Prompt and Powerful Personal Firewalling with Shorewall

[Sith_Happens]

Prompt and Powerful Personal Firewalling with Shorewall

Code: Select all

Requirements for this tutorial:

Linux 2.4 or 2.6 kernel: 
          this should be most everybody, Shorewall requires Netfilter, 
          which is only in 2.4 and later kernels. (see section 2 for configuration instructions)

Shorewall:                
          Duh! In portage as "shorewall".  This tutorial is written 
          using the latest unmasked version, 2.0.7.  I'll update this tutorial as neccessary
          to fit with later versions as they become unmasked.

iptables:                   
          In portage under "iptables".  This tutorial is written using the latest unmasked version, 1.2.11-r3. See Section 3.

iproute2:

          In portage as "iproute2".  This tutorial is written using the latest unmasked version, 2.6.10.20050112-r1. See Section 3.

Breakdown of the Tutorial:
          Section 1: Introduction: Linux security and the Shoreline Firewall Utility (Shorewall)
          Section 2: Kernel Configuration
          Section 3: Emerging Shorewall
          Section 4: Configuring Shorewall
                       4.a: /etc/shorewall/interfaces
                       4.b: /etc/shorewall/policy
                       4.c: /etc/shorewall/rules
          Section 5: Finalization and Testing
          Section 6: Logging Shorewall Messages

Section 1: Introduction: Linux security and the Shoreline Firewall Utility (Shorewall)

One of the main reasons people switch to linux is "because it is more secure", however the truth is linux is only as secure as you make it. What I find amazing is the amount of people who neglect setting up a proper firewall, and without one your super secure linux box is just a big bullseye. So no more excuses, it's time to take the security of your system into your own hands, and set up an effective and useable personal firewall for your desktop. I call this a "tutorial" instead of a "how-to" because I try to give some explanation while guiding you through firewall set up. If you give a man a fish, he will eat for a day..... As you may have guessed this tutorial is aimed at desktop users of linux who wan't to set up a personal firewall that works without much fuss. If that's what your looking for, read on, this is for you. If not, read on, you might learn something. Either that or you'll see a mistake or some way to improve on what I'm about to say, in that case I'd appreciate your input.

Now, down to business. When it comes to a firewall utility that's simple to set up, easy to understand, and all powerful, I default to Shorewall. What is Shorewall you ask? Let's turn to the developers themselves:

The Shoreline Firewall, more commonly known as “Shorewall”, is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements.

What does that mean? It means that Shorewall provides you with a simplified way to configure the built-in packet filtering firewall capabilities of the linux kernel, making your linux box as secure as it's OS is cracked up to be. It is important to realize however that although firewall is a great first line of defense, it isn't a garuntee of security. Setting up a well configured firewall however will make you much more secure, and as you'll see it's very simple to do.

Section 2: Kernel Configuration

Before we begin, let's make sure that you've compiled your kernel with the built in packet filtering capabilities Shorewall is supposed to take advantage of. So, run:

Code: Select all

cd /usr/src/linux
make menuconfig

Then check to make sure you have netfilter compiled into your kernel:

Code: Select all

# For 2.6 kernels look under:

Device Drivers --->
     Networking support --->
           Networking options --->
                 [*] Network packet filtering (replaces ipchains) --->
                       IP: Netfilter Configuration --->
                             <*> Connection tracking (required for masq/NAT)  
                             <*> IP Tables Support (required for filtering/masq/NAT)
                                   # Include (<*> not <M>) all options and sub options under IP tables support

# For 2.4 kernels look under:

Networking options --->
      [*] Network packet filtering (replaces ipchains)
            IP: Netfilter Configuration --->
                  <*> Connection tracking (required for masq/NAT)  
                  <*> IP Tables Support (required for filtering/masq/NAT)
                        # Include (<*> not <M>) all options and sub options under IP tables support

If you don't have netfilter compiled into your kernel, then press "y" to add the option, and recompile/install your kernel just like you did when you first installed Gentoo. For Genkernel users, you'll want to run genkernel --menuconfig kernel, verify that the netfilter option is included, then allow genkernel to recompile/install your kernel.

Section 3: Emerge Shorewall (Does this really need it's own section )

Once you've verified that your kernel is configured to use netfilter, then we can start with Shorewall itself. A wise man (Lao Tzu) once said "A journey of a thousand miles begins with one step" So, first step, emerge Shorewall (this will also emerge iptables and iproute2). Are you done yet? It's not that large of a compile...allright I'll give you a minute. Done? Good.

Section 4: Configuring Shorewall

Setting up a personal firewall in Shorewall comes down to three configuration files, that's it. There are more, however for this tutorial there are only three you need to be concerned with and all are contained within /etc/shorewall: /etc/shorewall/interfaces, /etc/shorewall/policy, and /etc/shorewall/rules.


A central concept to the configuration of Shorewall is the zone. A zone is an abstract group of computers that you can easially assign traffic rules to. For this tutorial, the only zone we will concern ourselves with is the net zone, which consists of every computer but you . The net zone contains both possible legitimate and illegitimate connections, so we must find a way to strike a balance between protection and useablity when it comes to the policies and rules we create for it. However, before we create any rules for this zone, we must first define it.

4.a: /etc/shorewall/interfaces

This is where /etc/shorewall/interfaces comes in. This part is very simple, so I won't give to much explanation outside of the relevant portion of the file itself. The first portion of all the configuration files is a commented section explaining the use of the file in detail, so please, read it. The last portion is the "business end" of the config file. In this case, we assume that the computer is connected to the internet on the interface eth0. The various options listed are explained further in the file itself, so add any options to your file that apply to your particular configuration. For most people, simply adding the zone and interface will suffice.

Code: Select all

##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net      eth0           detect          dhcp,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4.b: /etc/shorewall/policy

Now that we've defined the net zone, we have to create some sort of overall policy telling shorwall how to handle traffic to and from your computer (designated by fw in the remaining config files) and the net zone. This is done in /etc/shorewall/policy. Basically, if you are using your computer as a desktop, you probably won't need to concern yourself with new connections to your computer from the internet. So our first overall policy rule is to drop all new incoming connections from the internet. The reason why we want to drop connections rather than simply reject them is simple. If a connection is rejected, the connection is blocked, however a packet is sent back to the requesting computer. This packet contains information which a hacker can use against you, and most importantly it let's them know you exist. So why give them that edge? Dropping packets as opposed to rejecting them makes you practically invisible to anyone who is scanning the internet looking for targets, which makes you a good measure safer. Finally, we make a catchall policy, and tell Shorewall to reject all traffic from all sources, that is to block all traffic from the internet to your computer and visa versa (this sounds stupid but just bear with me). Here is how your /etc/shorewall/policy file should end up looking.

Code: Select all

###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#       
all             all             REJECT          info 
#LAST LINE -- DO NOT REMOVE

At this point you may be asking yourself, "If Shorewall is blocking everything, why don't I just unplug the network cable? It'll have the same effect and I won't have to read your stupid tutorial. " If this is running through your mind, you are correct. If we stopped right now, your computer would be absolutely useless, however creating this general policy is a good idea. What we are in effect saying by creating this policy is we are only going to allow traffic to and from this computer that we specify. The reason for resticting traffic from your computer as well is to prevent trojans from connecting out and compromising your security.

4.c: /etc/shorewall/rules

As I said in the beginning of this tutorial, we have to find some middle ground between security and useablity. We've taken care of the security part, in fact your computer is so secure it is impractical. Now we need to add some useablity. We do this in /etc/shorewall/rules. As I said before, the only traffic you will probably need to allow are connections from your computer (fw) to specific ports of computers on the internet (net). This example file contains some common entries that you may want to add to your /etc/shorwall/rules file. For more rules examples, check out this page on the Shorewall site. Here is an example /etc/shorewall/rules.

Code: Select all

####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             tcp     53 #DNS
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #unsecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #unsecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL 
ACCEPT   fw             net             tcp     5190 #AIM/ICQ
DROP     net            fw              tcp     113 #AUTH/IDENT, I added this to show how to block a port
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Section 5: Finalization/Testing

Now run rc-update add shorewall default && /etc/init.d/shorewall start, and your done! Wasn't that simple. In fact, it's so simple you probably can't belive you have a firewall running. Don't trust me eh? So test out your new firewall. Here is a great computer security webpage. It's aimed more at windows slaves, I mean users , but it never the less contains some great information. It also has a feature called "Shields Up" (the link is about halfway down the main page), that allows you to portscan your computer and test your firewall. If it shows a port is closed and not stealthed (i.e. packets are being rejected not dropped), just add a line like the last one in the example /etc/shorewall/rules file to nip it in the bum. I hope this tutorial helps somebody, and I'd be happy to hear any feedback or constuctive comments ("Your tutorial sucks!!! " is not a constructive comment )

Section 6: Stopping and Starting Shorewall

One thing that people are often confused about when it comes to shorewall, is that issuing the command shorewall stop or /etc/shorewall/stop doesn't really "stop" shorewall. When you stop shorewall with the stop command, the box locks down, blocking all incoming connections. If you want to enable two way connections to another machine on the network when shorewall is stopped, you need to add the interface it connects to the firewall on as well as its IP to /etc/shorewall/routestopped. If you really want to "stop" shorewall, that is to get netfilter to ACCEPT all incoming packets, you need to issue the clear command, with either /etc/init.d/shorewall clear or shorewall clear.

Section 7: Logging Shorewall Messages

This last part is for users of syslog-ng who want to log Shorewall messages to a seperate log file (you can also run shorewall logwatch to look at the latest shorewall messages). Just add these lines to /etc/syslog-ng/syslog-ng.conf:

Code: Select all

## You shouldn't need to add this line, 
## it's probably already there, however 
## I include it because the last line references it.

source src { unix-stream("/dev/log"); internal(); pipe ("/proc/kmsg"); };

## You do need to add these lines though
                                                                         
destination d_shorewall{ file ("/var/log/shorewall/shorewall.log"); };
filter f_shorewall { match ("Shorewall"); };

## If you don't want shorewall messages logged to 
## /var/log/messages anymore add this filter as well

filter f_not_shorewall { not match ("Shorewall"); };

## Then add this to log messages to your shorewall log

log { source(src); filter (f_shorewall); destination (d_shorewall); };

## If you don't want shorewall messages logged to
## any other destination, such as /var/log/messages
## just use the f_not_shorewall filter like so

log { source(src); filter (f_not_shorewall);destination(messages); };

EDITS:
03-26-05: Added kernel configuration section, minor grammatical edits.
03-28-05: Added section headings. It's a short how-to but what the hay.
03-31-05: Fixed the kernel configuration section for 2.4 kernels
04-10-05: Removed norfc1918 from sample /etc/shorewall/interfaces file.
04-10-05: Moved Section 6 to Section 7, added Section 6: Stopping and Starting Shorewall.
04-26-05: Modified kernel configuration section for completeness. Modified the syslog-ng logging section.

[Sith_Happens]

Just a reminder to post comments and feedback in this topic and support requests in the support thread. I'm looking foward to what people have to say.

[digital_]

I'll testify to the fact that shorewall is powerful and easy to setup. I've been running it for 1.5 year plus by now. Great front-end for iptables.

[krolden]

http://www.shorewall.net/standalone.htm

For people who need more information, this is a very complete guide to setting up a firewall for a standalone system.
It helped me alot back in the days.

[Sith_Happens]

The Shorewall site does have some great how-to's, however I decided to create additional documentation because (just so you know I'm not providing rebuttal, I thank you for posting the link, it was a mistake on my part for ommiting it from the main body of the how to):

1) Although that is a good how-to, it is just that, a how-to, and is a little sparse on the "why". I created this tutorial to give a little more explanation than is provided in the shorewall documentation.

2) The tutorial refers to various distros, and this can be confusing to someone who is new to linux and not experienced with any distro much less Gentoo. This tutorial was therefore designed specifically for gentoo, and for those new to Gentoo and Linux in general.

3) The Shorewall how-to has a policy of allowing all outgoing connections from the standalone to the internet. While this makes configuration easier, it is a bad idea from a security standpoint. Therfore I show the opposite policy, defaulting to rejecting all connections, and then show how to selectively allow connections to make the box functional and secure.

Again thank you for posting the link and for your feedback.

[Sith_Happens]

Just another note if anyone uses a logger other than syslog-ng and would like to make an addition to the how-to on logging shorewall messages, post it and I'll add it to the main body of the tutorial with a thanks to the author.

[nford]

Thanks for the tutuorial - I managed to get a firewall running quite painlessly

[Sith_Happens]

Thanks for the tutuorial - I managed to get a firewall running quite painlessly

Glad I could help. Be sure to test your firewall to make sure it's working properly and post any support requests to the support thread.

[Crete]

I really enjoy tutorials where the WHY is definitely clearly stated so I really appreciate you taking the time to document your tutorial on shorewall. I do like to know why this is a good idea rather than knowing it's a good idea, but not knowing why. I will implement it ASAP.

[quantumwire]

Sorry guys but I would like to know which module/s I have to compile in the kernel 2.6.x.

Thanks.

[Sith_Happens]

Sorry guys but I would like to know which module/s I have to compile in the kernel 2.6.x.

Thanks.

All support requests should be posted in this topic, the documentation forum is NOT a support forum. However, since you already asked, look at the top of the how-to for kernel configuration instructions.

[GeorgeM]

I've installed Shorewall per your tutorial on 2 of my Gentoo boxes. I run the Folding@Home clients and was wondering how to allow access. When I started a new install of FAH, it said it was using http, and downloaded a new core and work unit, so the firewall isn't going to impede FAH functioning.
Thanks for your tutorial/how-to. I also appreciate some of the 'whys'.

George

[Sith_Happens]

I've installed Shorewall per your tutorial on 2 of my Gentoo boxes. I run the Folding@Home clients and was wondering how to allow access. When I started a new install of FAH, it said it was using http, and downloaded a new core and work unit, so the firewall isn't going to impede FAH functioning.
Thanks for your tutorial/how-to. I also appreciate some of the 'whys'.

George

Most distributed computing programs use http to download workunits (I know seti@home which I use is the same way). Allowing outgoing connections to destination port 80 as described in the tutorial should allow these programs to function.

[Sith_Happens]

Just a reminder, I'd like to expand on Section 6: Logging Shorewall Messages, so if anybody uses a system logger besided syslog-ng and wants to post or pm me an additional section on setting up that logger to log shorewall messages to a sepearate file, I would much appreciate it. I'll also put "by" and a link to your profile next to the section heading, how cool is that.

[OhSh33t]

Hey Sith_Happens,

Can't wait to see you in the new movie..

Thanks for the nice tutorial. Shorewall indeed rocks the dome. Sorry but iptables manually is just to dry for me. Good learning expirence but thats where it ends. Shorewall makes configuring iptables so easy and seems much more intuitive. Not only that but Shorewalls site is really well documented and intuitive as well.

Is there any way that you could tell us, "Oh pretty please", how you yourself incorparate Snort with Shorewall? I think that would be a great addtion to this tutorial. What I like best about your tutorial is you Show by example. I think many people respond better to learning when they are given simple examples instead of dry man page fill in the blank examples. Thanks for taking the time to write this out.

I also think that having this link in you Kernel config section will be most helpful. http://www.shorewall.net/kernel.htm
Although Tom shows using modules for everything I mostly have everything builtin myself and don't use any of the IPv6 stuff he's selected.

As far as logging I only use Syslog-ng just like you have, to have it log a separate log file for Shorewall only messages instead of sifting through /var/log/messages to look at shorewall related info. This is a good place to start though. Possiblities are endless from here.
http://www.nightbrawler.com/code/shorewall-stats/
Shorewall's site also has this stuff listed. Again, I only use syslog-ng right now.

Quoted for Shorewalls FAQ's:
(FAQ 6a) Are there any log parsers that work with Shorewall?
Answer: Here are several links that may be helpful:

http://www.shorewall.net/pub/shorewall/parsefw/
http://www.fireparse.com
http://cert.uni-stuttgart.de/projects/fwlogwatch
http://www.logwatch.org
http://gege.org/iptables
http://home.regit.org/ulogd-php.html



I myself don't use this because I'm to busy doing other fun things like Qmail, Djbdns, Apchae yadda, yadda, yadda. But once I go live with some public servers I will most definitely be using some sort of logging, graphing, reporting tool.

I was hoping for more of a tcp/ip and udp portocol statistics html reporting engine that graphs Drops, Rejects, Accepts by ip address with totals and such. This ofcourse can be done with MRTG but I'm lazy right now..

Some nice tips of shorewall commands that I use quite a bit. Say your setting up your new web or ftp server and need to setup a port-forwarding (DNAT in most cases) rule to allow people from the internet to connect to your server. If your like me, I wanna see if the desired web or ftp server client traffic is actually getting through the firewall, or atleast being Accepted by it. "INFO" is your friend. Lets say I just setup Apache on one of my internal pc's at say, 192.168.10.5. So I would add an entry like this to my /etc/shorewall/rules file. **NOTICE THE ":info" part appened to my DNAT STATEMENT.

Code: Select all

                                                                                   
DNAT:info  net  loc:192.168.10.5  tcp  80

The little ":info" part will log that DNAT rule and the INFO level which will show up in your logs to help trouble shoot if need be.

Although if your like me and have just configured your Apache web server for the first time you should tighten the above rule up to only allow your friends given ip address to connect with. It's better to do it like this because you really need to make sure apache is setup correctly before you allow the world, (which is "net" by itself) to have access to this server. It's not a good feeling to be OWNED by some stupid Script Kiddy. But if that's what it takes, so beit.

Ok so.. you need your friends ip address to tighten the above rule up so that he is the only person that has access to your server while your testing it out. Simple enough, but what if your friend doesn't know their ip address or they're being natted with a fake address like some ISP's do. Well, the easiest way is to have your friend try and connect to your external ip address on a port that you know your not allowing. Look in /var/log/messages for a Dropped or Rejected connection from your friends IP address on the port that your friend tried to connect on. WAlaw.. you now know the ip address needed to tighten up your portforwarding DNAT rule.... So now to tighten the above DNAT rule you would simply do this assuming your friends ip is 1.2.3.4 :

Code: Select all

DNAT:info  net:1.2.3.4  loc:192.168.10.5  tcp  80

This alows you to securely test your web server with your friends ip only, instead of hanging your arse out in the wind before its secure. That's as long as you trust your friend. Well if he doesn't know his own IP addy, then your probably safe.. heh..

Ok.. so now..Then you have to start and stop or simply restart Shorewall so that it rereads its rules config file and loads the new DNAT rule. Shorewall is really simple. Any changes you make anywhere in shorewal will require Shorewall to be restarted or stopped and then started again to read your newly added rule. I prefer "restart" myself.

Code: Select all

# shorewall restart

Then have your buddy connect to a dns name that resolves to your external interface ip address or just give them your external ip address and have them manually put that in their web browser http://5.6.7.8

Then run the following command below when your buddy is connecting.

Code: Select all

# shorewall logwatch

This basically shows your logs nearly in realtime. Use "Ctrl-c" to stop it from running. I use this when setting up and testing portforwarding rules or just want to take a look at traffic on the Shorewall box. If everything is setup correct your buddy should be able to connect to your web server and you will see a DNAT entry in your output of "shorewall logwatch" confirming that the traffic is being properly passed by shorewall. But sometimes shorewall show's a successful DNAT entry but your buddy can't pull up you web pag.. well thats when you install Ethereal on that particular host server and sniff to see if the traffic is getting to your web server. 9 times out of 10 the traffic is getting there but its a server misconfiguration. AnyWho...

One of the really nice things that I like about Shorewall is the ability to "Dynamically" Blacklist/drop or Blacklist/reject someones stupid infected computer that is port scanning me for what ever reason. Go here to learn more about Static Blacklisting
http://www.shorewall.net/blacklisting_support.htm

Code: Select all

The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf controls the degree of blacklist filtering:


1.) BLACKLISTNEWONLY=No --  All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections. Versions of Shorewall prior to 1.4.8 behave in this manner.


2.) BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections. Only the source address is checked against the blacklists.

Have a look at the difference between ACCEPT, DROP, and REJECT.
http://www.chiark.greenend.org.uk/~pete ... -vs-reject

So lets say your friend that is connected to your web server just told you how stupid your web site was but likes sucking down your mp3's and mpeg movies. Having spent the last two sleepness nights configuring Apache for the first time in your life you Take Offense to this ignorant gesture. So in the middle of his download of his favorite song you banish this Bizzatchs connection by doing...

Code: Select all

# shorewall drop 1.2.3.4

Dohp... what happened to my connection..

This assumes that you have BLACKLISTNEWONLY=No set in /etc/shorewall.conf.

Two other tips that I find usefull are DNAT(port forwarding) with port redirection and SSH tunneling. Using the example above with the DNAT rule, lets say that I want to pratice a little security by obscurity and make people connect to tcp port 8181 externally but once the connection hits the external interface on Shorewall you have Shorewall rewrite the destination port to be on 80, which is what apache listens on by default. That would look like this:

Port Forwarding with Redirection:

Code: Select all

                                                                              
DNAT:info  net  loc:192.168.10.5:80  tcp  8181

His browser would look something similar to: http://my.domain.com:8181
The client has no idea that your server is running on tcp port 80 (which is really meaningless except for the fact that anyone trying to connect to your machine on well known ports won't find your shorewall box listening on them). When your web server responds back to the clients original request the packet will enter shorewalls interface with a source port of 80 and a destination port of the clients original source port. When that packet traverses through shorewall back to the client the packet is rewritten with the tcp port 8181 transparently.

[Edit 03/30/2005 01:53am] This was entitled REDIRECT. But my REDIRECT directions weren't correct. I've sense changed this. I will show how this is done using Putty which is an SSH client that is available in Portage. The directions listed in the link I appened assume that SSHD and the VNCserver are running on the same box. My directions are for SSHD running on shorewall and allowing tunneled vnc traffic from shorewall to a box on the local lan. Sorry for any confusion. Putty directions will follow shortly. Ok.. here they are. Read carefully.
http://pigtail.net/LRP/vnc/

SSH Tunneling:

If any of you have messed with SSHD and portfowarding through the ssh tunnel you'll find this helpful. I like VNC. But its not the most secure protocol to run in its natural state. SSH provides encryption and authentication with the ability to tunnel/foreward other services/protocols/applications through the initial SSH tunnel which makes this as secure as you can get without using a full blown ipsec client. I'm assuming that you have SSHD running on the shorewall box listening on the internal interface ipaddress not on the Apache server. (If SSHD was running on Apache then you wouldn't have to write this ACCEPT rule. But this is the whole point right. I also assume that you have some form of Xserver running on the Apache server. Xfree, Xorg with Gnome, KDE, XFCE4.. whatever you use.

So anyways, you decided to install libvncserver on the same box running the Apache server internally so that you can connect to it and control it over the internet as if you were sitting in the same room as the server. (libvncserver by the way is probably the easiest vncserver setup you will ever run into. Even easier than installing it on Windows. Heh.. Go Here for some direction. Trust me.. this is nice and easy. Ok.. so vncserver is running and listening for incoming requests on the standard tcp port. (Usually tcp 5901). At work I use Windows XP with Putty's ssh client and I have the tightvnc client running as well. Configure putty as described Here.

Ok. On Shorewall we need to make two rules: One that allows us to SSH in on and One that takes the tcp 5901 traffic that we push throught the ssh tunnel and allows the vnc traffic coming through the tunnel to the Apache box with the VNCserver installed on it. You will have to explicity allow vnc traffic from the FW zone to the LOC zone in your "rules" file. The following scenario below assumes that the firewall internal nic is192.168.10.1 and SSHD is configured to listen on that ip address. Here we go:

Code: Select all

DNAT:info  net  fw:192.168.10.1  tcp  22
ACCEPT:info  fw  loc  tcp  5901

Restart Shorewall and the pretend your now at work.. or somewhere external out on the internet.

At work once the ssh Putty client is configured correctly and you connect to Shorewall which is also running the SSHD service and you authenticate, then minimize Putty and pull up the Tight VNC client and type in localhost:1 for the Server then type your Password then Connect. WAlaw... That's the shizz if you ask me. You can do all kinds of stuff with SSH tunneling that I could go on forever talking about. Google is your friend here if your looking for any additonal info related to SSH Tunneling.

Now if the SSHD server were running on the Apache server we would only need a DNAT rule that portforwarded ssh on tcp 22 to the internal Apache machine. No Redirects neccessary at this point. Connect with SSH, fireup the vnc client and connect as before..

Have fun..

[Sith_Happens]

Thanks OhSh33t, your post is longer than my entire tutorial.

There's a lot of good information in there, thanks for posting it. It goes a little outside of what I was trying to accomplish with my tutorial but it is good information none the less. I'd just like to say right now though that while I encourage people to read his post and perhaps even play around with what's in there, please don't post support requests for the information contained within the preceeding post. Feel free to pm me about it, but I'd like to keep the support thread focused on the body of the how-to. Again, thanks for the how-to, my only problem is the nightbrawler.com link doesn't seem to work. Not only that its hosted on a Red Hat Server (I hope that's not yours ).

[OhSh33t]

Thanks OhSh33t, your post is longer than my entire tutorial.

Ya. Kinda long. My bad. I didn't realize how long it was until I looked at it again after reading your last posting.

Again, thanks for the how-to, my only problem is the nightbrawler.com link doesn't seem to work. Not only that its hosted on a Red Hat Server (I hope that's not yours ).

Doesn't work as in the actual web page doesn't render or is down? I get to the site just fine with Firefox.
Nope, not my Redhat server. I'm a Gentoo only guy.

If I'm not understanding you please let me know and I will remove the link if your referring to the directions on that webpage being Redhat Centric. Anyways. I shouldn't of posted this to your HowTo. Sorry about that. If you would like I can move it. Just let me know. Thanks Sith.

[Sith_Happens]

About the link, it's up now, it was giving me a 404 last time I tried it. I knew it was a redhat server because when I went to http://www.nightbrawler.com/ , I got the default Redhat Enterprise Server modified Apache2 index page. Somebody hadn't properly configured their apache server.

As far as keeping your post here, feel free to if you want. You could also move it and make your own how-to, "Shorewall Tips" or something like that, and edit your above post to be a link to it if you want, it's up to you.

[Bob P]

Thanks, Ryan, for the very helpful Tutorial. I followed this Guide and the result was a rock-solid firewall that wouldn't let any unwanted traffic pass through.

It seems that this Guide is optimized for a standalone linux box with an ethernet connection to the internet. Although this Guide works very well for supporting that type of installation, I encountered a couple of problems using this Guide to install a single-ended firewall on a Gentoo box that exists on a LAN (behind an appliance firewall/router) with a group of Windows and Gentoo computers. I'd like to suggest a tip that will be helpful in enabling Shorewall to function properly in this type of environment.

4.a: /etc/shorewall/interfaces

This is where /etc/shorewall/interfaces comes in. This part is very simple, so I won't give to much explanation outside of the relevant portion of the file itself. The first portion of all the configuration files is a commented section explaining the use of the file in detail, so please, read it. The last portion is the "business end" of the config file. In this case, we assume that the computer is connected to the internet on the interface eth0. The various options listed are explained further in the file itself, so add any options to your file that apply to your particular configuration. For most people, simply adding the zone and interface will suffice.

Code: Select all

##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net      eth0           detect          norfc1918,dhcp,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The norfc1918 parameter can be a little tricky to implement if you're not aware of exactly what it does. This parameter instructs Shorewall to prohibit traffic involving packets that bear an RFC 1918-compliant IP address. This may or not be what you want, so we should probably review what the RFC 1918 standard means and how it will effect the function of Shorewall.

RFC 1918 is an IP address standard that reserves several IP address ranges for use on private networks. These addresses are:

Code: Select all

10.0.0.0    - 10.255.255.255
172.16.0.0  - 172.31.255.255
192.168.0.0 - 192.168.255.255

Because these addresses are "reserved" by the RFC 1918 standard, they are considered non-routable. By non-routable, I mean that the Internet backbone routers will not forward any packets which contain a destination address that is reserved by the RFC-1918 definitions. If norfc1918 is specified in your interface options, you are instructing Shorewall to "just say no" to all packets that bear an RFC 1918-compliant IP address. In doing so, Shorewall will not respond to any packets that contain IP addresses that lie within the range of values defined by RFC 1918.

What this means is that if you use the norfc1918 option in your interfaces file, you have instructed your router to never respond to any packets bearing an RFC 1918-compliant address. In practical terms, if you are on a LAN that uses RFC 1918-compiliant routing addresses (such as a home network that uses a firewall/router to allow your boxes to share a DSL connection), then Shorewall will render your box totally unresponsive to ALL of the other boxes on your network. No matter how you configure your rules table or your policy table, Shorewall absolutely WILL NOT respond to the other machines on your LAN.

In the event that you are planning on using Shorewall as a personal firewall on your box, and your box sits on a LAN that uses RFC 1918-compliant addressing, remember that if you "just say no" to RFC 1918 by specifying the norfc1918 option in your interfaces file, then you will effectively insulate your box from the rest of the boxes on your LAN. If you want to be an isolationist on your LAN, then norfc1918 is exactly what you need!

OTOH, if you want to be able to communicate with other boxes on your LAN, you MUST remove the norfc1918 option in your interfaces file. After doing that, Shorewall will respond to policies and rules that permit communication between other PCs on your network that present packets containing RDC 1918-compliant IP addresses.

I hope this helps. This problem was a real head-scratcher for me, as everyone I talked to seemed to agree that there had to be a problem with my configuration of the rules table, when the real problem was that I had unwittingly used norfc1918 in defining my firewall's interface table.

edit: added the word "containing" in the second to the last paragraph.

[woZa]

Does that not make norfc1918 ideal for adding to your internet connection in the interfaces file just not to your lan connection?

eg my interfaces file

Code: Select all

#ZONE   INTERFACE       BROADCAST       OPTIONS
net         ppp0                -                        routefilter,norfc1918,tcpflags
loc          eth0                detect               tcpflags

Please correct me if I am wrong!

[Sith_Happens]

If you have an interface that should not be recieving rfc 1918 traffic, such as a modem, then defining that interface with the norfc1918 option describes that interface to shorewall. If you have an interface that will be recieving both internal network traffic (with rfc 1918 addresses) and externel network traffic on the same interface, such as a computer behind a router with port fowarding set up, then norfc1918 doesn't fit your interface, so you shouldn't define that interface with the norfc1918 option. It's that simple.

[lmcogs]

Hi

Getting this error message

rc-update add shorewall default && /etc/init.d/shorewall start
* shorewall already installed in runlevel default; skipping
* Starting firewall...
Warning: Zone loc is empty
Warning: Zone dmz is empty
FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.

I have emerged iptables, shorewall and iproute2. I changed the config file as you mentioned and I compiled the kernel with packet filtering. I originally compiled the kernel with 'genkernel --udev --all' so I recompiled as you mentioned 'genkernel --menuconfig kernel' but I got this message. This did not produce an initrd file so after I got the above error I again recompiled the kernel using 'genkernel --menuconfig --udev all'. However I got the above error message again.

Not as easy as you mentioned. Can you advise.

Lmcogs

[Sith_Happens]

First, this is a documentation thread, not a support thread. All support requests need to be posted in the support thread. That said, I suggest you go back and make sure you completed Section 2 of the tutorial, also make sure the options in the menuconfig have <*> next to them and not <M>. If you still have trouble, post to the support thread, not to this thread though.

[manicman]

i cant delete my superfluous posting...:\

[Sith_Happens]

Hi there

perhaps it would be useful to mention that there are many action files in /usr/share/shorewall which are perhaps not really wanted to be loaded.
therefor one have to edit the CONFIG_PATH variable in the /etc/shorewall/shorewall.conf to /etc/shorewall only. then all actions listed in /usr/share/shorewall wont be loaded...
but if anybody follows my suggestion please have a look into that folder, there are many useful actions....

I suppose preventing shorewall from loading the actions would save some load time, however, the actions are only "pre-processed", they aren't actually used unless you specify them.