Cài đặt Shorewall Firewall on Centos 5.1
Introduction
This tutorial will walk you through setting up Shorewall (Shoreline) 4.0 firewall on CentOS 5.1 , this can easily be adapted to any other Linux distribution out there.
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.
http://www.shorewall.net/
Important Note: Before installing shorewall we need to uninstall ipchains if you installed in your machine.
Download shorewall
You can check download section in shorewall official web site for newer versions.
http://www.shorewall.net/download.htm
Install Shorewall
Installing shorewall is quite easy. Just open a terminal and do a
rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm
and you're all ready. Don't close your terminal, because we will need it some more.
Setting Shorewall
The program will not start unless you change the shorewall configuration file
/etc/shorewall/shorewall.conf .You can do this in following way:
Trích dẫn:
|
vim /etc/shorewall/shorewall.conf
|
Change the first line from
Trích dẫn:
|
STARTUP_ENABLED=No
|
to
Trích dẫn:
|
STARTUP_ENABLED=Yes
|
Save and exit (in VIM, hit [ESC] and then ':wq').
If you want to configure shorewall you need to copy the sample configuration file from /usr/share/doc/shorewall-4.0.11/Samples/. In Samples directory there are 3 different directories : one-interface/,two-interfaces/ and three-interfaces/. Depending on your network,you can do this by the following command:
Trích dẫn:
|
cp /usr/share/doc/shorewall-4.0.11/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
|
Now you have configuration files located in /etc/shorewall.
Zones Configuration
Open and edit the file /etc/shorewall/zones to specify the different network zones, these are just labels that you will use in the other files.
Trích dẫn:
|
vim /etc/shorewall/zones
|
Consider the Internet(net) as one zone, and a private network(dmz) as another zone.The firewall zone or "fw" is your linux box itself. If you have these then the zones file would look like this:
Trích dẫn:
|
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
#
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
Interfaces Configuration
The next file to edit is the interfaces file to specify the interfaces on your machine.
Trích dẫn:
|
vim /etc/shorewall/interfaces
|
Here you will connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point.
Trích dẫn:
|
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
Policy Configuration
The next file defines your firewall default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP as the default, and then configure specifically what ports/services are allowed in the next step, and any that you do not configure are by default rejected or dropped according to this policy.
Trích dẫn:
|
vim /etc/shorewall/policy
|
An example policy (based on the zones and interfaces we used above) would be:
Trích dẫn:
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
Rules Configuration
The most important file is the rules. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules, if none of these apply, then the default policy will apply.
Note: This is only for new connections, existing connections are automatically accepted.
The comments in the file give you a good idea of how things work, but the following will provided an example that can give you a head-start:
Trích dẫn:
|
vim /etc/shorewall/rules
|
An example would be:
Trích dẫn:
|
################################################## ################################################## #########
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
Finally
Well we are done, let's fire up the services and begin testing.
Trích dẫn:
|
service shorewall start
|
Shorewall Web interface or GUI tool
We have a webmin interface for shorewall to configure through GUI. You can download from
http://www.webmin.com/download/modules/shorewall.wbm.gz.
Have fun!
Theo: howtoforge