Shorewall Setup on a Gentoo Slice
So you have a Gentoo slice at Slicehost.com, and you want a host-based firewall? Go for shorewall, which makes configuring iptables a breeze.
I’m not gonna get into the specifics, because I’m way too lazy, but this should get you started.
1) emerge sys-kernel/xen-sources so the iptables ebuild has a kernel source tree (and a config) to check its netfilter options against; that missing tree is what makes it freak out otherwise. The package is keyword-masked, so you'll have to add it to /etc/portage/package.keywords first.
2) Slicehost is nice enough to expose the running kernel's build options at /proc/config.gz. Copy that file into /usr/src/linux and gunzip it there, making sure the result ends up named .config (a bare gunzip leaves you with a file called config, which the ebuild won't look at), and check that /usr/src/linux actually points at the xen-sources tree you just emerged. We're not going to compile a kernel; emerging iptables simply needs to read the kernel build options.
3) emerge iptables
4) emerge shorewall
5) rc-update add shorewall default
6) Here are my shorewall settings. Two things worth noticing before you copy them: outbound from the slice is REJECT by policy with an explicit allowlist in rules, so any new service the box needs to reach (a new mirror, a new resolver) has to be added there or it gets refused and logged; and LOGRATE/LOGBURST are left empty while all three policies log at info, so a port scan puts one line per dropped packet into /var/log/messages. Run shorewall check before the first start, and keep the routestopped entry pointed at a host you control, or a bad restart will lock you out of your own slice.
# egrep -v "^#|^$" shorewall.conf
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
FW=
IP_FORWARDING=Off
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=No
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

# tail -3 interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            -               tcpflags,nosmurfs,norfc1918,blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# tail -5 zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

# tail -6 policy
#SOURCE DEST            POLICY          LOG             LIMIT:BURST
#                                       LEVEL
$FW     net             REJECT          info            # YES, I'm paranoid
net     all             DROP            info
all     all             REJECT          info
#LAST LINE -- DO NOT REMOVE

# tail -3 routestopped
#INTERFACE      HOST(S)         OPTIONS
eth0            # so I can get in from my remote host when I stop shorewall
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# tail -40 rules
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                               PORT    PORT(S) DEST            LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# INBOUND
Ping/ACCEPT     net:            $FW                                     # ping from for nagios
ACCEPT          net:            $FW                     tcp     22      # ssh from for nagios and remote access
ACCEPT          net             $FW                     tcp     80      # http
ACCEPT          net             $FW                     tcp     443     # https
# OUTBOUND -- because I know exactly what my server should be connecting to, and I'll REJECT and log otherwise per policy
DNS/ACCEPT      $FW             net:63.76.232.182                       # dns to slicehost
DNS/ACCEPT      $FW             net:63.99.9.195                         # dns to slicehost
SMTP/ACCEPT     $FW             net:                                    # smtp to
SMTP/ACCEPT     $FW             net:                                    # smtp to
Rsync/ACCEPT    $FW             net:209.59.138.21                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:209.221.142.124                     # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:209.189.242.21                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:208.209.50.18                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:206.75.218.53                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:198.7.230.249                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:156.56.247.193                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:150.135.81.231                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:141.219.155.230                     # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:134.153.48.2                        # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:132.207.4.160                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:129.110.111.9                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:128.61.111.9                        # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:128.213.5.35                        # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:128.104.70.17                       # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:216.194.64.133                      # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:216.176.132.235                     # rsync for portage to rsync.namerica.gentoo.org
Rsync/ACCEPT    $FW             net:216.165.129.134                     # rsync for portage to rsync.namerica.gentoo.org
ACCEPT          $FW             net:141.218.143.14      tcp     80      # http for portage to prometheus.cs.wmich.edu
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
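The whole point of the rules file above is the egress allowlist, so it is worth seeing exactly what the combination of rules and policy lets through. The Python below is an added example written for this page, not Shorewall's own code: it models how Shorewall decides a NEW connection (first matching line in rules wins, otherwise the first matching policy line) over a subset of the entries listed above, with entries whose host was left blank omitted. The macro expansions (DNS = udp and tcp 53, SMTP = tcp 25, Rsync = tcp 873, Ping = ICMP echo-request) follow the macro files Shorewall ships; the addresses 192.0.2.10, 203.0.113.7 and 198.51.100.53 are constructed RFC 5737 documentation addresses standing in for the slice and for arbitrary internet hosts. It ignores interface options, the ESTABLISHED/RELATED sections and rate limits, so it is a sanity check on intent, not a replacement for shorewall check.

```python
"""Toy model of how the rules and policy above decide NEW connections.
Added example for this post, not Shorewall's own code.  First matching line
in RULES wins; otherwise the first matching line in POLICY applies."""
import ipaddress
from dataclasses import dataclass

# Expansions of the macros used above (Shorewall's macro.* files): (proto, dest port).
MACROS = {
    "DNS":   [("udp", 53), ("tcp", 53)],
    "SMTP":  [("tcp", 25)],
    "Rsync": [("tcp", 873)],
    "Ping":  [("icmp", 8)],          # echo-request
}

# Subset of the post's rules file; entries whose host was blank are left out.
RULES = """
SECTION NEW
ACCEPT        net   $FW                 tcp   22    # ssh
ACCEPT        net   $FW                 tcp   80    # http
ACCEPT        net   $FW                 tcp   443   # https
DNS/ACCEPT    $FW   net:63.76.232.182               # dns to slicehost
DNS/ACCEPT    $FW   net:63.99.9.195                 # dns to slicehost
Rsync/ACCEPT  $FW   net:209.59.138.21               # portage rsync mirror
ACCEPT        $FW   net:141.218.143.14  tcp   80    # portage http mirror
"""

# The post's policy file, minus the LOG LEVEL column.
POLICY = """
$FW   net   REJECT
net   all   DROP
all   all   REJECT
"""

@dataclass
class Conn:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int          # destination port, or ICMP type for proto "icmp"

def strip_comment(line):
    return line.split("#", 1)[0].strip()

def parse_endpoint(spec):
    """'net:1.2.3.4' -> ('net', network); '$FW' or 'net' -> (zone, None)."""
    zone, _, host = spec.partition(":")
    zone = "fw" if zone == "$FW" else zone
    return zone, (ipaddress.ip_network(host) if host else None)

def parse_rules(text):
    rules = []
    for line in map(strip_comment, text.splitlines()):
        if not line or line.startswith("SECTION"):
            continue
        fields = line.split()
        action, src, dst = fields[:3]
        if "/" in action:                      # MACRO/ACTION form
            macro, action = action.split("/", 1)
            matches = MACROS[macro]
        else:                                  # explicit PROTO and DEST PORT
            matches = [(fields[3], int(fields[4]))]
        rules.append((action, parse_endpoint(src), parse_endpoint(dst), matches))
    return rules

def parse_policy(text):
    policy = []
    for line in filter(None, map(strip_comment, text.splitlines())):
        src, dst, action = line.split()[:3]
        policy.append((parse_endpoint(src)[0], parse_endpoint(dst)[0], action))
    return policy

def endpoint_matches(endpoint, zone, ip):
    ep_zone, net = endpoint
    return ep_zone == zone and (net is None or ipaddress.ip_address(ip) in net)

def evaluate(conn, rules, policy):
    """Disposition (ACCEPT/REJECT/DROP) for a NEW connection."""
    for action, src, dst, matches in rules:
        if (endpoint_matches(src, conn.src_zone, conn.src_ip)
                and endpoint_matches(dst, conn.dst_zone, conn.dst_ip)
                and (conn.proto, conn.dport) in matches):
            return action
    for src_zone, dst_zone, action in policy:
        if src_zone in (conn.src_zone, "all") and dst_zone in (conn.dst_zone, "all"):
            return action
    raise ValueError("no policy line covers this connection")

RULESET, POLICYSET = parse_rules(RULES), parse_policy(POLICY)

def verdict(src_zone, src_ip, dst_zone, dst_ip, proto, dport):
    return evaluate(Conn(src_zone, src_ip, dst_zone, dst_ip, proto, dport), RULESET, POLICYSET)

if __name__ == "__main__":      # constructed sample traffic, RFC 5737 addresses
    print(verdict("fw", "192.0.2.10", "net", "198.51.100.53", "udp", 53))   # REJECT
    print(verdict("net", "203.0.113.7", "fw", "192.0.2.10", "tcp", 3306))   # DROP
```

Note the asymmetry the policy file creates: a resolver not on the list gets REJECT (the slice sees an immediate ICMP error, which is what you want for your own daemons), while unsolicited inbound traffic gets DROP (the scanner learns nothing). Also note that an allowlisted rsync mirror is only reachable on 873; the same host on port 80 falls through to the REJECT policy, which is exactly the behaviour that makes this allowlist worth the maintenance.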