= Iptables with shorewall!
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:
include::header.adoc[]
{empty} +
[[cheat-Docker]]
== Install swarmlab-sec (Home PC)
HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html
.NOTE
[NOTE]
====
Assuming you're already logged in
====
== shorewall
**Shorewall** is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes by providing a higher level of abstraction for describing rules using text files.
https://en.wikipedia.org/wiki/Shorewall[More: wikipedia]
=== Installation
Shorewall is already installed on swarmlab-sec.
== Basic Two-Interface Firewall
image::basics.png[Basic Two-Interface Firewall]
.connect to master first
[NOTE]
====
Assuming you're already logged in master!
master is now our Firewall/Router
swarmlab-sec login
====
== Shorewall Concepts
The configuration files for Shorewall are contained in the directory /etc/shorewall.
=== zones — Shorewall zone declaration file
The /etc/shorewall/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall/interfaces.
./etc/shorewall/zones
[source,bash]
----
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
----
=== interfaces — Shorewall interfaces file
The interfaces file serves to define the firewall's network interfaces to Shorewall.
./etc/shorewall/interfaces
[source,bash]
----
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 dhcp,routefilter
loc eth1 detect
----
=== policy — Shorewall policy file
This file defines the high-level policy for connections between zones.
./etc/shorewall/policy
[source,bash]
----
#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
----
=== rules — Shorewall rules file
Entries in this file govern connection establishment by defining exceptions to the policies.
./etc/shorewall/rules
[source,bash]
----
#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80
----
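The policy and rules files above are evaluated in a fixed order: a new connection is first checked against the rules (the exceptions), and only if no rule matches is the policy file consulted, where the first matching line wins. The following evaluator is an added example and not code from the page or from the Shorewall project; it embeds constructed copies of the page's own zones, policy and rules files and reproduces only that matching order (it understands just the columns used here, none of the rest of the Shorewall syntax). It is useful for predicting the verdict a connection will get before running `shorewall start`.

```python
"""Added example: predict Shorewall's verdict for a connection from the
zones/policy/rules files shown on this page. Simplified model, not the
real compiler: only the columns used on the page are understood."""

# Constructed copies of the page's configuration files (sample input).
ZONES = """\
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
"""

POLICY = """\
#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
"""

RULES = """\
#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53
ACCEPT net $FW udp 53
ACCEPT $FW net tcp 80
ACCEPT net $FW tcp 80
"""


def parse_table(text):
    """Split a Shorewall table into rows of whitespace-separated columns,
    dropping blank lines and everything after a '#' comment marker."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def firewall_zone(zones_text):
    """Return the name of the zone declared with TYPE 'firewall' (here 'fw')."""
    for row in parse_table(zones_text):
        if len(row) >= 2 and row[1] == "firewall":
            return row[0]
    raise ValueError("no zone of type 'firewall' declared")


def zone_matches(pattern, zone, fw):
    """Match one SOURCE/DEST column: 'all' is a wildcard and '$FW' names
    the firewall zone itself."""
    if pattern == "all":
        return True
    if pattern == "$FW":
        pattern = fw
    return pattern == zone


def verdict(src, dest, proto, dport, zones=ZONES, policy=POLICY, rules=RULES):
    """Return (action, origin) for a new connection from zone `src` to zone
    `dest`. Rules are consulted first; if none matches, the first matching
    policy line decides, which is why the order of policy lines matters."""
    fw = firewall_zone(zones)
    for row in parse_table(rules):
        action, rsrc, rdst, rproto, rport = row[:5]
        if (zone_matches(rsrc, src, fw) and zone_matches(rdst, dest, fw)
                and rproto == proto and rport == str(dport)):
            return action, "rules"
    for row in parse_table(policy):
        psrc, pdst, paction = row[:3]
        if zone_matches(psrc, src, fw) and zone_matches(pdst, dest, fw):
            return paction, "policy"
    raise LookupError(f"no policy line covers {src} -> {dest}")


if __name__ == "__main__":
    # Constructed connections to illustrate the matching order.
    for conn in [("loc", "net", "tcp", 22), ("net", "fw", "tcp", 80),
                 ("net", "fw", "tcp", 22), ("net", "loc", "udp", 53),
                 ("fw", "net", "tcp", 443)]:
        action, origin = verdict(*conn)
        print(f"{conn[0]:>4} -> {conn[1]:<4} {conn[2]}/{conn[3]:<4} "
              f"{action:<7} (from {origin})")
```

Two things the run makes visible: `net -> loc udp/53` is dropped even though a rule accepts UDP 53, because that rule names `$FW` as the destination, not `loc`; and moving the catch-all `all all REJECT` line above `loc net ACCEPT` would silently change the verdict for every local outbound connection, since policy matching stops at the first hit.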
=== Compile then Execute
Shorewall uses a "compile" then "execute" approach. The Shorewall configuration compiler reads the configuration files and generates a shell script. Errors in the compilation step cause the script to be discarded and the command to be aborted. If the compilation step doesn't find any errors then the shell script is executed.
./sbin/shorewall
[source,bash]
----
/sbin/shorewall start
/sbin/shorewall stop
/sbin/shorewall clear
----
.NOTE
[NOTE]
====
The 'compiled' scripts are placed by default in the directory /var/lib/shorewall and are named to correspond to the command being executed. For example, the command /sbin/shorewall start will generate a script named /var/lib/shorewall/.start and, if the compilation is error free, that script will then be executed. If the script executes successfully, it then copies itself to /var/lib/shorewall/firewall. When an /sbin/shorewall stop or /sbin/shorewall clear command is subsequently executed, /var/lib/shorewall/firewall is run to perform the requested operation.
The AUTOMAKE option in /etc/shorewall/shorewall.conf may be set to automatically generate a new script when one of the configuration files is changed. When no file has changed since the last compilation, the /sbin/shorewall start, /sbin/shorewall reload and /sbin/shorewall restart commands will simply execute the current /var/lib/shorewall/firewall script.
====
:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:
'''
.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino,
se hace camino al andar.
Wanderer, there is no path,
the path is made by walking.
*Antonio Machado* Campos de Castilla
====