Member

Shorewall Ubuntu 10.04

Hi

I'm sitting here trying to configure my server/router.
I was going to use Shorewall, but I'm starting to doubt that it's a good choice.

Here are my files in /etc/shorewall:

interface

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect

masq

#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         eth0

Policy

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        all    ACCEPT
loc       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

Rules

#ACTION        SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK
#                                      PORT    PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)    $FW      net
DNS(ACCEPT)    $FW      loc
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    all      $FW
ACCEPT         all      $FW    tcp     10022
#
# Allow Ping from the local network
#
Ping(ACCEPT)   loc      $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)     net      $FW
ACCEPT         $FW      loc    icmp
ACCEPT         $FW      net    icmp
#
#HTTP
ACCEPT         loc      $FW    tcp     www
ACCEPT         all      $FW    tcp     https
ACCEPT         all      $FW    udp     53
ACCEPT         all      $FW    tcp     53

This is what iptables looks like when I run shorewall start....

# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -m state --state INVALID,NEW -j dynamic
-A INPUT -i eth0 -j net2fw
-A INPUT -i eth1 -j loc2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -m state --state INVALID,NEW -j dynamic
-A FORWARD -i eth0 -o eth1 -j net2loc
-A FORWARD -i eth1 -o eth0 -j loc2net
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A Drop
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -j ACCEPT
-A loc2fw -p tcp -j tcpflags
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -g reject
-A loc2net -p tcp -j tcpflags
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net2fw -m state --state INVALID,NEW -j blacklst
-A net2fw -m state --state INVALID,NEW -j smurfs
-A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net2fw -p tcp -j tcpflags
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j DROP
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p udp -m udp --dport 53 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP
-A net2loc -m state --state INVALID,NEW -j blacklst
-A net2loc -m state --state INVALID,NEW -j smurfs
-A net2loc -p tcp -j tcpflags
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/4 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/4 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*mangle
:PREROUTING ACCEPT [26:3685]
:INPUT ACCEPT [21:1464]
:FORWARD ACCEPT [5:2221]
:OUTPUT ACCEPT [16:1840]
:POSTROUTING ACCEPT [21:4061]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j MARK --set-xmark 0x0/0xffffffff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 85.228.192.0/20 -j MASQUERADE
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*raw
:PREROUTING ACCEPT [26:3685]
:OUTPUT ACCEPT [16:1840]
COMMIT
# Completed on Sat Jun 12 00:19:05 2010

And everything works if I run:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT

But it isn't saved when the computer is rebooted...

Any kind soul who can see where I'm going wrong?

//simon6
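The nat table quoted above explains why the hand-typed MASQUERADE rule works while Shorewall's does not: the `eth0 eth0` masq entry made Shorewall masquerade only 85.228.192.0/20, the netblock on eth0 itself, so traffic from the LAN behind eth1 never matches. As an added check, not part of the thread, this Python helper parses an iptables-save nat table (constructed here from the output above) and reports whether a given LAN prefix is actually covered by a MASQUERADE rule out of eth0; the LAN prefix 192.168.1.0/24 is an assumption, since the post never states it.

```python
import ipaddress

# Constructed sample: the *nat table from the iptables-save output quoted in the
# thread, as Shorewall generated it from the "eth0 eth0" masq entry.
NAT_TABLE_FROM_THREAD = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 85.228.192.0/20 -j MASQUERADE
COMMIT
"""
# The same table with the poster's hand-typed rule added; it has no -s match,
# so it masquerades every source leaving eth0.
WITH_MANUAL_RULE = NAT_TABLE_FROM_THREAD.replace(
    "COMMIT", "-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT")
# Assumed LAN prefix behind eth1; the thread never states it.
ASSUMED_LAN = "192.168.1.0/24"


def masqueraded_sources(nat_table, out_iface="eth0"):
    """Source networks that get MASQUERADE when leaving out_iface, following
    POSTROUTING one hop into user chains (Shorewall's eth0_masq). A rule
    without -s matches every source and is reported as 0.0.0.0/0."""
    user_chains, rules = set(), []
    for line in nat_table.splitlines():
        if line.startswith(":"):                    # chain declaration
            user_chains.add(line[1:].split()[0])
        elif line.startswith("-A "):                # rule: flag/value pairs
            tok = line.split()
            rules.append((tok[1], dict(zip(tok[2::2], tok[3::2]))))
    # Chains a packet leaving out_iface passes through.
    chains = {"POSTROUTING"}
    for chain, opt in rules:
        if (chain == "POSTROUTING" and opt.get("-o", out_iface) == out_iface
                and opt.get("-j") in user_chains):
            chains.add(opt["-j"])
    return [ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"))
            for chain, opt in rules
            if chain in chains and opt.get("-j") == "MASQUERADE"
            and opt.get("-o", out_iface) == out_iface]


def lan_is_masqueraded(nat_table, lan, out_iface="eth0"):
    """True if the whole LAN prefix lies inside some masqueraded source."""
    lan = ipaddress.ip_network(lan)
    return any(lan.subnet_of(n) for n in masqueraded_sources(nat_table, out_iface))
```

Run against the thread's table, `lan_is_masqueraded(NAT_TABLE_FROM_THREAD, ASSUMED_LAN)` is False, while the table with the manual rule covers the LAN; a masq entry of `eth0 eth1` would make Shorewall generate the rule for eth1's subnet instead of eth0's.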

Member

I've never used Shorewall, but in general on Linux you use iptables-save <file> to save the rules and then iptables-restore <file> at boot.