Differences between revisions 5 and 8 (spanning 3 versions)
Revision 5 as of 2018-06-01 04:55:16
Revision 8 as of 2018-06-01 05:26:04

Shorewall Setting on Nodus

Network Topology

[Figure: network_topology.png]

The firewall setting plan and the current status are shown in the figure above. In an ideal setup, the NAT router on the firewall should filter the packets while leaving the necessary ports open (figure, left). At the 40m, currently, one side of nodus is exposed to the net and handles the web/elog/rsync requests, while other access to the intranet ("local") is blocked (figure, right). So nodus needs to take on the function of the firewall.

iptables (the command and its rule set) is supposed to handle this filtering of packets by port. However, iptables configuration is complicated, and a mistake in it may cause a security issue or a network malfunction whose cause is tricky to track down. Therefore shorewall is introduced as the configuration tool for iptables, since it is simpler and more user-friendly.

Requirement

  • Block all connections from net to local. The exceptions are: ssh, 8080 (http), 8081 (https), 30889 (apache), ping, and rsync.
  • Block all connections from local to net (via nodus), because connections from local to the outside should go through the NAT router rather than nodus.
  • Allow fw (firewall) to net, fw to local, and local to fw.
  • To expose the NDS service on megatron to net, allow net to access port 31200 of nodus. This connection should be port-forwarded to port 31200 of megatron.

Shorewall settings

  • Installation info for shorewall is in ~root/.shorewallrc. We don't need to touch it.

  • /etc/shorewall/zones defines the names of the zones (fw, net, loc):

#ZONE           TYPE
fw              firewall
net             ipv4
loc             ipv4
  • /etc/shorewall/interfaces defines which network interface belongs to which zone:

#ZONE           INTERFACE               OPTIONS
net             enp1s0f1                -
loc             enp1s0f0                -
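Added example, not the page's own configuration (the page shows only the zones and interfaces files): a /etc/shorewall/policy and /etc/shorewall/rules pair that implements the four requirements above. It assumes the listed exceptions are services running on nodus itself ($FW), that "rsync" means the rsync daemon on tcp/873, and that megatron's address is supplied through a $MEGATRON variable defined in /etc/shorewall/params (placeholder, not given on the page).

```conf
# /etc/shorewall/policy  (zones fw, net, loc as defined above; first match wins)
#SOURCE   DEST    POLICY    LOG_LEVEL
loc       fw      ACCEPT
fw        net     ACCEPT
fw        loc     ACCEPT
loc       net     REJECT    info    # local hosts must exit via the NAT router, not nodus
net       all     DROP      info    # everything from net is dropped unless a rule below allows it
all       all     REJECT    info    # catch-all; policies apply only after the rules file

# /etc/shorewall/rules
#ACTION          SOURCE  DEST                   PROTO  DPORT
SSH(ACCEPT)      net     $FW
ACCEPT           net     $FW                    tcp    8080,8081,30889   # http, https, apache
Ping(ACCEPT)     net     $FW
Rsync(ACCEPT)    net     $FW                                             # rsync daemon, tcp/873 (assumed)
# Requirement 4: NDS on megatron. $MEGATRON is a placeholder set in /etc/shorewall/params.
DNAT             net     loc:$MEGATRON:31200    tcp    31200
```

Run `shorewall check` before `shorewall restart`, since a syntax error in either file otherwise leaves the old rule set or no filtering at all in place. Because local hosts default-route through the NAT router rather than nodus, replies from megatron to the forwarded NDS connections will not come back through nodus unless nodus also SNATs that flow toward loc or megatron has a return route via nodus.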

NodusShorewallSetting (last edited 2019-12-09 20:42:07 by KojiaraiATligoDOTorg)