Shorewall Setting on Nodus
Contents
Network Topology
^ This final is the current, and the current means previous.
The firewall setting plan and status are shown in the figure above. In an ideal setting, the NAT router on the firewall should filter the packets while allowing the necessary ports open (Figure left). At the 40m, currently, the half of nodus is exposed to the net and handling the web/elog/rsync requests, while other access to the intranet ("local") is blocked (Figure right). So nodus needs to have the function of the firewall.-
(On June 27th, 2018, the new NAT router was installed between the GC net and martian. This made the nodus hidden in the firewall.)
The command (and settings) iptables are supposed to handle this filtering of the packets by the ports. However, iptables configuration is complicated. A mistake in iptables may cause security issue or malfunction of the network which the cause could be tricky to track down. Therefore shorewall is introduced as the configuration tool for iptables, which is simpler and user-friendly.
Once we switch to the firewall only by a NAT router, shorewall will become unnecessary. Just simply stop the service. We still need to use shorewall to keep the ports open.
Requirement
Block all the connection from net to local. The exceptions are: ssh (22), 8080 (http), 8081 (https), 30889 (apache), ping, and rsync (873).
Block all the connection from local to net (via nodus). This is because the connection from local to the outside should go through NAT router rather than nodus.
- Allow fw (firewall) to net, fw to local, and local to fw.
To expose NDS service on megatron to net, we want to allow net to access 31200 of nodus. This connection should be port forwarded to 31200 of megatron. This is not implemented yet
Shorewall settings
Installation info of shorewall is in ~root/.shorewallrc. We don't need to touch it.
defines the names of the net zones (fw, net, loc)
#ZONE TYPE fw firewall net ipv4 loc ipv4
defines which network interface belongs to which zone.
#ZONE INTERFACE OPTIONS net enp1s0f1 - loc enp1s0f0 -
defines the grobal policy of the network. Individual exceptions are not defined here but in ./rules. The policy is:
loc->net is dropped (make no response).
net->fw is rejected immediately.
fw->net, fw->loc, and loc->fw are accepted.
- Everything else is dropped.
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT loc net DROP info $FW net ACCEPT net $FW REJECT info $FW loc ACCEPT loc $FW ACCEPT all all DROP info
defines individual rules for each ports. The service names such as SSH, Rsync, Ping, etc are defined in /usr/share/shorewall as macro.SSH, macro.Rsync, etc ... Therefore they are case sensitive. The last DNAT line is related to the setting for NDS, but this is commented out as this did not work. These rules are no longer necessary. They were commented out.
?SECTION ALL SSH(ACCEPT) net $FW # elog ACCEPT net $FW tcp 8080 ACCEPT net $FW tcp 8081 # apache ACCEPT net $FW tcp 30889 # rsync Rsync(ACCEPT) net $FW # Ping Ping(ACCEPT) net $FW ?SECTION ESTABLISHED ACCEPT net $FW tcp ACCEPT net $FW icmp ?SECTION RELATED ACCEPT net $FW tcp ACCEPT net $FW icmp ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW #DNAT net loc:192.168.113.209:31200 tcp 31200
has the setting for 31200. But because the port forwarding has not yet been successful, this line was commented out.
Deploying iptables via shorewall
The command sudo shorewall compile, checks the syntax of the configuration files and produce the firewall rules for iptables as /var/lib/shorewall/firewall (?)
The manual control of shorewall was initially be checked by shorewall (start/stop/restart/reload). On nodus, shorewall was registered in init.d by executing
sudo systemctl enable shorewall
Therefore, the current commands to control shorewall is
sudo systemctl start|stop|restart|reload shorewall
Note that stopping shorewall may cause isolation of nodus from the terminal which you are working on. Just be careful.