mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-21 23:23:13 +01:00
Add Xen Routed Example
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4641 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
cffebf4832
commit
bb152cf797
@ -326,7 +326,8 @@
|
||||
|
||||
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry><ulink url="XenMyWay-Routed.html">Xen - Tight Firewall in
|
||||
Routed Xen Dom0</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
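Review bot: the link text for the new index entry, "Xen - Tight Firewall in Routed Xen Dom0", does not match the title the new article gives itself in its articleinfo, "Strong Firewall in a Routed Xen Dom0"; pick one wording and use it in both places so the index entry and the rendered page agree.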
893
docs/XenMyWay-Routed.xml
Normal file
@ -0,0 +1,893 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article>
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Strong Firewall in a Routed Xen Dom0</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2006</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para>This article applies to Shorewall 3.0 and later. If you are running
|
||||
a version of Shorewall earlier than Shorewall 3.0.0 then please see the
|
||||
documentation for that release.</para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<title>Before Xen</title>
|
||||
|
||||
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
|
||||
office crowded with 5 systems, three monitors a scanner and a printer. The
|
||||
systems were:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Firewall</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Public Server in a DMZ (mail)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Private Server (wookie)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>My personal Linux Desktop (ursa)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>My work system (docked laptop running Windows XP).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>The result was a very crowded and noisy room.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>After Xen</title>
|
||||
|
||||
<para>Xen has allowed me to reduce the noise and clutter considerably. I
|
||||
now have three systems with two monitors. I've also replaced the
|
||||
individual printer and scanner with a Multifunction
|
||||
FAX/Scanner/Printer.</para>
|
||||
|
||||
<para>The systems now include:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Combination Firewall/Public Server/Private Server/Wireless
|
||||
Gateway using Xen (created by building out my Linux desktop
|
||||
system).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>My work system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>My Linux desktop (wookie, which is actually the old public
|
||||
server box)</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Most of the Linux systems run <trademark>SuSE </trademark>10.1; my
|
||||
personal Linux desktop system and our Linux Laptop run
|
||||
<trademark>Ubuntu</trademark> "Dapper Drake".</para>
|
||||
|
||||
<para>If you are unfamiliar with Xen networking, I recommend that you read
|
||||
the first section of the companion <ulink url="Xen.html">Xen and
|
||||
Shorewall</ulink> article.</para>
|
||||
|
||||
<para>Here is a high-level diagram of our network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen5.png" />
|
||||
|
||||
<para>As shown in this diagram, the Xen system has three physical network
|
||||
interfaces. These are:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><filename class="devicefile">eth0</filename> -- connected to our
|
||||
DSL "Modem".</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename class="devicefile">eth1</filename> -- connected to the
|
||||
switch in my office. That switch is cabled to a second switch in my
|
||||
wife's office where my wife has her desktop and networked printer (I
|
||||
sure wish that there had been wireless back when I strung that CAT-5
|
||||
cable halfway across the house).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename class="devicefile">eth2</filename> -- connected to a
|
||||
Wireless Access Point (WAP) that interfaces to our wireless
|
||||
network.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>There are Two Xen domains.</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Dom0 (DNS name gateway.shorewall.net) is used as our main
|
||||
firewall and wireless gateway as well as a local file server.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The DomU (Dom name <emphasis role="bold">lists</emphasis>, DNS
|
||||
name lists.shorewall.net) is used as a public Web/FTP/Mail/DNS
|
||||
server.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Shorewall runs in Dom0.</para>
|
||||
|
||||
<caution>
|
||||
<para>As the developer of Shorewall, I have enough experience to be very
|
||||
comfortable with Linux networking and Shorewall/iptables. I arrived at
|
||||
this configuration after a fair amount of trial and error
|
||||
experimentation (see <ulink url="Xen.html">Xen and Shorewall</ulink> and
|
||||
<ulink url="XenMyWay.html">Xen and the art of Consolidation</ulink>). If
|
||||
you are a Linux networking novice, I recommend that you do not attempt a
|
||||
configuration like this one for your first Shorewall installation. You
|
||||
are very likely to frustrate both yourself and the Shorewall support
|
||||
team. Rather I suggest that you start with something simple like a
|
||||
<ulink url="standalone.htm">standalone installation</ulink> in a domU;
|
||||
once you are comfortable with that then you will be ready to try
|
||||
something more substantial.</para>
|
||||
|
||||
<para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
|
||||
but it doesn't make understanding fundamental networking principles,
|
||||
traffic shaping, or multi-ISP routing any easier</emphasis>.</para>
|
||||
|
||||
<para>The same goes for Xen networking.</para>
|
||||
</caution>
|
||||
|
||||
<section id="Domains">
|
||||
<title>Domain Configuration</title>
|
||||
|
||||
<para>Below are the relevant configuration files for the three domains.
|
||||
I use partitions on my hard drives for DomU storage devices.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/boot/grub/menu.lst</filename> — here is the entry
|
||||
that boots Xen in Dom0.</para>
|
||||
|
||||
<programlisting>title XEN
|
||||
root (hd0,1)
|
||||
kernel /boot/xen.gz dom0_mem=458752 sched=bvt
|
||||
module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts
|
||||
module /boot/initrd-xen</programlisting>
|
||||
|
||||
<para><filename>/etc/modprobe.conf.local</filename></para>
|
||||
|
||||
<programlisting>options netloop nloopbacks=1 #Stop netloop from creating 8 vifs</programlisting>
|
||||
|
||||
<para><filename>/etc/xen/auto/02-lists</filename> — configuration file
|
||||
for the lists domain</para>
|
||||
|
||||
<programlisting># -*- mode: python; -*-
|
||||
|
||||
# configuration name:
|
||||
name = "lists"
|
||||
|
||||
# usable ram:
|
||||
memory = 512
|
||||
|
||||
# kernel and initrd:
|
||||
kernel = "/xen2/vmlinuz-xen"
|
||||
ramdisk = "/xen2/initrd-xen"
|
||||
|
||||
# boot device:
|
||||
root = "/dev/hda3"
|
||||
|
||||
# boot to run level:
|
||||
extra = "3"
|
||||
|
||||
# network interface:
|
||||
vif = [ 'mac=aa:cc:00:00:00:01, ip=206.124.146.177, vifname=eth3' ]
|
||||
|
||||
# storage devices:
|
||||
disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>With both Xen domains up and running, the system looks as shown in
|
||||
the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen4a.png" />
|
||||
|
||||
<para>The zones correspond to the Shorewall zones in the firewall Dom0
|
||||
configuration.</para>
|
||||
|
||||
<caution>
|
||||
<para>Under some circumstances, UDP and/or TCP communication from a
|
||||
domU won't work for no obvious reason. That happened with the
|
||||
<emphasis role="bold">lists</emphasis> domain in my setup. Looking at
|
||||
the IP traffic with <command>tcpdump -nvvi eth1</command> in the
|
||||
<emphasis role="bold">firewall</emphasis> domU showed that UDP packets
|
||||
from the <emphasis role="bold">lists</emphasis> domU had incorrect
|
||||
checksums. That problem was corrected by arranging for the following
|
||||
command to be executed in the <emphasis role="bold">lists</emphasis>
|
||||
domain when its <filename class="devicefile">eth0</filename> device
|
||||
was brought up:</para>
|
||||
|
||||
<para><command>ethtool -K eth0 tx off</command></para>
|
||||
|
||||
<para>Under SuSE 10.1, I placed the following in
|
||||
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
|
||||
is executable):</para>
|
||||
|
||||
<programlisting>#!/bin/sh
|
||||
|
||||
if [ $2 = eth0 ]; then
|
||||
ethtool -K eth0 tx off
|
||||
echo "TX Checksum reset on eth0"
|
||||
fi</programlisting>
|
||||
|
||||
<para>Under other distributions, the technique will vary. For example,
|
||||
under <trademark>Debian</trademark> or <trademark>Ubuntu</trademark>,
|
||||
you can just add a 'post-up' entry to
|
||||
<filename>/etc/network/interfaces</filename> as shown here:</para>
|
||||
|
||||
<programlisting> iface eth0 inet static
|
||||
address 206.124.146.177
|
||||
netmask 255.255.255.0
|
||||
post-up ethtool -K eth0 tx off</programlisting>
|
||||
</caution>
|
||||
</section>
|
||||
|
||||
<section id="Firewall">
|
||||
<title>Firewall Dom0 Configuration</title>
|
||||
|
||||
<para>In the firewall Dom0, I run a conventional three-interface
|
||||
firewall with Proxy ARP DMZ -- it is very similar to the firewall
|
||||
described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide</ulink> with the exception that I've added a fourth interface for
|
||||
our wireless network. The firewall runs a routed <ulink
|
||||
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
|
||||
for our two laptops and a bridged OpenVPN server for the wireless
|
||||
network in our home. Here is the firewall's view of the network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/network4a.png" />
|
||||
|
||||
<para>The two laptops can be directly attached to the LAN as shown above
|
||||
or they can be attached wirelessly -- their IP addresses are the same in
|
||||
either case; when they are directly attached, the IP address is assigned
|
||||
by the DHCP server running in Dom0 and when they are attached
|
||||
wirelessly, the IP address is assigned by OpenVPN.</para>
|
||||
|
||||
<para>The Shorewall configuration files are shown below. All routing and
|
||||
secondary IP addresses are handled in the SUSE network
|
||||
configuration.</para>
|
||||
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/shorewall.conf</para>
|
||||
|
||||
<programlisting>STARTUP_ENABLED=Yes
|
||||
VERBOSITY=0
|
||||
LOGFILE=/var/log/firewall
|
||||
LOGFORMAT="FW:%s:%s:"
|
||||
LOGTAGONLY=No
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
LOGALLNEW=
|
||||
BLACKLIST_LOGLEVEL=
|
||||
MACLIST_LOG_LEVEL=$LOG
|
||||
TCP_FLAGS_LOG_LEVEL=$LOG
|
||||
RFC1918_LOG_LEVEL=$LOG
|
||||
SMURF_LOG_LEVEL=$LOG
|
||||
LOG_MARTIANS=No
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
SHOREWALL_SHELL=/bin/ash
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall-lite
|
||||
MODULESDIR=
|
||||
CONFIG_PATH=/usr/share/shorewall-lite:/usr/share/shorewall/configfiles:/usr/share/shorewall
|
||||
RESTOREFILE=restore
|
||||
IPSECFILE=zones
|
||||
IP_FORWARDING=On
|
||||
ADD_IP_ALIASES=No
|
||||
ADD_SNAT_ALIASES=No
|
||||
RETAIN_ALIASES=No
|
||||
TC_ENABLED=Internal
|
||||
TC_EXPERT=No
|
||||
CLEAR_TC=Yes
|
||||
MARK_IN_FORWARD_CHAIN=Yes
|
||||
CLAMPMSS=Yes
|
||||
ROUTE_FILTER=No
|
||||
DETECT_DNAT_IPADDRS=Yes
|
||||
MUTEX_TIMEOUT=60
|
||||
ADMINISABSENTMINDED=Yes
|
||||
BLACKLISTNEWONLY=Yes
|
||||
DELAYBLACKLISTLOAD=Yes
|
||||
MODULE_SUFFIX=
|
||||
DISABLE_IPV6=Yes
|
||||
BRIDGING=No
|
||||
DYNAMIC_ZONES=No
|
||||
PKTTYPE=No
|
||||
RFC1918_STRICT=Yes
|
||||
MACLIST_TTL=60
|
||||
SAVE_IPSETS=No
|
||||
MAPOLDACTIONS=No
|
||||
FASTACCEPT=Yes
|
||||
HIGH_ROUTE_MARKS=Yes
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
MACLIST_TABLE=mangle
|
||||
MACLIST_DISPOSITION=DROP
|
||||
TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
dmz ipv4 #DMZ
|
||||
vpn ipv4 #Open VPN clients
|
||||
wifi ipv4 #Local Wireless Zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
$FW $FW ACCEPT
|
||||
$FW net ACCEPT
|
||||
loc net ACCEPT
|
||||
$FW vpn ACCEPT
|
||||
vpn net ACCEPT
|
||||
vpn loc ACCEPT
|
||||
loc vpn ACCEPT
|
||||
$FW loc ACCEPT
|
||||
loc $FW ACCEPT
|
||||
wifi all REJECT $LOG
|
||||
net $FW DROP $LOG 1/sec:2
|
||||
net loc DROP $LOG 2/sec:4
|
||||
net dmz DROP $LOG 8/sec:30
|
||||
net vpn DROP $LOG
|
||||
all all REJECT $LOG
|
||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
|
||||
|
||||
<programlisting>MIRRORS=<comma-separated list of Shorewall mirrors>
|
||||
|
||||
NTPSERVERS=<comma-separated list of NTP servers I sync with>
|
||||
|
||||
POPSERVERS=<comma-separated list of server IP addresses>
|
||||
|
||||
LOG=info
|
||||
|
||||
INT_IF=br0
|
||||
DMZ_IF=eth3
|
||||
EXT_IF=eth0
|
||||
WIFI_IF=eth2
|
||||
|
||||
OMAK=<IP address at our second home>
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
<programlisting>echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
|
||||
dmz $DMZ_IF 192.168.0.255 logmartians
|
||||
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
|
||||
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
|
||||
vpn tun+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
|
||||
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||
the <filename>following proxyarp</filename> file that allows me to
|
||||
access the DSL "Modem" using it's default IP address
|
||||
(192.168.1.1))</filename>. The leading "+" is required to place the
|
||||
rule before the SNAT rules generated by entries in
|
||||
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
$EXT_IF 192.168.0.0/22 206.124.146.179
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
192.168.1.1 $EXT_IF $INT_IF yes
|
||||
206.124.146.177 $DMZ_IF $EXT_IF yes
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||
# ZONE
|
||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION
|
||||
Mirrors # Accept traffic from Shorewall Mirrors
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT $MIRRORS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>SECTION NEW
|
||||
###############################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
###############################################################################################################################################################################
|
||||
REJECT:$LOG loc net tcp 25
|
||||
REJECT:$LOG loc net udp 1025:1031
|
||||
#
|
||||
# Stop NETBIOS crap
|
||||
#
|
||||
REJECT loc net tcp 137,445
|
||||
REJECT loc net udp 137:139
|
||||
#
|
||||
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||||
#
|
||||
DROP loc:!192.168.0.0/22 net
|
||||
###############################################################################################################################################################################
|
||||
# Local Network to Firewall
|
||||
#
|
||||
REDIRECT- loc 3128 tcp 80 - !192.168.1.1,192.168.0.7,206.124.146.177,155.98.64.80
|
||||
###############################################################################################################################################################################
|
||||
# Road Warriors to Firewall
|
||||
#
|
||||
ACCEPT vpn fw tcp ssh,time,631,8080
|
||||
ACCEPT vpn fw udp 161,ntp,631
|
||||
Ping/ACCEPT vpn fw
|
||||
###############################################################################################################################################################################
|
||||
# Road Warriors to DMZ
|
||||
#
|
||||
ACCEPT vpn dmz udp domain
|
||||
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
|
||||
Ping/ACCEPT vpn dmz
|
||||
###############################################################################################################################################################################
|
||||
# Local network to DMZ
|
||||
#
|
||||
ACCEPT loc dmz udp domain
|
||||
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
||||
ACCEPT loc dmz tcp smtp
|
||||
Trcrt/ACCEPT loc dmz
|
||||
###############################################################################################################################################################################
|
||||
# Internet to ALL -- drop NewNotSyn packets
|
||||
#
|
||||
dropNotSyn net fw tcp
|
||||
#dropNotSyn net loc tcp
|
||||
dropNotSyn net dmz tcp
|
||||
###############################################################################################################################################################################
|
||||
# Internet to DMZ
|
||||
#
|
||||
ACCEPT net dmz udp domain
|
||||
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
|
||||
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
|
||||
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
|
||||
ACCEPT net dmz udp 33434:33454
|
||||
Mirrors net dmz tcp rsync
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
net dmz tcp 22
|
||||
Trcrt/ACCEPT net dmz
|
||||
##############################################################################################################################################################################
|
||||
#
|
||||
# Net to Local
|
||||
#
|
||||
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
|
||||
#
|
||||
DNAT net loc:192.168.1.4 tcp 1729
|
||||
DNAT net loc:192.168.1.4 gre
|
||||
#
|
||||
# Roadwarrior access to Ursa
|
||||
#
|
||||
ACCEPT net:$OMAK loc tcp 22
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
net loc tcp 22
|
||||
|
||||
#
|
||||
# ICQ
|
||||
#
|
||||
ACCEPT net loc:192.168.1.3 tcp 113,4000:4100
|
||||
#
|
||||
# Bittorrent
|
||||
#
|
||||
ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969
|
||||
ACCEPT net loc:192.168.1.3 udp 6881:6889,6969
|
||||
#
|
||||
# Real Audio
|
||||
#
|
||||
ACCEPT net loc:192.168.1.3 udp 6970:7170
|
||||
#
|
||||
# Overnet
|
||||
#
|
||||
#ACCEPT net loc:192.168.1.3 tcp 4662
|
||||
#ACCEPT net loc:192.168.1.3 udp 12112
|
||||
#
|
||||
# OpenVPN
|
||||
#
|
||||
ACCEPT net loc:192.168.1.3 udp 1194
|
||||
ACCEPT net loc:192.168.1.6 udp 1194
|
||||
# Skype
|
||||
#
|
||||
ACCEPT net loc:192.168.1.6 tcp 1194
|
||||
#
|
||||
# Traceroute
|
||||
#
|
||||
Trcrt/ACCEPT net loc:192.168.1.3
|
||||
#
|
||||
# Silently Handle common probes
|
||||
#
|
||||
REJECT net loc tcp www,ftp,https
|
||||
DROP net loc icmp 8
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Internet
|
||||
#
|
||||
ACCEPT dmz net udp domain,ntp
|
||||
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
|
||||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||
Ping/ACCEPT dmz net
|
||||
#
|
||||
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
|
||||
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
|
||||
# but logs the connection so I can keep an eye on this potential security hole.
|
||||
#
|
||||
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||
###############################################################################################################################################################################
|
||||
# Local to DMZ
|
||||
#
|
||||
ACCEPT loc dmz udp domain,xdmcp
|
||||
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
|
||||
Trcrt/ACCEPT loc dmz
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Local
|
||||
#
|
||||
ACCEPT dmz loc:192.168.1.5 udp 123
|
||||
ACCEPT dmz loc:192.168.1.5 tcp 21
|
||||
Ping/ACCEPT dmz loc
|
||||
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||
#
|
||||
#ACCEPT net loc:192.168.1.3 udp 12112
|
||||
#
|
||||
# OpenVPN
|
||||
#
|
||||
ACCEPT net loc:192.168.1.3 udp 1194
|
||||
ACCEPT net loc:192.168.1.6 udp 1194
|
||||
# Skype
|
||||
#
|
||||
ACCEPT net loc:192.168.1.6 tcp 1194
|
||||
#
|
||||
# Traceroute
|
||||
#
|
||||
Trcrt/ACCEPT net loc:192.168.1.3
|
||||
#
|
||||
# Silently Handle common probes
|
||||
#
|
||||
REJECT net loc tcp www,ftp,https
|
||||
DROP net loc icmp 8
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Internet
|
||||
#
|
||||
ACCEPT dmz net udp domain,ntp
|
||||
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
|
||||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||
Ping/ACCEPT dmz net
|
||||
#
|
||||
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
|
||||
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
|
||||
# but logs the connection so I can keep an eye on this potential security hole.
|
||||
#
|
||||
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||
###############################################################################################################################################################################
|
||||
# Local to DMZ
|
||||
#
|
||||
ACCEPT loc dmz udp domain,xdmcp
|
||||
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
|
||||
Trcrt/ACCEPT loc dmz
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Local
|
||||
#
|
||||
ACCEPT dmz loc:192.168.1.5 udp 123
|
||||
ACCEPT dmz loc:192.168.1.5 tcp 21
|
||||
Ping/ACCEPT dmz loc
|
||||
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||
#
|
||||
ACCEPT loc dmz udp domain,xdmcp
|
||||
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
|
||||
Trcrt/ACCEPT loc dmz
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Local
|
||||
#
|
||||
ACCEPT dmz loc:192.168.1.5 udp 123
|
||||
ACCEPT dmz loc:192.168.1.5 tcp 21
|
||||
Ping/ACCEPT dmz loc
|
||||
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||
#
|
||||
ACCEPT dmz fw tcp 161,ssh
|
||||
ACCEPT dmz fw udp 161,ntp
|
||||
REJECT dmz fw tcp auth
|
||||
Ping/ACCEPT dmz fw
|
||||
###############################################################################################################################################################################
|
||||
# Internet to Firewall
|
||||
#
|
||||
REJECT net fw tcp www,ftp,https
|
||||
DROP net fw icmp 8
|
||||
ACCEPT net fw udp 33434:33454
|
||||
ACCEPT net:$OMAK fw udp ntp
|
||||
ACCEPT net fw tcp auth
|
||||
ACCEPT net:$OMAK fw tcp 22
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
net fw tcp 22
|
||||
Trcrt/ACCEPT net fw
|
||||
#
|
||||
# Bittorrent
|
||||
#
|
||||
ACCEPT net fw tcp 6881:6889,6969
|
||||
ACCEPT net fw udp 6881:6889,6969
|
||||
###############################################################################################################################################################################
|
||||
# Firewall to DMZ
|
||||
#
|
||||
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465
|
||||
ACCEPT fw dmz udp domain
|
||||
REJECT fw dmz udp 137:139
|
||||
Ping/ACCEPT fw dmz
|
||||
##############################################################################################################################################################################
|
||||
# Avoid logging Freenode.net probes
|
||||
#
|
||||
DROP net:82.96.96.3 all
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename></para>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
$EXT_IF 1.3mbit 384kbit
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
$EXT_IF 10 full full 1 tcp-ack,tos-minimize-delay
|
||||
$EXT_IF 20 9*full/10 9*full/10 2 default
|
||||
$EXT_IF 30 6*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
|
||||
#over the server
|
||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||
#Shorewall Mirrors.
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The tap0 device used by the bridged OpenVPN server is bridged to
|
||||
eth0 using a SuSE-specific SysV init script:</para>
|
||||
|
||||
<blockquote>
<programlisting>#!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.0
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# bridge start Starts the bridge
# bridge restart Restarts the bridge
# bridge reload Restarts the bridge
# bridge stop Stops the bridge
# bridge status Displays bridge status
#

# chkconfig: 2345 4 99
# description: Packet filtering firewall

### BEGIN INIT INFO
# Provides: bridge
# Required-Start: boot.udev
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the bridge
### END INIT INFO

################################################################################
# Interfaces to be bridged -- may be listed by device name or by MAC
#
INTERFACES="eth1"

#
# Tap Devices
#
TAPS="tap0"

################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|reload|restart|status"
exit 1
}
#################################################################################
# Find the interface with the passed MAC address
#################################################################################
find_interface_by_mac() {
local mac=$1 first second rest dev

/sbin/ip link ls | while read first second rest; do
case $first in
*:)
dev=$second
;;
*)
if [ "$second" = $mac ]; then
echo ${dev%:}
return
fi
esac
done
}
################################################################################
# Convert MAC addresses to interface names
################################################################################
get_interfaces() {
local interfaces= interface

for interface in $INTERFACES; do
case $interface in
*:*:*)
interface=$(find_interface_by_mac $interface)
[ -n "$interface" ] || echo "WARNING: Can't find an interface with MAC address $mac"
;;
esac
interfaces="$interfaces $interface"
done

INTERFACES="$interfaces"
}
################################################################################
# Start the Bridge
################################################################################
do_start()
{
local interface

get_interfaces

for interface in $TAPS; do
/usr/sbin/openvpn --mktun --dev $interface
done

/sbin/brctl addbr br0

for interface in $INTERFACES $TAPS; do
/sbin/ip link set $interface up
/sbin/brctl addif br0 $interface
done
}
################################################################################
# Stop the Bridge
################################################################################
do_stop()
{
local interface

get_interfaces

for interface in $INTERFACES $TAPS; do
/sbin/brctl delif br0 $interface
/sbin/ip link set $interface down
done

/sbin/ip link set br0 down

/sbin/brctl delbr br0

for interface in $TAPS; do
/usr/sbin/openvpn --rmtun --dev $interface
done
}
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"

case "$command" in
start)
do_start
;;
stop)
do_stop
;;
restart|reload)
do_stop
do_start
;;
status)
/sbin/brctl show
;;
*)
usage
;;
esac
</programlisting>
</blockquote>
</section>
</section>
</article>
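Review bot: In get_interfaces, the warning `echo "WARNING: Can't find an interface with MAC address $mac"` expands `$mac`, which is only set as a local inside find_interface_by_mac, so the message always prints an empty address; by that point `interface` has already been overwritten with the empty lookup result, so the original MAC is lost too. Keep it first, for example `mac=$interface; interface=$(find_interface_by_mac $mac)`, and print `$mac` in the warning. Separately, do_start creates the bridge with `/sbin/brctl addbr br0` and brings each member interface up, but never runs `/sbin/ip link set br0 up` (do_stop does bring it down), so the bridge is left administratively down after a start; add that line after the addif loop. Finally, the header comment still describes this file as the Shorewall init script ("this file should be called /etc/init.d/shorewall", "description: Packet filtering firewall") while the INIT INFO block says `Provides: bridge`; the header should describe the bridge script so an administrator reading the installed file is not misled.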
@ -107,6 +107,11 @@
the first section of the companion <ulink url="Xen.html">Xen and
Shorewall</ulink> article.</para>

<para>This configuration uses a bridged Xen Networking configuration; if
you want to see how to accomplish a similar configuration using a Routed
Xen configuration then please see <ulink url="XenMyWay-Routed.xml">this
article</ulink>.</para>

<para>Here is a high-level diagram of our network.</para>

<graphic align="center" fileref="images/Xen5.png" />
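Review bot: The added cross-reference `<ulink url="XenMyWay-Routed.xml">this article</ulink>` points at the DocBook source file rather than the published page; the context line two lines above links the companion article as `<ulink url="Xen.html">`, and the published document for the new source would be `XenMyWay-Routed.html`. Change the url to `XenMyWay-Routed.html` so the link resolves on the website instead of serving raw XML.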