Link to home
Start Free TrialLog in
Avatar of thehaze
thehaze

asked on

iptables and Shorewall configuration

How would I go about configuring Shorewall to give the following policy and rules:
I already have zones: fw, net and lan.

~# iptables -L
Chain INPUT (policy DROP)
target        prot  opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forward_vlan1 (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.1.5
forward_vlan1  all  --  anywhere             anywhere

Chain input_rule (1 references)
target     prot opt source               destination
input_vlan1  all  --  anywhere             anywhere

Chain input_vlan1 (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination
Avatar of Kelly Black
Kelly Black
Flag of United States of America image
you could use 'iptables-save >> snapshot.iptables.txt' then import the file with your shorewall configuration.
Avatar of thehaze
thehaze

ASKER

How are they then 'imported' to the shorewall configuration? Can this be done from the command prompt?
Avatar of Kelly Black
Kelly Black
Flag of United States of America image
Yes you can use 'iptables-restore' to start the firewall without aid from shorewall, then when you start shorewall you can use it to capture the existing configuration. In other words, you have used iptables tool sets to create a snapshot of the rules, portable, then when you use iptables tools to reload the rule sets Shorewall should be able to obtain the EXISTING firewall configs and load it into your browser interface.
Avatar of thehaze
thehaze

ASKER

How do I start shorewall you can use to capture the existing configuration.?
Avatar of Kelly Black
Kelly Black
Flag of United States of America image
Google shorewall..

http://www.shorewall.net/starting_and_stopping_shorewall.htm#id2464306

You should be able to simply start shorewall with the existing configuration for IP Tables in effect, and it will grab all the running rules...
Avatar of thehaze
thehaze

ASKER

I know how to start and stop shorewall. With 'shorewall start' it overwrites the current contents of iptables with the contents of the config files. I've tried shorewall save saved.txt, but it merely states that shorewall is not started.
ASKER CERTIFIED SOLUTION
Avatar of Kelly Black
Kelly Black
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of thehaze
thehaze

ASKER

I try doing the following:
root@lbox:/# iptables-save >> /var/lib/shorewall/new.iptables
root@lbox:/# shorewall restore /var/lib/shorewall/new.iptables
then recieve:
ERROR: <restore file> must specify a simple file name: /var/lib/shorewall/new.iptables
Avatar of thehaze
thehaze

ASKER

The format of iptables-save and 'shorewall save' are different. I can save the current shorewall firewall with 'shorewall save', then restore it using 'shorewall restore', without any issue. Likewise a iptables-save can be rebuilt using a iptables-restore without problems.

I have a complex iptables firewall which somehow has to imported into shorewall..?
Avatar of Kelly Black
Kelly Black
Flag of United States of America image
You're right. This method works on 2.x and older, but I see now that there is a spurious use of "printf" in the newer version.

Let me see if I can find an import filter, or perhaps someone here might have one...