So you have a Gentoo slice at Slicehost.com, and you want a host-based firewall? Go for shorewall, which makes configuring iptables a breeze.
I’m not gonna get into the specifics, because I’m way too lazy, but this should get you started.
1) emerge sys-kernel/xen-sources so iptables doesn’t freak out (the iptables ebuild wants a kernel tree to check its build options against). You’ll have to edit package.keywords first.
2) Slicehost is nice enough to show us our kernel build options at /proc/config.gz. So copy that file to /usr/src/linux, then gunzip it. We’re not going to actually compile the kernel; emerging iptables simply needs to see the kernel build options.
3) emerge iptables
4) emerge shorewall
5) rc-update add shorewall default
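Steps 1 through 5 as something you can check before running emerge. This is an added example, not part of the original post: it stages the Slicehost kernel config and greps it for the netfilter options iptables and Shorewall depend on, so a missing option shows up here rather than as a failed emerge or a ruleset that silently cannot track connections. The function names, the option list and the default paths are my assumptions; the emerge and rc-update commands in the trailing comment are the post's own steps.

```shell
#!/bin/sh
# Added example, not from the original post: stage the Slicehost kernel config where
# Gentoo's kernel-config check looks for it, and verify the netfilter options the
# iptables ebuild and shorewall depend on are present before running emerge.
# Assumptions: /proc/config.gz exists (Slicehost exposes it, as the post says) and
# /usr/src/linux points at the xen-sources tree from step 1.

# stage_kernel_config [SRC_GZ] [DEST_DIR]
#   Decompress SRC_GZ into DEST_DIR/.config. The post copies config.gz and gunzips it,
#   which leaves a file named "config"; the kernel tree and Gentoo's linux-info checks
#   read ".config", so the file is written under that name here.
stage_kernel_config() {
    src="${1:-/proc/config.gz}"
    dest="${2:-/usr/src/linux}"
    [ -r "$src" ] || { echo "stage_kernel_config: cannot read $src" >&2; return 1; }
    [ -d "$dest" ] || { echo "stage_kernel_config: no such directory $dest" >&2; return 1; }
    gzip -dc "$src" > "$dest/.config"
}

# check_netfilter_config [CONFIG_FILE]
#   Return 0 when every option needed for the post's ruleset is built in (=y) or
#   modular (=m); print each missing one to stderr and return 1 otherwise.
#   Connection tracking is needed for the ESTABLISHED/RELATED sections; its option
#   name changed between kernel generations, so either spelling is accepted.
check_netfilter_config() {
    cfg="${1:-/usr/src/linux/.config}"
    missing=0
    for opt in CONFIG_NETFILTER \
               CONFIG_IP_NF_IPTABLES \
               CONFIG_IP_NF_FILTER \
               'CONFIG_NF_CONNTRACK|CONFIG_IP_NF_CONNTRACK'; do
        if grep -Eq "^($opt)=(y|m)\$" "$cfg"; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt" >&2
            missing=1
        fi
    done
    return $missing
}

# Typical use on the slice (the emerge and rc-update lines are the post's steps 3-5):
#   stage_kernel_config && check_netfilter_config && \
#     emerge iptables && emerge shorewall && rc-update add shorewall default
```

Run the two functions first; only if the check passes do the emerges make sense. A MISSING line means the Slicehost kernel was built without that feature, and no amount of emerging will give you a working firewall on it.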
6) Here are my various shorewall settings:
# egrep -v "^#|^$" shorewall.conf
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
FW=
IP_FORWARDING=Off
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=No
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
# tail -3 interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        tcpflags,nosmurfs,norfc1918,blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# tail -5 zones
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
# tail -6 policy
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
$FW       net    REJECT   info    # YES, I'm paranoid
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
# tail -3 routestopped
#INTERFACE   HOST(S)   OPTIONS
eth0                   # so I can get in from my remote host when I stop shorewall
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# tail -40 rules
#ACTION         SOURCE  DEST                    PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                                       PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# INBOUND
Ping/ACCEPT     net:    $FW                                     # ping from for nagios
ACCEPT          net:    $FW                     tcp     22      # ssh from for nagios and remote access
ACCEPT          net     $FW                     tcp     80      # http
ACCEPT          net     $FW                     tcp     443     # https
# OUTBOUND -- because I know exactly what my server should be connecting to, and I'll REJECT and log otherwise per policy
DNS/ACCEPT      $FW     net:63.76.232.182                       # dns to slicehost
DNS/ACCEPT      $FW     net:63.99.9.195                         # dns to slicehost
SMTP/ACCEPT     $FW     net:                                    # smtp to
SMTP/ACCEPT     $FW     net:                                    # smtp to
Rsync/ACCEPT    $FW     net:209.59.138.21                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:209.221.142.124                     # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:209.189.242.21                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:208.209.50.18                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:206.75.218.53                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:198.7.230.249                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:156.56.247.193                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:150.135.81.231                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:141.219.155.230                     # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:134.153.48.2                        # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:132.207.4.160                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:129.110.111.9                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:128.61.111.9                        # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:128.213.5.35                        # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:128.104.70.17                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:216.194.64.133                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:216.176.132.235                     # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW     net:216.165.129.134                     # rsync for portage to rsync.namerica.gentoo.org
ACCEPT          $FW     net:141.218.143.14      tcp     80      # http for portage to prometheus.cs.wmich.edu
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
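With the policy file logging at level info and LOGFORMAT set as in shorewall.conf above, every packet a policy rejects or drops lands in /var/log/messages, and the fw2net entries are exactly the outbound connections the server attempted that are not in the rules file. The following is an added example, not part of the original post, that summarizes those entries so you can see what is being refused. The log lines it writes are constructed samples in the shape Shorewall's log prefix and the kernel's iptables LOG target produce; the function names are my own, and the chain names assume Shorewall's usual source2dest naming.

```shell
#!/bin/sh
# Added example, not from the original post: summarize what the policy file logged.
# With LOGFORMAT="Shorewall:%s:%s:" each logged packet carries a prefix such as
# Shorewall:fw2net:REJECT: (chain, then disposition) followed by the usual iptables
# LOG fields (SRC=, DST=, PROTO=, DPT= ...). Assumptions: syslog writes kernel
# messages to /var/log/messages (LOGFILE in shorewall.conf) and chain names follow
# Shorewall's <source>2<dest> convention. The sample lines below are constructed.

# summarize_shorewall_log [LOGFILE]
#   Print "COUNT CHAIN:DISPOSITION PROTO DST:DPT", most frequent first. Entries from
#   the fw2net chain are the interesting ones for the post's egress policy: each is
#   a connection the server itself tried to make that no rule allows.
summarize_shorewall_log() {
    log="${1:-/var/log/messages}"
    awk '
        /Shorewall:/ {
            chain = disp = proto = dst = ""; dpt = "-"      # ICMP lines carry no DPT
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Shorewall:/) { split($i, t, ":"); chain = t[2]; disp = t[3] }
                else if ($i ~ /^DST=/)   dst = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            count[chain ":" disp " " proto " " dst ":" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$log" | sort -rn
}

# egress_attempts [LOGFILE]
#   Only the outbound (fw2net) entries: each one is either a destination the rules
#   file should allow (a new rsync mirror, say) or a process on the box that should
#   not be reaching out at all.
egress_attempts() {
    summarize_shorewall_log "$1" | grep ' fw2net:'
}

# write_sample_log FILE
#   Constructed sample entries (not real traffic) in the shape the post's config
#   produces, for trying the summary offline: two refused outbound SMTP attempts,
#   one dropped inbound telnet probe and one dropped inbound ping.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov  3 12:00:01 slice kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 12:00:02 slice kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 12:00:03 slice kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 12:00:04 slice kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
EOF
}

# Typical use on the slice:  egress_attempts /var/log/messages
# Offline try-out:           write_sample_log /tmp/sample.log && summarize_shorewall_log /tmp/sample.log
```

On the sample data the first line of the summary is `2 fw2net:REJECT TCP 198.51.100.25:25`, which is what a mail delivery attempt to a host not in the SMTP/ACCEPT rules looks like. Checking this after every portage sync is a cheap way to notice a rotated rsync mirror address before the next sync fails, and it is also the place an unexpected outbound connection from a compromised service would first show up.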