Shorewall-5
cp /etc/shorewall/interfaces /etc/shorewall/interfaces.ORG
cp /etc/shorewall/policy /etc/shorewall/policy.ORG
cp /etc/shorewall/rules /etc/shorewall/rules.ORG
cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.ORG
~# rpm -ql shorewall | fgrep two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces
[root@mail]# systemctl start shorewall
[root@mail]# systemctl enable shorewall
systemctl restart shorewall
systemctl status shorewall
Usage: /var/lib/shorewall/firewall [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]
# /var/lib/shorewall/firewall -n restart
/var/lib/shorewall/firewall -n status
# /var/lib/shorewall/firewall -n clear
# shorewall check
How do I list firewall rules?
# shorewall show | less
How do I see the IP connections currently being tracked by the firewall?
# shorewall show connections
How do I see firewall logs?
# shorewall show hits|less
How do I display my kernel/iptables capabilities?
# shorewall show capabilities
# yum -y install shorewall*
# cd /usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces/
# cp interfaces policy rules shorewall.conf snat stoppedrules zones /etc/shorewall/
cp /etc/shorewall/zones /etc/shorewall/zones.ORG
cp /etc/shorewall/interfaces /etc/shorewall/interfaces.ORG
cp /etc/shorewall/policy /etc/shorewall/policy.ORG
cp /etc/shorewall/rules /etc/shorewall/rules.ORG
cp /etc/shorewall/stoppedrules /etc/shorewall/stoppedrules.ORG
cp /etc/shorewall/blrules /etc/shorewall/blrules.ORG
cp /etc/shorewall/snat /etc/shorewall/snat.ORG
cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.ORG
cp /usr/share/doc/shorewall-5.0.14.1/Samples/two-interfaces/* /etc/shorewall/
OR
cp /usr/share/doc/packages/shorewall-5.1.3/Samples/two-interfaces/* /etc/shorewall/
OR
cp /etc/shorewall/zones /etc/shorewall/zones.ORG
(back up stoppedrules, snat and blrules the same way)
# cd /usr/share/doc/shorewall-5.1.10.2/Samples/two-interfaces/
# cp interfaces policy rules shorewall.conf snat stoppedrules zones /etc/shorewall/
#### interface
# vi /etc/shorewall/interfaces
#ZONE INTERFACE OPTIONS
net em1 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc em2 tcpflags,nosmurfs,routefilter,logmartians
-----------------------------------------------------------------
#### vi zone
# vi /etc/shorewall/zones
#ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4
#### vi policy
# vi /etc/shorewall/policy
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
# Policies for traffic originating from the firewall ($FW)
$FW net ACCEPT
$FW loc ACCEPT
$FW all REJECT info
# Policies for traffic originating from the Internet zone (net)
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
---------------------------------------------------------------------
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT $LOG_LEVEL
# Policies for traffic originating from the firewall ($FW)
$FW net ACCEPT
$FW loc ACCEPT
$FW all REJECT $LOG_LEVEL
# Policies for traffic originating from the Internet zone (net)
net $FW DROP $LOG_LEVEL
net loc DROP $LOG_LEVEL
net all DROP $LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT $LOG_LEVEL
--------------------------------------
##### vi rules
# vi /etc/shorewall/rules
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNS/ACCEPT $FW net
DNS/ACCEPT loc net
NTP/ACCEPT $FW net
##WEBMIN
ACCEPT net $FW tcp 10000
ACCEPT loc $FW tcp 10000
ACCEPT net $FW tcp 20000
ACCEPT loc $FW tcp 20000
## Accept connections from the Internet to the Server
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 7575
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 123
ACCEPT net $FW udp 123
ACCEPT net $FW tcp 667
ACCEPT net $FW tcp 465
ACCEPT net $FW tcp 587
ACCEPT net $FW tcp 993
ACCEPT net $FW tcp 995
ACCEPT net $FW tcp 3000 # [nTop]
ACCEPT net $FW tcp 8000 # [Ajenti]
ACCEPT net $FW tcp 9090 # [cockpit]
ACCEPT net $FW tcp 3389 # [Remote DeskTop]
##VNC
ACCEPT net $FW tcp 5800
ACCEPT net $FW tcp 5900
ACCEPT net $FW tcp 5901
ACCEPT net $FW tcp 5902
ACCEPT net $FW tcp 6000
##SpamAssassin
ACCEPT net $FW tcp 6277
ACCEPT loc $FW tcp 6277
ACCEPT net $FW tcp 24441
ACCEPT loc $FW tcp 24441
ACCEPT net $FW tcp 2703
ACCEPT loc $FW tcp 2703
# Make ping work
#
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp 8
ACCEPT net fw icmp 8
## POP 3
ACCEPT fw loc tcp 110
ACCEPT loc fw tcp 110
ACCEPT fw net tcp 110
ACCEPT net fw tcp 110
## Allow here any outside SMTP server that clients need to connect to on port 25
ACCEPT:info loc net:202.22.192.1 tcp 25
ACCEPT:info loc net:202.22.192.3 tcp 25
ACCEPT:info loc net:202.22.192.2 tcp 25
ACCEPT:info net fw tcp 25
ACCEPT:info loc fw tcp 25
ACCEPT:info fw net tcp 25
REJECT:info loc net tcp 25
ACCEPT:info net fw tcp 465
ACCEPT:info net fw tcp 587
ACCEPT:info net fw tcp 993
ACCEPT:info net fw tcp 995
ACCEPT:info net fw tcp 2526
##To redirect 80 port request to 3128 port
#REDIRECT loc 3128 tcp www
---------------------------------------------------
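As a defensive check on a rules file in the layout above, here is an added example (not part of the original notes and not Shorewall's own tooling): a small Python linter that parses rule lines in the page's ACTION SOURCE DEST PROTO DPORT form (handling ?SECTION markers, comments, ACTION:loglevel and zone:address syntax) and lists the remote-management ports the file accepts from net to the firewall. The SAMPLE_RULES excerpt and the MGMT_PORTS labels are constructed assumptions.

```python
# Constructed excerpt in the layout of this page's /etc/shorewall/rules (ACTION
# SOURCE DEST PROTO DPORT), including ?SECTION, comment, ACTION:level and zone:addr forms.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DPORT
?SECTION NEW
DNS/ACCEPT $FW net
ACCEPT net $FW tcp 10000   # Webmin
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 3389    # Remote Desktop
ACCEPT net $FW tcp 5900
ACCEPT:info net fw tcp 25
ACCEPT:info loc net:202.22.192.1 tcp 25
REJECT:info loc net tcp 25
#REDIRECT loc 3128 tcp www
"""

# Remote-management ports this page's rules open to "net" (assumed labels).
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5800: "vnc", 5900: "vnc", 5901: "vnc",
              5902: "vnc", 9090: "cockpit", 10000: "webmin", 20000: "webmin"}

def parse_rules(text):
    """Yield (action, src_zone, dst_zone, proto, dport) for each rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments
        fields = line.split()
        if not line or line.startswith("?") or len(fields) < 3:
            continue                               # blank, ?SECTION or short
        action = fields[0].split(":", 1)[0]       # ACCEPT:info -> ACCEPT
        src = fields[1].split(":", 1)[0]          # net:1.2.3.4 -> net
        dst = fields[2].split(":", 1)[0]
        proto = fields[3].lower() if len(fields) > 3 else "-"
        dport = fields[4] if len(fields) > 4 else "-"
        yield action, src, dst, proto, dport

def exposed_mgmt_ports(text):
    """Sorted (port, service) pairs the rules ACCEPT from net to the firewall."""
    found = set()
    for action, src, dst, proto, dport in parse_rules(text):
        if action != "ACCEPT" or src != "net" or dst not in ("$FW", "fw"):
            continue
        if proto == "tcp" and dport.isdigit() and int(dport) in MGMT_PORTS:
            found.add((int(dport), MGMT_PORTS[int(dport)]))
    return sorted(found)

if __name__ == "__main__":
    for port, svc in exposed_mgmt_ports(SAMPLE_RULES):
        print(f"net -> $FW tcp/{port} ({svc}): restrict to loc or a source address")
```

Point it at the real file with `exposed_mgmt_ports(open("/etc/shorewall/rules").read())`; each hit is a candidate for moving to the loc zone or a `net:address` source restriction, as the page's SMTP rules already do.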
[root@mail shorewall]# vi /etc/shorewall/stoppedrules
#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT eth2 -
ACCEPT - eth1
# eth1 means the local LAN
#### vi /etc/shorewall/snat
#MASQUERADE 10.0.0.0/8,\
# 169.254.0.0/16,\
# 172.16.0.0/12,\
# 192.168.0.0/16 eth0
#### vi /etc/shorewall/blrules [Block IP]
WHITELIST net:70.90.191.126 all
BLACKLIST net:+blacklist all
BLACKLIST net all udp 1023:1033,1434,5948,23773
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP net:63.149.127.103 all
DROP net:175.143.53.113 all
DROP net:121.134.248.190 all
REJECT net:188.176.145.22 dmz tcp 25
DROP net fw udp 111
Invalid(DROP) net all
# Drop all traffic from local hosts (except 192.168.5.1 and 192.168.5.2) to one Internet network
DROP local:!192.168.5.1,192.168.5.2 inet:78.31.8.0/24 - -
DROP net:176.139.17.222/32 all
DROP net:190.158.227.102/32 all
#### vi stoppedrules (second example)
# vi /etc/shorewall/stoppedrules
#TARGET HOST(S) DEST PROTO DPORT SPORT
ACCEPT INT_IF:172.20.1.0/24 $FW
NOTRACK COMB_IF - 41
NOTRACK $FW COMB_IF 41
ACCEPT COMB_IF $FW 41
ACCEPT COMC_IF $FW udp 67:68
#### vi /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
To:
LOGFILE=/var/log/shorewall
-------------------------------------------------------------
# iptables-save
systemctl start shorewall.service
systemctl enable shorewall.service
systemctl restart shorewall.service
Created symlink from /etc/systemd/system/basic.target.wants/shorewall.service to /usr/lib/systemd/system/shorewall.service.
Verify that it is running and enabled:
# systemctl status shorewall
● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2016-07-02 03:59:53 EDT; 53s ago
 Main PID: 1568 (code=exited, status=0/SUCCESS)
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Route Filtering...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Martian Logging...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Setting up Proxy ARP...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Preparing iptables-restore input...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Running /sbin/iptables-restore ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: IPv4 Forwarding Enabled
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/start ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: Processing /etc/shorewall/started ...
Jul 02 03:59:53 an-fw05.alteeve.ca shorewall[1568]: done.
Jul 02 03:59:53 an-fw05.alteeve.ca systemd[1]: Started Shorewall IPv4 firewall.
Stop and disable firewalld so that only Shorewall manages the iptables rules:
# systemctl stop firewalld
# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
Jul 02 02:11:20 an-fw05.alteeve.ca systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 02 02:11:21 an-fw05.alteeve.ca systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 02 03:56:48 an-fw05.alteeve.ca systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jul 02 03:56:50 an-fw05.alteeve.ca systemd[1]: Stopped firewalld - dynamic firewall daemon.
To see the new rules in place, simply run:
# iptables-save