You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

151 lines
2.9 KiB

= Iptables with shorewall!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:
include::header.adoc[]
{empty} +
[[cheat-Docker]]
== Install swarmlab-sec (Home PC)
HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html
.NOTE
[NOTE]
====
Assuming you're already logged in
====
== shorewall
**Shorewall** is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.
https://en.wikipedia.org/wiki/Shorewall[More: wikipedia]
=== Installation
Shorewall is already installed on swarmlab-sec.
== Basic Two-Interface Firewall
image::basics.png[Basic Two-Interface Firewall]
.connect to master first
[NOTE]
====
Assuming you're already logged in master!
master is now our Firewall/Router
swarmlab-sec login
====
== Shorewall Concepts
The configuration files for Shorewall are contained in the directory /etc/shorewall
=== zones — Shorewall zone declaration file
The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces
./etc/shorewall/zones
[source,bash]
----
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
----
=== interfaces — Shorewall interfaces file
The interfaces file serves to define the firewall's network interfaces to Shorewall.
./etc/shorewall/interfaces
[source,bash]
----
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 dhcp,routefilter
loc eth1 detect
----
=== policy — Shorewall policy file
This file defines the high-level policy for connections between zone
./etc/shorewall/policy
[source,bash]
----
#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
----
=== rules — Shorewall rules file
Entries in this file govern connection establishment by defining exceptions to the policies
./etc/shorewall/rules
[source,bash]
----
#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80
----
:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:
'''
.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino,
se hace camino al andar.
Wanderer, there is no path,
the path is made by walking.
*Antonio Machado* Campos de Castilla
====