= Iptables with shorewall!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:

include::header.adoc[]

{empty} +

[[cheat-Docker]]
== Install swarmlab-sec (Home PC)

HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html

.NOTE
[NOTE]
====
Assuming you're already logged in
====

== shorewall

**Shorewall** is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.

https://en.wikipedia.org/wiki/Shorewall[More: wikipedia]

=== Installation

Shorewall is already installed on swarmlab-sec.

== Basic Two-Interface Firewall

image::basics.png[Basic Two-Interface Firewall]

.connect to master first
[NOTE]
====
Assuming you're already logged in to master!

master is now our Firewall/Router

swarmlab-sec login
====

== Shorewall Concepts

The configuration files for Shorewall are contained in the directory /etc/shorewall.

=== zones — Shorewall zone declaration file

The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces.

./etc/shorewall/zones
[source,bash]
----
#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
----

=== interfaces — Shorewall interfaces file

The interfaces file serves to define the firewall's network interfaces to Shorewall.

./etc/shorewall/interfaces
[source,bash]
----
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        dhcp,routefilter
loc     eth1        detect
----

=== policy — Shorewall policy file

This file defines the high-level policy for connections between zones.

./etc/shorewall/policy
[source,bash]
----
#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
----

=== rules — Shorewall rules file

Entries in this file govern connection establishment by defining exceptions to the policies.

./etc/shorewall/rules
[source,bash]
----
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    $FW      net    udp     53
ACCEPT    net      $FW    udp     53
ACCEPT    $FW      net    tcp     80
ACCEPT    net      $FW    tcp     80
----
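As an added example (not code from the original page or from the Shorewall project), the following Python script loads the zones, interfaces, policy and rules fragments from the four sections above and reports how Shorewall would treat a new connection: the rules file is consulted first, in file order, because its entries are exceptions, and the first matching policy line decides only when no rule matched. The configuration strings embedded in the script are constructed copies of the page's fragments; the evaluator assumes single port values and literal protocol names and ignores interface options and stateful reply traffic.

```python
# Added example: a small evaluator for the Shorewall zones, interfaces, policy
# and rules files shown on this page. It is not Shorewall's own code.
# Simplifications (assumptions): single DPORT values, protocols matched
# literally, interface OPTIONS ignored, no state tracking of replies.
from dataclasses import dataclass

# Constructed copies of the page's configuration fragments, embedded so the
# script runs offline.
ZONES = """\
#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        dhcp,routefilter
loc     eth1        detect
"""

POLICY = """\
#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
"""

RULES = """\
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    $FW      net    udp     53
ACCEPT    net      $FW    udp     53
ACCEPT    $FW      net    tcp     80
ACCEPT    net      $FW    tcp     80
"""


def parse_table(text):
    """Split a Shorewall table file into rows of whitespace-separated columns.

    Comments (from '#' to end of line) and blank lines are dropped.
    """
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def load_zones(text):
    """Return {zone_name: zone_type} from a zones file."""
    return {row[0]: row[1] for row in parse_table(text)}


def firewall_zone(zones):
    """Name of the zone declared with type 'firewall'; $FW expands to it."""
    for name, ztype in zones.items():
        if ztype == "firewall":
            return name
    raise ValueError("zones file declares no firewall zone")


def zone_of_interface(text, iface):
    """Zone an interface is assigned to in the interfaces file, or None."""
    for row in parse_table(text):
        if row[1] == iface:
            return row[0]
    return None


@dataclass
class Verdict:
    action: str   # ACCEPT, DROP or REJECT
    origin: str   # "rule" if an exception matched, otherwise "policy"
    line: str     # the configuration line that decided it


def evaluate(src_zone, dst_zone, proto, dport,
             zones=ZONES, policy=POLICY, rules=RULES):
    """Decide a new connection: rules first (file order), then first matching policy."""
    fw = firewall_zone(load_zones(zones))

    def resolve(zone):
        return fw if zone == "$FW" else zone

    for row in parse_table(rules):
        action, rsrc, rdst, rproto = row[:4]
        rport = row[4] if len(row) > 4 else None
        if (resolve(rsrc) == src_zone and resolve(rdst) == dst_zone
                and rproto == proto
                and (rport is None or rport == str(dport))):
            return Verdict(action, "rule", " ".join(row))

    # 'all' in the policy file matches any zone, including the firewall itself
    for row in parse_table(policy):
        psrc, pdst, paction = row[:3]
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return Verdict(paction, "policy", " ".join(row))

    raise ValueError("no policy matched; Shorewall expects a final 'all all' entry")


if __name__ == "__main__":
    for query in [("net", "fw", "tcp", 80), ("net", "fw", "tcp", 22),
                  ("loc", "net", "tcp", 443), ("loc", "fw", "tcp", 22)]:
        v = evaluate(*query)
        print(f"{query}: {v.action} via {v.origin} '{v.line}'")
```

Running the script shows the effect of the layering: HTTP from net to the firewall is accepted by the fourth rule, SSH from net to the firewall falls through to the `net all DROP` policy, anything from loc to net is accepted by policy, and loc to the firewall ends at the catch-all `all all REJECT`. On the firewall itself, the authoritative check of the real files is `shorewall check`, which compiles the configuration in /etc/shorewall without installing it.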

:hardbreaks:

{empty} +
{empty} +
{empty}

:!hardbreaks:

'''

.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino,
se hace camino al andar.

Wanderer, there is no path,
the path is made by walking.

*Antonio Machado* Campos de Castilla
====