wiki.titan2x.com

by Janos Gyerik

Firewall rules for group of hosts or subnets with shorewall

Objectives

  • Allow port 22 from the subnet 192.168.224.0/24
  • Allow a bunch of other ports (LDAP, NFS, etc.) from specific hosts, which may themselves be part of the subnet 192.168.224.0/24

Example

  • Below are merely snippets from configuration files; do not simply replace your own files with them, but merge them and adjust them to your environment.
    • If this is the first time you use shorewall, you probably want to copy one of the example configurations from /usr/share/doc/shorewall-common/examples, like this:
    sudo cp -r /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall
    • In addition, you probably want to set startup=1 in /etc/default/shorewall so that shorewall starts automatically at system boot.
    • But most importantly, if this is your first time with shorewall, you really need to read through the documentation (at least the README and the manpages).
  • Make sure you have physical access to the machine whose settings you are tweaking, because it is easy to lock yourself out when working remotely.
  • When finished merging, run sudo make to activate the new configuration.
    • When you do this for the first time, an error message will instruct you to set STARTUP_ENABLED=yes in /etc/shorewall/shorewall.conf.
  • The snippets from the various configuration files in /etc/shorewall:
# /etc/shorewall/zones
#
# lab is listed before net on purpose: the lab hosts lie inside the net
# subnet, and a nested zone must precede its parent zone so that its
# rules are matched first.
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
lab     ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

# /etc/shorewall/interfaces
#
# "-" as the zone: eth0 is not tied to a single zone; its zones are
# assigned per host/subnet in /etc/shorewall/hosts below.
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# /etc/shorewall/hosts
#
#ZONE   HOST(S)                                 OPTIONS
lab     eth0:192.168.224.132,192.168.224.129    dhcp,tcpflags,logmartians,nosmurfs
net     eth0:192.168.224.0/24                   dhcp,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

# /etc/shorewall/rules
#
#ACTION         SOURCE                          DEST            PROTO   DEST PORT(S)
ACCEPT          $FW                             net             icmp
ACCEPT          net:192.168.224.0/24            $FW             tcp     22
ACCEPT          $FW                             lab             tcp     22
ACCEPT          lab                             $FW             tcp     22,636,111,2049,32765:32769
ACCEPT          lab                             $FW             udp     111,2049,32765:32769
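As an added sanity check (not part of the original page, and not a shorewall tool), the Python script below parses the zones and hosts snippets above and confirms that the lab hosts really fall inside the net subnet and that lab is listed before net in /etc/shorewall/zones, since a nested zone listed after its parent would have its rules shadowed by the parent's. The embedded ZONES and HOSTS text is copied from the snippets on this page; the function names are assumptions of this example.

```python
import ipaddress

# Zone and host definitions copied from the snippets on this page,
# embedded here so the check runs without touching /etc/shorewall.
ZONES = """\
fw      firewall
lab     ipv4
net     ipv4
"""
HOSTS = """\
lab     eth0:192.168.224.132,192.168.224.129    dhcp,tcpflags,logmartians,nosmurfs
net     eth0:192.168.224.0/24   dhcp,tcpflags,logmartians,nosmurfs
"""

def parse_zones(text):
    """Zone names in file order; comments and blank lines are skipped."""
    return [f[0] for f in (ln.split() for ln in text.splitlines())
            if f and not f[0].startswith("#")]

def parse_hosts(text):
    """Map zone -> list of ip_network objects from a shorewall hosts file."""
    nets = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        zone, hostspec = fields[0], fields[1]
        _iface, _, addrs = hostspec.partition(":")  # "eth0:a,b" -> "a,b"
        for addr in addrs.split(","):
            # strict=False lets a bare host address become a /32 network
            nets.setdefault(zone, []).append(ipaddress.ip_network(addr, strict=False))
    return nets

def nesting_problems(zone_order, hosts):
    """Flag any zone whose addresses all lie inside another zone's networks
    but which is listed after that zone: shorewall would then match the
    parent zone first and the nested zone's rules would be shadowed."""
    problems = []
    for inner, inner_nets in hosts.items():
        for outer, outer_nets in hosts.items():
            if inner == outer:
                continue
            nested = all(any(n.subnet_of(o) for o in outer_nets) for n in inner_nets)
            if nested and zone_order.index(inner) > zone_order.index(outer):
                problems.append(f"{inner} is nested in {outer} but listed after it")
    return problems

if __name__ == "__main__":
    print(nesting_problems(parse_zones(ZONES), parse_hosts(HOSTS)) or "zone order OK")
```

Run it against your merged files before sudo make; an empty result means the nested zone order is safe, a message names the zone whose rules would be shadowed.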

Resources

  • man shorewall-zones
  • man shorewall-interfaces
  • man shorewall-hosts
  • man shorewall-rules