This is my basic how-to for the Shorewall firewall on a VPS running Debian 5 / Ubuntu 9.
http://www.shorewall.net
prepare your VPS;
Code:
apt-get update
apt-get upgrade -y
Install shorewall;
Code:
apt-get install shorewall
The package puts its files in the following places;
Code:
/etc/shorewall
/etc/default/shorewall
/usr/share/shorewall
/usr/share/shorewall-shell
There are also examples and manuals under /usr/share/doc/shorewall*.
Shorewall is now installed. Well done, go get a beer and chill.
That's it.... joke, if only.
Now you need to set up the interfaces, zones, policy, rules and blacklist.
Code:
cd /etc/shorewall
dir
output;
Code:
Makefile shorewall.conf
shorewall.conf is your config file, and there is really only one edit you need to make to get started.
Code:
vi /etc/shorewall/shorewall.conf
Find the IPv6 setting and make sure it is set so that IPv6 support is disabled. The value looks backwards, but it does disable it.
There is a redundant file that needs removing to stop some errors being reported later; copy it aside before removing it, just in case you need it back...
Code:
cp /etc/modprobe.conf /etc/modprobe.d/was-modprobe.conf
rm /etc/modprobe.conf
Now to setup the firewall
interfaces; /etc/shorewall/interfaces
First we need to find the name of our interface;
Code:
ip route ls
output;
Code:
192.0.2.1 dev venet0 scope link
default via 192.0.2.1 dev venet0
The name of the external interface is the word directly after 'dev', and in my case it is 'venet0'.
Now we have our dev name we can create the interfaces file
Code:
vi /etc/shorewall/interfaces
and add the following;
Code:
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
*net **venet0 ***detect/99.198.122.55,99.198.122.56 ****blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
REMOVE THE STARS.... * ** *** ****
*net
This is the zone name we give the interface; it is used again in the zones, policy and rules files.
net could have been joan, matthew, peter or ihateu; it is just a name, but net makes good sense.
**venet0 is the dev name and must match what 'ip route ls' showed.
***detect/99.198.122.55,99.198.122.56
This is the BROADCAST column and you have two options;
detect - Shorewall works out the interface's broadcast address itself
or
a comma (,) separated list of addresses
Use one or the other, never both;
detect/ - bad
/12.24.36.48 - bad
I use
99.198.122.55,99.198.122.56
A single address, 99.198.122.55, also works but obviously only covers that IP.
Note that this column is for the interface's broadcast address(es), not for its own IPs: 'detect' finds broadcast addresses, and a venet0 interface has none, so '-' is the documented entry for it. Shorewall accepts the list above but treats those addresses as broadcast addresses; it does not restrict which IPs the firewall answers on. That is what the policy and rules files are for.
****blacklist - the OPTIONS column, a comma separated list of options for this interface. In this tutorial I only use blacklist, which makes Shorewall check traffic arriving on this interface against /etc/shorewall/blacklist; everything else is done with ACCEPT rules and macros in the rules file.
Here it is again without the stars;
Code:
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net venet0 99.198.122.55,99.198.122.56 blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
zones; /etc/shorewall/zones
Code:
vi /etc/shorewall/zones
and add the following
Code:
###############################################################################
#ZONE TYPE OPTIONS IN OUT
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
If you used joan, matthew, peter or ihateu instead of net, change it here too; that is the ONLY change to make.
fw is the firewall zone itself and is what $FW refers to in the policy and rules files; leave it alone.
policy; /etc/shorewall/policy
Code:
vi /etc/shorewall/policy
and add the following
Code:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
$FW net ACCEPT
net $FW DROP info
net all DROP info
all all REJECT info
#LAST LINE -- DO NOT REMOVE
Again no change other than that one 'net' name.
These are the default policies: what the firewall does with a connection when no rule in /etc/shorewall/rules says otherwise. The firewall may open connections out to the net; anything arriving from the net for the firewall is dropped (and logged at info) unless a rule accepts it. Do not put ACCEPT on the net -> $FW line: a policy is the fallback for everything the rules do not mention, so net $FW ACCEPT would expose every listening port on the VPS and make the rules file pointless. The outbound ACCEPT has no log level because logging every accepted outbound connection at info only fills the log.
rules; /etc/shorewall/rules
Code:
vi /etc/shorewall/rules
and add the following
Code:
#######################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT net $FW udp 1234
ACCEPT net $FW tcp 2345
HTTP/ACCEPT net $FW
HTTPS/ACCEPT net $FW
IMAP/ACCEPT net $FW
IMAPS/ACCEPT net $FW
MySQL/ACCEPT net $FW
POP3/ACCEPT net $FW
POP3S/ACCEPT net $FW
SMTP/ACCEPT net $FW
SMTPS/ACCEPT net $FW
SSH/ACCEPT net $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
In the above example I have opened 2 ports by hand and then used macros to manage the other protocols. Only keep the lines for services this VPS actually runs: every line here opens that port to the whole internet, and MySQL in particular is rarely something you want reachable from everywhere.
Macros are available in the following folder;
Code:
/usr/share/shorewall
Remove the 'macro.' from the file name and use the rest, as MACRONAME/ACCEPT, in your rules.
If you wanted to change your default ssh port to 222 instead of 22, you have two options: add a rule for the port, like the two hand-opened ports above, or copy macro.SSH to /etc/shorewall/macro.SSH and change the port in the copy. A macro in /etc/shorewall overrides the one in /usr/share/shorewall, and unlike editing the file in /usr/share it survives package upgrades.
blacklist; /etc/shorewall/blacklist
Code:
vi /etc/shorewall/blacklist
and add the following
Code:
12.24.36.48
15.30.46.60
Add whatever IPs you do not want to have access to your VPS in this file, one per line, and they will be denied access. Entries only take effect on interfaces that carry the blacklist option in the interfaces file, which is why it was set on venet0 above.
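The whole procedure above, as an added example that is not from the original post and not Shorewall's own code: a POSIX shell script that picks the external interface out of `ip route ls` output, writes the five config files into a scratch directory with the zone name and interface as parameters, and lints them for the mistakes that are easy to make by hand (a mistyped zone name, an ACCEPT policy from the net into $FW, blacklist entries on an interface without the blacklist option). The function names, the scratch-directory layout and the sample route output are assumptions of the example; only the file formats come from the post.

```shell
#!/bin/sh
# Added example: not from the original post and not Shorewall's own code.
# Builds the one-interface Shorewall config described above in a scratch
# directory (zones, interfaces, policy, rules, blacklist) and lints it before
# it is copied into /etc/shorewall. Function names, the scratch layout and the
# sample route output are assumptions of this example.

# default_iface ROUTES: print the device of the default route from the output
# of `ip route ls` (the word after "dev" on the "default via ..." line).
default_iface() {
  printf '%s\n' "$1" | awk '
    $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# write_config DIR ZONE IFACE [BLACKLISTED_ADDRESS ...]
# BROADCAST is "-" (venet0 has no broadcast address); the "blacklist" option is
# what makes DIR/blacklist take effect. Policy: the firewall may go out to the
# net; anything from the net to the firewall is DROPped unless a rule opens it.
write_config() {
  dir=$1 zone=$2 iface=$3; shift 3
  mkdir -p "$dir"
  printf '#ZONE\tTYPE\nfw\tfirewall\n%s\tipv4\n' "$zone" > "$dir/zones"
  printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n%s\t%s\t-\tblacklist\n' \
    "$zone" "$iface" > "$dir/interfaces"
  printf '#SOURCE\tDEST\tPOLICY\tLOG\n$FW\t%s\tACCEPT\n%s\t$FW\tDROP\tinfo\n%s\tall\tDROP\tinfo\nall\tall\tREJECT\tinfo\n' \
    "$zone" "$zone" "$zone" > "$dir/policy"
  {
    printf '#ACTION\tSOURCE\tDEST\tPROTO\tPORT\nSECTION NEW\n'
    for m in SSH HTTP HTTPS; do printf '%s/ACCEPT\t%s\t$FW\n' "$m" "$zone"; done
    printf 'ACCEPT\t%s\t$FW\ttcp\t2345\n' "$zone"   # a port opened by hand, as in the post
  } > "$dir/rules"
  : > "$dir/blacklist"
  for a in "$@"; do printf '%s\n' "$a" >> "$dir/blacklist"; done
}

# lint_config DIR: exit 0 if the file set is consistent, 1 (with a message) if not.
# Checks: every zone used in interfaces/policy/rules is declared in zones; no
# policy ACCEPTs everything from another zone into $FW (that would open every
# listening port and make the rules file irrelevant); blacklist entries are
# not silently ignored because no interface has the blacklist option.
lint_config() {
  awk -v dir="$1" '
    function skip(l)  { return l ~ /^[ \t]*#/ || l ~ /^[ \t]*$/ }
    function zone(z)  { sub(/:.*/, "", z); return z }   # drop host qualifiers like net:1.2.3.4
    function known(z) { return z == "$FW" || z == "all" || z == "-" || (z in zones) }
    function fail(m)  { print "lint: " m; bad = 1 }
    BEGIN {
      bad = 0; bl = 0; n = 0
      while ((getline l < (dir "/zones")) > 0) { if (!skip(l)) { split(l, f); zones[f[1]] = 1 } }
      while ((getline l < (dir "/interfaces")) > 0) {
        if (skip(l)) continue
        split(l, f)
        if (!(f[1] in zones)) fail("interfaces: undeclared zone " f[1])
        if (("," f[4] ",") ~ /,blacklist,/) bl = 1
      }
      while ((getline l < (dir "/policy")) > 0) {
        if (skip(l)) continue
        split(l, f)
        if (!known(zone(f[1])) || !known(zone(f[2]))) fail("policy: undeclared zone in: " l)
        if (f[1] != "$FW" && f[2] == "$FW" && f[3] == "ACCEPT")
          fail("policy: " f[1] " -> $FW ACCEPT opens every port; use DROP")
      }
      while ((getline l < (dir "/rules")) > 0) {
        if (skip(l) || l ~ /^SECTION/) continue
        split(l, f)
        if (!known(zone(f[2])) || !known(zone(f[3]))) fail("rules: undeclared zone in: " l)
      }
      while ((getline l < (dir "/blacklist")) > 0) { if (!skip(l)) n++ }
      if (n > 0 && !bl) fail("blacklist has entries but no interface has the blacklist option")
      exit bad
    }'
}

# Demo with a constructed `ip route ls` sample (the output shown earlier in the post).
routes='192.0.2.1 dev venet0 scope link
default via 192.0.2.1 dev venet0'
scratch=$(mktemp -d)
write_config "$scratch" net "$(default_iface "$routes")" 12.24.36.48 15.30.46.60
lint_config "$scratch" && echo "consistent: $scratch is ready to copy into /etc/shorewall"
```

The lint only catches consistency mistakes between the files; Shorewall's own compiler is the authority on syntax, so after copying the files into /etc/shorewall still run `shorewall check` before `shorewall start`.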
The last thing to do is enable the firewall to start on boot.
Code:
vi /etc/default/shorewall
Find the line that is set to 0 and change it to 1.
Start the firewall;
Code:
shorewall start
Is the firewall running?
Code:
shorewall status
Apply a changed blacklist;
Code:
shorewall refresh
Apply any / all changes;
Code:
shorewall restart
What is my firewall capable of right now?
Code:
shorewall show capabilities
Remember, if you screw up, just set /etc/default/shorewall back to 0 and try again. Before you start or restart, `shorewall check` compiles the configuration without loading it, so a typo shows up as an error message instead of as a firewall that fails to come up.
BTW if this all goes horribly wrong for you it is your fault for following the blind man...