LinuxQuestions.org
Old 08-19-2005, 12:26 PM   #1
aquaboot
Member
 
Registered: May 2005
Location: Berkeley, CA.
Distribution: debain freebsd
Posts: 483

Rep: Reputation: 31
Newbie shorewall config files


Hi All,

I'm up and running on Ubuntu 5.04 and have just installed and configured shorewall firewall. After reading the docs, I think I'm set. I have a standalone workstation with one static ip on eth0. Right now I just want http and ssh traffic. I've included the policy, rules and interfaces files that I configured (just the end of the files where I actually added or changed text.) I am having trouble sshing in though and not sure why.

Will someone please glance at my files and tell me if it looks good or if there is anything I'm forgetting?

Thanks Much,

aquaboot

#########################################

rules file
ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                PORT      PORT(S)   DEST       LIMIT   GROUP
#
ACCEPT   net      fw     80
ACCEPT   net      fw     22

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#########################################
policy file
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
loc       net    ACCEPT
net       all    ACCEPT   info
#
# THE FOLLOWING POLICY MUST BE LAST
#
#all      all    ACCEPT   info
#LAST LINE -- DO NOT REMOVE

#########################################
interfaces file
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
loc     eth0        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 
Old 08-20-2005, 06:48 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
I'm going to direct you at iptables. (someone else may be able to help with your special firewall...)
Here's a good script to install a remarkably secure firewall. This should be fine for your system and U5.04 comes with iptables.

Code:
#!/bin/sh
# == maddog firewall =======

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero

# Set up a default DROP policy for the built-in chains.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

# Allow all traffic through the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow initiated traffic in (the state match knows NEW, ESTABLISHED,
# RELATED and INVALID; there is no EXISTING state)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH connections (-p selects the protocol; -t selects a table)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow network traffic through eth0
iptables -A INPUT -i eth0 -s 192.168.0.1/24 -j ACCEPT
# we don't really want to allow *all* eth0 traffic, only that for legitimate services
# like internet and nfs and smb shares ... this rule needs to be more strict
# since this is a local LAN, we could just list each host here instead of the network.


# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Note - to allow http or ftp connections to be initiated from outside will require an
# explicit permission of the same form as the SSH rule.
This can be made much more secure by switching off some kernel features and setting up external chains. But you'll find this pretty tight. If you see any particular holes - I'll show you how to fill them in.

Last edited by Simon Bridge; 08-20-2005 at 06:50 AM.
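A way to confirm that a script of the kind above actually produced the intended ruleset, as an added example that is not part of Simon Bridge's post: the functions below read the one-rule-per-line format printed by `iptables -S` (the sample dump is constructed by hand to look like the result of the script) and check that INPUT defaults to DROP, that established flows are let back in, that exactly the expected TCP ports are open, and they list any INPUT ACCEPT rule that matches on neither protocol, port nor state, which is the broad eth0 rule the script's own comment says needs tightening.

```shell
#!/bin/sh
# Added example, not from the thread. The dump below is constructed to resemble
# `iptables -S` output after the firewall script has run.
SAMPLE_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# Default policy of a chain (DROP, ACCEPT, ...), taken from its -P line.
chain_policy() {   # $1 = ruleset text, $2 = chain name
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "-P" && $2 == c { print $3 }'
}

# TCP destination ports explicitly accepted on INPUT, one per line, sorted.
open_tcp_ports() {   # $1 = ruleset text
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n
}

# INPUT ACCEPT rules that match on neither protocol, port, connection state nor
# loopback: they admit anything from the matching source and deserve a second look.
broad_input_accepts() {   # $1 = ruleset text
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ &&
        !/ -p / && !/--state/ && !/ -i lo / { print }'
}

# Returns 0 if INPUT defaults to DROP, keeps established flows and opens exactly
# the expected TCP ports; prints the first failure and returns 1 otherwise.
check_input_chain() {   # $1 = ruleset text, $2 = expected ports, space-separated
    ruleset=$1; expected=$2
    [ "$(chain_policy "$ruleset" INPUT)" = DROP ] \
        || { echo "INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$ruleset" | grep -q -- '-A INPUT .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT' \
        || { echo "no ESTABLISHED/RELATED accept on INPUT" >&2; return 1; }
    got=$(open_tcp_ports "$ruleset" | tr '\n' ' ' | sed 's/ $//')
    want=$(printf '%s\n' $expected | sort -n | tr '\n' ' ' | sed 's/ $//')
    [ "$got" = "$want" ] \
        || { echo "open TCP ports: '$got', expected '$want'" >&2; return 1; }
    return 0
}

# Stand-alone run over the constructed dump.
check_input_chain "$SAMPLE_RULESET" "22" && echo "INPUT chain matches intent"
echo "rules worth a second look:"
broad_input_accepts "$SAMPLE_RULESET"
```

On a real box, replace the constructed text with `iptables -S` output, for example `check_input_chain "$(iptables -S)" "22"`; if the thread's later web server is added, the expected list becomes `"22 80"`.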
 
Old 08-23-2005, 06:15 PM   #3
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
What is the loc zone? You say you only have one network interface on your machine (and you only have one in your interfaces section), but you then have both loc and net in your rules and policy file sections?

OK, I'll assume you just have one computer directly connected to the net through eth0. Here's what you should have:
Code:
#########################################

rules file
ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                PORT      PORT(S)   DEST       LIMIT   GROUP
#
ACCEPT   net      fw     80
ACCEPT   net      fw     22

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#########################################
policy file
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        net    ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all       all    DROP     info
#LAST LINE -- DO NOT REMOVE

#########################################
interfaces file
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net     eth0        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This will have the following effects:
* Your computer will drop any packets coming from the internet except those going to the local ssh and web server.
* You will have full access to make connections out to the internet on any port from your local computer.

So you will have full access without restriction to use the internet. And you are also running ssh and web servers which are accessible to anyone on the internet (make sure you know what you're doing with these).

Last edited by tkedwards; 08-23-2005 at 06:17 PM.
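The zone mismatch tkedwards points out (a policy written for loc and net while the interfaces file defines only loc) is the kind of thing a small lint catches before `shorewall start` does. The script below is an added example, not part of this thread or of Shorewall itself: it reads zone names from the interfaces file and reports any zone that the policy or rules files refer to but never define. It assumes the column order shown in the thread, that zones are defined only by the interfaces file (no separate zones file), that `fw` and `all` are Shorewall's built-in names, and that a header line pasted without its leading `#` (ACTION/SOURCE...) should be skipped.

```shell
#!/bin/sh
# Added example, not from the thread: lint the zone names used by Shorewall policy
# and rules files against the zones the interfaces file defines.

# Zone names defined in an interfaces file: first column of every non-comment line.
defined_zones() {   # $1 = interfaces file
    awk '!/^[[:space:]]*#/ && NF && $1 != "ZONE" { print $1 }' "$1" | sort -u
}

# Zone names referenced by a policy file (SOURCE DEST ...) or a rules file
# (ACTION SOURCE DEST ...). A host qualifier such as net:10.0.0.1 is stripped.
referenced_zones() {   # $1 = file, $2 = "policy" or "rules"
    if [ "$2" = rules ]; then
        awk '!/^[[:space:]]*#/ && NF >= 3 && $1 != "ACTION" { print $2; print $3 }' "$1"
    else
        awk '!/^[[:space:]]*#/ && NF >= 2 && $1 != "SOURCE" { print $1; print $2 }' "$1"
    fi | sed 's/:.*//' | sort -u
}

# Report every zone used in policy or rules that no interfaces line defines.
# Returns 0 when all referenced zones are defined, 1 otherwise.
check_zones() {   # $1 = interfaces file, $2 = policy file, $3 = rules file
    defined=$(defined_zones "$1")
    status=0
    for z in $(referenced_zones "$2" policy) $(referenced_zones "$3" rules); do
        case "$z" in
            fw|all|'$FW') continue ;;    # built-in names, never listed in interfaces
        esac
        if ! printf '%s\n' "$defined" | grep -qx -- "$z"; then
            echo "zone '$z' is used in policy/rules but not defined in interfaces" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the usual file locations (paths are an assumption).
check_zones /etc/shorewall/interfaces /etc/shorewall/policy /etc/shorewall/rules \
    && echo "all referenced zones are defined"
```

Run against the original post's files it reports that `net` is never defined; against tkedwards' version it stays quiet.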
 
  

