extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-16 04:33:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
cbc3ac56b1
shorewall_code/Shorewall-docs/CorpNetwork.htm
teastep cbc3ac56b1 Add Corporate Network Example 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@664 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-07-16 18:59:33 +00:00

294 lines
20 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Corporate Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Graeme Boyle">
</head>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
Internal Servers</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1>Corporate Network</h1>
<p><font size="4" color="#ff0000"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that
has a Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b></li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b></li>
<li><b>Verify you DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b></li>
<li><b>System names and Internet IP addresses have been changed
to protect the innocent.</b></li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see
here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may
or may not work in your configuration.<br>
</small></b></big><br>
</p>
<p> I have a T1 with 64 static IP addresses (63.123.106.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</p>
<p> Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN
- Internal addresses 10.10.x.x to external address 63.123.106.127.</li>
<li>Static NAT for <i>Polaris</i> (Exchange Server
#2). Internal address 10.10.1.8 and external address 63.123.106.70.</li>
<li>Static NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 63.123.106.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web
Server). Internal address 10.10.1.55 and external
address 63.123.106.84.</li>
<li>Static NAT for <i>Fortress</i> (Exchange
Server). Internal address 10.10.1.252 and external
address 63.123.106.93.</li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server).
Internal address 10.10.1.230 and external address
63.123.106.97.</li>
<li>Static NAT for <i>Intweb</i> (Intranet Web
Server). Internal address 10.10.1.60 and external
address 63.123.106.115.</li>
</ul>
<p> The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p> The Firewall is also a proxy server running Privoxy 3.0.</p>
<p> The single system in the DMZ (address 63.123.106.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</p>
<p> All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel
through SSH to Hummingbird Exceed running on a PC located in the LAN.
Access to the firewall using SSH is restricted to systems in the LAN, DMZ
or the system Kaos which is on the Internet and managed by me.</p>
<p align="center"> <img border="0"
src="images/CorpNetwork.gif" width="770" height="1000"
alt="(Corporate Network Diagram)">
</p>
<p> </p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 63.123.106.68, netmask 255.255.255.192. The server's default
gateway is 63.123.106.65, the Router connected to my network and
the ISP. This is the same default gateway used by the firewall
itself. On the firewall, Shorewall automatically
adds a host route to 63.123.106.80 through Ethernet
2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with
the old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside, these would fail and I could not understand why. Eventually,
I changed the default route on the internal system I was trying to access,
to point to the new firewall and "bingo", everything worked as expected.
This oversight delayed my deployment by a couple of days not to mention
level of frustration it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from
the /etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside
system "kaos", were showing the correct Ethernet MAC address. However,
in testing remote access, I could access the system in the DMZ only from
the firewall and LAN but not from the Internet. The message I received
was "connection denied" on all protocols. What I did not realize was that
a "helpful" administrator that had turned on an old system and assigned
the same address as the one I was using for Proxyarp without notifying
me. How did I work this out. I shutdown the system in the DMZ, rebooted
the router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP cache
and lo-and-behold a different MAC address showed up. High levels of frustration
etc., etc. The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation.</li>
<li>Draw your network topology before starting.</li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note
of these port numbers.</li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand.</li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder.</li>
<li>Read the documentation.</li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do
the same.</p>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<p> ##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 163.123.106.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>63.123.106.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>63.123.106.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>63.123.106.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>63.123.106.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>63.123.106.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>63.123.106.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>63.123.106.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:63.123.106.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script><br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
Graeme Boyle</a></small><br>
</p>
<br>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink