By request: Shorewall on the B3
Posted: 24 Feb 2012, 14:48
First a statement: Shorewall is not a firewall in itself. It is a set of scripts that compile the configuration files you write into iptables rules; the actual packet filtering is still done by netfilter/iptables in the kernel.

Now that we have that sorted out, let's start with some safety measures. Since we're about to do funny stuff with iptables and there's no console on the B3, we want to be able to revert in case we lock ourselves out. The problem with the standard firewall script on the B3 is that at shutdown it saves whatever we did wrong and re-enables that when booting. That's not what we want, so let's alter the bubba-firewall script first. Take whatever editor you favour (that would be nano for everyone under 60 years old) and open the file /etc/init.d/bubba-firewall. Find the iptables-save line and comment it out by placing a hash sign (#) in front of it, as shown below:

    stop|restart|force-reload)
        log_action_begin_msg "Saving firewall"
        # iptables-save > /etc/network/firewall.conf
        log_action_end_msg $?

With that line disabled, a reboot restores the last known-good ruleset from /etc/network/firewall.conf instead of whatever locked you out. Two further safety nets worth knowing about once Shorewall is installed: 'shorewall check' compiles the configuration without loading it, and 'shorewall safe-start' (or 'safe-restart') loads the new rules, asks you to confirm that you can still reach the box, and reverts automatically if you don't answer within the timeout.

Next step is to actually go and get Shorewall:

    apt-get install shorewall

Bear in mind that you now have two init scripts that load iptables rules at boot, bubba-firewall and shorewall. Once Shorewall is doing the work, one of them has to give way, otherwise whichever runs last wins.

Debian is somewhat particular in this: if you look at the Shorewall config folder (/etc/shorewall) it's practically empty, while a regular (upstream) install will have some 30 files in there. Opinions may vary, but I think it makes things more complicated (seeing a file name may hint at what it does, but trying to re-"invent" the file name for something you want will prove difficult). The package does provide some examples though, which you'll find at /usr/share/doc/shorewall/examples. Since we're logically running a two-interface setup (eth0 towards the internet, the LAN on the other side), let's go with the two-interfaces example and copy its contents to /etc/shorewall.

You'll find six files of interest there; the three that matter for the basic setup are covered below.

Zones:

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4

This is perfectly fine for what we want, so don't change it: 'fw' is the B3 itself, 'net' is the internet side and 'loc' is the LAN.

Interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
    loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

If you have a non-WiFi B3 that will be okay, but let's assume not. On a WiFi B3 the wired LAN port and the wireless interface are bridged into br0, so that is the interface the 'loc' zone has to be attached to (there are also some deprecated options listed in this example):

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp
    loc     br0         detect      routeback

As you can see I dropped most of the options and added a new one. I kept 'dhcp' because it adds rules for eth0 to receive DHCP messages (this is actually a flaw in the standard bubba-firewall); 'routeback' is required to allow traffic between the wired network and the wireless interface. (In Shorewall's terms, 'routeback' makes it set up handling for packets that arrive on an interface and are routed back out the same interface, which is exactly what wired-to-wireless traffic across the br0 bridge does.)

Policy:

    #SOURCE     DEST    POLICY      LOG LEVEL   LIMIT:BURST
    loc         net     ACCEPT
    net         all     DROP        info
    # THE FOLLOWING POLICY MUST BE LAST
    all         all     REJECT      info

Now the object is that we want to start by copying the default Bubba behaviour, so we're definitely going to want to add a policy:

    #SOURCE     DEST    POLICY      LOG LEVEL   LIMIT:BURST
    loc         net     ACCEPT
    loc         $FW     ACCEPT
    net         all     DROP        info
    # THE FOLLOWING POLICY MUST BE LAST
    all         all     REJECT      info

Note the variable '$FW': this is an auto-assigned variable that holds whatever name you specified in the 'zones' file for the firewall zone (here 'fw'). The additional line instructs Shorewall to write a policy rule that accepts any traffic coming from the 'loc' zone (i.e. the LAN) and destined for the B3 itself. You may consider it equivalent to the standard bubba-firewall rule

    -A INPUT -i br0 -j ACCEPT

which means, exactly like the stock setup, that every host on the LAN may reach every service on the B3. If you want less than that, drop this policy later and allow individual services in the 'rules' file instead. Policies are matched in order, first hit wins, so the catch-all 'all all REJECT' really must stay the last line.

I'll continue later....
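As an added example (not part of the original post, and not Excito's or Shorewall's own code), here is a small POSIX shell script that writes the three files above (zones, interfaces, policy) into a directory of your choice and performs two sanity checks before you hand the result to 'shorewall check': that the catch-all 'all all REJECT' policy really is the last active entry, and that every zone named in interfaces and policy is declared in zones. The file contents are those from the post; the target directory, the helper function names and the checks themselves are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: stage the three Shorewall files
# described there and sanity-check them before 'shorewall check'.
# Assumed (not in the post): the target directory is a parameter so you can
# stage under /tmp instead of writing straight to /etc/shorewall, and the
# function names below are mine.

# Write the two-interface configuration from the post. The heredocs are
# quoted so that '$FW' stays literal for Shorewall to expand, not the shell.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     br0         detect      routeback
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     $FW     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
EOF
}

# Print a Shorewall file with comment and blank lines stripped.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Succeed only if the final active policy entry is the catch-all
# 'all all REJECT'. Policies are matched first-hit, so anything placed
# after it is never reached, and anything replacing it as the last line
# silently changes what happens to unmatched traffic.
policy_catchall_is_last() {
    last=$(active_lines "$1/policy" | tail -n 1)
    set -- $last
    [ "$1" = all ] && [ "$2" = all ] && [ "$3" = REJECT ]
}

# Succeed only if every zone named in interfaces and policy is declared
# in zones. 'all' and '$FW' are Shorewall keywords, not zone names, so
# they are skipped. A typo such as 'lan' for 'loc' would make
# 'shorewall check' fail later; this names the culprit up front.
zones_are_declared() {
    dir="$1"
    declared=$(active_lines "$dir/zones" | awk '{ print $1 }')
    used=$( { active_lines "$dir/interfaces" | awk '{ print $1 }'
              active_lines "$dir/policy" | awk '{ print $1; print $2 }'
            } | sort -u )
    for z in $used; do
        case "$z" in
            all|'$FW') continue ;;
        esac
        if ! printf '%s\n' "$declared" | grep -qx -- "$z"; then
            echo "zone '$z' is used but not declared in $dir/zones" >&2
            return 1
        fi
    done
    return 0
}

# Stage into a directory (a scratch one if none is given), run both checks,
# and compile with 'shorewall check <dir>' when Shorewall is installed. That
# compiles without loading anything, which is the step to take before
# 'shorewall safe-start'.
stage_and_check() {
    dir="${1:-$(mktemp -d)}"
    write_shorewall_config "$dir"
    policy_catchall_is_last "$dir" || {
        echo "policy: catch-all 'all all REJECT' is not the last entry" >&2
        return 1
    }
    zones_are_declared "$dir" || return 1
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$dir"
    else
        echo "staged in $dir; run 'shorewall check $dir' on the B3" >&2
    fi
}

# Usage: sh shorewall-stage.sh --run /tmp/shorewall-test
if [ "${1:-}" = --run ]; then
    stage_and_check "${2:-}"
fi
```

Stage under /tmp first, look at what 'shorewall check' says, and only then copy the files into /etc/shorewall and load them with 'shorewall safe-start', which reverts by itself if you don't confirm within the timeout.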