Pogoplug Shorewall based firewall/router—draft–in progress
Modified for pogoplug from Debian wiki: HowToshorewall
Linux uses iptables to provide its firewall facilities. For more information on iptables, see
Iptables is the core of all of our pogoplug firewall and routing functionality. Iptables is installed by default as part of the minimal Debian installation, so there’s no further installation needed.
Iptables is powerful, but it requires configuration. It can be configured by hand, but there are a number of front-ends that make the task less formidable. This post uses one of them, Shorewall. Debian has a package for Shorewall, so there is no need to download and install it by hand. To start, use apt-get to install the shorewall package:
debian:~# apt-get update
debian:~# apt-get install shorewall
At this point apt may tell you it has to install a couple of extra supporting packages along with shorewall. This is normal; accept the prompt and let it install everything. Don’t worry about the “suggested” packages, we won’t need those.
Before we move on, let’s clear up a couple of common misconceptions: Shorewall is not a firewall, and it is not even a daemon. The common notion of a program (or daemon) is an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is a large set of scripts that run once and then exit. Shorewall itself does not perform any filtering; it translates your configuration into iptables rules, loads them into the kernel, and quits. The kernel’s netfilter code then does the actual work.
Now on to configuration. You probably noticed a warning message at the end of the Shorewall installation telling you the program will not start unless you change the /etc/default/shorewall file. That’s good, we definitely don’t want Shorewall to start automatically until we are sure it works. Otherwise we could end up locked out of our pogoplug, so we’ll wait until we have tested it before configuring it to start automatically.
Shorewall files are stored in two separate places: /etc/shorewall stores all the program configuration files, /usr/share/shorewall stores supporting files and action files.
On the Debian package version of shorewall, /etc/shorewall is rather empty upon installation. Luckily, we’re provided with default configuration files in /usr/share/doc/shorewall/default-config if you choose to use them. However, for this HowTo we are going to create them from scratch instead of copying those files over.
Organizing your Network with Zones
Shorewall uses zones to define the different portions of our network. Our simple example has three network zones: the Internet (net), a DMZ (dmz), and the local network (loc), plus a zone for the firewall itself. Shorewall can easily be extended to support more zones, such as a VPN zone. Zones are defined in /etc/shorewall/zones:
debian:~# nano -w /etc/shorewall/zones
All we have to do here is name our zones and specify their types (the type is the IP version, apart from the firewall zone):
The first one is a special zone that represents the firewall machine itself (named “fw” by default), and so uses “firewall” as its type. The other three zones are ipv4 zones, one for each of our three network interfaces: one for the Net, one for our DMZ, and one for our local network. That’s it, save and exit.
Associating Zones with Interfaces
Next, we have to add our physical interfaces. This is done via /etc/shorewall/interfaces:
debian:~# nano -w /etc/shorewall/interfaces
Now we have to associate each zone with its Ethernet interface. In this example, eth0 carries our “net” zone, eth1 our “dmz” zone, and eth2 our “loc” zone. The “detect” entry lets Shorewall detect the interface’s broadcast address, and the dhcp option makes sure DHCP traffic on the interface is never blocked (needed when the interface gets its address via DHCP, or when the firewall serves DHCP on it).
net eth0 detect dhcp,routefilter,tcpflags
dmz eth1 detect dhcp
loc eth2 detect dhcp
Notice the extra options on the “net” interface: routefilter turns on the kernel’s reverse-path (anti-spoofing) check for that interface, and tcpflags drops packets with illegal TCP flag combinations. These filter out some of the invalid packets and garbage we see on the Internet. Interface configuration is done, so save and close the file.
Creating Default Policies
Now comes the all-important firewall policy. The policy sets the baseline for how traffic between each pair of zones is treated when no specific rule matches it. This is not for fine-grained control, we’ll get to that later.
debian:~# nano -w /etc/shorewall/policy
Here are the default policies we are going to use for our example. Each entry has three columns: source zone, destination zone, and policy (the action). Shorewall uses the first entry that matches a zone pair, so order matters.
net all DROP
dmz all REJECT
loc all REJECT
fw all ACCEPT
all all REJECT
The first line says we drop all traffic from the Internet. We don’t trust traffic from the Internet, so this should make sense: when Internet traffic doesn’t match any specific rule (see below), we want it DROPPED. Now, what’s the difference between REJECT and DROP? REJECT tells the sender that the traffic is not allowed (with an ICMP error, or a TCP reset for TCP connections). DROP simply throws the packet in the bit bucket and doesn’t tell the sender anything. That makes it a little harder for an attacker to map out how your firewall is configured, and it keeps the firewall from sending replies to traffic with spoofed source addresses.
The second and third lines say we REJECT all traffic coming from our DMZ and our local network, no matter where it is headed. This might sound funny, as most people trust their local traffic; in fact, most individuals and companies would configure this with an ACCEPT action. But I am a firm believer that if you are going to learn how to secure your network, don’t only do it half way. And remember, many attacks start from a host that is already inside your network. Keep in mind, though, that if you do not add rules later on for every protocol you want your workstations to use, their traffic will be rejected. For example, if you want your users to surf the web, you are going to have to create rules allowing them to use HTTP, HTTPS, and DNS.
The fourth entry is for the firewall machine itself, which is named “fw” by default. It says all traffic generated by the firewall is allowed. You can leave this out and instead write stricter rules (in the rules file) that allow only specific traffic, but if you add neither a policy nor rules for fw, the system cannot use the network at all; apt, for example, will stop working. The rest of this tutorial assumes this entry is present.
And finally, any zone pair not matched above is rejected. This should always be the last entry, in case you forgot a zone.
Creating Rules (where you will spend most of your time in the future!)
So, we are going to DROP or REJECT everything except traffic originating from the firewall itself, which means we need to create some exceptions specifying what we do want to allow. These are called rules, and they are configured in the /etc/shorewall/rules file. Rules are evaluated before the policy, so a rule is how a connection that the policy would refuse gets through.
Lets add the following rules:
ACCEPT loc net tcp 80,443
ACCEPT loc fw udp 53
ACCEPT all dmz tcp 80
Line one says we accept HTTP (80) and HTTPS (443) traffic from our local network to the Internet. Line two lets local machines do DNS lookups against the firewall (assuming you run a DNS server there; if it returns large responses you also need TCP port 53). Line three lets everyone, both Internet users and local users, connect to the web server in our DMZ. Note that nothing here allows SSH from the local network to the firewall: if you administer the pogoplug over SSH, add a rule accepting TCP port 22 from loc to fw before you start Shorewall, or the loc REJECT policy will cut off your session.
Notice that this configuration only allows the servers in your DMZ to serve web pages. They can’t do anything else, not even surf the web. While this is a much more secure setting, you may need to add a rule so they can download updates. If so, I would recommend limiting it to a specific IP address if possible; mirror addresses change over time, so expect to maintain that entry. Add the following line if you want your servers to be able to download updates from ftp.debian.org:
ACCEPT dmz net:18.104.22.168 tcp 80
Remember, the more we restrict the traffic through our firewall, the safer we are. Take a look at the default rules file in the documentation directory for more examples:
debian:~# less /usr/share/doc/shorewall/default-config/rules
PAT and NAT
Our system uses PAT (port address translation), which is the default on most small home and SOHO firewall devices. PAT lets our router translate between the single external IP address on eth0 and all our internal addresses on eth1 and eth2, using the port numbers to tell the connections apart. It is commonly just called NAT (Network Address Translation); strictly speaking it is one form of NAT, also known as NAPT or masquerading. Translation is not required to operate a firewall: if your internal zones use publicly routable addresses, you can route them directly instead. In Shorewall, PAT is configured in /etc/shorewall/masq:
debian:~# nano -w /etc/shorewall/masq
We have to tell shorewall that all traffic coming from the inside interfaces (eth1 and eth2) is to be translated as it goes out through eth0. We do this simply by listing the interface pairs, one line per internal interface:
As always, there are more advanced possibilities here than what we’re using, so read the documentation. Also, don’t be fooled by /etc/shorewall/nat. That file is for one-to-one Network Address Translation, which maps an internal IP address directly to an external one, rather than sharing a single external address and translating the ports. (Newer Shorewall releases, 5.0 and later, replace the masq file with /etc/shorewall/snat.) Wikipedia is a good starting point if you want to learn more.
Turning on Forwarding
Finally we get to the last necessary file, /etc/shorewall/shorewall.conf. This file manages global shorewall options, and you should read it through completely.
debian:~# nano -w /etc/shorewall/shorewall.conf
We need to find the section of the file that talks about “IP_FORWARDING” and change it from “Off” to “On”. If you don’t, the kernel will not forward packets from one interface to the other.
Read through the whole file and customize it as you wish. When you’re done, save your work. That should complete the basic firewall configuration.
Checking Your Configs and Starting Shorewall
Run “shorewall check” to see if you’ve made any typos. It won’t catch all possible errors (it compiles the configuration but does not load it), but it helps:
debian:~# shorewall check
If you get “Configuration Validated” you can go ahead and start Shorewall:
debian:~# /etc/init.d/shorewall start
Once startup is enabled in /etc/default/shorewall (next step), Shorewall runs automatically every time the system boots, so you won’t have to start it by hand. If you change your settings later and want to apply them without rebooting, just use “restart” instead of “start” in the above command. If you are working over SSH rather than on a local console, make sure you have a way to recover before starting, because a mistake in the policy or rules can cut off your session.
Assuming we still have root access after starting shorewall, we can set it to run on startup.
debian:~# nano -w /etc/default/shorewall
Now simply change the line
startup=0
to
startup=1
then save and exit. (The file is sourced as a shell script, so there must be no spaces around the equals sign.)
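To pull the pieces together, here is an added example; it is not part of the original HowTo or of Shorewall itself. The script writes the five files discussed above (zones, interfaces, policy, rules, masq) into a directory and then answers “what would happen to this connection?” in the same order Shorewall applies: the rules file first, then the first matching policy entry. The zones and masq listings are not in the draft above, so their contents here follow what the surrounding text describes; the tcp/22 rule from loc to fw is my addition so an SSH session from the local network survives the start; the Shorewall 4.x file layout (masq rather than the 5.x snat file) is assumed, and the mirror address is the one the text uses.

```shell
#!/bin/sh
# Added example, not part of the original HowTo or of Shorewall itself.
# 1. write_shorewall_config DIR  writes the five files described in the text
#    (zones and masq are reconstructed from the prose; the tcp/22 loc->fw
#    rule is an addition so an SSH admin session is not cut off).
# 2. decide SRC DST PROTO DPORT [DST_IP]  reports how Shorewall would treat a
#    new connection: the rules file is consulted first, then the first
#    matching policy entry wins.  It models zone names, a host qualifier on
#    the destination zone (net:1.2.3.4), protocol and destination port only.
# Assumes the Shorewall 4.x layout (masq; Shorewall 5 uses snat instead).

CONF=${CONF:-$(mktemp -d)}   # set CONF=/etc/shorewall to write the real files

write_shorewall_config() {
    mkdir -p "$1"
    cat >"$1/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4
EOF
    cat >"$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,tcpflags
dmz     eth1        detect      dhcp
loc     eth2        detect      dhcp
EOF
    cat >"$1/policy" <<'EOF'
#SOURCE DEST    POLICY
net     all     DROP
dmz     all     REJECT
loc     all     REJECT
fw      all     ACCEPT
all     all     REJECT
EOF
    cat >"$1/rules" <<'EOF'
#ACTION SOURCE  DEST                PROTO   DPORT
ACCEPT  loc     net                 tcp     80,443
ACCEPT  loc     fw                  udp     53
# assumed addition: SSH administration of the firewall from the local network
ACCEPT  loc     fw                  tcp     22
ACCEPT  all     dmz                 tcp     80
ACCEPT  dmz     net:18.104.22.168   tcp     80
EOF
    cat >"$1/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        eth1
eth0        eth2
EOF
}

decide() {
    awk -v s="$1" -v d="$2" -v p="$3" -v dp="$4" -v dip="${5:-}" '
        # a zone spec may carry a host qualifier, e.g. net:18.104.22.168
        function zmatch(spec, want, ip,    i, name, host) {
            if (spec == "all") return 1
            i = index(spec, ":")
            name = i ? substr(spec, 1, i - 1) : spec
            host = i ? substr(spec, i + 1) : ""
            return name == want && (host == "" || host == ip)
        }
        function pmatch(list, want,    n, a, i) {
            if (list == "-" || list == "") return 1
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == want) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        FILENAME ~ /rules$/ {                          # rules are checked first
            if (zmatch($2, s, "") && zmatch($3, d, dip) &&
                ($4 == "all" || $4 == "-" || $4 == p) && pmatch($5, dp)) { print $1; exit }
            next
        }
        zmatch($1, s, "") && zmatch($2, d, dip) { print $3; exit }   # first policy match
    ' "$CONF/rules" "$CONF/policy"
}

write_shorewall_config "$CONF"

# Probe the configuration.  On the pogoplug, follow this with
# "shorewall check" and then "shorewall safe-start", which reverts the
# change after a timeout unless you confirm the new rules are working.
for probe in "loc net tcp 443" "loc net tcp 22" "loc fw tcp 22" "net fw tcp 22" \
             "net dmz tcp 80" "dmz net tcp 80" "dmz net tcp 80 18.104.22.168" \
             "fw net tcp 80"; do
    # $probe is deliberately unquoted so it splits into decide's arguments
    printf '%-32s -> %s\n' "$probe" "$(decide $probe)"
done
```

Run as is, the script writes to a temporary directory and prints a verdict for each probe: web browsing from loc is accepted while SSH from loc to the Internet is rejected, anything unsolicited from net to the firewall is dropped, and the DMZ can reach port 80 on the pinned mirror address but nowhere else. Set CONF=/etc/shorewall to write the real files, then run shorewall check and shorewall safe-start; safe-start reverts the change after a timeout unless you confirm it, so a rule set that cuts off your SSH session does not lock you out. The evaluator is a teaching aid for the rules-then-policy order, not a substitute for shorewall check.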