Bering-uClibc 4.x - User Guide - IPv4 Networking - Configure Shorewall
Introduction
One of the distinctive features of LEAF Bering-uClibc (introduced with Bering) is that it relies on Shorewall to provide its firewall facility.
The reasons behind this choice are numerous:
- Shorewall is an iptables-based firewall which offers many features (Masquerading/SNAT, Port forwarding, Static NAT, Proxy ARP, VPN support, Traffic Control/Shaping), which are described in greater detail in the Shorewall documentation.
- It is a very powerful tool with which it is "simple to do simple things" but which also offers great flexibility.
- It is very well documented. We strongly recommend that you have a look at the full documentation available at shorewall.net and that you spend the time to understand the concepts behind it. A worthwhile effort!
- It has a nice QuickStart Guide which will allow the reader to quickly grasp the basics. A prerequisite reading!
- It has tremendous support from its developer, Tom Eastep, who replies very quickly to requests addressed to the Shorewall users' mailing list. Mail archives are also available and searchable.
Configuration
To configure Shorewall, start the LEAF packages configuration menu and choose shorwall. The following menu will appear:
shorwall configuration files

 1) Shorewall    Runtime Startup options
 2) Params       Assign parameter values
 3) Zones        Partition the network into Zones
 4) Ifaces       Shorewall Networking Interfaces
 5) Hosts        Define specific zones
 6) Policy       Firewall high-level policy
 7) Rules        Exceptions to policy
 8) Masq         Internal MASQ Server Configuration
 9) RStopped     Hosts admitted after 'shorewall stop'
10) Nat          Static NAT Configuration
11) Config       Shorewall Global Parameters
12) Modules      Netfilter modules to load
13) TOS          Type of Service policy
14) Blacklist    Blacklisted hosts
15) ECN          Disable ECN to hosts and networks
16) Init         Commands executed before [re]start
17) Initdone     Commands executed during [re]start
18) Start        Commands executed after [re]start
19) Started      Commands executed after complete [re]start
20) Stop         Commands executed before stop
21) Stopped      Commands executed after stop
22) Actions      Define user actions
23) Netmap       Network Mapping Table
24) Route_rules  Routing to providers
25) Tunnels      Tunnel Definition (ipsec
26) Account      Traffic Accounting Rules
27) TCClasses    Define htb classes
28) TCDevices    Specify speed of devices for traffic shaping
29) TCFilters    Classify traffic for shaping
30) TCInterfaces Devices for simplified traffic shaping
31) TCPri        Classify traffic for simplified traffic shaping
32) TCRules      FWMark Rules
33) Maclist      MAC Verification
34) Providers    Additional routing table
35) ProxyArp     Proxy ARP Configuration
36) Notrack      Exclude traffic from connection tracking
 q) quit
----------------------------------------------------------------------------
Selection:

Check the hyperlinks above, the QuickStart Guide or the Shorewall documentation for a full explanation of those configuration files.
Three files absolutely must be checked to make sure they fit your needs:
A) The zones file (entry 3). For a two-interface setup - Bering-uClibc's default - it looks like:

#ZONE   DISPLAY   COMMENTS
net     ipv4
loc     ipv4
#dmz    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
B) The interfaces file (entry 4) defines your interfaces. The default in Bering-uClibc is:

(...)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
C) The rules file (entry 7) is one of the most important files in Shorewall. Here is the one from Bering-uClibc:

(...)
######################################################################################################
#ACTION        SOURCE    DEST    PROTO    DEST    SOURCE    ORIGINAL    RATE    USER
#                                         PORT    PORT(S)   DEST        LIMIT   GROUP
# Accept DNS connections from the firewall to the network
# and from the local network to the firewall (in case dnsmasq is
DNS(ACCEPT)    fw        net
DNS(ACCEPT)    loc       fw
# Accept SSH connections from the local network for administrati
#
SSH(ACCEPT)    loc       fw
# Allow Ping to Firewall
#
Ping(ACCEPT)   net       fw
Ping(ACCEPT)   loc       fw
# Allow all ICMP types (including ping) from firewall
ACCEPT         fw        loc     icmp
ACCEPT         fw        net     icmp
# Allow local network to access weblet/webconf
#
HTTP(ACCEPT)   loc       fw
HTTPS(ACCEPT)  loc       fw
# timeserver (allow syncing with time servers (default: pool.ntp.org))
NTP(ACCEPT)    fw        net
# timeserver (allow LAN clients to sync with the time service on the router)
#
NTP(ACCEPT)    loc       fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
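When reviewing the three files together, it helps to read them back as structured data rather than eyeballing the columns. The script below is an added example written for this guide; it is not part of Bering-uClibc or of Shorewall. It parses the zones, interfaces and rules files in the column layout shown above (the three default files are embedded as strings so it runs offline), splits macro invocations such as DNS(ACCEPT) into macro and action, and then lists every ACCEPT rule that lets the net zone reach a service on the firewall itself, plus any rule that names a zone the zones file does not declare or any zone with no interface. The finding wording and the nine-column rule layout are this script's own assumptions, not Shorewall output.

```python
"""Parse Shorewall zones/interfaces/rules files and flag net -> fw exposure.

Added example for the Bering-uClibc guide; not Shorewall's own code.
"""
import re

# Constructed sample input: the guide's default zones, interfaces and rules
# files, reduced to their non-comment lines (comments are parsed out anyway).
ZONES_FILE = """\
#ZONE   DISPLAY   COMMENTS
net     ipv4
loc     ipv4
#dmz    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

INTERFACES_FILE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

RULES_FILE = """\
#ACTION        SOURCE    DEST    PROTO    DEST    SOURCE    ORIGINAL    RATE    USER
#                                         PORT    PORT(S)   DEST        LIMIT   GROUP
DNS(ACCEPT)    fw        net
DNS(ACCEPT)    loc       fw
SSH(ACCEPT)    loc       fw
Ping(ACCEPT)   net       fw
Ping(ACCEPT)   loc       fw
ACCEPT         fw        loc     icmp
ACCEPT         fw        net     icmp
HTTP(ACCEPT)   loc       fw
HTTPS(ACCEPT)  loc       fw
NTP(ACCEPT)    fw        net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Column order of the rules file header shown in the guide (assumed fixed).
RULE_COLUMNS = ("action", "source", "dest", "proto", "dport", "sport",
                "origdest", "rate", "user")


def _records(text):
    """Yield the whitespace-split fields of every non-blank, non-comment line.

    Everything after '#' is a comment, so the LAST LINE marker is skipped too."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Zone names declared in the zones file (first column), in file order."""
    return [fields[0] for fields in _records(text)]


def parse_interfaces(text):
    """{zone: interface} from the interfaces file."""
    return {fields[0]: fields[1] for fields in _records(text)}


def parse_rules(text):
    """One dict per rule. 'DNS(ACCEPT)' becomes macro='DNS', action='ACCEPT';
    a bare action such as 'ACCEPT' gets macro=None. Absent columns are '-'."""
    rules = []
    for fields in _records(text):
        padded = fields + ["-"] * (len(RULE_COLUMNS) - len(fields))
        rule = dict(zip(RULE_COLUMNS, padded))
        m = re.fullmatch(r"(\w+)\((\w+)\)", rule["action"])
        rule["macro"] = m.group(1) if m else None
        rule["action"] = m.group(2) if m else rule["action"]
        rules.append(rule)
    return rules


def zone_of(spec):
    """Zone part of a SOURCE/DEST column: 'loc:192.168.1.2' -> 'loc'."""
    return spec.split(":", 1)[0]


def review(zones_text, interfaces_text, rules_text):
    """Return review findings as strings (empty list means nothing to flag)."""
    zones = set(parse_zones(zones_text)) | {"fw"}   # 'fw' is implicit
    findings = []
    for r in parse_rules(rules_text):
        src, dst = zone_of(r["source"]), zone_of(r["dest"])
        for z in (src, dst):
            if z not in zones:
                findings.append(f"undefined zone '{z}' in rule {r['action']} {src} {dst}")
        # Services on the firewall reachable from the untrusted zone.
        if r["action"] == "ACCEPT" and src == "net" and dst == "fw":
            what = r["macro"] or f"{r['proto']}/{r['dport']}"
            findings.append(f"net -> fw exposes {what}")
    for z in parse_zones(zones_text):
        if z not in parse_interfaces(interfaces_text):
            findings.append(f"zone '{z}' has no interface")
    return findings


if __name__ == "__main__":
    for finding in review(ZONES_FILE, INTERFACES_FILE, RULES_FILE):
        print(finding)
```

Run against the defaults it reports a single finding, the Ping(ACCEPT) net fw rule, which is exactly the one entry in the default file that answers to the outside; any rule you add for a service that must be reachable from net will show up in the same list, so it doubles as a checklist when you revisit the file later. To use it on a live box, replace the embedded strings with the contents of /etc/shorewall/zones, /etc/shorewall/interfaces and /etc/shorewall/rules.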
Important: If you change any of the Shorewall parameters, remember to save your configuration!
Troubleshooting
- If you do not have IPv6 enabled (in other words, no ipv6.ko module loaded and no ip6tables.lrp package installed), then expect to see the following error when (re)starting Shorewall:

WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables

This is normal and should be ignored: DISABLE_IPV6=Yes tells Shorewall to block IPv6 with ip6tables, and with no IPv6 support in the kernel there is no IPv6 traffic to block in the first place. You can always edit /etc/shorewall/shorewall.conf and remove DISABLE_IPV6=Yes to stop the message from appearing.