forked from extern/shorewall_code
Update XenMyWay
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 93bcef109a
commit 86418ae9ed
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2006-03-14</pubdate>
|
<pubdate>2006-03-19</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2006</year>
|
<year>2006</year>
|
||||||
@ -125,16 +125,14 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>There are three Xen domains. Dom0 (ursa) is used as a file server.
|
<para>There are four Xen domains. Dom0 (ursa) is used as a file server.
|
||||||
One DomU (which is usually Domain 1) is used as a firewall and the other
|
The first DomU (which is usually Domain 1) is used as a firewall; the
|
||||||
(lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
|
second DomU (lists, normally Domain 2) is used as a public
|
||||||
Because Xen 3 only supports three virtual interfaces per DomU, I also use
|
Web/FTP/Mail/DNS server while the third DomU (wireless, normally Domain 3)
|
||||||
ursa as a gateway for our wireless network rather than placing that
|
is used as a gateway to our wireless network. A seperate wireless gateway
|
||||||
function in the firewall DomU (that domain already has three interfaces).
|
is necessary because Xen 3 only supports three virtual interfaces per DomU
|
||||||
Shorewall runs in both Dom0 and in the firewall domain.</para>
|
and the firewall DomU already has three interfaces. Shorewall runs in
|
||||||
|
Dom0, in the firewall domain and in the wireless gateway..</para>
|
||||||
<para>The system has 1.5GB of RAM so I allocate 512MB to each server and
|
|
||||||
448MB to the firewall (the remaining 64MB is used by Xen).</para>
|
|
||||||
|
|
||||||
<para>Below are the relevant configuration files for the three domains.
|
<para>Below are the relevant configuration files for the three domains.
|
||||||
The "loopback.nloopbacks=..." entries are used to restrict the number of
|
The "loopback.nloopbacks=..." entries are used to restrict the number of
|
||||||
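Review bot: the context line `<para>Below are the relevant configuration files for the three domains.` is now stale: the paragraph just above it is changed to say there are four domains, and this commit adds a fourth domain configuration file below, so it should read "four domains". Two typos in the rewritten paragraph: `seperate` should be `separate`, and `in the wireless gateway..</para>` ends with a doubled period. Removing the RAM paragraph also removes the only explanation of how the 1.5GB is split; since `dom0_mem` and the gateway's `memory` both change in this commit, consider keeping a one-sentence statement of the new allocation (Dom0, firewall, lists, wireless) so the numbers in the listings can be checked against a total.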
@ -147,7 +145,7 @@
|
|||||||
|
|
||||||
<programlisting>title XEN
|
<programlisting>title XEN
|
||||||
root (hd0,1)
|
root (hd0,1)
|
||||||
kernel /boot/xen.gz dom0_mem=524288 sched=bvt
|
kernel /boot/xen.gz dom0_mem=458752 sched=bvt
|
||||||
module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts loopback.nloopbacks=1
|
module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts loopback.nloopbacks=1
|
||||||
module /boot/initrd-xen</programlisting>
|
module /boot/initrd-xen</programlisting>
|
||||||
|
|
||||||
@ -160,7 +158,7 @@
|
|||||||
name = "gateway"
|
name = "gateway"
|
||||||
|
|
||||||
# usable ram:
|
# usable ram:
|
||||||
memory = 448
|
memory = 256
|
||||||
|
|
||||||
# kernel and initrd:
|
# kernel and initrd:
|
||||||
kernel = "/boot/vmlinuz-xen"
|
kernel = "/boot/vmlinuz-xen"
|
||||||
@ -206,9 +204,38 @@ hostname = name
|
|||||||
|
|
||||||
# storage devices:
|
# storage devices:
|
||||||
disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
||||||
|
|
||||||
|
<para>/etc/xen/auto/03-gateway — configuration file for the wireless
|
||||||
|
domain.</para>
|
||||||
|
|
||||||
|
<programlisting># -*- mode: python; -*-
|
||||||
|
|
||||||
|
# configuration name:
|
||||||
|
name = "wireless"
|
||||||
|
|
||||||
|
# usable ram:
|
||||||
|
memory = 256
|
||||||
|
|
||||||
|
# kernel and initrd:
|
||||||
|
kernel = "/boot/vmlinuz-xen"
|
||||||
|
ramdisk = "/boot/initrd-xen"
|
||||||
|
|
||||||
|
# boot device:
|
||||||
|
root = "/dev/hdb4"
|
||||||
|
|
||||||
|
# boot to run level:
|
||||||
|
extra = "loopback.nloopbacks=0 3"
|
||||||
|
|
||||||
|
# network interface:
|
||||||
|
vif = [ 'mac=aa:cc:00:00:00:04, bridge=xenbr0', 'mac=00:a0:cc:d1:db:12, bridge=xenbr3' ]
|
||||||
|
dhcp = 'dhcp'
|
||||||
|
hostname = name
|
||||||
|
|
||||||
|
# storage devices:
|
||||||
|
disk = [ 'phy:hdb4,hdb4,w' ]</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>With all three Xen domains up and running, the system looks as shown
|
<para>With all four Xen domains up and running, the system looks as shown
|
||||||
in the following diagram.</para>
|
in the following diagram.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen4.png" />
|
<graphic align="center" fileref="images/Xen4.png" />
|
||||||
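Review bot: the second vif entry `'mac=00:a0:cc:d1:db:12, bridge=xenbr3'` uses a different MAC scheme from the first entry (`aa:cc:00:00:00:04`); if it is meant to carry the physical wireless NIC's own address onto the DomU, say so in a comment, otherwise use the same locally-administered scheme so the DomU's ports on the bridges are recognisable at a glance. The `# boot to run level:` comment sits above `extra = "loopback.nloopbacks=0 3"`, which also carries the loopback restriction mentioned in the prose; a comment naming both parameters would be clearer. Finally, this listing is introduced as the configuration for the wireless domain but `# configuration name:` / `name = "wireless"` is the only place the domain name appears; the `03-gateway` filename in the `<para>` above could be confused with the firewall domain, which is named `gateway` in the listing just before it, so a short remark on the file naming would help.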
@ -217,20 +244,17 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
|||||||
configuration.</para>
|
configuration.</para>
|
||||||
|
|
||||||
<para>SuSE 10.0 includes Xen 3.0 which does not support PCI delegation; I
|
<para>SuSE 10.0 includes Xen 3.0 which does not support PCI delegation; I
|
||||||
therefore use a bridged configuration with three briges (one for each
|
therefore use a bridged configuration with four bridges (one for each
|
||||||
network interface). When Shorewall starts during boot, it creates the
|
network interface). When Shorewall starts during boot, it creates the four
|
||||||
three bridges and the tap device <filename
|
bridges.</para>
|
||||||
class="devicefile">tap0</filename> and adds tap0 to <filename
|
|
||||||
class="devicefile">xenbr0</filename>. tap0 is used by <ulink
|
|
||||||
url="OPENVPN.html">OpenVPN</ulink> to secure the Wifi zone.</para>
|
|
||||||
|
|
||||||
<para>Here is <filename>/etc/shorewall/init in Dom0</filename>:</para>
|
<para>Here is <filename>/etc/shorewall/init in Dom0</filename>:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>for bridge in xenbr0 xenbr1 xenbr2; do
|
<programlisting>for bridge in xenbr0 xenbr1 xenbr2 xenbr3; do
|
||||||
if [ -z "$(/sbin/brctl show 2> /dev/null | fgrep $bridge)" ]; then
|
if [ -z "$(/sbin/brctl show 2> /dev/null | fgrep $bridge)" ]; then
|
||||||
/sbin/brctl addbr $bridge
|
/sbin/brctl addbr $bridge
|
||||||
/sbin/ip link set dev $bridge up
|
|
||||||
case $bridge in
|
case $bridge in
|
||||||
xenbr2)
|
xenbr2)
|
||||||
mac=`ip link show eth1 | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
|
mac=`ip link show eth1 | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
|
||||||
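Review bot: removing `/sbin/ip link set dev $bridge up` from directly after `brctl addbr $bridge` changes when each bridge comes up (it is now brought up only after the `case` block has attached the physical port, as the next hunk shows); that order is correct, but a one-line comment at the new location would stop a later reader from moving it back. The rewritten paragraph drops the explanation of how the Wifi zone was secured (tap0 and OpenVPN in Dom0) without saying where that function now lives; a cross-reference to the wireless DomU section added at the end of this commit would keep the narrative intact.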
@ -238,14 +262,15 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
|||||||
/sbin/ip link set dev eth1 up
|
/sbin/ip link set dev eth1 up
|
||||||
/sbin/brctl addif xenbr2 eth1
|
/sbin/brctl addif xenbr2 eth1
|
||||||
;;
|
;;
|
||||||
xenbr0)
|
xenbr3)
|
||||||
if ! qt /sbin/ip link ls dev tap0; then
|
mac=`ip link show eth2 | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
|
||||||
/usr/sbin/openvpn --mktun --dev tap0
|
[ "$mac" = "fe:ff:ff:ff:ff:ff" ] || /sbin/ip link set dev eth2 addr fe:ff:ff:ff:ff:ff
|
||||||
/sbin/ip link set dev tap0 up
|
/sbin/ip link set dev eth2 up
|
||||||
/sbin/brctl addif xenbr0 tap0
|
/sbin/brctl addif xenbr3 eth2
|
||||||
fi
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
/sbin/ip link set dev $bridge up
|
||||||
fi
|
fi
|
||||||
done</programlisting>
|
done</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
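Review bot: the new `xenbr3)` branch duplicates the `xenbr2)` branch line for line (MAC extraction with `ip link show ... | grep | sed`, forcing `fe:ff:ff:ff:ff:ff`, `link set ... up`, `brctl addif`) with only `eth1`/`eth2` changed; a small helper taking the bridge and device names would remove the duplication and the risk of the two copies drifting apart. If it is refactored, keep `ip link set dev eth2 addr ...` before `ip link set dev eth2 up`, since many drivers only accept a MAC change while the link is down. With the tap0 handling gone from Dom0, the `fgrep $bridge` existence check is now the only guard against running the block twice; it is a substring match on `brctl show` output, which is fine for these names but worth a comment.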
@ -254,11 +279,6 @@ done</programlisting>
|
|||||||
follows:</para>
|
follows:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
|
||||||
<para>Isolate the Wireless Network so that only VPN access to the
|
|
||||||
local lan is allowed.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Allow traffic to flow unrestricted through the three bridges.
|
<para>Allow traffic to flow unrestricted through the three bridges.
|
||||||
This is done by configuring the hosts connected to each bridge as a
|
This is done by configuring the hosts connected to each bridge as a
|
||||||
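Review bot: the context line `Allow traffic to flow unrestricted through the three bridges.` is now wrong: after this commit Dom0 creates four bridges and its interfaces file lists four. The deleted list item was the only place the text stated that the wireless network is isolated so that only VPN access to the local LAN is allowed; since that isolation now lives in the `all Wifi REJECT` policy and in the wireless DomU, replace the item with a sentence saying so rather than dropping the requirement from the design summary.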
@ -293,6 +313,7 @@ net ipv4
|
|||||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||||
# LEVEL
|
# LEVEL
|
||||||
Wifi all REJECT info
|
Wifi all REJECT info
|
||||||
|
all Wifi REJECT info
|
||||||
dmz all REJECT info
|
dmz all REJECT info
|
||||||
all dmz REJECT info
|
all dmz REJECT info
|
||||||
net all REJECT info
|
net all REJECT info
|
||||||
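Review bot: `all Wifi REJECT info` makes Wifi symmetric with dmz and is the right default now that MAC filtering has moved off Dom0; note that `all` includes the firewall zone itself, so Dom0 can no longer originate traffic to the wireless gateway over xenbr3 (management, NTP, DNS) unless an explicit entry is added to /etc/shorewall/rules. A short comment in the text about what Dom0 is expected to send toward the wireless DomU would make it clear whether such rules are missing or intentionally absent.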
@ -303,7 +324,7 @@ all all ACCEPT
|
|||||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
Wifi eth2 192.168.3.255 dhcp,maclist
|
Wifi xenbr3 - routeback
|
||||||
loc xenbr0 192.168.1.255 dhcp,routeback
|
loc xenbr0 192.168.1.255 dhcp,routeback
|
||||||
dmz xenbr1 - routeback
|
dmz xenbr1 - routeback
|
||||||
net xenbr2 - routeback
|
net xenbr2 - routeback
|
||||||
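Review bot: changing the Wifi entry from `eth2 192.168.3.255 dhcp,maclist` to `xenbr3 - routeback` removes MAC filtering from Dom0 entirely; wireless client MAC checks are now enforced only in the wireless DomU (its interfaces file later in this commit carries `maclist` on eth4). Dom0 therefore accepts any frame bridged in on xenbr3 and relies on the `all Wifi REJECT` policy alone. That is a reasonable division of labour, but the text should say explicitly that the DomU is the enforcement point, and that losing the `dhcp` option here assumes Dom0 no longer serves DHCP to the wireless segment.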
@ -316,23 +337,6 @@ net xenbr2 - routeback
|
|||||||
#SECTION ESTABLISHED
|
#SECTION ESTABLISHED
|
||||||
#SECTION RELATED
|
#SECTION RELATED
|
||||||
SECTION NEW
|
SECTION NEW
|
||||||
#############################################################################################################
|
|
||||||
#
|
|
||||||
# BS Address rules
|
|
||||||
#
|
|
||||||
DROP Wifi net:15.0.0.0/8
|
|
||||||
DROP Wifi net:16.0.0.0/8
|
|
||||||
#
|
|
||||||
# Insecure Wireless to local network
|
|
||||||
#
|
|
||||||
ACCEPT Wifi loc udp 500
|
|
||||||
ACCEPT Wifi loc udp 53
|
|
||||||
ACCEPT Wifi loc udp 4500
|
|
||||||
Ping/ACCEPT Wifi loc
|
|
||||||
#
|
|
||||||
# Insecure Wireless to firewall
|
|
||||||
#
|
|
||||||
ACCEPT Wifi fw udp 123
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
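Review bot: the deleted rules (the two `DROP Wifi net:15.0.0.0/8` and `16.0.0.0/8` entries, `ACCEPT Wifi loc udp 500`, `udp 53`, `udp 4500`, `Ping/ACCEPT Wifi loc` and `ACCEPT Wifi fw udp 123`) have no replacement anywhere in this commit: the wireless DomU's rules file is not shown, and its policy is only `Wifi all REJECT` followed by `all all ACCEPT`. If wireless clients still need DNS or NTP before their VPN is up, or if the IPsec and address rules are still wanted, they belong in the wireless DomU's /etc/shorewall/rules; if they are intentionally dropped, the text should say so, since the prose currently gives no hint that these services were withdrawn.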
@ -675,5 +679,236 @@ Ping/ACCEPT fw dmz
|
|||||||
DROP net:82.96.96.3 all
|
DROP net:82.96.96.3 all
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
|
<para>The Shorewall configuration in the 'wireless' DomU is similarly
|
||||||
|
simple-minded. It's sole purpose is to protect the local network from the
|
||||||
|
Wireless net.</para>
|
||||||
|
|
||||||
|
<para>We restrict wireless access to clients that have established an
|
||||||
|
<ulink url="OPENVPN.html">OpenVPN</ulink> Bridged connection. The 'tap0'
|
||||||
|
device used by OpenVPN is bridged to eth2 using this startup
|
||||||
|
script:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><filename>/etc/init.d/bridge</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#!/bin/sh
|
||||||
|
#
|
||||||
|
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.0
|
||||||
|
#
|
||||||
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
|
#
|
||||||
|
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
|
#
|
||||||
|
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||||
|
#
|
||||||
|
# Complete documentation is available at http://shorewall.net
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or modify
|
||||||
|
# it under the terms of Version 2 of the GNU General Public License
|
||||||
|
# as published by the Free Software Foundation.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program; if not, write to the Free Software
|
||||||
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
|
#
|
||||||
|
# If an error occurs while starting or restarting the firewall, the
|
||||||
|
# firewall is automatically stopped.
|
||||||
|
#
|
||||||
|
# Commands are:
|
||||||
|
#
|
||||||
|
# bridge start Starts the bridge
|
||||||
|
# bridge restart Restarts the bridge
|
||||||
|
# bridge reload Restarts the bridge
|
||||||
|
# bridge stop Stops the bridge
|
||||||
|
# bridge status Displays bridge status
|
||||||
|
#
|
||||||
|
|
||||||
|
# chkconfig: 2345 4 99
|
||||||
|
# description: Packet filtering firewall
|
||||||
|
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: bridge
|
||||||
|
# Required-Start: boot.udev
|
||||||
|
# Required-Stop:
|
||||||
|
# Default-Start: 2 3 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Description: starts and stops the bridge
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Interfaces to be bridged -- may be listed by device name or by MAC
|
||||||
|
#
|
||||||
|
INTERFACES="eth0"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tap Devices
|
||||||
|
#
|
||||||
|
TAPS="tap0"
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Give Usage Information #
|
||||||
|
################################################################################
|
||||||
|
usage() {
|
||||||
|
echo "Usage: $0 start|stop|reload|restart|status"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
#################################################################################
|
||||||
|
# Find the interface with the passed MAC address
|
||||||
|
#################################################################################
|
||||||
|
find_interface_by_mac() {
|
||||||
|
local mac=$1 first second rest dev
|
||||||
|
|
||||||
|
/sbin/ip link ls | while read first second rest; do
|
||||||
|
case $first in
|
||||||
|
*:)
|
||||||
|
dev=$second
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
if [ "$second" = $mac ]; then
|
||||||
|
echo ${dev%:}
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
# Convert MAC addresses to interface names
|
||||||
|
################################################################################
|
||||||
|
get_interfaces() {
|
||||||
|
local interfaces= interface
|
||||||
|
|
||||||
|
for interface in $INTERFACES; do
|
||||||
|
case $interface in
|
||||||
|
*:*:*)
|
||||||
|
interface=$(find_interface_by_mac $interface)
|
||||||
|
[ -n "$interface" ] || echo "WARNING: Can't find an interface with MAC address $mac"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
interfaces="$interfaces $interface"
|
||||||
|
done
|
||||||
|
|
||||||
|
INTERFACES="$interfaces"
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
# Start the Bridge
|
||||||
|
################################################################################
|
||||||
|
do_start()
|
||||||
|
{
|
||||||
|
local interface
|
||||||
|
|
||||||
|
get_interfaces
|
||||||
|
|
||||||
|
for interface in $TAPS; do
|
||||||
|
/usr/sbin/openvpn --mktun --dev $interface
|
||||||
|
done
|
||||||
|
|
||||||
|
/sbin/brctl addbr br0
|
||||||
|
|
||||||
|
for interface in $INTERFACES $TAPS; do
|
||||||
|
/sbin/ip link set $interface up
|
||||||
|
/sbin/brctl addif br0 $interface
|
||||||
|
done
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
# Stop the Bridge
|
||||||
|
################################################################################
|
||||||
|
do_stop()
|
||||||
|
{
|
||||||
|
local interface
|
||||||
|
|
||||||
|
get_interfaces
|
||||||
|
|
||||||
|
for interface in $INTERFACES $TAPS; do
|
||||||
|
/sbin/brctl delif br0 $interface
|
||||||
|
/sbin/ip link set $interface down
|
||||||
|
done
|
||||||
|
|
||||||
|
/sbin/ip link set br0 down
|
||||||
|
|
||||||
|
/sbin/brctl delbr br0
|
||||||
|
|
||||||
|
for interface in $TAPS; do
|
||||||
|
/usr/sbin/openvpn --rmtun --dev $interface
|
||||||
|
done
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
# E X E C U T I O N B E G I N S H E R E #
|
||||||
|
################################################################################
|
||||||
|
command="$1"
|
||||||
|
|
||||||
|
case "$command" in
|
||||||
|
start)
|
||||||
|
do_start
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
do_stop
|
||||||
|
;;
|
||||||
|
restart|reload)
|
||||||
|
do_stop
|
||||||
|
do_start
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
/sbin/brctl show
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage
|
||||||
|
;;
|
||||||
|
esac</programlisting>
|
||||||
|
|
||||||
|
<para>BRIDGING=No in
|
||||||
|
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||||
|
# OPTIONS OPTIONS
|
||||||
|
fw firewall
|
||||||
|
Wifi ipv4
|
||||||
|
loc ipv4
|
||||||
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
Wifi eth4 192.168.3.255 dhcp,maclist
|
||||||
|
loc br0 192.168.1.255 dhcp,routeback
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||||
|
# LEVEL
|
||||||
|
Wifi all REJECT info
|
||||||
|
all all ACCEPT
|
||||||
|
#LAST LINE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||||
|
# ZONE
|
||||||
|
openvpnserver Wifi 192.168.3.0/24
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/maclist (Note that this system runs
|
||||||
|
Shorewall 3.2 so there is an additional 'TARGET'
|
||||||
|
column)</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>#TARGET INTERFACE MAC IP ADDRESSES (Optional)
|
||||||
|
ACCEPT eth4 00:04:5a:0e:85:b9 #WAP11
|
||||||
|
ACCEPT eth4 00:06:25:45:33:3c #WET11
|
||||||
|
ACCEPT eth4 00:0b:cd:53:cc:97 192.168.3.8 #TIPPER
|
||||||
|
ACCEPT eth4 00:0f:66:ef:b6:f6 192.168.3.8 #TIPPER1
|
||||||
|
ACCEPT eth4 00:12:79:3d:fe:2e 192.168.3.6 #Work Laptop
|
||||||
|
ACCEPT eth4 - 192.168.3.254 #Broadcast/Multicast from us
|
||||||
|
DROP:info eth4 - 192.168.3.0/24
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|