NT-04: How to configure Shorewall (the default firewall)?



You should read Part #1 if you have ONE ethernet card.

You should read Part #2 if you have TWO ethernet cards.

You shouldn't read anything here if you have THREE or more ethernet cards ;-)

 

Part #1

 

You want to be secure when surfing the net? Well, start by installing Shorewall, Mandrake's default firewall. You can install it by typing as root:

urpmi shorewall

Now what!! Well, let's configure it to suit your needs. The first thing you need to know is that by default, all the ports on your computer are stealthed from the Internet. This means that if someone tries to ping you, they will get no answer. So if you don't need to run a server of any kind (Apache, eDonkey, MSN (file transfer), SSH, Telnet ...), then the configuration is done. You can start to hack on something else. However, if you want to run such a server, you have to tweak the config file located at /etc/shorewall/rules a bit. What you need to know before starting to play with the config file is that Shorewall works in zones. Your computer is seen as 'fw' and the Internet is seen as 'net'. So if you want to run SSH on your computer and connect to it remotely over the Internet, you have to add the following line to /etc/shorewall/rules:

ACCEPT  net     fw      tcp     22      -

This line basically says to ACCEPT all tcp connections from the Internet (net) to your computer (fw) on port 22. Now, for the changes to take effect, you need to reboot... AHAH .. I got you for a sec ;-) . You only need to restart Shorewall. This is done by typing as root:

service shorewall restart

Now let's say you want to run eDonkey (a p2p client) but cannot connect to a server. Well, you need to open port 4662 for both tcp and udp. So add the following lines to /etc/shorewall/rules:

ACCEPT    net     fw      tcp      4662    -

ACCEPT    net     fw      udp     4662    -

Then restart Shorewall.

 

Well, this is basically all you have to know for a one-interface network. If you wonder on which port a server is listening, you can take a look at /etc/services. This file lists pretty much all the services with their respective port(s). If you don't find what you are looking for there, I suggest you search HERE.

 

Part #2

 

This part is designed for those who enabled Internet Connection Sharing (ICS) from the Mandrake Control Center (MCC) and have two network cards: one connected to a modem (ADSL or cable) and the other one to the LAN (crossover cable to another computer or straight cable to a hub). Note that it should not be very different if you have a dial-up modem and one ethernet card connected to the LAN. I just have not tried that.

 

The firewall (the machine on which Shorewall is running) can access the Internet, and so can the computer on your LAN? However, you cannot connect to the SSH server that runs on your firewall, either from the LAN or from the Internet? Well, you have to configure Shorewall, because by default it blocks everything. Secure? --> YES. Annoying? --> NO... if you can deal with that. The first thing you need to know is that Shorewall works in zones. So Shorewall sees the machine on which it runs (the firewall) as 'fw', the Internet as 'net' and the computer on the LAN as 'masq'. So if you want to access the SSH server that runs on the firewall (fw) from a computer on your LAN (masq), then add the following line to Shorewall's config file (/etc/shorewall/rules). Note that you need to be root to read/write Shorewall's config files.

ACCEPT  masq    fw      tcp     22    -

This line basically says to ACCEPT all tcp connections from the LAN (masq) to the firewall (fw) on port 22. Now, for the changes to take effect, you need to reboot... AHAH .. I got you for a sec ;-) . You only need to restart Shorewall. This is done by typing as root:

service shorewall restart

Now, let's say you also want to access your SSH server that runs on your firewall (fw) from the Internet (net). Then you have to add the following line in the config file:

ACCEPT  net    fw      tcp     22    -

Don't forget to restart Shorewall!! If you want to run a server on one of your LAN computers (masq) and access that server from the Internet (net), you have to forward the port on which the service is running to your LAN computer. As an example, let's say a computer on your LAN wants to send a file (file transfer) with AMSN (an MSN clone for Linux). This computer basically acts like a server while it sends the file to someone on the Internet. So to be able to do that, you have to enter the following line in the config file (/etc/shorewall/rules) and restart Shorewall:

DNAT    net     masq:192.168.1.100      tcp     6891:6900  -
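An added example, not part of the original post and not Shorewall's own tooling: a small POSIX sh/awk audit that reads a rules file in the five-column layout used in both parts above (ACTION SOURCE DEST PROTO DEST_PORT) and lists everything it admits from the 'net' zone, both ACCEPT rules into fw and DNAT forwards into the LAN, flagging any rule that carries no port restriction. The sample rules are constructed from the lines in this post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Shorewall rules file
# and list what it exposes to the Internet.  Assumes the five-column layout
# shown in the post: ACTION SOURCE DEST PROTO DEST_PORT.  POSIX sh + awk.

# Constructed sample rules file (stand-in for /etc/shorewall/rules).  The last
# line is a deliberately sloppy rule: "-" in the port column means every tcp port.
sample_rules() {
    cat <<'EOF'
# constructed sample /etc/shorewall/rules
ACCEPT  net     fw      tcp     22      -
ACCEPT  net     fw      tcp     4662    -
ACCEPT  net     fw      udp     4662    -
ACCEPT  masq    fw      tcp     22      -
DNAT    net     masq:192.168.1.100      tcp     6891:6900  -
ACCEPT  net     fw      tcp     -       -
EOF
}

# Read rules on stdin, print one line per rule that admits traffic from the
# "net" zone:   open fw PROTO PORT        for ACCEPT net fw ...
#               forward IP PROTO PORT     for DNAT net masq:IP ...
# A missing or "-" port is reported as ALL-PORTS so it stands out.
shorewall_exposure() {
    awk '
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        $2 != "net"    { next }               # only traffic arriving from the Internet
        {
            port = ($5 == "" || $5 == "-") ? "ALL-PORTS" : $5
            if ($1 == "ACCEPT" && $3 == "fw")
                printf "open fw %s %s\n", $4, port
            else if ($1 == "DNAT" && index($3, ":") > 0)
                printf "forward %s %s %s\n", substr($3, index($3, ":") + 1), $4, port
        }'
}

# Exit 1 if any exposure has no port restriction; handy as a pre-restart check.
no_unrestricted_ports() {
    ! shorewall_exposure | grep -q 'ALL-PORTS$'
}

# Usage on the real file (as root):
#   shorewall_exposure < /etc/shorewall/rules
#   no_unrestricted_ports < /etc/shorewall/rules && service shorewall restart
```

Each line of the report is a service reachable from the Internet, so it is worth glancing at after every edit to the rules file; a '-' in the port column opens every port of that protocol and is almost never what you meant. Real Shorewall rules files may carry extra columns and SECTION lines; the audit reads only the first five columns and skips any line whose source zone is not net.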

But the computer on your LAN does not always get the same IP (192.168.1.100 in the above example) from the firewall (DHCP server), you'll say. Well, let's configure it so that it always receives the same IP from the firewall. First of all, you need to know the MAC address of the computer on the LAN. To find it, type ifconfig as root on the computer on the LAN (have no idea how to get that on the other OS). You will get something like this:

eth0      Link encap:Ethernet  HWaddr 00:50:BA:B4:00:3E
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:193712 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155603 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:206789603 (197.2 Mb)  TX bytes:11783187 (11.2 Mb)
          Interrupt:10 Base address:0x4f00

The MAC address is the series of numbers and letters to the right of HWaddr. So my card's MAC address is 00:50:BA:B4:00:3E. Now, add the next block to /etc/dhcpd.conf on the server as root. Replace my MAC address with yours!

host PC {
    hardware ethernet 00:50:ba:b4:00:3e;
    fixed-address 192.168.1.100;
}

Now, restart the DHCP server by typing as root:

service dhcpd restart

This way, the computer on the LAN with the MAC address 00:50:ba:b4:00:3e should always receive 192.168.1.100 as its IP. That simplifies configuration, especially for DNAT rules (port forwarding).
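As an added example (my own code, not from the post): a POSIX sh/awk snippet that pulls the MAC out of ifconfig output in the old HWaddr form shown above and prints the dhcpd.conf host block for a fixed lease. The ifconfig text is constructed from the post's sample; the host name PC, the interface eth0 and the function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): extract a MAC address from
# ifconfig output and build the dhcpd.conf reservation the post describes.
# Assumes the old "HWaddr" ifconfig format shown in the post and POSIX sh + awk.

# Constructed ifconfig output, in the format the post shows.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:50:BA:B4:00:3E
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
EOF
}

# mac_of IFACE: read ifconfig output on stdin, print the MAC of IFACE in lower
# case (the case the post's dhcpd.conf uses).  Exit 1 if the interface is not
# there or the token after HWaddr is not six colon-separated hex pairs.
mac_of() {
    awk -v iface="$1" '
        $1 == iface && /HWaddr/ {
            for (i = 1; i < NF; i++) if ($i == "HWaddr") mac = tolower($(i + 1))
        }
        END {
            if (length(mac) == 17 && mac ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])*$/) {
                print mac; exit 0
            }
            exit 1
        }'
}

# dhcp_reservation NAME MAC IP: print the host block to append to /etc/dhcpd.conf.
dhcp_reservation() {
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# Usage (placeholders; the first command runs on the LAN machine, the rest on the firewall):
#   ifconfig | mac_of eth0
#   dhcp_reservation PC 00:50:ba:b4:00:3e 192.168.1.100 >> /etc/dhcpd.conf
#   service dhcpd restart
```

A reservation keeps the DNAT target stable, but it is not an identity check: dhcpd hands the address to whichever client presents that MAC, so the forward in the rules file lands on whatever machine currently holds 192.168.1.100. Keep the forwarded port range as narrow as the application allows.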

 

Well, this is basically all you have to know for a two-interface network. If you wonder on which port a server is listening, you may take a look at /etc/services. This file lists pretty much all the services with their respective port(s). If you don't find what you are looking for there, I suggest you search HERE.

 

FOR EVERYONE

 

Test your firewall with these sites. They basically probe the ports on your computer and report what they got. Good way to know if you are secure!

https://grc.com/x/ne.dll?bh0bkyd2

http://scan.sygatetech.com/

 

references:

http://www.shorewall.net/FAQ.htm

http://www.shorewall.net/ ;-)
