Guys, I know I saw this somewhere but I can't seem to locate that info now...

Scenario:
...............

I have a simple two interface firewall. The firewall machine also provides some services to the LAN and to the NET.
What I would like to do is allow only a particular range of IPs from the internet to access those services.

What do I need to do with my 'rules' file? Ideally I should be able to add IPs and remove IPs as required.

Can I make a file called 'Authorized_IP.txt' and use that?

Thanks in advance.

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
Linux Advocate wrote:
> Guys, I know I saw this somewhere but I can't seem to locate that info now...
>
> Scenario:
> ...............
>
> I have a simple two interface firewall. The firewall machine also provides some services to the LAN and to the NET.
> What I would like to do is allow only a particular range of IPs from the internet to access those services.
>
> What do I need to do with my 'rules' file? Ideally I should be able to add IPs and remove IPs as required.
>
> Can I make a file called 'Authorized_IP.txt' and use that?

No. But in /etc/shorewall/params, you can add:

Authorized=<ip1>,<ip2>,...,<ipn>

And in /etc/shorewall/rules:

ACCEPT net:$Authorized ...

See http://www.shorewall.net/configuration_file_basics.htm#Variables

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:
> Linux Advocate wrote:
>> Guys, I know I saw this somewhere but I can't seem to locate that info now...
>>
>> Scenario:
>> ...............
>>
>> I have a simple two interface firewall. The firewall machine also provides some services to the LAN and to the NET.
>> What I would like to do is allow only a particular range of IPs from the internet to access those services.
>>
>> What do I need to do with my 'rules' file? Ideally I should be able to add IPs and remove IPs as required.
>>
>> Can I make a file called 'Authorized_IP.txt' and use that?
>
> No. But in /etc/shorewall/params, you can add:
>
> Authorized=<ip1>,<ip2>,...,<ipn>

Note that the list elements can be anything legal in a rule: IP ranges, network addresses, etc.

-Tom
Linux Advocate
2009-Jun-15 00:15 UTC
Re: Access to Server frm authorized range of IPs only
Will do, Tom, thanks.

----- Original Message ----
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Sunday, June 14, 2009 11:24:38 PM
> Subject: Re: [Shorewall-users] Access to Server frm authorized range of IPs only
>
> Tom Eastep wrote:
> > Linux Advocate wrote:
> >> Guys, I know I saw this somewhere but I can't seem to locate that info now...
> >>
> >> Scenario:
> >> ...............
> >>
> >> I have a simple two interface firewall. The firewall machine also provides some services to the LAN and to the NET.
> >> What I would like to do is allow only a particular range of IPs from the internet to access those services.
> >>
> >> What do I need to do with my 'rules' file? Ideally I should be able to add IPs and remove IPs as required.
> >>
> >> Can I make a file called 'Authorized_IP.txt' and use that?
> >
> > No. But in /etc/shorewall/params, you can add:
> >
> > Authorized=<ip1>,<ip2>,...,<ipn>
>
> Note that the list elements can be anything legal in a rule: IP ranges, network addresses, etc.
>
> -Tom
Linux Advocate
2009-Jun-15 12:13 UTC
Re: Access to Server frm authorized range of IPs only
----- Original Message ----
> From: Linux Advocate <linuxhousedn@yahoo.com>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Monday, June 15, 2009 8:15:45 AM
> Subject: Re: [Shorewall-users] Access to Server frm authorized range of IPs only
>
> Will do, Tom, thanks.
>
> ----- Original Message ----
> > From: Tom Eastep
> > To: Shorewall Users
> > Sent: Sunday, June 14, 2009 11:24:38 PM
> > Subject: Re: [Shorewall-users] Access to Server frm authorized range of IPs only
> >
> > Tom Eastep wrote:
> > > Linux Advocate wrote:
> > >> Guys, I know I saw this somewhere but I can't seem to locate that info now...
> > >>
> > >> Scenario:
> > >> ...............
> > >>
> > >> I have a simple two interface firewall. The firewall machine also provides some services to the LAN and to the NET.
> > >> What I would like to do is allow only a particular range of IPs from the internet to access those services.
> > >>
> > >> What do I need to do with my 'rules' file? Ideally I should be able to add IPs and remove IPs as required.
> > >>
> > >> Can I make a file called 'Authorized_IP.txt' and use that?
> > >
> > > No. But in /etc/shorewall/params, you can add:
> > >
> > > Authorized=<ip1>,<ip2>,...,<ipn>
> >
> > Note that the list elements can be anything legal in a rule: IP ranges, network addresses, etc.
> >

For record purposes, I did what Tom recommended, as shown below.

In the 'params' file:

AUTH_IP=60.48.0.0-60.54.255.255,
202.75.4.0-202.75.7.255,
202.186.0.0-202.187.255.255,
203.82.64.0-203.82.95.255

In the 'rules' file:

HTTP/ACCEPT net:$AUTH_IP $FW tcp 80,2812

Works well, exactly what I needed. Thanks!
Linux Advocate wrote:
> ----- Original Message ----
>> From: Linux Advocate <linuxhousedn@yahoo.com>
>> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>> Sent: Monday, June 15, 2009 8:15:45 AM
>> Subject: Re: [Shorewall-users] Access to Server frm authorized range of IPs only
>>
>> Will do, Tom, thanks.
>>
>> ----- Original Message ----
>>> From: Tom Eastep
>>> To: Shorewall Users
>>> Sent: Sunday, June 14, 2009 11:24:38 PM
>>> Subject: Re: [Shorewall-users] Access to Server frm authorized range of IPs only
>>>
>>> Tom Eastep wrote:
>>>> Linux Advocate wrote:
>>>>> Guys, I know I saw this somewhere but I can't seem to locate that info now...
>>>>>
>>>>> Scenario:
>>>>> ...............
>>>>>
>>>>> I have a simple two interface firewall. The firewall machine also provides some services to the LAN and to the NET.
>>>>> What I would like to do is allow only a particular range of IPs from the internet to access those services.
>>>>>
>>>>> What do I need to do with my 'rules' file? Ideally I should be able to add IPs and remove IPs as required.
>>>>>
>>>>> Can I make a file called 'Authorized_IP.txt' and use that?
>>>>
>>>> No. But in /etc/shorewall/params, you can add:
>>>>
>>>> Authorized=<ip1>,<ip2>,...,<ipn>
>>>
>>> Note that the list elements can be anything legal in a rule: IP ranges, network addresses, etc.
>>>
>
> For record purposes, I did what Tom recommended, as shown below.
>
> In the 'params' file:
>
> AUTH_IP=60.48.0.0-60.54.255.255,
> 202.75.4.0-202.75.7.255,
> 202.186.0.0-202.187.255.255,
> 203.82.64.0-203.82.95.255
>
> In the 'rules' file:

That exact statement would have resulted in a syntax error. To put the ranges on separate lines, you would rather need:

AUTH_IP=60.48.0.0-60.54.255.255,\
202.75.4.0-202.75.7.255,\
202.186.0.0-202.187.255.255,\
203.82.64.0-203.82.95.255

Furthermore, I would have written the last three differently:

AUTH_IP=60.48.0.0-60.54.255.255,\
202.75.4.0/22,\
202.186.0.0/15,\
203.82.64.0/19

That form results in slightly faster comparison. The 'shorewall iprange' command is your friend, provided that you are running Shorewall 4.2.9 where the command was corrected or that you are running 4.0 (before the command was broken).

-Tom
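A worked example of the two points made in this thread: Tom's earlier note that a params list element can be a range or a network, and his rewrite here of the ranges into CIDR blocks with backslash line continuations. It converts the posted ranges to CIDR the way 'shorewall iprange' would, checks that the CIDR rewrite covers exactly the same addresses as the original ranges, renders the AUTH_IP assignment in a form the shell will accept, and flags the lines a shell would execute as commands in the poster's first attempt. This is added example code, not from the thread and not part of Shorewall; it uses only Python's standard library, the inputs are constructed from the ranges the poster listed, and the params check is a heuristic that assumes the file contains only comments and NAME=value assignments.

```python
"""Range-to-CIDR conversion and a params continuation check (added example)."""
import ipaddress
import re
from typing import List

# Constructed input: the four ranges from the poster's AUTH_IP list.
RANGES = [
    "60.48.0.0-60.54.255.255",
    "202.75.4.0-202.75.7.255",
    "202.186.0.0-202.187.255.255",
    "203.82.64.0-203.82.95.255",
]

# Constructed input: the poster's first attempt, with no line continuations.
BROKEN_PARAMS = (
    "AUTH_IP=60.48.0.0-60.54.255.255,\n"
    "202.75.4.0-202.75.7.255,\n"
    "202.186.0.0-202.187.255.255,\n"
    "203.82.64.0-203.82.95.255\n"
)


def range_to_cidrs(element: str) -> List[str]:
    """Return the minimal CIDR list covering exactly 'first-last'.

    This is the conversion 'shorewall iprange' performs. A plain address or an
    a.b.c.d/n network is returned normalised. Reversed bounds raise, so a typo
    cannot silently turn into an empty or over-broad allow list.
    """
    first_s, sep, last_s = element.partition("-")
    if not sep:
        return [str(ipaddress.ip_network(first_s.strip(), strict=True))]
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if last < first:
        raise ValueError(f"range bounds reversed: {element}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def same_address_set(ranges: List[str], elements: List[str]) -> bool:
    """True if 'elements' (ranges or CIDRs) cover exactly the addresses of 'ranges'."""
    a = [ipaddress.ip_network(c) for r in ranges for c in range_to_cidrs(r)]
    b = [ipaddress.ip_network(c) for e in elements for c in range_to_cidrs(e)]
    return list(ipaddress.collapse_addresses(a)) == list(ipaddress.collapse_addresses(b))


def params_assignment(name: str, ranges: List[str]) -> str:
    """Render NAME=... for /etc/shorewall/params, one CIDR per line.

    The params file is read by the shell, so every line but the last must end
    in a backslash, and continuation lines must not be indented: an unquoted
    space ends the assignment word and the rest of the line becomes a command.
    """
    cidrs = [c for r in ranges for c in range_to_cidrs(r)]
    return f"{name}=" + ",\\\n".join(cidrs) + "\n"


def dangling_lines(params_text: str) -> List[int]:
    """1-based numbers of lines the shell would execute as commands.

    Heuristic for the mistake in the thread: a line that is neither blank, a
    comment, a NAME=value assignment, nor the continuation of a line ending in
    a backslash is run as a command when params is sourced. An indented
    continuation line is flagged for the reason given above.
    """
    assignment = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
    bad: List[int] = []
    continued = False
    for number, raw in enumerate(params_text.splitlines(), start=1):
        if continued:
            if raw[:1].isspace():
                bad.append(number)
        elif raw.strip() and not raw.lstrip().startswith("#") and not assignment.match(raw):
            bad.append(number)
        continued = raw.endswith("\\")
    return bad


if __name__ == "__main__":
    for r in RANGES:
        print(f"{r:30} -> {', '.join(range_to_cidrs(r))}")
    print("broken params, lines run as commands:", dangling_lines(BROKEN_PARAMS))
    fixed = params_assignment("AUTH_IP", RANGES)
    print(fixed, end="")
    print("fixed params, lines run as commands:", dangling_lines(fixed))
```

Run as a script it prints the conversion for each range, then the broken and the corrected params text. 60.48.0.0-60.54.255.255 is not a single power-of-two block and takes three CIDR entries (60.48.0.0/14, 60.52.0.0/15, 60.54.0.0/16), so for that one the range form Tom kept is the shorter spelling; the other three collapse to the /22, /15 and /19 he gave.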
Linux Advocate
2009-Jun-17 04:23 UTC
Re: Access to Server frm authorized range of IPs only
> > For record purposes, I did what Tom recommended, as shown below.
> >
> > In the 'params' file:
> >
> > AUTH_IP=60.48.0.0-60.54.255.255,
> > 202.75.4.0-202.75.7.255,
> > 202.186.0.0-202.187.255.255,
> > 203.82.64.0-203.82.95.255
> >
> > In the 'rules' file:
>
> That exact statement would have resulted in a syntax error. To put the
> ranges on separate lines, you would rather need:
>
> AUTH_IP=60.48.0.0-60.54.255.255,\
> 202.75.4.0-202.75.7.255,\
> 202.186.0.0-202.187.255.255,\
> 203.82.64.0-203.82.95.255
>
> Furthermore, I would have written the last three differently:
>
> AUTH_IP=60.48.0.0-60.54.255.255,\
> 202.75.4.0/22,\
> 202.186.0.0/15,\
> 203.82.64.0/19
>
> That form results in slightly faster comparison. The 'shorewall iprange'
> command is your friend, provided that you are running Shorewall 4.2.9
> where the command was corrected or that you are running 4.0 (before the
> command was broken).

Tom, it's a CentOS 5.3 box with these Shorewall versions:

shorewall-common-4.0.15-1.el5
shorewall-perl-4.0.15-1.el5

You were right. I had just looked at the very last lines of the output of 'shorewall -v restart', which showed:

Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.

Earlier it could not compile. Now that it could, I assumed it was all ok. And as I tested from the IP range that was right on the first line (access ok) and got a friend to test from outside the ranges (no access), I concluded it was all ok.

After reading your email, I reran the command and saw these messages (you were right, of course) on top:

/etc/shorewall/params: line 31: 202.75.4.0-202.75.7.255,: command not found
/etc/shorewall/params: line 32: 202.186.0.0-202.187.255.255,: command not found
/etc/shorewall/params: line 33: 202.190.0.0-202.190.255.255,: command not found
/etc/shorewall/params: line 34: 203.82.64.0-203.82.95.255,: command not found
/etc/shorewall/params: line 35: 203.153.80.0-203.153.87.255: command not found
Compiling...
Processing /etc/shorewall/params ...
/etc/shorewall/params: line 31: 202.75.4.0-202.75.7.255,: command not found
/etc/shorewall/params: line 32: 202.186.0.0-202.187.255.255,: command not found
/etc/shorewall/params: line 33: 202.190.0.0-202.190.255.255,: command not found
/etc/shorewall/params: line 34: 203.82.64.0-203.82.95.255,: command not found
/etc/shorewall/params: line 35: 203.153.80.0-203.153.87.255: command not found

Oops... :) I redid the entries the way you showed and it looks all ok now. Thanks, Tom.