Differences between revisions 5 and 16 (spanning 11 versions)
Revision 5 as of 2018-06-01 04:55:16
Size: 523
Comment:
Revision 16 as of 2019-12-09 20:42:07
Size: 4607
Comment:
Line 2: Line 2:

<<TableOfContents()>>
Line 7: Line 10:
The firewall setting plan and status are shown in the figure above. In an ideal setting, the NAT router on the firewall should filter the packets while allowing the necessary ports open (Figure left). At the 40m, currently, the half of nodus is exposed to the net and handling the web/elog/rsync requests, while other access to the intranet ("local") is blocked (Figure right). ^ This final is the current, and the current means previous.

The firewall setting plan and status are shown in the figure above. In an ideal setting, the NAT router on the firewall should filter the packets while allowing the necessary ports open (Figure left). --(At the 40m, currently, the half of nodus is exposed to the net and handling the web/elog/rsync requests, while other access to the intranet ("local") is blocked (Figure right). So nodus needs to have the function of the firewall.)---

(On June 27th, 2018, the new NAT router was installed between the GC net and martian. This made the nodus hidden in the firewall.)

The command (and settings) iptables are supposed to handle this filtering of the packets by the ports. However, iptables configuration is complicated. A mistake in iptables may cause security issue or malfunction of the network which the cause could be tricky to track down. Therefore '''shorewall''' is introduced as the configuration tool for iptables, which is simpler and user-friendly.

--(Once we switch to the firewall only by a NAT router, shorewall will become unnecessary. Just simply stop the service.)--
We still need to use shorewall to keep the ports open.

== Requirement ==

 * --(Block all the connection from net to local. The exceptions are: ssh (22), 8080 (http), 8081 (https), 30889 (apache), ping, and rsync (873).)--

 * --(Block all the connection from local to net (via nodus). This is because the connection from local to the outside should go through NAT router rather than nodus.)--

 * Allow fw (firewall) to net, fw to local, and local to fw.

 * --(To expose NDS service on megatron to net, we want to allow net to access 31200 of nodus. This connection should be port forwarded to 31200 of megatron. '''This is not implemented yet''')--

== Shorewall settings ==
 * Installation info of shorewall is in {{{~root/.shorewallrc}}}. We don't need to touch it.
 
 * {{/etc/shorewall/zones}} defines the names of the net zones (fw, net, loc)

{{{
#ZONE TYPE
fw firewall
net ipv4
loc ipv4
}}}
Line 10: Line 44:
 * {{/etc/shorewall/interfaces}} defines which network interface belongs to which zone.
Line 11: Line 46:
== Shorewall settings == {{{
#ZONE INTERFACE OPTIONS
net enp1s0f1 -
loc enp1s0f0 -
}}}

 * {{/etc/shorewall/policy}} defines the grobal policy of the network. Individual exceptions are not defined here but in {{{./rules}}}. The policy is:
   * loc->net is dropped (make no response).
   * net->fw is rejected immediately.
   * fw->net, fw->loc, and loc->fw are accepted.
   * Everything else is dropped.

{{{
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc net DROP info

$FW net ACCEPT
net $FW REJECT info

$FW loc ACCEPT
loc $FW ACCEPT

all all DROP info
}}}

 * --({{/etc/shorewall/rules}} defines individual rules for each ports. The service names such as SSH, Rsync, Ping, etc are defined in {{{/usr/share/shorewall}}} as macro.SSH, macro.Rsync, etc ... '''Therefore they are case sensitive'''. The last DNAT line is related to the setting for NDS, but this is commented out as this did not work. )-- These rules are no longer necessary. They were commented out.

{{{
?SECTION ALL

SSH(ACCEPT) net $FW
# elog
ACCEPT net $FW tcp 8080
ACCEPT net $FW tcp 8081
# apache
ACCEPT net $FW tcp 30889
# rsync
Rsync(ACCEPT) net $FW

# Ping
Ping(ACCEPT) net $FW

?SECTION ESTABLISHED

ACCEPT net $FW tcp
ACCEPT net $FW icmp

?SECTION RELATED

ACCEPT net $FW tcp
ACCEPT net $FW icmp

?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#DNAT net loc:192.168.113.209:31200 tcp 31200
}}}

 * {{/etc/shorewall/snat}} has the setting for 31200. But because the port forwarding has not yet been successful, this line was commented out.

== Deploying iptables via shorewall ==

 * The command {{{sudo shorewall compile}}}, checks the syntax of the configuration files and produce the firewall rules for iptables as {{{/var/lib/shorewall/firewall}}} (?)

 * The manual control of shorewall was initially be checked by {{{shorewall (start/stop/restart/reload)}}}. On nodus, shorewall was registered in init.d by executing
{{{
sudo systemctl enable shorewall
}}}
Therefore, the current commands to control shorewall is
{{{
sudo systemctl start|stop|restart|reload shorewall
}}}
Note that stopping shorewall may cause isolation of nodus from the terminal which you are working on. Just be careful.
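Review bot: the rules bullet in this hunk says "These rules are no longer necessary. They were commented out.", but the rules block right below it still shows SSH(ACCEPT), ACCEPT tcp 8080/8081/30889, Rsync(ACCEPT) and Ping(ACCEPT) as active lines; only the DNAT line carries a "#". With the policy "net $FW REJECT info" in the previous block, those six lines are exactly what keeps the listed ports reachable from net, which agrees with "We still need to use shorewall to keep the ports open" earlier in this revision but not with "They were commented out." Suggest aligning the two, either by deleting "They were commented out." or by pasting the current contents of /etc/shorewall/rules.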

Shorewall Setting on Nodus

Network Topology

network_topology.png

^ This final is the current, and the current means previous.

The firewall setting plan and status are shown in the figure above. In an ideal setting, the NAT router on the firewall should filter the packets while leaving the necessary ports open (Figure left). --(At the 40m, currently, half of nodus is exposed to the net and handles the web/elog/rsync requests, while other access to the intranet ("local") is blocked (Figure right). So nodus needs to have the function of the firewall.)--

(On June 27th, 2018, the new NAT router was installed between the GC net and martian. This made the nodus hidden in the firewall.)

The iptables command (and its settings) is supposed to handle this filtering of packets by port. However, iptables configuration is complicated, and a mistake in iptables may cause a security issue or a network malfunction whose cause could be tricky to track down. Therefore shorewall is introduced as the configuration tool for iptables, which is simpler and more user-friendly.

--(Once we switch to the firewall only by a NAT router, shorewall will become unnecessary. Just simply stop the service.)-- We still need to use shorewall to keep the ports open.

Requirement

  • --(Block all connections from net to local. The exceptions are: ssh (22), 8080 (http), 8081 (https), 30889 (apache), ping, and rsync (873).)--

  • --(Block all connections from local to net (via nodus). This is because connections from local to the outside should go through the NAT router rather than nodus.)--

  • Allow fw (firewall) to net, fw to local, and local to fw.
  • --(To expose the NDS service on megatron to net, we want to allow net to access 31200 of nodus. This connection should be port forwarded to 31200 of megatron. This is not implemented yet.)--

Shorewall settings

  • Installation info of shorewall is in ~root/.shorewallrc. We don't need to touch it.

  • /etc/shorewall/zones defines the names of the network zones (fw, net, loc).

#ZONE           TYPE
fw              firewall
net             ipv4
loc             ipv4
  • /etc/shorewall/interfaces defines which network interface belongs to which zone.

#ZONE           INTERFACE               OPTIONS
net             enp1s0f1                -
loc             enp1s0f0                -
  • /etc/shorewall/policy defines the global policy of the network. Individual exceptions are not defined here but in ./rules. The policy is:

    • loc->net is dropped (make no response).

    • net->fw is rejected immediately.

    • fw->net, fw->loc, and loc->fw are accepted.

    • Everything else is dropped.

#SOURCE         DEST            POLICY  LOGLEVEL        RATE    CONNLIMIT
loc             net             DROP    info

$FW             net             ACCEPT
net             $FW             REJECT  info

$FW             loc             ACCEPT
loc             $FW             ACCEPT

all             all             DROP    info
  • --(/etc/shorewall/rules defines individual rules for each port. The service names such as SSH, Rsync, Ping, etc. are defined in /usr/share/shorewall as macro.SSH, macro.Rsync, etc. Therefore they are case sensitive. The last DNAT line is related to the setting for NDS, but it is commented out as it did not work.)-- These rules are no longer necessary. They were commented out.

?SECTION ALL

SSH(ACCEPT)     net             $FW
# elog
ACCEPT          net             $FW             tcp     8080
ACCEPT          net             $FW             tcp     8081
# apache
ACCEPT          net             $FW             tcp     30889
# rsync
Rsync(ACCEPT)   net             $FW

# Ping
Ping(ACCEPT)    net             $FW

?SECTION ESTABLISHED

ACCEPT          net             $FW             tcp
ACCEPT          net             $FW             icmp

?SECTION RELATED

ACCEPT          net             $FW             tcp
ACCEPT          net             $FW             icmp

?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#DNAT           net             loc:192.168.113.209:31200       tcp     31200
  • /etc/shorewall/snat has the setting for 31200, but because the port forwarding has not yet been successful, this line was commented out.
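To see how the policy and rules files above combine, here is a small evaluator added for this page (it is not code from the wiki or from Shorewall). It reads constructed copies of the zones, policy and rules files exactly as listed above and answers, for a NEW connection between two zones, whether the result is ACCEPT, REJECT or DROP: rules in the ALL and NEW sections are checked first, then the policy lines in file order, which is the order Shorewall applies them. The macro expansions (SSH to tcp/22, Rsync to tcp/873, Ping to icmp type 8) are assumed to be the stock /usr/share/shorewall macros, and the ESTABLISHED/RELATED/INVALID/UNTRACKED sections are skipped because only new connections are modelled.

```python
"""Simplified evaluator for the Shorewall zones/policy/rules shown above.
Added example, not from the wiki page or from Shorewall itself. For a NEW
connection it walks the rules file (?SECTION ALL and ?SECTION NEW) first and
the policy file second, the order Shorewall applies them. Assumptions: MACROS
holds the stock /usr/share/shorewall expansions; other sections are skipped
because only NEW connections are modelled.
"""

# Constructed copies of the three files as shown on the page (columns compressed).
ZONES = """\
#ZONE TYPE
fw    firewall
net   ipv4
loc   ipv4
"""

POLICY = """\
#SOURCE DEST POLICY LOGLEVEL
loc     net  DROP   info
$FW     net  ACCEPT
net     $FW  REJECT info
$FW     loc  ACCEPT
loc     $FW  ACCEPT
all     all  DROP   info
"""

RULES = """\
?SECTION ALL
SSH(ACCEPT)   net $FW
ACCEPT        net $FW tcp 8080
ACCEPT        net $FW tcp 8081
ACCEPT        net $FW tcp 30889
Rsync(ACCEPT) net $FW
Ping(ACCEPT)  net $FW
?SECTION ESTABLISHED
ACCEPT        net $FW tcp
ACCEPT        net $FW icmp
?SECTION RELATED
ACCEPT        net $FW tcp
ACCEPT        net $FW icmp
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#DNAT         net loc:192.168.113.209:31200 tcp 31200
"""

# Assumption: stock macro.SSH, macro.Rsync and macro.Ping expansions.
MACROS = {"SSH": ("tcp", "22"), "Rsync": ("tcp", "873"), "Ping": ("icmp", "8")}


def _lines(text):
    """Yield the columns of each non-empty, non-comment line."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if body:
            yield body.split()


def firewall_zone(zones_text):
    """Name of the zone with TYPE 'firewall', i.e. what $FW expands to."""
    for cols in _lines(zones_text):
        if len(cols) >= 2 and cols[1] == "firewall":
            return cols[0]
    raise ValueError("zones file defines no firewall zone")


def parse_rules(rules_text, fw):
    """Return (action, src, dst, proto, port) for rules that apply to NEW connections."""
    rules, section = [], "ALL"
    for cols in _lines(rules_text):
        if cols[0] == "?SECTION":
            section = cols[1]
            continue
        if section not in ("ALL", "NEW"):
            continue
        head = cols[0]
        if "(" in head:                         # macro form such as SSH(ACCEPT)
            macro, action = head.rstrip(")").split("(")
            proto, port = MACROS[macro]
        else:
            action = head
            proto = cols[3] if len(cols) > 3 else "-"
            port = cols[4] if len(cols) > 4 else "-"
        src, dst = cols[1].replace("$FW", fw), cols[2].replace("$FW", fw)
        rules.append((action, src, dst, proto, port))
    return rules


def parse_policy(policy_text, fw):
    """Return (src, dst, policy) in file order; the first match wins."""
    return [(c[0].replace("$FW", fw), c[1].replace("$FW", fw), c[2])
            for c in _lines(policy_text)]


def decide(src, dst, proto, port, zones=ZONES, policy=POLICY, rules=RULES):
    """Verdict for a NEW src->dst packet of proto/port: rules first, then policy."""
    fw = firewall_zone(zones)
    for action, rsrc, rdst, rproto, rport in parse_rules(rules, fw):
        if (rsrc, rdst) == (src, dst) and rproto in ("-", proto) and rport in ("-", str(port)):
            return action
    for psrc, pdst, verdict in parse_policy(policy, fw):
        if psrc in ("all", src) and pdst in ("all", dst):
            return verdict
    return "DROP"  # Shorewall ends every chain with a drop; unreachable with an all/all line
```

Running decide("net", "fw", "tcp", 8080) gives ACCEPT because the rules file is consulted before the "net $FW REJECT" policy, while decide("net", "fw", "tcp", 31200) gives REJECT because the only rule for that port is the commented DNAT line, which matches the note above that the NDS forwarding is not in effect. Traffic from loc to net falls through to the DROP policy and anything not covered by a specific policy line, such as net to loc, lands on the final "all all DROP".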

Deploying iptables via shorewall

  • The command sudo shorewall compile checks the syntax of the configuration files and produces the firewall rules for iptables as /var/lib/shorewall/firewall (?)

  • Manual control of shorewall was initially checked with shorewall (start/stop/restart/reload). On nodus, shorewall was registered in init.d by executing

sudo systemctl enable shorewall

Therefore, the current commands to control shorewall are

sudo systemctl start|stop|restart|reload shorewall

Note that stopping shorewall may isolate nodus from the terminal you are working on. Just be careful.

NodusShorewallSetting (last edited 2019-12-09 20:42:07 by KojiaraiATligoDOTorg)