Linux Configure Firewall Using Shorewall Under RHEL / CentOS


What is Shorewall?

Usually, you write a complicated set of firewall rules in /etc/sysconfig/iptables or in shell scripts. With Shorewall you instead describe your firewall/gateway requirements as entries in a set of configuration files. Shorewall reads those files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall is not a GUI tool; it is a text-file front end to Netfilter.
Install shorewall on CentOS or RHEL
First, turn on the EPEL repo and type the following yum command to install the shorewall package:

# yum install shorewall

A note about config files
1. The default configuration directory is located at /etc/shorewall/.
2. Shorewall global configuration file is located at /etc/shorewall/shorewall.conf. This file sets options that apply to Shorewall as a whole.
3. The /etc/shorewall/zones file declares your network zones. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.
4. The /etc/shorewall/interfaces file serves to define the firewall's network interfaces to Shorewall.
5. The /etc/shorewall/policy file defines the high-level policy for connections between zones defined in /etc/shorewall/zones.
6. To provide exceptions to policies, add rules to /etc/shorewall/rules. Use this file to open or close ports and so on.
7. To blacklist IPs, applications, MAC address, and subnets use the /etc/shorewall/blacklist file.

Rule status and ordering
Ordering matters in Shorewall: once a rule has been matched, its action is performed and no further rule or policy is evaluated.
1. For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file.
2. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied.
3. If there is a default action defined for the policy in /etc/shorewall/shorewall.conf then that action is invoked before the policy is enforced.

Configuration
Shorewall uses the concept of zones. You need to define the network using a set of zones as follows for the two network-interface configuration:
Configure /etc/shorewall/zones
Edit the file /etc/shorewall/zones, enter:
# vi /etc/shorewall/zones
Update the file as follows:
fw firewall
wan ipv4
lan ipv4


Shorewall recognizes the firewall system as its own zone. The name of the zone designating the firewall itself (usually 'fw' as shown in the above file) is stored in the shell variable $FW, which may be used throughout the Shorewall configuration to refer to the firewall zone. The wan and lan zones use the standard ipv4 zone type, which is also the default if you leave the type column empty.
Configure /etc/shorewall/interfaces
Next, you need to define the hosts in each zone. You associate a zone with a network interface in the /etc/shorewall/interfaces file. In the two-interface sample, the two zones are defined in that file as follows. Edit the file /etc/shorewall/interfaces, enter:

# vi /etc/shorewall/interfaces

Append the following entries:

wan eth1 - routefilter,blacklist,tcpflags,logmartians,nosmurfs
lan eth0


The above file defines the wan zone as all IPv4 hosts reached through eth1 and the lan zone as all IPv4 hosts reached through eth0. The wan interface eth1 has additional protection against common Internet attacks:
1. routefilter - Turn on kernel route filtering (reverse-path filtering) for this interface, i.e. an anti-spoofing measure.
2. blacklist - Check packets arriving on this interface against the /etc/shorewall/blacklist file. The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application.
3. tcpflags - Packets arriving on this interface are checked for certain illegal combinations of TCP flags, such as XMAS, null or otherwise invalid packets. Packets found to have such a combination of flags are dropped (see the TCP_FLAGS_DISPOSITION option in shorewall.conf) after having been logged to /var/log/messages (see the TCP_FLAGS_LOG_LEVEL option in shorewall.conf).
4. logmartians - Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set routefilter on an interface you also set logmartians.
5. nosmurfs - Filter smurf packets (packets with a broadcast address as the source), i.e. turn on anti-smurf protection.

Configure /etc/shorewall/policy
You express your default policy for connections from one zone to another in the /etc/shorewall/policy file. The basic choices for a policy are:
1. ACCEPT - Accept the connection.
2. DROP - Ignore the connection request.
3. REJECT - Return an appropriate error to the connection request.
Connection request logging may be specified as part of a policy, and it is conventional (and highly recommended) to log DROP and REJECT policies.
Edit the file /etc/shorewall/policy, enter:

# vi /etc/shorewall/policy

Append the policy:

## allow lan to all and firewall to all (outgoing to internet) but no traffic from wan/internet to lan or firewall itself
lan all ACCEPT
$FW all ACCEPT
wan all DROP info
# this catch-all must be the last entry
all all REJECT info

Save and close the file.

Configure /etc/shorewall/rules
Entries in this file govern connection establishment by defining exceptions to the policies laid out in the /etc/shorewall/policy file. Use this file to open or close TCP/UDP ports. You can allow access to application servers such as FTP, HTTP, HTTPS and many more using the macros defined in the /usr/share/shorewall/macro.* files. The syntax is illustrated by the following examples.

For example, to open port 22 from wan (the Internet) to the firewall, enter:
ACCEPT wan $FW tcp 22

Your policy ignores all connection attempts from the wan zone (the Internet); the above exception to that policy allows you to connect to the SSH server running on your firewall. You can now open ports 80 and 443 so that clients can reach the reverse proxy server running on the firewall:

## open port 443 from the wan to the nginx running on 202.54.1.1:443 on your firewall.
HTTPS/ACCEPT wan $FW:202.54.1.1 - 443
## open port 80 from the wan to the nginx running on 202.54.1.1:80 and 202.54.1.2:80 on your firewall.
HTTP/ACCEPT wan $FW:202.54.1.1,202.54.1.2 - 80
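The rules-then-policy evaluation described under "Rule status and ordering", run against the policy and rules entries above, as an added example that is not Shorewall's own code: the MACROS table, the parsing helpers and decide() are simplified stand-ins for what Shorewall's compiler does, and the policy file order is deliberately changed in one call to show why the catch-all line must come last.

```python
# Added example (not Shorewall code): a simplified model of Shorewall's match
# order applied to the page's policy and rules files. It handles "$FW",
# "$FW:addr,addr" destination lists and the two macros the page uses; the real
# macros live in /usr/share/shorewall/macro.* (MACROS below is an assumption).
FW = "fw"                       # firewall zone name from /etc/shorewall/zones
MACROS = {"HTTP": ("tcp", "80"), "HTTPS": ("tcp", "443")}  # assumed subset

POLICY = """\
lan all ACCEPT
$FW all ACCEPT
wan all DROP info
# this catch-all must be the last entry
all all REJECT info
"""
RULES = """\
ACCEPT wan $FW tcp 22
HTTPS/ACCEPT wan $FW:202.54.1.1 - 443
HTTP/ACCEPT wan $FW:202.54.1.1,202.54.1.2 - 80
"""

def _lines(text):
    """Yield the fields of non-blank, non-comment lines with $FW expanded."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.replace("$FW", FW).split()

def _zone(spec):
    """'wan' -> ('wan', None); 'fw:1.2.3.4,5.6.7.8' -> ('fw', {...})."""
    zone, _, hosts = spec.partition(":")
    return zone, (set(hosts.split(",")) if hosts else None)

def parse_rules(text):
    rules = []
    for action, src, dst, proto, port in (f[:5] for f in _lines(text)):
        if "/" in action:                       # macro form, e.g. HTTPS/ACCEPT
            macro, action = action.split("/", 1)
            mproto, mport = MACROS[macro]       # macro fills what '-' leaves open
            proto = mproto if proto == "-" else proto
            port = mport if port == "-" else port
        rules.append((action, _zone(src), _zone(dst), proto, port))
    return rules

def parse_policy(text):
    return [(f[0], f[1], f[2], f[3] if len(f) > 3 else None) for f in _lines(text)]

def decide(src, dst, proto, port, dst_ip=None, rules_txt=RULES, policy_txt=POLICY):
    """Return (ACTION, origin): rules are consulted first; otherwise the first
    matching policy line wins, which is why 'all all' has to be last."""
    for action, (rz, _), (dz, dhosts), rproto, rport in parse_rules(rules_txt):
        if (rz, dz, rproto, rport) != (src, dst, proto, str(port)):
            continue
        if dhosts is not None and dst_ip not in dhosts:
            continue                            # rule limited to listed addresses
        return action, "rule"
    for pz, pd, action, log in parse_policy(policy_txt):
        if pz in (src, "all") and pd in (dst, "all"):
            return action, f"policy{' log=' + log if log else ''}"
    raise LookupError("no policy matched: the catch-all 'all all' line is missing")

if __name__ == "__main__":
    for conn in [("wan", FW, "tcp", 22), ("wan", FW, "tcp", 443, "202.54.1.1"),
                 ("wan", FW, "tcp", 443, "202.54.1.2"), ("wan", "lan", "tcp", 80),
                 ("lan", "wan", "tcp", 443), (FW, "wan", "udp", 53)]:
        print(conn, "->", decide(*conn))
```

Note that HTTPS to 202.54.1.2 falls through to the wan DROP policy because the rule only lists 202.54.1.1, exactly the kind of mismatch `shorewall check` will not catch.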


Configure /etc/shorewall/blacklist
Edit the file /etc/shorewall/blacklist, enter:
# vi /etc/shorewall/blacklist
Block 202.53.1.0/24 subnet and 190.1.2.3 IP address:
202.53.1.0/24
190.1.2.3
Save and close the file.

Enable Shorewall and check the configuration for errors
First, allow Shorewall to start. Edit the main configuration file:

# vi /etc/shorewall/shorewall.conf

Find the line:

STARTUP_ENABLED=No

Replace with:

STARTUP_ENABLED=Yes

Save and close the file. Shorewall uses a "compile" then "execute" approach. The Shorewall configuration compiler reads the configuration files and generates a shell script. Errors in the compilation step cause the script to be discarded and the command to be aborted. If the compilation step doesn't find any errors then the shell script is executed. To check for errors, enter:

# shorewall check
How do I start / stop / restart shorewall?
Type the following commands (warning: poorly configured firewall rules may lock you out of remote access, including ssh, so be careful when you run them):
# service shorewall start
# service shorewall stop
# service shorewall restart
# service shorewall status
OR
# /etc/init.d/shorewall start
# /etc/init.d/shorewall stop
# /etc/init.d/shorewall restart
# /etc/init.d/shorewall status

To turn on shorewall at boot time, enter:

# chkconfig shorewall on

How do I list firewall rules?
Type the following command:

# shorewall show
# shorewall show | less

How do I see the IP connections currently being tracked by the firewall?

# shorewall show connections

How do I see firewall logs?

# shorewall show hits
# shorewall show hits|less

How do I display my kernel/iptables capabilities?

# shorewall show capabilities

The shorewall command and the firewall configuration files allow many more options. I recommend that you read the shorewall man page for more information.
