8 Steps to Setup Shorewall in CentOS 5.2

Shoreline Firewall, or Shorewall, is software that controls the flow of packets in and out of a network. It does the same job as iptables, but as an improved version in terms of functionality. This time I will set up Shorewall on my mysurfguard (mysg) server.
STEP 1

Download Shorewall (if possible, look for the latest version)

#wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm

#wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm

#wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm


You can download the latest version from the Shorewall website:
http://www.shorewall.net/download.htm


STEP 2

Install Shorewall

#rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm

STEP 3

Configure Shorewall

The Shorewall program will not work until the Shorewall configuration file has been updated.

# nano /etc/shorewall/shorewall.conf

Change the first line from
STARTUP_ENABLED=No
to
STARTUP_ENABLED=Yes

Save and exit (in nano, press Ctrl+X and type Y).

If you want to copy from the samples, look in /usr/share/doc/shorewall-4.0.11/Samples/. There are 3 folders in the samples: one-interface/, two-interfaces/ and three-interfaces/.

Which one to use depends on the network situation at your site. In my case I just want to set it up on my mysg, which uses only 1 network interface and does not run in transparent mode, so if you want to use the samples, do it this way:

#cp /usr/share/doc/shorewall-4.0.11/Samples/one-interface/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

#cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

#cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

You now have the configuration files in /etc/shorewall.

STEP 4

Zones Configuration


Open and edit the file /etc/shorewall/zones to identify the network zones. This is just labelling.

# nano /etc/shorewall/zones

We set up 3 zones: Internet (NET), Private Zone (DMZ) and Firewall Zone (FW):

#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
#
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

STEP 5

Interfaces Configuration


Next, edit the network interfaces of your firewall.

# nano /etc/shorewall/interfaces

The following is an example configuration. In my case there is only one network interface, so I only use the first line:

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STEP 6

Policy Configuration


OK, this part is quite important: it makes sure traffic is directed according to the zones we defined earlier. The policies used are REJECT or DROP, and then we decide which ports to allow.

# nano /etc/shorewall/policy

Example policy based on the 3 zones above:

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

STEP 7

Rules Configuration


This is the most important configuration, where we decide which subnets are allowed through this firewall, based on the ports that are permitted and the ports that are blocked. If no setting is made, it falls back to the default policy above.

Note: this only applies to new connections; existing connections are recognised automatically.

# nano /etc/shorewall/rules

For example, as below:

#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STEP 8

Finally


To start testing, run this command:
# service shorewall start
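Before starting the firewall it is worth checking that the zones, interfaces and policy files from steps 4 to 6 agree with each other, since a zone name that is misspelled in one file but not defined in zones is a common reason for the start to fail. The script below is an added example, not code from the original post or from Shorewall itself; it writes a constructed copy of the three files into a temporary directory (the mk_cfg helper and the dmz2 typo are assumptions for the demo) and cross-checks them.

```shell
#!/bin/sh
# Added example: cross-check the /etc/shorewall zones, interfaces and policy
# files described above. Not part of the original post or of Shorewall itself.

# Write a constructed copy of the three files into $1; $2 is the zone name
# put on the eth2 interface line (lets us build a deliberately broken set).
mk_cfg() {
  mkdir -p "$1"
  printf 'fw firewall\nnet ipv4\nloc ipv4\ndmz ipv4\n' > "$1/zones"
  printf 'net eth0 detect tcpflags\nloc eth1 detect\n%s eth2 detect\n' "$2" > "$1/interfaces"
  printf '$FW net ACCEPT\nloc net ACCEPT\nnet all DROP info\nall all REJECT info\n' > "$1/policy"
}

# Returns 0 when every zone named in interfaces/policy is defined in zones
# ($FW resolves to the zone of type "firewall", "all" is a wildcard) and the
# last policy line is the catch-all "all all REJECT" or "all all DROP".
check_shorewall_dir() {
  dir=$1; rc=0
  zones=$(awk '!/^#/ && NF {print $1}' "$dir/zones")
  fwzone=$(awk '!/^#/ && $2=="firewall" {print $1}' "$dir/zones")
  # column 1 of interfaces, columns 1 and 2 (SOURCE, DEST) of policy
  refs=$(awk '!/^#/ && NF {print $1}' "$dir/interfaces"
         awk '!/^#/ && NF {print $1; print $2}' "$dir/policy")
  for z in $refs; do
    case $z in
      all) continue ;;
      '$FW') z=${fwzone:-MISSING_FIREWALL_ZONE} ;;
    esac
    echo "$zones" | grep -qx -- "$z" || { echo "undefined zone: $z"; rc=1; }
  done
  last=$(awk '!/^#/ && NF {l=$1" "$2" "$3} END {print l}' "$dir/policy")
  case "$last" in
    "all all REJECT"|"all all DROP") ;;
    *) echo "policy must end with 'all all REJECT' or 'all all DROP'"; rc=1 ;;
  esac
  return $rc
}

demo=$(mktemp -d)
mk_cfg "$demo/ok" dmz
mk_cfg "$demo/bad" dmz2     # typo: zone dmz2 is never defined in zones
check_shorewall_dir "$demo/ok" && echo "ok: consistent"
check_shorewall_dir "$demo/bad" || echo "bad: rejected as expected"
rm -rf "$demo"
```

To check a real installation, call check_shorewall_dir /etc/shorewall instead of the demo directories.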

But all of this can be done more easily with the module available in Webmin. Step 7 in particular can be done through Webmin.

However, if you want to restart or stop Shorewall, it is better to use the command line because it is more stable.
Now I can set rules for which subnets are allowed to use my mysg.

Because I deploy mysg per district, I don't want other districts using it. Besides that, I can control which ports are allowed through my mysg.

Thanks to the notes from HowtoForge.

~ Be a Creator Not a User ~
http://muzzotechspot.blogspot.com
http://muzzoshah.blogspot.com

Comments

CT'S sTUDIO said…
Salam bro, I'm a newbie in network security, I'd like to ask your opinion on how to further upgrade my security control system.. I use 1 server (shorewall) running on Ubuntu OS..and there are 2 Windows 7 clients..after we install shorewall, does it come up with a GUI or not?
Muzamir Mokhtar said…
Sorry, I didn't notice this comment. The only GUI for shorewall is a web GUI. You need to install webmin first and log in to webmin; you'll get the shorewall web GUI in the network menu.

Good luck.