Dear All,
I'm tasked to set up a RH Enterprise Linux based HTTP, DNS, Mail Server on a datacenter that is supposed to be protected with its own firewall. I've evaluated several firewall scripting agents, and I found shorewall the best. The machine is still at office and I'm supposed to up it this Friday (2 days from now!).
I've read the docs, the HOWTOs, did quite a lot of investigation and searching and I really can't find much. I might be confused or blur, but I think I need help. As such, I would like to seek your kind advice.
Here is my setup:
1: 1 hardware interface eth0, 1 virtual interface ppp0 (for pptp VPN Clients Only)
2: RHEL 3.0, Errata Kernel kernel-2.4.21-9
3: iptables-1.2.8-12
4: Shorewall 2.0.1
All RPMs installed are either Redhat Vanilla / Updated using up2date. No manual source patching was done (except for qmail, but that's not important here).
Here are my requirements:
1: Allow hosts "usr" (Authorised users from external network) and "vpn" (PPTP VPN Users) to have full, uninhibited access to the server.
2: Allow hosts "net" (Internet users) to access certain services only.
3: Deny hosts "net" from accessing any unauthorised services, drop and log all connections.
I've successfully been able to get hosts "vpn" (tied to interface ppp0) to have full, uninhibited access to the server, but not host "usr". Apparently, the firewall somehow skips the rules and jumps to the default action (drop).
Here is a sample of the error messages that I've captured when I tried to do a telnet 192.168.0.179 1352 (Note that 192.168.0.179 is the machine's IP and there are services running on port 1352):
Apr 28 18:16:11 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:d7:ef:cb:00:a0:c9:16:63:2e:08:00 SRC=192.168.0.117 DST=192.168.0.179 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10943 DF PROTO=TCP SPT=1143 DPT=1352 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 28 18:16:11 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:d7:ef:cb:00:a0:c9:16:63:2e:08:00 SRC=192.168.0.117 DST=192.168.0.179 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10943 DF PROTO=TCP SPT=1143 DPT=1352 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 28 18:16:17 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:d7:ef:cb:00:a0:c9:16:63:2e:08:00 SRC=192.168.0.117 DST=192.168.0.179 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=10945 DF PROTO=TCP SPT=1143 DPT=1352 WINDOW=64240 RES=0x00 SYN URGP=0
Here are my config files. I've only added in stuff which I've modified. Those which I've not modified are not included.
===== start /etc/shorewall/hosts ====
usr eth0:192.168.0.0/24 routeback
===== end /etc/shorewall/hosts ====
Note that the RFC1918 IPs are used because the machine is still in my office and as such requires a segment that is reflective of my office's network. Will be changed to an external IP when deployed at the datacentre.
===== start /etc/shorewall/interface ====
net eth0 detect routefilter,dhcp,tcpflags
vpn ppp0 172.16.16.1
===== end /etc/shorewall/interface ====
I've only got 1 hardware interface, eth0. It's currently running DHCP, but is to be converted to static IP before deployment. Will convert accordingly. Interface vpn refers to clients connecting to pptpd.
===== start /etc/shorewall/zones ====
net Net Internet
vpn VPN VPN Users
usr Users Netvity Networks Authorised Users
===== end /etc/shorewall/zones ====
Zone "net" refers to interface eth0, which is connected to the internet.
Zone "vpn" refers to interface ppp0, which is connected to the VPN clients.
Zone "usr" refers to authorised users, which are also connected to interface eth0, on the internet.
===== start /etc/shorewall/masq ====
eth0 172.16.16.0/24
===== end /etc/shorewall/masq ====
To provide masquerading support for clients connected on VPN.
===== start /etc/shorewall/policy ====
fw net ACCEPT
usr fw ACCEPT
vpn all ACCEPT
net all DROP info
===== end /etc/shorewall/policy ====
Rationale for policies:
1. Allow the firewall to connect to the internet.
2. Allow host usr to connect to the firewall without any inhibition.
3. Allow host vpn to connect to the firewall without any inhibition.
4. Drop all internet traffic for clients connecting to unauthorised ports.
===== start /etc/shorewall/routestop ====
eth0 192.168.0.0/24 routeback
===== end /etc/shorewall/routestop ====
To allow the office network segment to configure the firewall without fear of disconnection upon fw error / restart. Will be changed to an external IP when moved to the datacenter.
===== start /etc/shorewall/rules ====
# Accepting SSH
ACCEPT net fw tcp ssh
# Accepting FTP
ACCEPT net fw tcp ftp
ACCEPT net fw tcp ftp-data
# Accepting SMTP
ACCEPT net fw tcp smtp
# Accepting DNS
ACCEPT net fw udp domain
ACCEPT net fw tcp domain
# Accepting HTTP
ACCEPT net fw tcp http
===== end /etc/shorewall/rules ====
To accept SSH, FTP, SMTP, DNS and HTTP traffic from the internet. Drop all others. Will also remove SSH from the rules later as only authorised users (IP segment from host "usr" and VPN users) will be allowed to connect to SSH.
===== start /etc/shorewall/tunnels ====
pptpserver net
===== end /etc/shorewall/tunnels ====
The FW is running the poptop VPN PPTP Daemon for clients to connect.
Apologies for the long email. But would appreciate any help rendered.
Regards
David
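Editor's worked example, not code from David's post or from the Shorewall project: the log lines quoted above name the matching zone pair (`net2all`) and the disposition (`DROP`), which is the first thing to read off a Shorewall log when a rule seems to be skipped. The script parses those lines into fields, then models how a source zone is chosen when one interface (eth0) carries two zones, `net` from the interfaces file and `usr` from the hosts file. The modelling assumption, labelled in the code, is that Shorewall tries an interface's zones in the order they are listed in /etc/shorewall/zones and the first matching host entry wins; `ZONE_HOSTS` is built from the config in the post, with the interface-wide `net` and `vpn` entries modelled as 0.0.0.0/0. Sample log lines are constructed copies of the three in the message.

```python
"""Parse Shorewall/Netfilter log lines and model multi-zone source resolution.

Assumption (not verified against the Shorewall source): when an interface is in
several zones, the zones are tried in the order of /etc/shorewall/zones and the
first zone whose host entry contains the packet's source address is used.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the three entries quoted in the post, one per line.
_ENTRY = ("Apr 28 18:16:{sec} localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
          "MAC=00:07:e9:d7:ef:cb:00:a0:c9:16:63:2e:08:00 SRC=192.168.0.117 "
          "DST=192.168.0.179 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID={pid} DF "
          "PROTO=TCP SPT=1143 DPT=1352 WINDOW=64240 RES=0x00 SYN URGP=0")
SAMPLE_LOG = "\n".join([_ENTRY.format(sec=11, pid=10943),
                        _ENTRY.format(sec=11, pid=10943),
                        _ENTRY.format(sec=17, pid=10945)])

# Shorewall prefixes each logged packet with <chain>:<disposition>: then the
# Netfilter key=value fields (flags such as DF and SYN carry no '=').
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

# Zone -> host entries taken from the post's config; "net" is eth0-wide and
# "vpn" ppp0-wide (interfaces file), "usr" is the hosts-file subnet on eth0.
ZONE_HOSTS = {
    "net": [("eth0", "0.0.0.0/0")],
    "vpn": [("ppp0", "0.0.0.0/0")],
    "usr": [("eth0", "192.168.0.0/24")],
}


def parse_line(line):
    """Return a dict of the useful fields of one Shorewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            kv[key] = val
    return {
        "chain": m.group("chain"),        # zone pair that matched, e.g. net2all
        "disposition": m.group("disp"),   # ACCEPT / DROP / REJECT
        "in": kv.get("IN"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def resolve_src_zone(zone_order, zone_hosts, iface, src):
    """First zone in zone_order with a host entry on iface containing src."""
    addr = ipaddress.ip_address(src)
    for zone in zone_order:
        for z_iface, net in zone_hosts.get(zone, []):
            if z_iface == iface and addr in ipaddress.ip_network(net):
                return zone
    return None


def classify_log(log_text, zone_order, zone_hosts=ZONE_HOSTS):
    """Parse every Shorewall line and attach the zone the model gives its source."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rec["model_zone"] = resolve_src_zone(zone_order, zone_hosts,
                                                 rec["in"], rec["src"])
            records.append(rec)
    return records


def drop_summary(records):
    """Count dropped attempts by (src, proto, dpt): the view a reviewer wants."""
    return Counter((r["src"], r["proto"], r["dpt"])
                   for r in records if r["disposition"] == "DROP")


if __name__ == "__main__":
    posted_order = ["net", "vpn", "usr"]   # order used in the post's zones file
    recs = classify_log(SAMPLE_LOG, posted_order)
    for r in recs:
        print(f'{r["chain"]} {r["disposition"]} {r["src"]} -> {r["dst"]}:{r["dpt"]}'
              f' model zone={r["model_zone"]}')
    print("drops:", dict(drop_summary(recs)))
    print("usr listed before net:",
          resolve_src_zone(["usr", "vpn", "net"], ZONE_HOSTS, "eth0", "192.168.0.117"))
```

With the zones in the order the post lists them, the model puts 192.168.0.117 in `net`, which agrees with the `net2all` chain in the captured log; with `usr` tried before `net` the same source resolves to `usr`. The `drop_summary` function is the piece to keep for routine log review: three SYNs from one source to one port in six seconds is what a blocked-but-legitimate client looks like, which is a different pattern from a scan sweeping many ports.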