Solved

iptables and Shorewall configuration

Posted on 2006-11-07
13
1,055 Views
Last Modified: 2007-12-19
How would I go about configuring Shorewall to give the following policy and rules:
I already have zones: fw, net and lan.

~# iptables -L
Chain INPUT (policy DROP)
target        prot  opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forward_vlan1 (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.1.5
forward_vlan1  all  --  anywhere             anywhere

Chain input_rule (1 references)
target     prot opt source               destination
input_vlan1  all  --  anywhere             anywhere

Chain input_vlan1 (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination
0
Comment
Question by:thehaze
  • 5
  • 5
13 Comments
 
LVL 11

Expert Comment

by:kblack05
ID: 17911094
you could use 'iptables-save >> snapshot.iptables.txt' then import the file with your shorewall configuration.
0
 

Author Comment

by:thehaze
ID: 17912476
How are they then 'imported' to the shorewall configuration? Can this be done from the command prompt?
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17914773
Yes you can use 'iptables-restore' to start the firewall without aid from shorewall, then when you start shorewall you can use it to capture the existing configuration. In other words, you have used iptables tool sets to create a snapshot of the rules, portable, then when you use iptables tools to reload the rule sets Shorewall should be able to obtain the EXISTING firewall configs and load it into your browser interface.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:thehaze
ID: 17915436
How do I start shorewall you can use to capture the existing configuration.?
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17915525
Google shorewall..

http://www.shorewall.net/starting_and_stopping_shorewall.htm#id2464306

You should be able to simply start shorewall with the existing configuration for IP Tables in effect, and it will grab all the running rules...
0
 

Author Comment

by:thehaze
ID: 17915654
I know how to start and stop shorewall. With 'shorewall start' it overwrites the current contents of iptables with the contents of the config files. I've tried shorewall save saved.txt, but it merely states that shorewall is not started.
0
 
LVL 11

Accepted Solution

by:
kblack05 earned 500 total points
ID: 17916050

Try
Start iptables with the previous firewall config.

then issue

iptables-save >> /var/lib/shorewall/new.iptables

shorewall restore /var/lib/shorewall/new.iptables


###

Shorewall has now been integrated with iptables-save/restore.

Shorewall now supports multiple saved configurations.

The default saved configuration (restore script) in /var/lib/shorewall is now specified using the RESTOREFILE option in shorewall.conf. If this variable isn't set then to maintain backward compatibility, 'restore' is assumed.

The value of RESTOREFILE must be a simple file name; no slashes ("/") may be included.

The "save" command has been extended to be able to specify the name of a saved configuration.

           shorewall save [ <file name> ]

The current state is saved to /var/lib/shorewall/<file name>. If no <file name> is given, the configuration is saved to the file determined by the RESTOREFILE setting.

The "restore" command has been extended to be able to specify the name of a saved configuration:

          shorewall restore [ <file name> ]

The firewall state is restored from /var/lib/shorewall/<file name>. If no <file name> is given, the firewall state is restored from the file determined by the RESTOREFILE setting.

The "forget" command has changed. Previously, the command unconditionally removed the /var/lib/shorewall/save file which records the current dynamic blacklist. The "forget" command now leaves that file alone.

Also, the "forget" command has been extended to be able to specify the name of a saved configuration:

              shorewall forget [ <file name> ]

The file /var/lib/shorewall/<file name> is removed. If no <file name> is given, the file determined by the RESTOREFILE setting is removed.

The "shorewall -f start" command restores the state from the file determined by the RESTOREFILE setting.

0
 

Author Comment

by:thehaze
ID: 17916150
I try doing the following:
root@lbox:/# iptables-save >> /var/lib/shorewall/new.iptables
root@lbox:/# shorewall restore /var/lib/shorewall/new.iptables
then recieve:
ERROR: <restore file> must specify a simple file name: /var/lib/shorewall/new.iptables
0
 

Author Comment

by:thehaze
ID: 17916204
The format of iptables-save and 'shorewall save' are different. I can save the current shorewall firewall with 'shorewall save', then restore it using 'shorewall restore', without any issue. Likewise a iptables-save can be rebuilt using a iptables-restore without problems.

I have a complex iptables firewall which somehow has to imported into shorewall..?
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17916295
You're right. This method works on 2.x and older, but I see now that there is a spurious use of "printf" in the newer version.

Let me see if I can find an import filter, or perhaps someone here might have one...
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Kali Linux Word list 6 875
CentOS 6.7 - Show Open Ports 3 92
Fail2ban says an IP is banned, but not 12 126
create default folder structure and ownership on user creation 5 96
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question