Shorewall-5

cp /etc/shorewall/interfaces /etc/shorewall/interfaces.ORG

cp /etc/shorewall/policy /etc/shorewall/policys.ORG

cp /etc/shorewall/rules /etc/shorewall/rules.ORG

cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.ORG

~# rpm -ql shorewall | fgrep two-interfaces

/usr/share/doc/packages/shorewall/Samples/two-interfaces

/usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces

[root@mail]# systemctl start shorewall

[root@mail]# systemctl enable shorewall

systemctl restart shorewall

systemctl status shorewall

# /var/lib/shorewall/firewall -n restart

/var/lib/shorewall/firewall -n status

# /var/lib/shorewall/firewall -n clear

# shorewall check

How do I list firewall rules?

# shorewall show | less

How do I see the IP connections currently being tracked by the firewall?

# shorewall show connections

How do I see firewall logs?

# shorewall show hits|less

How do I displays my kernel/iptables capabilities?

# shorewall show capabilities

# yum -y install shorewall *

# cd /usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces/

# cp interfaces policy rules shorewall.conf snat stoppedrules zones /etc/shorewall/

cp /etc/shorewall/zones /etc/shorewall/zones.ORG

cp /etc/shorewall/interfaces /etc/shorewall/interfaces.ORG

cp /etc/shorewall/policy /etc/shorewall/policy.ORG

cp /etc/shorewall/rules /etc/shorewall/rules.ORG

cp /etc/shorewall/stoppedrules /etc/shorewall/stoppedrules.ORG

cp /etc/shorewall/blrules /etc/shorewall/blrules.ORG

cp /etc/shorewall/snat /etc/shorewall/snat.ORG

cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.ORG

cp /usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces/* /etc/shorewall/

OR

cp /usr/share/doc/packages/shorewall-5.1.3/Samples/two-interfaces/* /etc/shorewall/

OR

cp /etc/shorewall/zones /etc/shorewall/zones.ORG

stoppedrules snat blrules

# cd /usr/share/doc/shorewall-5.1.10.2/Samples/two-interfaces/

# cp interfaces policy rules shorewall.conf snat stoppedrules zones /etc/shorewall/

#### interface

# vi /etc/shorewall/interfaces

#ZONE INTERFACE OPTIONS

net em1 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0

loc em2 tcpflags,nosmurfs,routefilter,logmartians

-----------------------------------------------------------------

#### vi zone

# vi /etc/shorewall/zones

# OPTIONS OPTIONS

fw firewall

net ipv4

loc ipv4

#### vi policy

# vi /etc/shorewall/policy

loc net ACCEPT

loc $FW ACCEPT

loc all REJECT info

# Policies for traffic originating from the firewall ($FW)

$FW net ACCEPT

$FW loc ACCEPT

$FW all REJECT info

# Policies for traffic originating from the Internet zone (net)

net $FW DROP info

net loc DROP info

net all DROP info

# THE FOLLOWING POLICY MUST BE LAST

all all REJECT info

---------------------------------------------------------------------

loc net ACCEPT

loc $FW ACCEPT

loc all REJECT $LOG_LEVEL

# Policies for traffic originating from the firewall ($FW)

$FW net ACCEPT

$FW loc ACCEPT

$FW all REJECT $LOG_LEVEL

# Policies for traffic originating from the Internet zone (net)

net $FW DROP $LOG_LEVEL

net loc DROP $LOG_LEVEL

net all DROP $LOG_LEVEL

# THE FOLLOWING POLICY MUST BE LAST

all all REJECT $LOG_LEVEL

--------------------------------------

##### vi rules

# vi /etc/shorewall/rules

# PORT PORT(S) DEST LIMIT GROUP

?SECTION ALL

?SECTION ESTABLISHED

?SECTION RELATED

?SECTION INVALID

?SECTION UNTRACKED

?SECTION NEW

DNS/ACCEPT $FW net

DNS/ACCEPT loc net

NTP/ACCEPT $FW net

##WEBMIN

ACCEPT net $FW tcp 10000

ACCEPT loc $FW tcp 10000

ACCEPT net $FW tcp 20000

ACCEPT loc $FW tcp 20000

## Accept connections from the Internet to the Server

ACCEPT net $FW tcp 22

ACCEPT net $FW tcp 7575

ACCEPT net $FW tcp 80

ACCEPT net $FW tcp 143

ACCEPT net $FW tcp 443

ACCEPT net $FW tcp 123

ACCEPT net $FW udp 123

ACCEPT net $FW tcp 667

ACCEPT net $FW tcp 465

ACCEPT net $FW tcp 587

ACCEPT net $FW tcp 993

ACCEPT net $FW tcp 995

ACCEPT net $FW tcp 3000 # [nTop]

ACCEPT net $FW tcp 8000 # [Ajenti]

ACCEPT net $FW tcp 9090 # [cockpit]

ACCEPT net $FW tcp 3389 # [Remote DeskTop]

##VNC

ACCEPT net $FW tcp 5800

ACCEPT net $FW tcp 5900

ACCEPT net $FW tcp 5901

ACCEPT net $FW tcp 5902

ACCEPT net $FW tcp 6000

##SpamAssassin

ACCEPT net $FW tcp 6277

ACCEPT loc $FW tcp 6277

ACCEPT net $FW tcp 24441

ACCEPT loc $FW tcp 24441

ACCEPT net $FW tcp 2703

ACCEPT loc $FW tcp 2703

# Make ping work

#

ACCEPT fw loc icmp 8

ACCEPT loc fw icmp 8

ACCEPT fw net icmp 8

ACCEPT net fw icmp 8

## POP 3

ACCEPT fw loc tcp 110

ACCEPT loc fw tcp 110

ACCEPT fw net tcp 110

ACCEPT net fw tcp 110

##Allow here any outside SMTP server that the client needs to connect in 25 port

ACCEPT:info loc net:202.22.192.1 tcp 25

ACCEPT:info loc net:202.22.192.3 tcp 25

ACCEPT:info loc net:202.22.192.2 tcp 25

ACCEPT:info net fw tcp 25

ACCEPT:info loc fw tcp 25

ACCEPT:info fw net tcp 25

REJECT:info loc net tcp 25

ACCEPT:info net fw tcp 465

ACCEPT:info net fw tcp 587

ACCEPT:info net fw tcp 993

ACCEPT:info net fw tcp 995

ACCEPT:info net fw tcp 2526

##To redirect 80 port request to 3128 port

#REDIRECT loc 3128 tcp www

---------------------------------------------------

[root@mail shorewall]# vi /etc/shorewall/stoppedrules

#ACTION SOURCE DEST PROTO DEST SOURCE

# PORT(S) PORT(S)

ACCEPT eth2 -

ACCEPT - eth1

# eth1 mens Local Lan #

#### vi /etc/shorewall/snat

#MASQUERADE 10.0.0.0/8,\

# 169.254.0.0/16,\

# 172.16.0.0/12,\

# 92.168.0.0/16 eth0

#### vi /etc/shorewall/blrules [Block IP]

WHITELIST net:70.90.191.126 all

BLACKLIST net:+blacklist all BLACKLIST net all udp 1023:1033,1434,5948,23773 DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773 DROP net:63.149.127.103 all DROP net:175.143.53.113 all DROP net:121.134.248.190 all REJECT net:188.176.145.22 dmz tcp 25 DROP net fw udp 111 Invalid(DROP) net all

# Shorewall drop all incoming traffic from one internet IP except for all local host except two

DROP local:!192.168.5.1,192.168.5.2 inet:78.31.8.0/24 - -

DROP net:176.139.17.222/32 all

DROP net:190.158.227.102/32 all

stopped rules

# vi /etc/shorewall/stoppedrules

#TARGET HOST(S) DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT INT_IF:172.20.1.0/24 $FW NOTRACK COMB_IF - 41 NOTRACK $FW COMB_IF 41 ACCEPT COMB_IF $FW 41 ACCEPT COMC_IF $FW udp 67:68

/etc/shorewall/stoppedrules

#TARGET HOST(S) DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT INT_IF:172.20.1.0/24 $FW NOTRACK COMB_IF - 41 NOTRACK $FW COMB_IF 41 ACCEPT COMB_IF $FW 41 ACCEPT COMC_IF $FW udp 67:68

#### vi /etc/shorewall/shorewall.conf

STARTUP_ENABLED=Yes

To:

LOGFILE=/var/log/shorewall

-------------------------------------------------------------

# iptables-save

systemctl start shorewall.service

systemctl enable shorewall.service

systemctl restart shorewall.service

Created symlink from /etc/systemd/system/basic.target.wants/shorewall.service to /usr/lib/systemd/system/shorewall.service.

Verify that it is running and enabled;

# systemctl status shorewall

● shorewall.service - Shorewall IPv4 firewall Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled) Active: active (exited) since Sat 2016-07-02 03:59:53 EDT; 53s ago Main PID: 1568 (code=exited, status=0/SUCCESS) Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Route Filtering... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Martian Logging... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Proxy ARP... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Preparing iptables-restore input... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Running /sbin/iptables-restore ... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: IPv4 Forwarding Enabled Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/start ... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/started ... Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: done. Jul 02 03:59:53 an-fw05.alteeve.ca systemd[1]: Started Shorewall IPv4 firewall.

To see the new rules in place, simply run:

systemctl stop firewalld systemctl disable firewalld

Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

# systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Jul 02 02:11:20 an-fw05.alteeve.ca systemd[1]: Starting firewalld - dynamic firewall daemon... Jul 02 02:11:21 an-fw05.alteeve.ca systemd[1]: Started firewalld - dynamic firewall daemon. Jul 02 03:56:48 an-fw05.alteeve.ca systemd[1]: Stopping firewalld - dynamic firewall daemon... Jul 02 03:56:50 an-fw05.alteeve.ca systemd[1]: Stopped firewalld - dynamic firewall daemon.

# iptables-save