Shorewall Configuration

My objectives for Shorewall were as follows

  1. Move my Owncloud server onto a dmz subnet that is still behind a router
  2. Provide a second subnet on that router for desktop machines
  3. Permit access to Owncloud from the local subnet, from my home lan (behind the AT&T gateway) and from the internet
  4. Secure the router from access by the dmz subnet or the internet
  5. Provide ssh access to the router from the local subnet.

Shorewall uses multiple configuration files to implement those objectives.

Zones
First is the /etc/shorewall/zones file, which in this case defines the firewall in terms of 4 zones. The first zone is the firewall itself and the remaining three define zones for each of the three network interfaces. “net” is the internet zone, dmz is the subnet with the Apache-based Owncloud server and loc is the local network where normal desktop machines reside.

Here is the zones file for this system:

# For information about entries in this file, type "man shorewall-zones"
###############################################################################
fw firewall
net ipv4
dmz ipv4
loc ipv4


Interfaces

The next file is the interfaces file which defines the zones in terms of the ethernet cards to which they are attached.

Here is the interfaces file:

# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
dmz eth1 detect tcpflags,nosmurfs,routefilter,logmartians
loc eth2 detect tcpflags,nosmurfs,routefilter,logmartians

Note: the fw zone is not associated with any interface and therefore does not appear.

Masquerade
The next file is the masq file. It is used to define how the firewall will translate local (loc and dmz) addresses for communications to and from the internet. When one of the local systems, say with local address 192.168.ww.xx, sends a connection request to an Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet to be the address of the firewall’s external interface; in other words, the firewall makes it look as if the firewall itself is initiating the connection. This is necessary so that the internet destination host will be able to route return packets back to the firewall. When the firewall receives a return packet, it rewrites the destination address back to 192.168.ww.xx and forwards the packet on to the appropriate local computer.

On Linux systems, the above process is often referred to as IP Masquerading and you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with Netfilter:

Masquerade describes the case where you let your firewall system automatically detect the external interface address.

SNAT refers to the case when you explicitly specify the source address that you want outbound packets from your local network to use.

In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file.

Here’s the /etc/shorewall/masq file

# For information about entries in this file, type "man shorewall-masq"
###############################################################################
eth0 192.168.ww.0/24
eth0 192.168.yy.0/24

Note: in this case we are explicitly defining the subnets associated with the ethernet cards used for the DMZ and the local subnets. Also, the values ww and yy are to be chosen and explicitly entered by you. They should not be the same, and you also need to make sure that 192.168.ww and 192.168.yy are both different from the subnet of your upstream router, in my case the AT&T Gateway.

Policies

Next up is the /etc/shorewall/policy file. This file defines the default connection policies between the zones defined above, which apply whenever no specific rule matches.
It looks like this:

# For information about entries in this file, type "man shorewall-policy"
###############################################################################
# Drop connections coming from the internet unless otherwise allowed by a specific
# rule
net all DROP
# Uncomment the following line if you want to support connections from the dmz
# to the internet
# Note: without a specific rule this means no browsing from the dmz and even
# prohibits Linux updates
#dmz net ACCEPT
# Allows browsing the internet from the local subnet
loc net ACCEPT
fw net ACCEPT
all all REJECT

Rules
The /etc/shorewall/rules file supplies rules defining how hosts on one “interface” are permitted to communicate with hosts on another interface. Here is my rules file:

#ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) ORIGINAL-DEST
# allow access to owncloud server from the internet.
# Note: I bought myself a domain name and then set up domain name services to
# permit this.
DNAT net dmz:192.168.0.7 tcp http
DNAT net dmz:192.168.0.7:4430 tcp 4430
# allow webmin access from loc
ACCEPT loc fw tcp 10000
# allow DNS and DHCP on loc and dmz
DNS(ACCEPT) dmz fw
DNS(ACCEPT) loc fw
DHCPfwd(ACCEPT) dmz fw
DHCPfwd(ACCEPT) loc fw
#accept ssh from loc but not from dmz
SSH(ACCEPT) loc fw
# remove the "#" from the following to permit hosts on the dmz subnet to ssh
# into the firewall.
# I do not allow this because I see it as a security risk,
#SSH(ACCEPT) dmz fw
# allow systems in loc access to the owncloud server in the dmz
ACCEPT loc dmz:192.168.0.7 tcp 80 -
ACCEPT loc dmz:192.168.0.7 tcp 4430 -
# the following allow servers in the dmz to access US Ubuntu mirrors for
# software updates
ACCEPT dmz net:91.189.91.15 tcp 80
ACCEPT dmz net:91.189.91.14 tcp 80
ACCEPT dmz net:91.189.91.13 tcp 80
# I found the server name in the /etc/apt/sources.list file and then used
# nslookup to get the ip addresses.
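
As an added check that is not part of the original post, the following Python script walks a connection through the rules file above and, when nothing matches, through the policy file, in the order Shorewall applies them; this lets you confirm on paper that the rule set expresses the objectives listed at the top (for instance that only loc can ssh to the firewall) before you start the firewall. It assumes the SSH and DNS macros expand to their usual ports, which is a simplification of Shorewall's real macro files.

```python
# Added example, not from the original post: walks a connection through the
# rules shown above and, if none matches, the policy file, in Shorewall's order.
# Assumption: macros expanded to their usual ports (real ones: Shorewall's macro.* files).
MACROS = {"SSH": [("tcp", "22")], "DNS": [("udp", "53"), ("tcp", "53")]}
PORT_NAMES = {"http": "80"}
# Policy file from this page, in order: (source zone, dest zone, policy).
POLICY = [("net", "all", "DROP"), ("loc", "net", "ACCEPT"),
          ("fw", "net", "ACCEPT"), ("all", "all", "REJECT")]
# Rules file from this page (comments, DHCP and two of the three mirrors dropped).
RULES_TEXT = """
DNAT net dmz:192.168.0.7 tcp http
DNAT net dmz:192.168.0.7:4430 tcp 4430
ACCEPT loc fw tcp 10000
DNS(ACCEPT) dmz fw
DNS(ACCEPT) loc fw
SSH(ACCEPT) loc fw
ACCEPT loc dmz:192.168.0.7 tcp 80 -
ACCEPT loc dmz:192.168.0.7 tcp 4430 -
ACCEPT dmz net:91.189.91.15 tcp 80
"""

def parse_rules(text):
    """Return (action, src, dst, proto, port) tuples; a macro yields several."""
    rules = []
    for f in (line.split() for line in text.splitlines()):
        if not f or f[0].startswith("#"):
            continue
        if "(" in f[0]:                        # macro form such as SSH(ACCEPT)
            macro, inner = f[0].rstrip(")").split("(")
            rules += [(inner, f[1], f[2], p, port) for p, port in MACROS[macro]]
        else:
            rules.append((f[0], f[1], f[2], f[3], PORT_NAMES.get(f[4], f[4])))
    return rules

def _dest_matches(spec, zone, host):
    """'dmz' matches the whole zone; 'dmz:IP' or 'dmz:IP:port' only that host."""
    z, _, rest = spec.partition(":")
    return z == zone and (not rest or rest.split(":")[0] == host)

def disposition(rules, szone, dzone, dhost, proto, port):
    """First matching rule wins; otherwise the first matching policy entry."""
    for action, src, dst, rproto, rport in rules:
        if src == szone and (rproto, rport) == (proto, port) and _dest_matches(dst, dzone, dhost):
            return action
    for psrc, pdst, action in POLICY:
        if psrc in (szone, "all") and pdst in (dzone, "all"):
            return action

RULES = parse_rules(RULES_TEXT)   # objective 5: only loc may ssh to the firewall
print([disposition(RULES, z, "fw", "", "tcp", "22") for z in ("loc", "dmz", "net")])
```

Shorewall's own `shorewall check` command only validates the syntax of the files; this walk-through answers the separate question of what the rules actually permit.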

Shorewall.conf
The final file that needs to be configured is the largest: /etc/shorewall/shorewall.conf. The only line that must be changed is STARTUP_ENABLED, which needs to be changed from “No” to “Yes”. Here it is:

###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes

###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
IP=
TC=
IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=ko
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=Yes
AUTOMAKE=No
WIDE_TC_MARKS=No
TRACK_PROVIDERS=No
ZONE2ZONE=2
ACCOUNTING=Yes
DYNAMIC_BLACKLIST=Yes
OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

Starting Shorewall
At this point you are almost ready to start Shorewall. All that remains to be done is enable it in the system. To do that:

nano -w /etc/default/shorewall

Now simply change
startup=0
to
startup=1

Then start Shorewall with:

/etc/init.d/shorewall start

Several outcomes are possible at that point.

Worst Case Failure: You lose SSH access when Shorewall Starts

If this happens, you’ll need to power off your pogoplug/dockstar and remove the usb flash drive containing Debian. Then insert the drive in another system and review your configuration. You should probably check the filesystem before continuing. To do that you will need to know the device letter assigned to that drive. One way to do that in Linux is to open a terminal and run:

sudo lshw -c disk -c storage

This should list the vendor, the size and the logical name for each storage device on your system. You should be able to find the logical name for the device that has the size and perhaps the vendor for your usb flash. The logical name of that device is what you’ll need to check for errors on your usb drive. Assuming the device you found is /dev/sdx, first make sure it’s unmounted:

sudo umount /dev/sdx

Then check the root partition (usually sdx1) on your drive, using:

sudo fsck -a /dev/sdx1

Once that’s finished, mount the partition you just fixed:

sudo mount /dev/sdx1 /mnt

At that point you can either examine and fix the configuration files in /mnt/etc/shorewall,

or you can run

sudo gedit /mnt/etc/default/shorewall

and change startup=1 to startup=0 so that Shorewall is disabled and you can fix it on your pogoplug after you reboot.

In either case:

sudo umount /dev/sdx1

remove the usb drive from your desktop and insert it back into the pogoplug and power it on.

Second Possibility: Shorewall Fails to Start

You have an error in one of your configuration files. If the console message doesn’t point you to the problem, check the last few lines of the /var/log/shorewall-init.log. Once you find and fix the problem try to start shorewall again and repeat the troubleshooting process as needed.

Third possibility: Shorewall starts and all seems well.
At that point you need to test your rules to make sure they are working. Make sure that the systems have the access that they are supposed to have and that you cannot access the things that are supposed to be protected by your firewall.
