Shorewall installation and configuration on Fedora
Reference:
[Link]
# Back up your existing iptables configuration so that you can revert in case
something goes wrong
cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_<today_s_date>
# Deploy a safety net to ensure that you don't get locked out
Reference : [Link]
vi /root/firewall_reset
############
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
###########
# Test that the above ruleset loads without errors
/sbin/iptables-restore < /root/firewall_reset
/sbin/iptables -L
# The output should be similar to the following
###
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
###
# Restore your original firewall configuration and proceed
/sbin/iptables-restore < /etc/sysconfig/iptables_backup_<today_s_date>
# Confirm that your original rules have been restored by running the following
command
/sbin/iptables -L
# Create a crontab entry that resets the firewall every 15 minutes
crontab -e
0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset
# Be sure to comment out this line after you have successfully tested that
Shorewall is working: the reset ruleset above sets every chain policy to
ACCEPT, so as long as this job is active the firewall is reopened every
15 minutes.
# Reference:[Link]
# Before installing, check whether iproute and shorewall are already installed
rpm -qa | grep -i "iproute"
rpm -qa | grep -i "shorewall"
# If iproute and shorewall are not installed, proceed as follows
yum install iproute
yum install shorewall
#Setting up Shorewall on a standalone Linux system with a single static IP address
Reference :[Link]
# Add your IP address (the address of the system/gateway you are connecting
from, not the address of the server on which you are installing Shorewall) to
the /etc/shorewall/routestopped file to ensure that you stay connected while the
firewall restarts. You can find your IP address by visiting [Link]
cp -a /etc/shorewall/routestopped /etc/shorewall/[Link]
vi /etc/shorewall/routestopped
# eg. if your IP address ( the system/gateway you are connecting from) is
[Link]
#INTERFACE HOST(S)
eth0 [Link]/24
# You can also use a CIDR prefix length to indicate a range of IPs whose
connections will not be broken; keep this range as narrow as possible, since
these hosts keep access while the firewall is stopped
# e.g. if you want to keep connections from [Link] to [Link] alive
during the firewall restart, add the following line
#INTERFACE HOST(S)
eth0 [Link]/24
# Find the sample configuration files by running
rpm -ql shorewall | fgrep one-interface
cp -a /usr/share/doc/shorewall-3.2.7/Samples/one-interface /tmp/
cd /tmp/one-interface
# Confirm your Ethernet interface name (and check that you have a single LAN card)
/sbin/ifconfig -a
vi interfaces
########
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 [Link]
norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########
#RFC-1918 reserves several Private IP address ranges for use in private networks:
[Link] - [Link]
[Link] - [Link]
[Link] - [Link]
# If your IP address falls in any of the above ranges, remove "norfc1918" from
the options column of the interfaces file
# If you have a non-static (DHCP) IP address, add "detect" in the "broadcast"
column and add "dhcp" to the option list.
# Configuration of rules
# You can find custom rules files by running
ls /usr/share/shorewall/macro.*
# You can then use these macros in your shorewall rules file
# For eg. if you want to allow access to your web server running TCP Port 80 and
SSHD running on TCP port 22 do the following
# Tip: you can identify the network services listening on your server by issuing
the following command.
/bin/netstat -luntp
# Based on the output, decide which services should be reachable remotely and
which should not
cd /tmp/one-interface
vi rules
#######
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
SSH/ACCEPT net $FW
######
# You can also add the above rules in this way.
vi rules
#########
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 22
#########
# You can also add the following rule if your nmap scan reports TCP port 113
(ident) as closed.
DROP net $FW tcp 113
# If you want to allow connections to, say, the SSH port only from specific IP
addresses on the Internet, add the following
ACCEPT net:[Link]/28,[Link] fw tcp 22
# Be sure to review each macro you apply from /usr/share/shorewall/macro.* to
ensure that it does what you expect
# You must enable startup by editing /etc/shorewall/[Link] and setting
STARTUP_ENABLED=Yes
cp -a /etc/shorewall/[Link] /etc/shorewall/[Link]
vi /etc/shorewall/[Link]
# Modify the lines as shown
#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes
# Copy your configuration files to appropriate locations
cd /etc/shorewall/
cp -a policy [Link]
cp -a rules [Link]
cp -a interfaces [Link]
cp -a zones [Link]
cp -a /tmp/one-interface/* /etc/shorewall/
rm -rf /tmp/one-interface/
/etc/rc.d/init.d/shorewall restart
# You can use the following command to clear all Shorewall rules; note that this
leaves the host without any filtering until Shorewall is started again
/sbin/shorewall clear
# Configure shorewall to auto start at boot time
/sbin/chkconfig shorewall on
# Use nmap from a different system to verify that your firewall rules are in effect
# Multiple IP address to single interface
#
Reference:[Link]
# Ensure that all IP addresses (non-virtual, i.e. additional IP addresses on
separate LAN cards) are configured in /etc/shorewall/interfaces
# eg.
vi /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 [Link]
norfc1918,routefilter,tcpflags,logmartians,nosmurfs
#RFC-1918 reserves several Private IP address ranges for use in private networks:
[Link] - [Link]
[Link] - [Link]
[Link] - [Link]
# If your IP address falls in any of the above ranges, remove "norfc1918" from
the options column of the interfaces file
# If you have a non-static (DHCP) IP address, add "detect" in the "broadcast"
column and add "dhcp" to the option list.
# If you are using virtual IP addresses (e.g. eth0:0, eth0:1, etc.) configured on
a single Ethernet card, you can ignore the above setting in
/etc/shorewall/interfaces
# If you have multiple IP addresses and want sshd to be reachable on a single IP
address (e.g. [Link]) instead of on all IP addresses of the server, do this
vi /etc/shorewall/rules
#ACCEPT net $FW tcp 22
ACCEPT net $FW:[Link] tcp 22
/sbin/shorewall clear
/etc/rc.d/init.d/shorewall restart
# Remove the firewall_reset cron job and the entries in
/etc/shorewall/routestopped once Shorewall is running and the firewall behaves
as expected; both were only temporary safety nets for the setup phase.