lab/sec/ex-4_iptables.adoc

= Iptables with shorewall!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums: 

include::header.adoc[]


{empty} +


[[cheat-Docker]]
== Install swarmlab-sec (Home PC)

HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html


.NOTE
[NOTE]
====
Assuming you're already logged in
====


== shorewall


**Shorewall** is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files. 

https://en.wikipedia.org/wiki/Shorewall[More: wikipedia]


=== Installation

Shorewall is already installed on swarmlab-sec. 


== Basic Two-Interface Firewall


image::basics.png[Basic Two-Interface Firewall]


.connect to master first
[NOTE]
====

Assuming you're already logged in master!

master is now our Firewall/Router

swarmlab-sec login 
====


== Shorewall Concepts

The configuration files for Shorewall are contained in the directory /etc/shorewall 

=== zones — Shorewall zone declaration file

The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces 


./etc/shorewall/zones
[source,bash]
----
#ZONE   TYPE     OPTIONS                 IN_OPTIONS              OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
----

=== interfaces — Shorewall interfaces file

The interfaces file serves to define the firewall's network interfaces to Shorewall. 

./etc/shorewall/interfaces
[source,bash]
----
#ZONE       INTERFACE       BROADCAST      OPTIONS
net         eth0                           dhcp,routefilter
loc         eth1            detect
----


=== policy — Shorewall policy file

This file defines the high-level policy for connections between zone


./etc/shorewall/policy
[source,bash]
----
#SOURCE    DEST        POLICY      LOGLEVEL    LIMIT
loc        net         ACCEPT
net        all         DROP        info
all        all         REJECT      info
----


=== rules — Shorewall rules file

Entries in this file govern connection establishment by defining exceptions to the policies


./etc/shorewall/rules
[source,bash]
----
#ACTION    SOURCE    DEST               PROTO     DPORT
ACCEPT     $FW       net                udp       53
ACCEPT     net       $FW         	udp       53
ACCEPT     $FW       net                tcp       80
ACCEPT     net       $FW         	tcp       80
----


:hardbreaks:

{empty} +
{empty} +
{empty} 

:!hardbreaks:

'''

.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino, 
se hace camino al andar.

Wanderer, there is no path, 
the path is made by walking.

*Antonio Machado* Campos de Castilla
====
shorewall 5 years ago			`= Iptables with shorewall!`
			`Apostolos rootApostolos@swarmlab.io`
			`// Metadata:`
			`:description: Intro and Install`
			`:keywords: sec, tcpdump`
			`:data-uri:`
			`:toc: right`
			`:toc-title: Πίνακας περιεχομένων`
			`:toclevels: 4`
			`:source-highlighter: highlight`
			`:icons: font`
			`:sectnums:`

			`include::header.adoc[]`


			`{empty} +`


			`[[cheat-Docker]]`
			`== Install swarmlab-sec (Home PC)`

			`HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html`


			`.NOTE`
			`[NOTE]`
			`====`
			`Assuming you're already logged in`
			`====`



			`== shorewall`


			`Shorewall is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.`

			`https://en.wikipedia.org/wiki/Shorewall[More: wikipedia]`


			`=== Installation`

			`Shorewall is already installed on swarmlab-sec.`


			`== Basic Two-Interface Firewall`


shorewall 5 years ago			`image::basics.png[Basic Two-Interface Firewall]`
shorewall 5 years ago


			`.connect to master first`
			`[NOTE]`
			`====`

			`Assuming you're already logged in master!`

shorewall 5 years ago			`master is now our Firewall/Router`

shorewall 5 years ago			`swarmlab-sec login`
			`====`


shorewall 5 years ago			`== Shorewall Concepts`

			`The configuration files for Shorewall are contained in the directory /etc/shorewall`

			`=== zones — Shorewall zone declaration file`

			`The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces`


			`./etc/shorewall/zones`
			`[source,bash]`
			`----`
			`#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS`
			`fw firewall`
			`net ipv4`
			`loc ipv4`
			`----`

			`=== interfaces — Shorewall interfaces file`

			`The interfaces file serves to define the firewall's network interfaces to Shorewall.`

			`./etc/shorewall/interfaces`
			`[source,bash]`
			`----`
			`#ZONE INTERFACE BROADCAST OPTIONS`
			`net eth0 dhcp,routefilter`
			`loc eth1 detect`
			`----`


			`=== policy — Shorewall policy file`

			`This file defines the high-level policy for connections between zone`


			`./etc/shorewall/policy`
			`[source,bash]`
			`----`
			`#SOURCE DEST POLICY LOGLEVEL LIMIT`
			`loc net ACCEPT`
			`net all DROP info`
			`all all REJECT info`
			`----`


			`=== rules — Shorewall rules file`

			`Entries in this file govern connection establishment by defining exceptions to the policies`


			`./etc/shorewall/rules`
			`[source,bash]`
			`----`
			`#ACTION SOURCE DEST PROTO DPORT`
			`ACCEPT $FW net udp 53`
			`ACCEPT net $FW udp 53`
			`ACCEPT $FW net tcp 80`
			`ACCEPT net $FW tcp 80`
			`----`
shorewall 5 years ago



			`:hardbreaks:`

			`{empty} +`
			`{empty} +`
			`{empty}`

			`:!hardbreaks:`

			`'''`

			`.Reminder`
			`[NOTE]`
			`====`
			`:hardbreaks:`
			`Caminante, no hay camino,`
			`se hace camino al andar.`

			`Wanderer, there is no path,`
			`the path is made by walking.`

			`Antonio Machado Campos de Castilla`
			`====`