If IPtables is too daunting for you, then shorewall is probably the easiest way to setup and maintain an iptables based firewall on Linux. Let me go through the basics.

Interfaces & Zones

Shorewall builds some intelligence into your firewall thinking. Networks can be considered as ‘zones’ – i.e. your internet interface (ppp0) could be your ‘web’ zone and your internal network could be considered as your ‘int’ zone. I do not know why shorewall only allows 3 letter zone names… but that is not relevant here.

So –  what I am doing is setting up a basic internet sharing firewall. It has 2 zones (web & int) for WWW and internal network. first thing, setup up your interfaces file:

# vi /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
web     ppp+            -               dhcp,upnp
int     eth0

Here are my 2 zones – my dialup interface (ppp) and my internal network (eth0). The ‘+’ in ppp+ simply means it is a wildcard (ppp0,ppp1…etc). I have specified dhcp in my options to indicate that this interface gets it’s ipaddress dynamically. See man shorewall-interfaces for more information on interfaces.

For this example – /etc/shorewall/zones is very basic. Unless you are doing IPSEC tunnelling or any other fancy stuff, you can input the following:

# vi /etc/shorewall/zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
web     -
int     -

You see that there are three zones in the zones file. The third one is a zone for the firewall itself.

Policies

This is where Shorewall makes some sense over other firewalls. Instead of having millions of rules from one zone to another, you can simply specifiy a policy for communication between entire zones. You need not have a separate rules in addition like some firewalls do – Juniper. Here I have setup two policies that allow the Firewall to get to the other zones:

# vi /etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT CONNECTLIMIT
$FW     web     ACCEPT
$FW     int     ACCEPT

I then want to ensure that the internal zone (int) can get out to the internet (web) and I want to be able to administrate the firewall from my internal zone from any of my internal machines. You may not want the second policy, but I am just putting it in as an example.

int     web    ACCEPT
int     $FW    ACCEPT

I then want to implement a default drop policy for internet traffic (web) to the firewall or my internal network and it’s a good idea to have a reject ALL ALL rule at the end.

web     all     ACCEPT
all     all     ACCEPT

So now you have default policies based on your zones. You do not need to manage individual rules for inter-zone traffic.

Masquarade / NAT

Ok this is the part that makes your internet connection sharing work. Effectively what you want to do is have all your internal machines route through you firewall. To do this, you must NAT your internal traffic to your internet interface on your firewall. Shorewall makes this so simple. One line:

# vi /etc/shorewall/masq
eth0     192.168.2.0/24     detect

Done. Restart the service – /etc/init.d/shorewall restart. You now have internet sharing for your internal network users through your linux firewall.

The last thing that you may want to do is to have traffic from the web reach a particular machine in the network. For example, you may have a web server on your internal network that want to be accessible from the internet – this simple rule will allow traffic to be forwarded from the firewall to the correct machine on the internal network:

# vi /etc/shorewall/rules
DNAT     web     int:192.168.2.100     tcp     80,443

The rule implements allows traffic from the internet (web) to the internal network machine – 192.168.2.100 on tcp ports 80 and 443.

That is really just a basic introduction to shorewall. To see the syntax of any of the shorewall the man pages are accessible as follows:

# man shorewall-rules

Linux Proxy Server Dengan Squid dan ShoreWall

by Anton Picano Sanjay

Lisensi Dokumen:

Copyright © 2005 IlmuKomputer.Com Seluruh dokumen di IlmuKomputer.Com dapat digunakan, dimodifikasi dan disebarkan secara bebas untuk tujuan bukan komersial (nonprofit), dengan syarat tidak menghapus atau merubah atribut penulis dan pernyataan copyright yang disertakan dalam setiap dokumen. Tidak diperbolehkan melakukan penulisan ulang, kecuali mendapatkan ijin terlebih dahulu dari IlmuKomputer.Com.

S Q U I D

Proxy server mempunyai kemampuan untuk menghemat bandwidth, meningkatkan keamanan dan mempercepat proses surfing web. Squid merupakan software proxy yang banyak dipakai dan dapat diperoleh secara gratis. Squid juga dapat digunakan untuk mengendalikan pemakaian bandwidth berdasarkan ekstensi file-file tertentu, menyaring situs-situs yang boleh diakses.

File-file yang dibutuhkan :

• Squid (yang dipakain pada tulisan ini adalah versi squid-2.5.STABLE6.tar.gz), bisa didownload dari http://www.squid-cache.org
• malloc.tar.gz, bisa didownload dari http://www.gnu.org/order/ftp.html

I wanted to configure my home Linux box with vpnc.  I had done this before, but I’ve lost track of the documentation I made at the time.

First, I ran pcf2vpnc on the .pcf configuration file — what an easy way to get the .conf file needed by vpnc!

Then I tried running vpnc.  From the messages it gave, it looked like I was successfully connected… but I couldn’t ping any servers… hmm.

Diagnosing

After a few minutes, it began to dawn on me that I had experienced a very similar issue before, and that time it wasn’t the vpnc configuration.  It was the firewall that was rejecting all traffic from the vpn.

I stopped shorewall and sure enough, I was able to get into the network and ping things.

Solving

I:

1. Added this line to /etc/shorewall/zones:

   vpnc  ipv4
   

2. Added this line to /etc/shorewall/interfaces:

   vpnc  tun0  detect
   

3. Added this line to /etc/shorewall/tunnels, replacing xx.xx.xx.xx with the IP address of my  router:

   generic:udp:500    net  xx.xx.xx.xx
   

4. Finally, I believe I added this fw vpnc ACCEPT line to /etc/shorewall/policy:

   fw      vpnc    ACCEPT
   net     all     DROP    info
   all     all     REJECT  info

   (I believe this line needs to be above the more general net-all-DROP and all-all-REJECT lines, as shown.)

I then restarted shorewall and I was off and running.

Basically I guess we’re telling shorewall to allow all traffic from the firewall to the vpn interface, where by default it would deny such traffic otherwise.  I need to get a deeper understanding of what’s going on here, though.

Thanks to Gary Court and Tobias Weisserth, whose posts were helpful!

What a day to say the least. from a installation of a firewall going ok to a failed vpn setup, shorewall setup, email that worked, didnt work and then worked and then leaving us not sure if it worked, its been one hell of a day…

The afternoon ended with emails being sent and received from one internal account to external and then a reply back. That worked one site and not the other thus leaving me wondering if the vpn is working properly and in turn a sleepless nights.

Saying that the guy from watchguard firewall, which btw we went to because no one in sonicwall ever replies to an email. So if you are reading this sonic wall thats 5 units you lost out on with another 10 on the way.  Anyways watchguard guy was spot on and got things going. Odd thing is that I can ping the router but remote access to it is  no no.  With that being the least of the worries I just want to know the office email works

Site 2 , internal mail to external mail and then a reply from external mail worked
Yet site 1, the main fucking important office can send and not receive.

Who the fuck would use shorewall as a firewall when its got a limited support area and the documentation on a wiki isnt the best.  Still it does work to a point I suppose but you cant beat a product with that pick up and call someone for help ability.

So its another sleepness night not nowing if something is going to work or not. Yes I can roll back to the old hardware and prey a bit that it works leaving me in a situation of having hardware on a site that theres no control over.

On top of all this, pressures from work leading to a massive amount of friction arent helping.

For example, we have a banner on a site that points to a product.  This banner is on over 9000 pages.  THe product was disabled and therefore clicking the banner brings up a this product is out of stock link.  This was the case for over a week. ok the guys are busy so I emailed them to let them know…

No reply
So I email the people who I put the banner up for to email them to say it was down.
They got a reply straight away.  Interesting to say the least dont you think.

Coupled with that its the 1 year anniversary since I split with Kari. Thats not put me in a good mood. Along with her adding me to msn with a fake msn that I know isnt her most logged into one.  One year and the addage of be carefullof what you wih for comes true.  If you wish you were dead its not often smply as that, dead can be dead on the inside, emotionally, little or no desire.

Ack its bed time , theres a direct relationship between being tired and thinking things id rather not,a fter barely eating all day its time to sign off.

Take it easy all

Terusan dari tulisan :

http://bayuart.wordpress.com/2009/06/05/mandriva-2009-1-spring-in-action-d-part-deux/
http://bayu.blitar.org/2009/06/02/warung-internet-1/
http://bayu.blitar.org/2009/06/05/mandriva-20091-spring-in-action-d/

Sekarang kita mo menginjak ke konfigurasi dari mandriva linux yang sebelomnya telah terinstall sebagai gateway server warnet / pc router. Dari tulisan sebelumnya mandriva linux yang digunakan adalah versi mandriva linux 2009.1 spring free edition dual iso serta menggunakan aplikasi server gateway seperti :

• shorewall untuk firewall
• squid untuk layanan proxy
• dhcp-server untuk layanan ip dinamis
• bind untul layanan dns / cache lokal

Shorewall
Shorewall yang merupakan kependekan dari Shoreline Firewal, merupakan firewall yang berbasiskan kepada iptables yang dipermudah dalam penggunaanya, apabila anda telah terbiasa menggunakan iptables maka anda mungkin tidak akan membutuhkan tools semacam ini, shorewall dapat di installasi pada kebanyakan sistem Linux, disini saya menggunakan mandriva linux 2009.1 spring untuk dijadikan sebagai Gateway+Router dan juga transparent proxy, untuk mendapatkan versi terbarunya anda dapat mengunjungi web resmi Shorewall.

The Shoreline Firewall, more commonly known as “Shorewall”, is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter’s ipchains compatibility mode and can thus take advantage of Netfilter’s connection state tracking capabilities… from Shorewall.

Selengkapnya

Assume that you’re running a two interface firewall setup using Shorewall for your institute LAN. Suppose you have an internal webserver that you want to be made visible externally as well. To achieve this, you’d normally do a port forward using DNAT. Although this method gets a FAIL when it comes to security, it’s usually the easiest thing to do. The suggested alternative would obviously be to get an extra NIC and setup a DMZ but anyways I’ll be talking about a two interface setup here. Now this port forwarding thing works fine but what happens when a host in the internal network tries to access this website through the URL? The request will go out of the network, come back in and the response would follow the reverse route and this will take ridiculously long! There are two workarounds for this. The recommended method would be to configure your internal DNS to respond with the internal IP when a DNS query for the webserver’s URL is received. The other method would be to have your gateway masquerade as the internal webserver, which is nothing short of a quick hack and note that this is also rather poor when it comes to security. As per the shorewall website, for a transparent proxy, you’ll need to add the following rules.

Example IP addresses:

Gateway’s external interface (eth0): 210.45.21.55

Gateway’s internal interface (eth1) : 192.168.1.1

Internal Webserver: 192.168.1.10

So here come the rules:

In/etc/shorewall/rules:

REDIRECT        loc     3128    tcp     www     -       !210.45.21.55

DNAT              loc     loc:192.168.1.10      tcp     www     -       210.45.21.55

In/etc/shorewall/masq:

eth1:192.168.1.10        eth1           192.168.1.1      tcp     www

In /etc/shorewall/interfaces, make sure you have the ‘routeback’ option enabled for eth1.

Now here’s the part that you won’t find in the shoerwall documentation. In case you’re migrating to a non-transparent proxy, add the following rule after the above mentioned DNAT.

DNAT    $FW     loc:192.168.1.10:80      tcp     80      -       210.45.21.55

I wrote a bash script to automatically generate Shorewall blacklist from Spamhaus drop list and dshield.org’s block list .

Do not run this script automatically if ssh is the only mean you connect to your server, because you can accidentally blacklist yourself. And you may not run it more often then once per hour due to spamhaus limitation.

#!/bin/sh

echo "#ADDRESS/SUBNET         PROTOCOL        PORT" > /tmp/blacklist
wget  -q -O - http://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print $1 "/24";}' >> /tmp/blacklist
wget -q -O - http://www.spamhaus.org/drop/drop.lasso | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print $1;}' >> /tmp/blacklist
echo "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" >> /tmp/blacklist
mv /tmp/blacklist /etc/shorewall/blacklist

shorewall refresh &>/dev/null

I also use fail2ban to generate dynamic shorewall ban list.

UPDATE: And don’t forget enable blacklist option in /etc/shorewall/shorewall.conf

BLACKLIST_DISPOSITION=DROP

Shorewall… salah satu alternatif firewall yang cukup mudah dibanding dengan iptables. Mudah di gunakan tapi bikin nggak paham bahasanya …hehe…tapi akan saya coba jelaskan konfigurasinya . Di sini, saya install Shorewall di web server

install Shorewall dari apt:

jangan lupa jadi root

 root@chic# apt-get install -y shorewall

Shorewall sudah terinstall, tinggal konfigurasi, sebelum konfigurasinya selesai, shorewall tidak bisa di aktifkan.
Konfigurasi yang di perlukan antara lain:

Mulai konfigurasi…

Untuk konfigurasi tinggal gunakan editor, misalnya medit atau nano atau pico untuk mempermudah daripada pake vi :-p… jadi misalya ketikkan
“mcedit /etc/default/shorewall”
untuk edit konfigurasi di /etc/default/shorewall

konfigurasi di /etc/default/shorewall
cukup ganti :

startup = 0

jadi

startup = 1

agar setiap mesin nyala, shorewall juga ikut aktif.

konfigurasi /etc/shorewall/shorewall.conf
Di konfigurasi ini, isi saja yang diperlukan, yang sebagian sudah terisi biasanya tidak perlu di ubah.

Lengkapnya…

###############################################################################
#		       S T A R T U P   E N A B L E D
###############################################################################
#agar aktif saat startup

STARTUP_ENABLED=YES

###############################################################################
#		              V E R B O S I T Y
###############################################################################
#menampilkan proses

VERBOSITY=1

###############################################################################
#                              C O M P I L E R
#      (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
#karena tidak ada yang perlu di compile, kosongkan saja

SHOREWALL_COMPILER=

###############################################################################
#			       L O G G I N G
###############################################################################
#bagian ini, tidak ada yang diubah, periksa dulu tapinyaaa

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=No

###############################################################################
#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
###############################################################################
#pada bagian ini, yang sebelah kanan setelah "=" berisi letak direktori file
#sebelah kiri yang sudah terisi tidak perlu di ubah, yang belum dan kalo akan
#digunakan cari dulu filenya, kemudian copy paste letak direktorinya.

#IPTABLES kosongkan, karena kita sudah jadikan shorewall sebagai firewall

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=/var/lock/subsys/shorewall

MODULESDIR=/lib/modules/2.6.24-19-server/kernel/net/netfilter

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################
#		D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
#tak perlu ada yang diubah

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################
#ini juga... biarkan

RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################
#			F I R E W A L L	  O P T I O N S
###############################################################################
# konfigurasi yang biasanya digunakan...

IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=No

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=Yes

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=1

EXPORTPARAMS=No

###############################################################################
#			P A C K E T   D I S P O S I T I O N
###############################################################################
#yang ini juga nggak perlu ada yang diubah

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE

konfigurasi /etc/shorewall/policy
Bagian ini bersifat umum, berlaku unruk keseluruhan.

#pada baris pertama berarti dari firewall atau dari net yang berarti dari
#server kita menuju keluar atau ke net di ACCEPT semua... masa di larang!?

#pada baris kedua yang masuk dari net ke firewall kita di DROP semua

#pada baris ketiga saya tambahkan agar jika dari jaringan masuk ke server kita
#DROP dulu semuanya
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
$FW		net		ACCEPT
net		$FW		DROP		info
net		all		DROP		info
# The FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

konfigurasi /etc/shorewall/rules
Bagian ini merupakan pengecualian dari kongigurasi policy

#######################################################################################
#ACTION	   SOURCE    DEST          PROTO     DEST	SOURCE
ORIGINAL   RATE	    USER/  MARK
#					     PORT       PORT(S)
DEST	   LIMIT     GROUP

# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping/ACCEPT	net		$FW

# Permit all ICMP traffic FROM the firewall TO the net zone

#pada baris pertama berarti membolehkan semua dari server keluar atau ke net melalui icmp
#biar bisa ssh,treceroute,...etc kemana-manaaa

#pada baris kedua berarti kita membolehkan user dari net melakukan koneksi melalui tcp
#tepatnya port 22 ya... biar server kita bisa di kendalikan dengan ssh dari komp lain,
#setujui saja 

#pada baris ketiga berarti memperbolehkan server kita diakses lewat browser, yaitu port 80
#karena kebetulan firewall saya pasang di webserver^^

ACCEPT		$FW		net		icmp
ACCEPT		net		$FW		tcp       22
ACCEPT          all             $FW             tcp       80

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

konfigurasi /etc/shorewall/interfaces

#hmmm... yang ini nggak perlu ada yang diubah
###############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Beuh.. beres juga, tinggal aktifkan Shorewallnya

root@chic# /etc/init.d/shorewall start

Semoga berguna… trim’s

Per la serie post di utilità prima di tutto per la mia sempre più fallace memoria , e poi forse anche per qualcuno in cerca di una soluzione di routing per un setup simile.

Problema : Predisporre la connettività per un centro servizi da 10 uffici

Soluzione : un server Linux , uno switch managed layer 2 da 16 porte, 11 switch unmanaged da 6 porte , due router adsl alice business .

L’articolo è un pippone tecnico parecchio lungo , quindi se proprio ti interessa puoi continuare la lettura

Graficamente possiamo riassumere come segue :

Cliccare per ingrandire:

Per poter garantire l’isolamento di ogni ufficio abbiamo la necessità di assegnare ad ogni nodo un network da instradare poi all’interno del nostro router.

Prendiamo per prima cosa in esame come operare a livello server linux e switch managed layer 2.

Per un compito del genere non era possibile inserire nel server firewall tante schede di rete per quante reti c’era bisogno , per un evidente motivo di spazio e slot PCI disponibili. La tecnologia VLAN ci è venuta incontro per accompiere a questo scopo.

Grazie a VLAN una singola interfaccia fisica ethernet puo’ avere fino a 4096 interfacce virtuali con il loro indirizzo IP univoco e separate in network diversi eventualmente routabili tramite il nostro server linux.

Per implementare VLAN in Ubuntu i pacchetti necessari sono disponibili con il semplice comando

aptitude install vlan

Come secondo passo occorre definire gli indirizzi ip da assegnare ad ogni VLAN. Io avevo bisogno di 10 indirizzi di rete ed ho scelto blocchi in classe B editando il file /etc/network/interface come segue

auto lo
iface lo inet loopback

#eth0 è il primo gateway WAN
auto eth0
iface eth0 inet static
address 192.168.50.2
netmask 255.255.255.0
broadcast 192.168.50.255

gateway 192.168.50.1

#eth1 è il secondo gateway WAN
auto eth1
iface eth1 inet static
address 192.168.51.2
netmask 255.255.255.0
broadcast 192.168.51.255

#eth2 è l'interfaccia che ospiterà le nostre VLAN

auto eth2
iface eth2 inet static
address 172.16.0.1
netmask 255.255.255.0
broadcast 172.16.0.255

#qui comincia la definizione delle VLAN

auto vlan2
auto vlan3
auto vlan4
auto vlan5
auto vlan6
auto vlan7
auto vlan8
auto vlan9
auto vlan10
auto vlan11

#VLAN2
iface vlan2 inet static
address 172.16.1.1
netmask 255.255.255.0
broadcast 172.16.1.255
vlan_raw_device eth2

#VLAN3
iface vlan3 inet static
address 172.16.2.1
netmask 255.255.255.0
broadcast 172.16.2.255
vlan_raw_device eth2

#VLAN4
iface vlan4 inet static
address 172.16.3.1
netmask 255.255.255.0
broadcast 172.16.3.255
vlan_raw_device eth2

#VLAN5
iface vlan5 inet static
address 172.16.4.1
netmask 255.255.255.0
broadcast 172.16.4.255
vlan_raw_device eth2

#VLAN6
iface vlan6 inet static
address 172.16.5.1
netmask 255.255.255.0
broadcast 172.16.5.255
vlan_raw_device eth2

#VLAN7
iface vlan7 inet static
address 172.16.6.1
netmask 255.255.255.0
broadcast 172.16.6.255
vlan_raw_device eth2

#VLAN8
iface vlan8 inet static
address 172.16.7.1
netmask 255.255.255.0
broadcast 172.16.7.255
vlan_raw_device eth2

#VLAN9
iface vlan9 inet static
address 172.16.8.1
netmask 255.255.255.0
broadcast 172.16.8.255
vlan_raw_device eth2

#VLAN10
iface vlan10 inet static
address 172.16.9.1
netmask 255.255.255.0
broadcast 172.16.9.255
vlan_raw_device eth2

#VLAN11
iface vlan11 inet static
address 172.16.10.1
netmask 255.255.255.0
broadcast 172.16.10.255
vlan_raw_device eth2 

Non rimane a questo punto altro che far ripartire la rete con /etc/init.d/networking restart.
Se tutto è andato per il verso giusto , dovremmo avere una configurazione di rete con ben 10 interfacce virtuali vlanX e tre interfacce fisiche ethX ognuna appartenente alla sua rete ed isolata dalle altre.

Per distribuire queste reti appena create abbiamo bisogno di uno switch managed Layer 2 e N-switch unmanaged per quante reti necessitiamo.

Nel particolare esempio di sopra io ho troncato sullo switch le porte dalla 1 alla 10 marcandole UNTAGGED nei parametri “ports to vlan” , mode=general , admit-all e con PVID della VLAN di appartenenza . Sull’ultima porta dello switch , fisicamente collegata alla eth2 , ho settato mode=general , admit-all e PVID 1 ; la marcatura “ports to VLAN” impostata su TAGGED .

Questo passaggio è un po’ criptico , me ne rendo conto , e per questo inserisco alcuni screenshot relativi allo switch Linksys SRW2016. E’ ovvio che lo stesso setup puo’ essere fatto con un qualsiasi altro Layer2 managed .

Ora abbiamo bisogno di un po’ di sano dhcp e delle buone regole di iptables.

Cominciamo con il dhcp. La scelta è ricaduta su dhcp3-server che nella nostra ubuntu server e lontana giusto un

aptitude install dhcp3-server

Il file di configurazione usato è il seguente

ddns-update-style none;
default-lease-time 86400;
max-lease-time 86400;

subnet 172.16.1.0 netmask 255.255.255.0 {
range 172.16.1.100 172.16.1.150;
option routers 172.16.1.1;
option domain-name-servers 172.16.1.1;
interface vlan2;
}

subnet 172.16.2.0 netmask 255.255.255.0 {
range 172.16.2.100 172.16.2.150;
option routers 172.16.2.1;
option domain-name-servers 172.16.2.1;
interface vlan3;
}

subnet 172.16.3.0 netmask 255.255.255.0 {
range 172.16.3.100 172.16.3.150;
option routers 172.16.3.1;
option domain-name-servers 172.16.3.1;
interface vlan4;
}

subnet 172.16.4.0 netmask 255.255.255.0 {
range 172.16.4.100 172.16.4.150;
option routers 172.16.4.1;
option domain-name-servers 172.16.4.1;
interface vlan5;
}

subnet 172.16.5.0 netmask 255.255.255.0 {
range 172.16.5.100 172.16.5.150;
option routers 172.16.5.1;
option domain-name-servers 172.16.5.1;
interface vlan6;
}

subnet 172.16.6.0 netmask 255.255.255.0 {
range 172.16.6.100 172.16.6.150;
option routers 172.16.6.1;
option domain-name-servers 172.16.6.1;
interface vlan7;
}
subnet 172.16.7.0 netmask 255.255.255.0 {
range 172.16.7.100 172.16.7.150;
option routers 172.16.7.1;
option domain-name-servers 172.16.7.1;
interface vlan8;
}

subnet 172.16.8.0 netmask 255.255.255.0 {
range 172.16.8.100 172.16.8.150;
option routers 172.16.8.1;
option domain-name-servers 172.16.8.1;
interface vlan9;
}

subnet 172.16.9.0 netmask 255.255.255.0 {
range 172.16.9.100 172.16.9.150;
option routers 172.16.9.1;
option domain-name-servers 172.16.9.1;
interface vlan10;
}

subnet 172.16.10.0 netmask 255.255.255.0 {
range 172.16.10.100 172.16.10.150;
option routers 172.16.10.1;
option domain-name-servers 172.16.10.1;
interface vlan11;
}

A questo punto , dopo aver dato un /etc/init.d/dhcp3-server restart potete cominciare a divertirvi a giocare al telefonista anni 30 , inserendo e disinserendo lo spinotto di rete nelle varie porte dello switch e vedere il vostro computer cambiare ogni volta indirizzo IP . Io mi sono entusiasmato , ma si sa sono un inguaribile nerd.

Passiamo alle regole di iptables. Come per ogni altro lavoro , io mi affido all’ottimo frontend offerto da shorewall . Vediamo di seguito come procedere per garantire :

1. Connettività internet con due adsl e tramite transparent proxy
2. Isolamento delle vlan tra di loro e verso il proxy

Come detto sopra il nostro link verso internet è fornito da due adsl , di telecom nello specifico , quindi dopo aver cambiato gli indirizzi ip dei due router in 192.168.50.1 e 192.168.51.1 cominciamo ad editare il primo file di configurazione di shorewall: providers.

alice1    1       1       main            eth0            192.168.50.1  track,balance
alice2    2      2       main            eth1            192.168.51.1  track,balance

Con questo semplice script abbiamo detto di inserire nella tabella di routing un round robbing robin verso la WAN.

Ora definiamo le zone del nostro firewall editando il file zones

fw      firewall
net     ipv4
loc     ipv4
vlan2   ipv4
vlan3   ipv4
vlan4   ipv4
vlan5   ipv4
vlan6   ipv4
vlan7   ipv4
vlan8   ipv4
vlan9   ipv4
vln10   ipv4
vln11   ipv4

Da notare che a shorewall non piacciono le zone definite con più di 5 caratteri , quindi VLAN11 diventa VLN11

Il prossimo file è interfaces

net     eth0    detect
net     eth1    detect
loc     eth2    detect  dhcp
vlan2   vlan2   detect  dhcp
vlan3   vlan3   detect  dhcp
vlan4   vlan4   detect  dhcp
vlan5   vlan5   detect  dhcp
vlan6   vlan6   detect  dhcp
vlan7   vlan7   detect  dhcp
vlan8   vlan8   detect  dhcp
vlan9   vlan9   detect  dhcp
vln10   vlan10  detect  dhcp
vln11   vlan11  detect  dhcp

Eth0 e eth1 sono le nostre interfacce wan , eth2 è la nostra interfaccia locale a cui sono attestate tutte le vlan

Ora un po di sano masquerading tramite l’editing del file masq

eth0   192.168.51.2    192.168.50.2
eth1   192.168.50.2   192.168.51.2
eth0  eth2  192.168.50.2
eth1  eth2  192.168.51.2
eth2    vlan2
eth0    vlan2  192.168.50.2
eth1   vlan2    192.168.51.2
eth0    vlan3  192.168.50.2
eth1    vlan3   192.168.51.2
eth0    vlan4  192.168.50.2
eth1    vlan4   192.168.51.2
eth0    vlan5  192.168.50.2
eth1    vlan5   192.168.51.2
eth0    vlan6  192.168.50.2
eth1    vlan6   192.168.51.2
eth0    vlan7  192.168.50.2
eth1    vlan7   192.168.51.2
eth0    vlan8  192.168.50.2
eth1   vlan8    192.168.51.2
eth0    vlan9  192.168.50.2
eth1   vlan9    192.168.51.2
eth0    vlan10  192.168.50.2
eth1   vlan10   192.168.51.2
eth0    vlan11  192.168.50.2
eth1   vlan11    192.168.51.2

Già a questo punto le regole di masquerading permetterebbero il corretto funzionamento delle reti verso internet. Ma noi vogliamo un isolamento tra le reti a livello lan e soprattutto un filtraggio tramite proxy trasparente con controllo dei contenuti tramite dansguardian.

Mettiamo ora mano al file policy

net     net     DROP
vlan2   loc     ACCEPT
loc     vlan2   ACCEPT
$FW     loc     ACCEPT
vlan2   $FW     ACCEPT
$FW     vlan2   ACCEPT
loc     $FW     ACCEPT
loc     net     ACCEPT
$FW     net     ACCEPT
all     all     REJECT  info

Come possiamo vedere da queste regole solo la vlan2 ha accesso sia alla zona net ed al firewall , in quanto vlan2 verrà assegnata agli amministratori del centro uffici. La regola all all REJECT , posta come ultima della catena , impedisce qualsiasi connessione non indicata sopra.

Il prossimo file da editare è rules

ACCEPT  net     fw      tcp     1022
ACCEPT  loc     vlan2   tcp     135,139
ACCEPT  loc     vlan2   icmp    8
ACCEPT  vlan2   fw      tcp     1:65500
ACCEPT  vlan2   fw      udp     1:65500
ACCEPT  vlan2   net     tcp     1:65500
ACCEPT  vlan2   net     udp     1:65500
ACCEPT  vlan3   fw      tcp     8080
ACCEPT  vlan3   fw      udp     53
ACCEPT  vlan3   net     tcp     443
ACCEPT  vlan4   fw      tcp     8080
ACCEPT  vlan4   fw      udp     53
ACCEPT  vlan4   net     tcp     443
ACCEPT  vlan5   fw      tcp     8080
ACCEPT  vlan5   fw      udp     53
ACCEPT  vlan5   net     tcp     443
ACCEPT  vlan6   fw      tcp     8080
ACCEPT  vlan6   fw      udp     53
ACCEPT  vlan6   net     tcp     443
ACCEPT  vlan7   fw      tcp     8080
ACCEPT  vlan7   fw      udp     53
ACCEPT  vlan7   net     tcp     443
ACCEPT  vlan8   fw      tcp     8080
ACCEPT  vlan8   fw      udp     53
ACCEPT  vlan8   net     tcp     443
ACCEPT  vlan9   fw      tcp     8080
ACCEPT  vlan9   fw      udp     53
ACCEPT  vlan9   net     tcp     443
ACCEPT  vln10   fw      tcp     8080
ACCEPT  vln10   fw      udp     53
ACCEPT  vln10   net     tcp     443
ACCEPT  vln11   fw      tcp     8080
ACCEPT  vln11   fw      udp     53
ACCEPT  vln11   net     tcp     443
REDIRECT  vlan3    8080     tcp      www
REDIRECT  vlan4    8080     tcp      www
REDIRECT  vlan5    8080     tcp      www
REDIRECT  vlan6    8080     tcp      www
REDIRECT  vlan7    8080     tcp      www
REDIRECT  vlan8    8080     tcp      www
REDIRECT  vlan9    8080     tcp      www
REDIRECT  vln10   8080      tcp      www
REDIRECT  vln11   8080     tcp       www
ACCEPT    $FW        net      tcp      www

Vlan2 pieno accesso a internet e al firewall tutte le altre hanno accesso solo alla porta 8080 tcp del firewall , alla porta 53 udp sempre del firewall e alla porta 443 verso internet. Sulla porta 8080 TCP nel firewall rimane in ascolto Dansguardian che provvede poi a rigirare le richieste a squid sulla porta 3128 . Non mi dilungherò sul setup di questi due programmi .  La porta 53 UDP è aperta per le risoluzioni dei nomi e la 443 TCP per le connessioni in ssl , che non possono essere gestite da un transparent proxy.

Abbiamo finito . Con un shorewall restart ricostruimo la nostra catena di iptables e tutto dovrebbe funzionare.

Questa è una configurazione statica che però male si addice ad un centro uffici , dove le stanze vengono affittate per soli due giorni e quindi scaduti i termini la connessione verso internet  deve cadere.

Io ho pensato e realizzato un accrocchio per segare le rotte delle vlan degli uffici in affitto , tramite un’estensione del programma gestionale che gira sulla rete dell’amministrazione.

Con una aggiunta al suo programma di contabilità , Mirko ha approntato uno schedulatore che a seconda delle prenotazioni invia in ssh al server i seguenti comandi :

ip ro del 172.16.2.0/24

Quando deve tirare giù la vlan e

ip ro add 172.16.2.0/24 dev vlan3 

Se dobbiamo riattivare la vlan .

Attualmente il centro servizi è gia in produzione con questo setup . Prossime implementazioni saranno una rete wireless con captive portal e un sistema di stampe centralizzate con credito prepagato a scalare.

I have in one of my machines a pretty annoying situation related to the fact if the UBUNTU based firewall reboot’s, the firewall doesn’t start automatically…

This is pretty annoying because it means that after a power failure, there is a need for manual intervention to restore exterior access trough the firewall to internal servers.

The solution?

Well I’ve made a bash script, named resetfw.sh that checks the server uptime and if it falls bellow a threshold of 10 minutes, it restarts the firewall:

DAYS=`uptime | cut -d ‘ ‘  -f   4`
HOURS=`uptime | cut -d ‘ ‘  -f   6`
HOUR=`echo $HOURS | cut -d ‘:’ -f   1`
MIN_NP=`echo $HOURS | cut -d ‘:’ -f   2`
MIN=`echo $MIN_NP | cut -c 1-2`

if [ $DAYS = "0" ]; then

if [ $HOUR = "0" ]; then

if [ $MIN -lt "10" ]; then

/etc/init.d/shorewall stop
/etc/init.d/shorewall start
/etc/init.d/shorewall stop
/etc/init.d/shorewall restart

logger “Firewall reset due to reboot: Uptime on action: $DAYS days, $HOUR:$MIN”
fi
fi

fi

Then all we have to due is to run this script periodically through the crontab:

*/5 * * * * /root/resetfw.sh

Bila Anda punya 2 jalur internet, misalkan yang satu speedy satunya FO dari astinet, maka Anda dapat menggabungkannya sehingga jadi user dapat memilih saluran mana yg mau dikoneksikan ke internet. Caranya adalah menggunakan Load Balancing di Linux dengan Shorewall atau kalau anda pakai Mikrotik bisa dilakukan dengan mudah. Cara kerjanya umpama adalah ada ISP1 dan ISP2, ISP1 sebagai ISP primer sehingga nantu kalau ISP1 sudah Overload maka akan secar otomatis di Pindah jalur internetnya ke ISP 2
begitu terus menerus.

referensi
Shorewall.net
Mikrotik.co.id

————

sumber: agungsulistyo.wordpress.com

langsung aja, meskipun ini topik lama, yang penting tetep bisa kepake. kenapa ko di bilang lama ? ya karena tulisan-tulisan sebelome emang udah di buat. ya disini juga si. nanti daftare tak liate lagi, kebanyakan pake istilah linux internet connection sharing. ini cuman iseng aja. back to easy with mandriva linux

ok untuk masalah instal dari awal or dari live cd mandriva semuane boleh dilakukan. asal ya jangan instal windows aja. windows xp jangan, apalagi windows vista. jadi jangan pake windows lah. la wong ini tulisan buat yang pake linux kok, khususnya mandriva linux :p

setelah tahapan instalasi dari live cd or installer cd selesai boleh pake mode GUI (grafik) or text. langsung aja edit file /etc/inittab (sori pake cara console).

kalo dari GUI jalankan kan / masuk ke mode teks. masuk ke root pake su trus langsung edit

vim /etc/inittab

cari baris yang isinya kaya ini

id:5:initdefault:

init 5 seperti keterangan diatasnya adalah mode default ke GUI. jadi disini rencana buat server warnet yang text mode aja. so ganti nilai 5 dengan 3, jadi seperti ini

id:3:initdefault:

kemudian simpan dengan menekan tombol ESC (2x) trus tekan tombol “:” (titik dua, dengan cara tekan tombol shift dan titik dua), trus ketik “wq” tanpa tanda petik.

ok selesai buat bikin tu mandriva pas pertama booting langsung masuk mode text. itu cara manual. kalo kepengen pake cara otomatis begini: masuk ke root, kemudian jalankan perintah mcc (mandriva control center)

[root@localhost box]# mcc

di menu tu pake tombol tab buat mindah ke bagian, dan tanda panah kursor buat naik turinin pilihan.

di menu MCC, kemudian tekan tab, trus pilih menu Display, kalo menu Display udah kesorot pake kursor, trus tekan tab lagi pilih OK.

sekarang udah masuk ke menu Display, langsung aja pilih menu Option, trus tekan enter. di menu Option ada pilihan Graphical interface at startup, tuh dipilih bawahnya. dan tanda centangnya di ilangin aja pake tombol space. abis tu ya pilik OK lah. trus Quit.

hasilnya sama aja dengan mengedit file /etc/inittab secara manual.

bersambung dulu ya… udah laper nie. mo sarapan dulu…

Bawaan Mandriva Spring 2008.1 pake shorewall versi 4.0.9, dan hasil dari proses menu wizard Internet Connection Sharing nya Mandriva Control Center or mcc kaya ini :

cat /etc/shorewall/rules.drakx

ACCEPT+ fw      net     tcp     http    -       -       -       squid
REDIRECT        fw      3128    tcp     http    -
REDIRECT        loc     3128    tcp     http    -

untuk step by step nya ICS dari MCC bisa di cek di sini

http://picasaweb.google.com/bayuart/MandrivaInternetConnectionSharing

meskipun pake PCLinuxOS mode grafik, mode teks nya gak jauh beda. so pelajari aja.

dan hasil squid.conf nya bisa di cek disini :

http://bayu.blitar.org/2008/09/30/contoh-squidconf/

untuk DNS dan dhcp silahkan liat  langsung disistem nya

Ééééé.. nesse sábado passado dei inicio a mais uma de minhas “proezas”. Um server Debian 4.0 Etch.. =D

A idéia é rodar um server Web com aplicativo em Python (usando Django) e MySQL no qual será minha futura forma de renda.. =D

O server já está no ar, com SSH, OpenVPN, Shorewall, Samba, Python, Django, MySQL, Apache2 e No-IP.

Por enquanto não irei divulgar o endereço nem a idéia do aplicativo, mas assim que estiver tomando forma aqui será o primeiro lugar.. =D

abraços!

OK, I’m not entirely sure how useful this is, but since I know that I only want to give SSH access to my home box from one external box (with a fixed IP address), I might as well configure it to accept only connections from that machine.

It is my machine at work, which I trust to be parasite-free. I would never SSH in from just a random box – what use is a secure shell if you don’t trust the end-point you’re using? So anyway, I thought I’d make some nice shorewall rules. Accepting SSH connections only from one address and dropping requests from any other addresses doesn’t necessarily make things more secure, but at the very least it saves some log output.

Given the setup of the home network, it turned out that I in fact needed two rules (it took a few minutes before I got my head around that). The box that runs shorewall also acts as a wireless access point, using IP masquerading (set up through /etc/shorewall/masq) to share the wired connection. I already had these policies set up in /etc/shorewall/policy:

#SOURCE         DEST            POLICY          LOG LEVEL
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info

which I think is pretty much standard (note: I’m leaving out empty columns at the end). Now, I needed a rule in /etc/shorewall/rules to make an exception from these default policies:

#ACTION         SOURCE                DEST                  PROTO   DEST
#                                                                   PORT
ACCEPT          net:XXX.XXX.XXX.XXX   $FW                   tcp     ssh

where XXX is the IP address of the machine at work. Now, that (somewhat to my surprise) didn’t quite work. I could now see my home machine from the work machine (i.e. the SSH request was rejected rather than dropped), but I wasn’t allowed in. The reason is of course that when you use IP masquerading, the system needs to know where to route incoming connections to. So a second rule in /etc/shorewall/rules was needed:

DNAT            net:XXX.XXX.XXX.XXX   loc:YYY.YYY.YYY.YYY   tcp     ssh

…and that fixed it. Maybe I could have even more fun if I selected the incoming connections by MAC-address (through /etc/shorewall/maclist), but that’s for another day. The coolest thing: to get this going I didn’t need to refer to any documentation other than the examples at the top of the configuration files. Now that is good documentation.

speedol1 :

IP Modem 192.168.1.254 netmask 255.255.255.0 (masih standar pabrik, pake modem billion)

speedol2 :

IP Modem 192.168.3.254 netmask 255.255.255.0 (bawaan pabrik udah di ganti)

Mandriva Spring 2008 pake 3 NIC / Ethernet card, di Pentium-IV HDD 40GB RAM 1Gb

eth0 : 192.168.1.253 netmask 255.255.255.0

eth1: 192.168.3.253 netmask 255.255.255.0

eth2: 192.168.2.1 netmask 255.255.255.224

selengkapnya …

postfix+dovecot howto for an small mail server (router too)

our aging rh9 mail server started to show it’s caps age and started to fail (p3@350Mhz with 256M ram and 2G hdd)
on each day (hw errors) so we are switching to an more modern ubuntu gutsy on an
p4@1.6Ghz (712M ram) and 40G WD drive

Old config was sendmail+pop3+shorewall
The new config is postfix+dovecot+shorewall
Here is the guides i followed
https://help.ubuntu.com/community/Postfix
https://help.ubuntu.com/community/Dovecot
http://www.shorewall.net/two-interface.htm

ps: some of the hw errors we had in the logs

WARNING:  Kernel Errors Present  hda: task_no_data_intr: error=0x04 { DriveStat...:  2Time(s)  hda: task_no_data_intr: status=0x51 { DriveReady SeekComplete Error }...:  2Time(s)

(last update : Aug 31, 2006 7.30pm GMT +8)

Actually, this post is not totally all about shorewall, it applied to other iptables-based firewall as well. If you build your own iptables script, then this article might help too. By default, most of the iptables logs will be logged into /var/log/messages file by syslogd. The downside of this is that it will messed up with other daemon’s and systemlogs files as well. For example, if im to find some logs files other than iptables logs, i`ll need to search through the entire big log file(if you did not limit the number of logs per minute, that will make your life even more terrible ) and this wastes time. Checkout the below screenshot for an example:-

A messy /var/log/messages file with iptables logfiles and other systems log.

To make things much more simpler, Shorewall is able to support ulogd.Ulogd, as described at Netfilter website, is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting purpose as well as per-flow logging. To make life more easier and simpler, all iptables logs will be directed to user-specified logfile without interfering syslogd at all. So, here’s my little basic notes about setting up ulogd with Shorewall firewall kit.

Note that this tutorial is conducted on Slackware 10.2 linux with stock kernel, iptables version 1.3.3, Shorewall v3.2.2 and ulogd 1.2.4.

1) Your linux distro kernel should includes ulog target support by default unless you are using old distro though. So, there is no need to recompile your kernel. Simply obtain the latest ulogd from Netfilter website. The latest version is 1.2.4
2) As usual, compile it as root :-

./configure && make && make install

If you did not change anything during ./configure, ulogd binary should go to /usr/local/sbin/ and the config file will located at /usr/local/etc/ulogd.conf. By the way, there’s a support for MYSQL. If this is the case, you need to initiate ./configure –with-mysql

3) Configure ulogd.conf. There is nothing much to change actually. Maybe you might like to see other output of iptables log instead of old-style syslog output. Look under the “output plugins” section to change your favourite output format.
4) Next step, change the Shorewall’s target log into ULOG inside your /etc/shorewall folder. For me, i will have a look inside the “policy” and “rules” files and change the existings “:info” to “:ULOG”. For example :-

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL

DROP:ULOG loc inet tcp 80,21,6667:7000
The ULOG must be in all CAPITAL LETTERS.

5) Finally, run the ulogd command as root at /usr/local/sbin/ulogd -d. It would be more convenient if you could figure a way out to automatically run it during your linux box startup. For slackware, create and edit the /etc/rc.d/rc.ulogd and simply enter the following lines :-

#!/bin/sh
# Start/stop/restart ulogd.

# Start ulogd:
ulogd_start() {
if [ -x /usr/local/sbin/ulogd ]; then
echo “Starting ulogd daemon: /usr/local/sbin/ulogd -d”
/usr/local/sbin/ulogd -d
fi
}

# Stop ulogd:
ulogd_stop() {
killall ulogd
}

# Restart ulogd:
ulogd_restart() {
ulogd_stop
sleep 1
ulogd_start
}

case “$1″ in
’start’)
ulogd_start
;;
’stop’)
ulogd_stop
;;
‘restart’)
ulogd_restart
;;
*)

and also, edit the /etc/rc.rd/rc.M file(add the entry which is in bold fonts) :-
# Start the system logger.
if [ -x /etc/rc.d/rc.syslog -a -x /usr/sbin/syslogd -a -d /var/log ]; then
. /etc/rc.d/rc.syslog start
fi

# Start the ulogd logger.
if [ -x /etc/rc.d/rc.ulogd ]; then
. /etc/rc.d/rc.ulogd start
fi

So..there you go, the ulogd daemon shall be started automatically before shorewall is loaded and all the shorewall logs(except shorewall initialization logs, which still will be logged at /var/log/messages) should go to the ulogd’s file which is mentioned at ulogd.conf.  As a side note, you might want to include it into your logrotate by editing /etc/logrotate.d/syslog :-

/var/log/shorewall.log  {
compress
daily
rotate 4
create
postrotate
/etc/rc.d/rc.ulogd restart 2>/dev/null
endscript
}

If you have any question,feel free to comment me then..