{"id":57,"date":"2012-06-10T12:32:19","date_gmt":"2012-06-10T12:32:19","guid":{"rendered":"http:\/\/rmohan.com\/?p=57"},"modified":"2012-06-10T12:37:34","modified_gmt":"2012-06-10T12:37:34","slug":"shorewall-firewall","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=57","title":{"rendered":"Shorewall – Firewall"},"content":{"rendered":"

CentOS – Install and Configure Shorewall <\/p>\n

Add repository EPEL that is provided from Fedora project.
\nwget http:\/\/ftp.riken.jp\/Linux\/fedora\/epel\/RPM-GPG-KEY-EPEL-6
\nrpm –import RPM-GPG-KEY-EPEL-6
\nrm -f RPM-GPG-KEY-EPEL-6
\nvi \/etc\/yum.repos.d\/epel.repo
\n# create new
\n[epel]
\nname=EPEL RPM Repository for Red Hat Enterprise Linux
\nbaseurl=http:\/\/ftp.riken.jp\/Linux\/fedora\/epel\/6\/$basearch\/
\ngpgcheck=1
\nenabled=0
\n# when you use the repository, input yum command like follows<\/p>\n

yum –enablerepo=epel install shorewall<\/p>\n

Backup and Edit System Control<\/p>\n

cp \/etc\/sysctl.conf \/etc\/sysctl.conf.org<\/p>\n

sed -i ‘s\/net.ipv4.ip_forward = 0\/net.ipv4.ip_forward = 1\/g’ \/etc\/sysctl.conf<\/p>\n

Backup and Edit Shorewall Zones
\ncp \/etc\/shorewall\/zones \/etc\/shorewall\/zones.org
\nvi \/etc\/shorewall\/zones<\/p>\n

##
\n# For information about this file, type “man shorewall-zones”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-zones.html
\n#
\n###############################################################################
\n#ZONE TYPE OPTIONS IN OUT
\n# OPTIONS OPTIONS
\nfw firewall
\nnet ipv4
\nloc ipv4
\ndmz ipv4
\n#LAST LINE – ADD YOUR ENTRIES ABOVE THIS ONE – DO NOT REMOVE<\/p>\n

Backup and Edit Shorewall Interfaces
\ncp \/etc\/shorewall\/interfaces \/etc\/shorewall\/interfaces.ori
\nvi \/etc\/shorewall\/interfaces<\/p>\n

#
\n###############################################################################
\n#ZONE INTERFACE BROADCAST OPTIONS
\nnet eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
\nloc eth1 detect tcpflags,nosmurfs
\ndmz eth2 detect
\n#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE<\/p>\n

Backup and Edit Shorewall Policy
\ncp \/etc\/shorewall\/policy \/etc\/shorewall\/policy.ori
\nvi \/etc\/shorewall\/policy<\/p>\n

#
\n# Shorewall version 4 – Policy File
\n#
\n# For information about entries in this file, type “man shorewall-policy”
\n#
\n# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-policy.html
\n#
\n###############################################################################
\n#SOURCE DEST POLICY LOG LIMIT:BURST
\n# LEVEL
\n# Policies for traffic originating from the local LAN (loc)
\n#
\n# If you want to force clients to access the Internet via a proxy server
\n# in your DMZ, change the following policy to REJECT info.
\nloc net ACCEPT
\n# If you want open access to DMZ from loc, change the following policy
\n# to ACCEPT. (If you chose not to do this, you will need to add a rule
\n# for each service in the rules file.)
\nloc dmz REJECT info
\nloc $FW REJECT info
\nloc all REJECT info
\n#
\n# Policies for traffic originating from the firewall ($FW)
\n#
\n# If you want open access to the Internet from your firewall, change the
\n# $FW to net policy to ACCEPT and remove the ‘info’ LOG LEVEL.
\n$FW net REJECT info
\n$FW dmz REJECT info
\n$FW loc REJECT info
\n$FW all REJECT info
\n#
\n# Policies for traffic originating from the De-Militarized Zone (dmz)
\n#
\n# If you want open access from DMZ to the Internet change the following
\n# policy to ACCEPT. This may be useful if you run a proxy server in
\n# your DMZ.
\ndmz net REJECT info
\ndmz $FW REJECT info
\ndmz loc REJECT info
\ndmz all REJECT info
\n#
\n# Policies for traffic originating from the Internet zone (net)
\n#
\nnet dmz DROP info
\nnet $FW DROP info
\nnet loc DROP info
\nnet all DROP info
\n# THE FOLLOWING POLICY MUST BE LAST
\nall all REJECT info
\n#LAST LINE — DO NOT REMOVE<\/p>\n

Backup and Edit Shorewall Rules<\/p>\n

cp \/etc\/shorewall\/rules \/etc\/shorewall\/rules.orig<\/p>\n

vi \/etc\/shorewall\/rules<\/p>\n

# The manpage is also online at
\n# http:\/\/www.shorewall.net\/manpages\/shorewall-rules.html
\n#
\n#######################################################################
\n#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER\/ MARK
\n# PORT PORT(S) DEST LIMIT GROUP
\n#SECTION ESTABLISHED
\n#SECTION RELATED
\n#
\n# Accept DNS connections from the firewall to the Internet
\n#
\nDNS\/ACCEPT $FW net
\n#
\n#
\n# Accept SSH connections from the local network to the firewall and DMZ
\n#
\nSSH\/ACCEPT loc $FW
\nSSH\/ACCEPT loc dmz
\n#
\n# DMZ DNS access to the Internet
\n#
\nDNS\/ACCEPT dmz net
\n#
\n# Drop Ping from the “bad” net zone.
\n#
\nPing\/DROP net $FW
\n#
\n# Make ping work bi-directionally between the dmz, net, Firewall and local zone
\n# (assumes that the loc->net policy is ACCEPT).
\n#
\nPing\/ACCEPT loc $FW
\nPing\/ACCEPT dmz $FW
\nPing\/ACCEPT loc dmz
\nPing\/ACCEPT dmz loc
\nPing\/ACCEPT dmz net
\nACCEPT $FW net icmp
\nACCEPT $FW loc icmp
\nACCEPT $FW dmz icmp
\n# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
\n# the net zone to the dmz and loc
\n#Ping\/ACCEPT net dmz
\n#Ping\/ACCEPT net loc
\n#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE<\/p>\n

Backup and Edit Shorewall Configuration
\n[root@localhost ~]# cp \/etc\/shorewall\/shorewall.conf \/etc\/shorewall\/shorewall.conf.orig
\n[root@localhost ~]# vi \/etc\/shorewall\/shorewall.conf
\nsed -i ‘s\/STARTUP_ENABLED=No\/STARTUP_ENABLED=Yes\/g’ \/etc\/shorewall\/shorewall.conf
\nCheck Shorewall Configuration
\nshorewall check
\nCreate Auto Start and Restart Shorewall
\nchkconfig shorewall on
\nservice shorewall restart
\nor
\nshorewall restart<\/p>\n","protected":false},"excerpt":{"rendered":"

CentOS – Install and Configure Shorewall <\/p>\n

Add repository EPEL that is provided from Fedora project. wget http:\/\/ftp.riken.jp\/Linux\/fedora\/epel\/RPM-GPG-KEY-EPEL-6 rpm –import RPM-GPG-KEY-EPEL-6 rm -f RPM-GPG-KEY-EPEL-6 vi \/etc\/yum.repos.d\/epel.repo # create new [epel] name=EPEL RPM Repository for Red Hat Enterprise Linux baseurl=http:\/\/ftp.riken.jp\/Linux\/fedora\/epel\/6\/$basearch\/ gpgcheck=1 enabled=0 # when you use the repository, input yum command like follows<\/p>\n

yum –enablerepo=epel install […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,8],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/57"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=57"}],"version-history":[{"count":5,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":62,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/57\/revisions\/62"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}