http://blog.185performance.com/ ummm, ya... en Serendipity 1.1.3 - http://www.s9y.org/ Tue, 27 Mar 2007 20:16:00 GMT http://blog.185performance.com/templates/default/img/s9y_banner_small.png http://blog.185performance.com/ 100 21 http://blog.185performance.com/archives/6-Shorewall-Setup-on-a-Gentoo-Slice.html Web Hosting http://blog.185performance.com/archives/6-Shorewall-Setup-on-a-Gentoo-Slice.html#comments http://blog.185performance.com/wfwcomment.php?cid=6 0 http://blog.185performance.com/rss.php?version=2.0&type=comments&cid=6 nospam@example.com (Josh McClain) So you have a Gentoo slice at Slicehost.com, and you want a host-based firewall? Go for shorewall, which makes configuring iptables a breeze.<br /> <br /> I’m not gonna get into the specifics, because I’m way too lazy, but this should get you started.<br /> <br /> 1) emerge sys-kernel/xen-sources so iptables doesn’t freak out. You’ll have to edit package.keywords<br /> <br /> 2) Slicehost is nice enough to show us our kernel build options at /proc/config.gz. So copy that file to /usr/src/linux, then gunzip it. We’re not going to actually compile the kernel; emerging iptables simply needs to see the kernel build options.<br /> <br /> 3) emerge iptables<br /> <br /> 4) emerge shorewall<br /> <br /> 5) rc-update add shorewall default<br /> <br /> 6) Here are my various shorewall settings:<br /> <br /> <blockquote># egrep -v "^#|^$" shorewall.conf<br /> STARTUP_ENABLED=Yes<br /> LOGFILE=/var/log/messages<br /> LOGFORMAT="Shorewall:%s:%s:" <br /> LOGTAGONLY=No<br /> LOGRATE=<br /> LOGBURST=<br /> LOGALLNEW=<br /> BLACKLIST_LOGLEVEL=<br /> MACLIST_LOG_LEVEL=info<br /> TCP_FLAGS_LOG_LEVEL=info<br /> RFC1918_LOG_LEVEL=info<br /> SMURF_LOG_LEVEL=info<br /> LOG_MARTIANS=No<br /> IPTABLES=<br /> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br /> SHOREWALL_SHELL=/bin/sh<br /> SUBSYSLOCK=/var/lock/subsys/shorewall<br /> MODULESDIR=<br /> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall<br /> RESTOREFILE=<br /> IPSECFILE=zones<br /> FW=<br /> IP_FORWARDING=Off<br /> ADD_IP_ALIASES=Yes<br /> ADD_SNAT_ALIASES=No<br /> RETAIN_ALIASES=No<br /> TC_ENABLED=Internal<br /> CLEAR_TC=Yes<br /> MARK_IN_FORWARD_CHAIN=No<br /> CLAMPMSS=No<br /> ROUTE_FILTER=No<br /> DETECT_DNAT_IPADDRS=No<br /> MUTEX_TIMEOUT=60<br /> ADMINISABSENTMINDED=No<br /> BLACKLISTNEWONLY=Yes<br /> DELAYBLACKLISTLOAD=No<br /> MODULE_SUFFIX=<br /> DISABLE_IPV6=Yes<br /> BRIDGING=No<br /> DYNAMIC_ZONES=No<br /> PKTTYPE=Yes<br /> RFC1918_STRICT=No<br /> MACLIST_TABLE=filter<br /> MACLIST_TTL=<br /> SAVE_IPSETS=No<br /> MAPOLDACTIONS=No<br /> FASTACCEPT=No<br /> BLACKLIST_DISPOSITION=DROP<br /> MACLIST_DISPOSITION=REJECT<br /> TCP_FLAGS_DISPOSITION=DROP<br /> <br /> # tail -3 interfaces <br /> #ZONE INTERFACE BROADCAST OPTIONS<br /> net eth0 <stripped> tcpflags,nosmurfs,norfc1918,blacklist<br /> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br /> <br /> # tail -5 zones<br /> #ZONE TYPE OPTIONS IN OUT<br /> # OPTIONS OPTIONS<br /> fw firewall<br /> net ipv4<br /> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br /> <br /> # tail -6 policy<br /> #SOURCE DEST POLICY LOG LIMIT:BURST<br /> # LEVEL<br /> $FW net REJECT info # YES, I'm paranoid<br /> net all DROP info<br /> all all REJECT info<br /> #LAST LINE -- DO NOT REMOVE<br /> <br /> # tail -3 routestopped <br /> #INTERFACE HOST(S) OPTIONS<br /> eth0 <your remote IP> # so I can get in from my remote host when I stop shorewall<br /> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br /> <br /> # tail -40 rules<br /> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/<br /> # PORT PORT(S) DEST LIMIT GROUP<br /> #SECTION ESTABLISHED<br /> #SECTION RELATED<br /> SECTION NEW<br /> <br /> # INBOUND<br /> Ping/ACCEPT net:<stripped> $FW # ping from <stripped> for nagios<br /> ACCEPT net:<stripped> $FW tcp 22 # ssh from <stripped> for nagios and remote access<br /> ACCEPT net $FW tcp 80 # http<br /> ACCEPT net $FW tcp 443 # https<br /> <br /> # OUTBOUND -- because I know <strong>exactly</strong> what my server should be connecting to, and I'll REJECT and log otherwise per policy<br /> DNS/ACCEPT $FW net:63.76.232.182 # dns to slicehost<br /> DNS/ACCEPT $FW net:63.99.9.195 # dns to slicehost<br /> <br /> SMTP/ACCEPT $FW net:<stripped> # smtp to <stripped><br /> SMTP/ACCEPT $FW net:<stripped> # smtp to <stripped><br /> <br /> Rsync/ACCEPT $FW net:209.59.138.21 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:209.221.142.124 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:209.189.242.21 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:208.209.50.18 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:206.75.218.53 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:198.7.230.249 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:156.56.247.193 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:150.135.81.231 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:141.219.155.230 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:134.153.48.2 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:132.207.4.160 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:129.110.111.9 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:128.61.111.9 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:128.213.5.35 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:128.104.70.17 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:216.194.64.133 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:216.176.132.235 # rsync for portage to rsync.namerica.gentoo.org<br /> Rsync/ACCEPT $FW net:216.165.129.134 # rsync for portage to rsync.namerica.gentoo.org<br /> <br /> ACCEPT $FW net:141.218.143.14 tcp 80 # http for portage to prometheus.cs.wmich.edu<br /> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</blockquote> Tue, 27 Mar 2007 14:16:00 -0600 http://blog.185performance.com/archives/6-guid.html