmt":"2012-06-26T01:15:09","slug":"shorewall-firewall-2","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=453","title":{"rendered":"Shorewall Firewall"},"content":{"rendered":"

Installing and configuring Shorewall in CentOS<\/strong><\/p>\n

Netfilter is a packet filtering in Linux 2.4.x and 2.6.x kernels Enables packet filtering (network address and port), NAT and other packages. Redesigned and highly improved from the previous kernel 2.2.x, ipchains and ipfwadm kernel 2.0.x.<\/p>\n

Netfilter is a set of structures within the kernel that allows modules to register with the network functions.<\/p>\n

A record of the information is returned to tell the fate of this package. DENY, ACCEPT, REJECT is returned information to inform the target \/ request.<\/p>\n

DROP – Reject the packet without sending a message.<\/p>\n

REJECT – Do the same function as DROP, with the difference that sends an ICMP “icmp-port-unreachable” to the source machine.<\/p>\n

Iptables is a table structure for the definition of rulesets. Each rule within a table (IP) consists of a request and action (rules).<\/p>\n

Netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and NAT are subsystems together to build the main parts of the structure.<\/p>\n

Reference: http:\/\/www.netfilter.org<\/p>\n

 <\/p>\n

Shoreline Firewall (netfilter)<\/strong>
\nSite Developer: www.shorewall.net \/ index.htm
\nGo to Documentation (Documentation) that there is going item by item and include other things that can add to Shorewall.
\nUsing the “shorewall” you will be using iptables, but in an easier way.<\/p>\n

 <\/p>\n

yum install shorewall<\/strong><\/p>\n

Checking the processes that are to be started during reboot:<\/p>\n

# Chkconfig – list<\/strong><\/p>\n

iptables 0: off 1: off 2: on 3: on 4: on 5: on 6: off
\nshorewall 0: off 1: off 2: off 3: off 4: off 5: off 6: off<\/p>\n

Note that Shorewall is off. That is, every time the machine is rebooted, Shorewall will not rise.<\/p>\n

# Chkconfig shorewall on<\/strong><\/p>\n

Leaving it (shorewall) enabled looks like this:<\/p>\n

shorewall 0: off 1: off 2: on 3: on 4: on 5: on 6: off<\/p>\n

Shorewall configuration files:<\/p>\n

\/ etc \/ shorewall \/ shorewall.conf
\n\/ etc \/ shorewall \/ interfaces
\n\/ etc \/ shorewall \/ masq
\n\/ etc \/ shorewall \/ policy
\n\/ etc \/ shorewall \/ rules
\n\/ etc \/ shorewall \/ zones<\/p>\n

where:<\/p>\n

interfaces – each interface definition that will
\nmasq – Definition of Masquerade \/ SNAT (eth0, eth1, eth2 …)
\nPolice – Policies (ACCEPT, DROP, REJECT …)
\nrules – Firewall Rules
\nzones – zones Statement<\/p>\n

 <\/p>\n

Configuring Shorewall<\/strong>
\nChange in shorewall.conf:<\/p>\n

<\/div>\n
STARTUP_ENABLED=Yes<\/div>\n

SHOREWALL_COMPILER=<\/p>\n

SHOREWALL_COMPILER=perl<\/p>\n

 <\/p>\n

cat \/etc\/shorewall\/interfaces<\/strong><\/p>\n

#
\n# Shorewall version 4 – Interfaces File
\n#
\n# For information about entries in this file, type “man shorewall-interfaces”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-interfaces.html
\n#
\n#######################################
\n#ZONE\u00a0\u00a0 INTERFACE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BROADCAST\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OPTIONS
\nnet\u00a0\u00a0\u00a0\u00a0 eth0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0detect\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tcpflags,dhcp,routefilter,nosmurfs,logmartians
\nloc\u00a0\u00a0\u00a0\u00a0 eth1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0detect\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tcpflags,nosmurfs
\n#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE# cat masq
\n#
\n# Shorewall version 4 – Masq file
\n#
\n# For information about entries in this file, type “man shorewall-masq”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-masq.html
\n#
\n#######################################
\n#INTERFACE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SOURCE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ADDRESS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PROTO\u00a0\u00a0 PORT(S) IPSEC\u00a0\u00a0 MARK
\neth0\u00a0\u00a0\u00a0 203.x.x.x
\neth0:1\u00a0 203.y.y.y
\neth1\u00a0\u00a0\u00a0\u00a010.x.y.z
\n#LAST LINE — ADD YOUR ENTRIES ABOVE THIS LINE — DO NOT REMOVE<\/div>\n

Note: Read the fine manual, has several options to configure.<\/p>\n

 <\/p>\n

cat policy<\/strong><\/p>\n

#
\n# Shorewall version 4 – Policy File
\n#
\n# For information about entries in this file, type “man shorewall-policy”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-policy.html
\n#
\n#######################################
\n#SOURCE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DEST\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0POLICY\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LOG\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LIMIT:BURST
\nfw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 ACCEPT
\nfw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0net\u00a0\u00a0\u00a0\u00a0 ACCEPT
\nfw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ACCEPTloc\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ACCEPT
\nloc\u00a0\u00a0\u00a0\u00a0 net\u00a0\u00a0\u00a0\u00a0 ACCEPT
\nloc\u00a0\u00a0\u00a0\u00a0 loc\u00a0\u00a0\u00a0\u00a0 ACCEPTnet\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DROP\u00a0\u00a0\u00a0\u00a0info
\nnet\u00a0\u00a0\u00a0\u00a0 loc\u00a0\u00a0\u00a0\u00a0 DROP\u00a0\u00a0\u00a0\u00a0info
\nnet\u00a0\u00a0\u00a0\u00a0 net\u00a0\u00a0\u00a0\u00a0 DROP\u00a0\u00a0\u00a0\u00a0info<\/p>\n

all\u00a0\u00a0\u00a0\u00a0 all\u00a0\u00a0\u00a0\u00a0 DROP\u00a0\u00a0\u00a0\u00a0info
\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LEVEL
\n#LAST LINE — DO NOT REMOVE<\/p>\n<\/div>\n

<\/div>\n
\n
\n
Note: I left that last line (all all DROP info) because I decree that passes and does not pass the firewall and will generate a log of what is.<\/div>\n<\/div>\n
<\/div>\n<\/div>\n
<\/div>\n
cat rules<\/strong><\/p>\n
#
\n# Shorewall version 4 – Rules File
\n#
\n# For information on the settings in this file, type “man shorewall-rules”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-rules.html
\n#
\n############################################
\n#ACTION\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SOURCE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DEST\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0PROTO\u00a0\u00a0 DEST\u00a0\u00a0\u00a0\u00a0SOURCE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ORIGINAL\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0RATE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0USER\/\u00a0\u00a0 MARK
\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PORT\u00a0\u00a0\u00a0\u00a0PORT(S)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DEST\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LIMIT\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 GROUP
\n#SECTION ESTABLISHED
\n#SECTION RELATED
\nSECTION NEW### NET to FWACCEPT\u00a0\u00a0net\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0 icmp\u00a0\u00a0echo-request
\nACCEPT\u00a0\u00a0net\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0 tcp\u00a0\u00a0 80
\nACCEPT\u00a0\u00a0net\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0 tcp\u00a0\u00a0 22<\/p>\n

### LOC to FW<\/p>\n

ACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0 tcp\u00a0\u00a0 ssh
\nACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0 icmp\u00a0\u00a0echo-request
\nACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 fw\u00a0\u00a0 udp\u00a0\u00a0 snmp<\/p>\n

### LOC to NET<\/p>\n

ACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 net\u00a0\u00a0udp\u00a0\u00a0 domain
\nACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 net\u00a0\u00a0tcp\u00a0\u00a0 domain
\nACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 net\u00a0\u00a0tcp\u00a0\u00a0 http,https
\nACCEPT\u00a0\u00a0loc\u00a0\u00a0\u00a0\u00a0 net\u00a0\u00a0icmp\u00a0\u00a0echo-request
\n#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE<\/p>\n

# cat zones
\n#
\n# Shorewall version 4 – Zones File
\n#
\n# For information about this file, type “man shorewall-zones”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-zones.html
\n#
\n#######################################
\n#ZONE\u00a0\u00a0 TYPE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0OPTIONS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0OUT
\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OPTIONS\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OPTIONS
\nfw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0firewall
\nnet\u00a0\u00a0\u00a0\u00a0 ipv4
\nloc\u00a0\u00a0\u00a0\u00a0 ipv4
\n#LAST LINE – ADD YOUR ENTRIES ABOVE THIS ONE – DO NOT REMOVE<\/p>\n

# service shorewall start<\/p>\n<\/div>\n<\/div>\n

<\/div>\n
If you get any error:# Restart shorewall debugYou can check where the error is giving informed.<\/p>\n<\/div>\n
<\/div>\n","protected":false},"excerpt":{"rendered":"

Installing and configuring Shorewall in CentOS<\/p>\n

Netfilter is a packet filtering in Linux 2.4.x and 2.6.x kernels Enables packet filtering (network address and port), NAT and other packages. Redesigned and highly improved from the previous kernel 2.2.x, ipchains and ipfwadm kernel 2.0.x.<\/p>\n

Netfilter is a set of structures within the kernel that allows modules to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/453"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=453"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/453\/revisions"}],"predecessor-version":[{"id":455,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/453\/revisions\/455"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}