thehaze
asked on
iptables and Shorewall configuration
How would I go about configuring Shorewall to give the following policy and rules:
I already have zones: fw, net and lan.
~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
input_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT gre -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
output_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain forward_vlan1 (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.1.5
forward_vlan1 all -- anywhere anywhere
Chain input_rule (1 references)
target prot opt source destination
input_vlan1 all -- anywhere anywhere
Chain input_vlan1 (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
you could use 'iptables-save >> snapshot.iptables.txt' then import the file with your shorewall configuration.
ASKER
How are they then 'imported' to the shorewall configuration? Can this be done from the command prompt?
Yes, you can use 'iptables-restore' to start the firewall without aid from shorewall, then when you start shorewall you can use it to capture the existing configuration. In other words, you have used the iptables tool set to create a portable snapshot of the rules; then, when you use the iptables tools to reload the rule sets, Shorewall should be able to obtain the EXISTING firewall configs and load them into your browser interface.
ASKER
How do I start shorewall so that it can capture the existing configuration?
Google shorewall..
http://www.shorewall.net/starting_and_stopping_shorewall.htm#id2464306
You should be able to simply start shorewall with the existing configuration for IP Tables in effect, and it will grab all the running rules...
ASKER
I know how to start and stop shorewall. With 'shorewall start' it overwrites the current contents of iptables with the contents of the config files. I've tried shorewall save saved.txt, but it merely states that shorewall is not started.
ASKER
I try doing the following:
root@lbox:/# iptables-save >> /var/lib/shorewall/new.iptables
root@lbox:/# shorewall restore /var/lib/shorewall/new.iptables
then receive:
ERROR: <restore file> must specify a simple file name: /var/lib/shorewall/new.iptables
ASKER
The formats of iptables-save and 'shorewall save' are different. I can save the current shorewall firewall with 'shorewall save', then restore it using 'shorewall restore', without any issue. Likewise an iptables-save can be rebuilt using an iptables-restore without problems.
I have a complex iptables firewall which somehow has to be imported into shorewall..?
You're right. This method works on 2.x and older, but I see now that there is a spurious use of "printf" in the newer version.
Let me see if I can find an import filter, or perhaps someone here might have one...
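The thread never reaches an import path, since 'shorewall save'/'restore' and 'iptables-save'/'restore' use different formats; the listing in the question has to be translated by hand into Shorewall's zone-based files. The block below is an added example (not from the thread, and not a Shorewall tool) doing that translation for the rules shown. Because 'iptables -L' was run without '-v -n', the listing hides the interface matches, so the interface names eth0/eth1 and the reading that the two unconditional "ACCEPT all" lines belong to the LAN side are assumptions; 'iptables-save' or 'iptables -L -v -n' on the original box would confirm them.

```conf
# Added example: the question's iptables listing expressed as Shorewall files.
# Interface names and the LAN/NET attribution of "ACCEPT all" are assumed.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4

# /etc/shorewall/interfaces   (eth0 = Internet side, eth1 = LAN side: assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter
lan     eth1        detect      tcpflags

# /etc/shorewall/policy   (first matching line wins, top to bottom)
#SOURCE DEST    POLICY  LOG_LEVEL
lan     all     ACCEPT          # INPUT/FORWARD "ACCEPT all" lines, assumed to match the LAN interface
fw      all     ACCEPT          # OUTPUT: "ACCEPT all"
net     fw      REJECT  info    # INPUT tail: REJECT tcp-reset / icmp-port-unreachable (Shorewall's REJECT does exactly this)
net     lan     DROP    info    # FORWARD: chain policy DROP, no REJECT rule
all     all     REJECT  info    # safety net for anything not listed above

# /etc/shorewall/rules   (exceptions; evaluated before the policies)
#ACTION SOURCE  DEST                PROTO
ACCEPT  net     fw                  icmp    # INPUT: "ACCEPT icmp -- anywhere anywhere"
ACCEPT  net     fw                  gre     # INPUT: "ACCEPT gre -- anywhere anywhere"
ACCEPT  net     lan:192.168.1.5             # forwarding_rule: "ACCEPT all -- anywhere 192.168.1.5"
                                            # filter-table rule only; any NAT it relied on is not in the listing

# /etc/shorewall/shorewall.conf   (one setting)
CLAMPMSS=Yes    # FORWARD: "TCPMSS ... clamp to PMTU"
```

Dropping packets in state INVALID and accepting RELATED,ESTABLISHED traffic are generated by Shorewall itself, so those lines need no entry; run 'shorewall check' after editing to validate the files before 'shorewall start'.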