forked from extern/shorewall_code
c2ccd7fd3d
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
230 lines
16 KiB
HTML
230 lines
16 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
|
|
<title>Corporate Shorewall Configuration</title>
|
|
<meta http-equiv="Content-Type"
|
|
content="text/html; charset=windows-1252">
|
|
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
|
|
<meta content="FrontPage.Editor.Document" name="ProgId">
|
|
<meta content="none" name="Microsoft Theme">
|
|
<meta content="Graeme Boyle" name="author">
|
|
</head>
|
|
<body>
|
|
<script><!--
|
|
function PrivoxyWindowOpen(){return(null);}
|
|
//--></script>
|
|
<blockquote></blockquote>
|
|
<h1 style="text-align: center;">Corporate Network</h1>
|
|
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
|
|
color="#ff0000"><b>:</b></font></big></p>
|
|
<blockquote>
|
|
<ul>
|
|
<li><b>This configuration is used on a corporate network that has a
|
|
Linux (RedHat 8.0) server with three interfaces, running Shorewall
|
|
1.4.5 release,</b> </li>
|
|
<li><b>Make sure you know what public IP addresses are currently
|
|
being used and verify these </b><i>before</i><b> starting.</b> </li>
|
|
<li><b>Verify your DNS settings </b><i>before</i><b> starting any
|
|
Shorewall configuration especially if you have split DNS.</b> </li>
|
|
<li><b>System names and Internet IP addresses have been changed to
|
|
protect the innocent.</b> </li>
|
|
</ul>
|
|
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
|
|
configuration
|
|
uses a combination of One-to-one NAT and Proxy ARP. This is generally
|
|
not
|
|
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
|
If you have just a single public IP address, most of what you see here
|
|
won't apply to your setup so beware of copying parts of this
|
|
configuration
|
|
and expecting them to work for you. What you copy may or may not work
|
|
in your configuration.<br>
|
|
</small></b></big><br>
|
|
</p>
|
|
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
|
|
internet is connected to eth0. The local network is connected via eth1
|
|
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
|
|
have an IPSec tunnel connecting our offices in Germany to our offices
|
|
in the US. I host two Microsoft Exchange servers for two different
|
|
companies behind
|
|
the firewall hence, the two Exchange servers in the diagram below.</p>
|
|
<p>Summary:<br>
|
|
</p>
|
|
<ul>
|
|
<li>SNAT for all systems connected to the LAN - Internal addresses
|
|
10.10.x.x to external address 192.0.18.127. </li>
|
|
<li>One-to-one NAT for <i>Polaris</i> (Exchange Server #2).
|
|
Internal
|
|
address 10.10.1.8 and external address 192.0.18.70. </li>
|
|
<li>One-to-one NAT for <i>Sims</i> (Inventory Management server).
|
|
Internal address 10.10.1.56 and external address 192.0.18.75.<br>
|
|
</li>
|
|
<li>One-to-one NAT for <i>Project</i> (Project Web Server).
|
|
Internal
|
|
address 10.10.1.55 and external address 192.0.18.84. </li>
|
|
<li>One-to-one NAT for <i>Fortress</i> (Exchange Server). Internal
|
|
address 10.10.1.252 and external address 192.0.18.93. </li>
|
|
<li>One-to-one NAT for <i>BBSRV</i> (Blackberry Server). Internal
|
|
address 10.10.1.230 and external address 192.0.18.97. </li>
|
|
<li>One-to-one NAT for <i>Intweb</i> (Intranet Web Server).
|
|
Internal
|
|
address 10.10.1.60 and external address 192.0.18.115. </li>
|
|
</ul>
|
|
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
|
|
with RH8.0.</p>
|
|
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
|
|
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
|
|
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
|
|
1.1.0). That server is managed through Proxy ARP.</p>
|
|
<p>All administration and publishing is done using ssh/scp. I have X
|
|
installed on the firewall and the system in the DMZ. X applications
|
|
tunnel through SSH to Hummingbird Exceed running on a PC located in the
|
|
LAN. Access to the firewall using SSH is restricted to systems in the
|
|
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
|
|
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
|
|
src="images/CorpNetwork.gif" width="770" border="0"> </p>
|
|
<p></p>
|
|
<p>The Ethernet 0 interface in the Server is configured with IP
|
|
address 192.0.18.68, netmask 255.255.255.192. The server's default
|
|
gateway is 192.0.18.65, the Router connected to my network and the ISP.
|
|
This is the same default gateway used by the firewall itself. On the
|
|
firewall, Shorewall automatically adds a host route to 192.0.18.80
|
|
through Ethernet 2 (192.168.21.1) because of the entry in
|
|
/etc/shorewall/proxyarp (see below). I modified the start, stop and
|
|
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
|
|
<p><b>Some Mistakes I Made:</b></p>
|
|
<p>Yes, believe it or not, I made some really basic mistakes when
|
|
building this firewall. Firstly, I had the new firewall setup in
|
|
parallel with the
|
|
old firewall so that there was no interruption of service to my users.
|
|
During my out-bound testing, I set up systems on the LAN to utilize the
|
|
firewall which worked fine. When testing my NAT connections, from the
|
|
outside,
|
|
these would fail and I could not understand why. Eventually, I changed
|
|
the default route on the internal system I was trying to access, to
|
|
point
|
|
to the new firewall and "bingo", everything worked as expected. This
|
|
oversight
|
|
delayed my deployment by a couple of days not to mention level of
|
|
frustration
|
|
it produced. </p>
|
|
<p>Another problem that I encountered was in setting up the Proxyarp
|
|
system in the DMZ. Initially I forgot to remove the entry for the eth2
|
|
from the /etc/shorewall/masq file. Once my file settings were correct,
|
|
I started verifying that the ARP caches on the firewall, as well as the
|
|
outside system "kaos", were showing the correct Ethernet MAC address.
|
|
However, in testing remote access, I could access the system in the DMZ
|
|
only from the firewall
|
|
and LAN but not from the Internet. The message I received was
|
|
"connection
|
|
denied" on all protocols. What I did not realize was that a "helpful"
|
|
administrator that had turned on an old system and assigned the same
|
|
address
|
|
as the one I was using for Proxyarp without notifying me. How did I
|
|
work
|
|
this out. I shutdown the system in the DMZ, rebooted the router and
|
|
flushed
|
|
the ARP cache on the firewall and kaos. Then, from kaos, I started
|
|
pinging
|
|
that IP address and checked the updated ARP cache and lo-and-behold a
|
|
different MAC address showed up. High levels of frustration etc., etc.
|
|
The administrator will <i>not</i> be doing that again! :-)</p>
|
|
<p><b>Lessons Learned:</b></p>
|
|
<ul>
|
|
<li>Read the documentation. </li>
|
|
<li>Draw your network topology before starting. </li>
|
|
<li>Understand what services you are going to allow in and out of
|
|
the firewall, whether they are TCP or UDP packets and make a note of
|
|
these port numbers. </li>
|
|
<li>Try to get quiet time to build the firewall - you need to focus
|
|
on the job at hand. </li>
|
|
<li>When asking for assistance, be honest and include as much
|
|
detail as requested. Don't try and hide IP addresses etc., you will
|
|
probably screw up the logs and make receiving assistance harder. </li>
|
|
<li>Read the documentation. </li>
|
|
</ul>
|
|
<p><b>Futures:</b></p>
|
|
<p>This is by no means the final configuration. In the near future, I
|
|
will be moving more systems from the LAN to the DMZ. I will also be
|
|
watching the logs for port scan programs etc. but, this should be
|
|
standard security maintenance.</p>
|
|
<p>Here are copies of my files. I have removed most of the internal
|
|
documentation
|
|
for the purpose of this space however, my system still has the original
|
|
files with all the comments and I highly recommend you do the same.</p>
|
|
</blockquote>
|
|
<h3>Shorewall.conf</h3>
|
|
<blockquote>
|
|
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
|
|
</blockquote>
|
|
<h3>Zones File</h3>
|
|
<blockquote>
|
|
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
|
|
face="Courier" size="2"><br></font></pre>
|
|
</blockquote>
|
|
<h3>Interfaces File: </h3>
|
|
<blockquote>
|
|
<p>##############################################################################<br>
|
|
#ZONE INTERFACE BROADCAST OPTIONS<br>
|
|
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
|
|
loc eth1 detect dhcp,routefilter<br>
|
|
dmz eth2 detect<br>
|
|
vpn1 ipsec0<br>
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
|
|
</blockquote>
|
|
<h3>Routestopped File:</h3>
|
|
<blockquote>
|
|
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
|
|
face="Courier" size="2"> </font></pre>
|
|
</blockquote>
|
|
<h3>Policy File:</h3>
|
|
<blockquote>
|
|
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
|
</blockquote>
|
|
<h3>Masq File: </h3>
|
|
<blockquote>
|
|
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
|
</blockquote>
|
|
<h3>NAT File: </h3>
|
|
<blockquote>
|
|
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
|
</blockquote>
|
|
<h3>Proxy ARP File:</h3>
|
|
<blockquote>
|
|
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
|
|
</blockquote>
|
|
<h3>Tunnels File:</h3>
|
|
<blockquote>
|
|
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
|
</blockquote>
|
|
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
|
|
<blockquote>
|
|
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
|
</blockquote>
|
|
<h3>Start File:</h3>
|
|
<blockquote>
|
|
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
|
|
</blockquote>
|
|
<h3>Stop File:</h3>
|
|
<blockquote>
|
|
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
|
|
</blockquote>
|
|
<h3>Init File:</h3>
|
|
<blockquote>
|
|
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
|
|
</blockquote>
|
|
<p><font size="2">Last updated 11/13/2003</font>
|
|
<script><!--
|
|
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
|
|
//</script><br>
|
|
</p>
|
|
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
|
|
and
|
|
Graeme Boyle</a></small><br>
|
|
</p>
|
|
<br>
|
|
<br>
|
|
</body>
|
|
</html>
|