
Integrating the Shorewall firewall into a Linux server

To save the cost of a dedicated firewall appliance, we can reuse a server that is already running Linux and add the firewall function to it.

Download the firewall package to install on the server as follows:

#wget http://slovakia.shorewall.net/pub/sh…8-1.noarch.rpm
#wget http://slovakia.shorewall.net/pub/sh…wall-3.4.8.tgz

Before installing, check whether iptables is already present on the machine that will run the firewall; Shorewall is a front end that generates iptables rules, so only install it once iptables is confirmed to be there.
Start the installation:

# rpm -Uvh shorewall-3.4.8-1.noarch.rpm

Configuring the firewall
1. shorewall.conf

STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
DROPINVALID=No
RFC1918_STRICT=No
MACLIST_TTL=
SAVE_IPSETS=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

2. Zones file

The firewall's own zone (fw, matching FW=fw in shorewall.conf) must be declared here with type firewall, because the policy and rules files below refer to it.

#ZONE TYPE OPTIONS
fw firewall
net ipv4
dmz ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE -- DO NOT REMOVE

3. Interfaces file

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect -
dmz eth1 detect -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4. Blacklist file

#ADDRESS/SUBNET PROTOCOL PORT
192.168.1.150 udp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Note that Shorewall only checks this file for packets arriving on interfaces that carry the blacklist option in the interfaces file; with the OPTIONS column left as "-" above, this entry has no effect until that option is added. BLACKLIST_DISPOSITION=DROP in shorewall.conf decides what happens to matching packets, and BLACKLISTNEWONLY=Yes limits the check to new connections.

5. Policy file

Policies are the fallback applied when no rule in the rules file matches; the first matching line wins, so order matters.

#SOURCE DEST POLICY LOG_LEVEL LIMIT:BURST
net net DROP
fw all ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- DO NOT REMOVE

6. Masq file

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

7. NAT file

#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
#206.124.146.177 eth0:0 192.168.1.7 No No
#206.124.146.178 eth0:1 192.168.1.5 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

8. Rules file

Columns are separated by whitespace, so a zone qualifier must be written without a space after the colon (dmz:172.16.2.11, not "dmz: 172.16.2.11"), and an empty column is written as a plain hyphen.

#ACTION SOURCE DEST PROTO DEST_PORT(S)
###################### Create ICMP #####################################
ACCEPT net all icmp echo-request
ACCEPT dmz net icmp echo-request
ACCEPT fw all icmp echo-request
ACCEPT dmz fw icmp echo-request
################### Create DMZ Access FW, NET ###########################
ACCEPT dmz fw tcp 22
ACCEPT dmz net tcp -
ACCEPT dmz net udp 53
########################### End rule ####################################
################### Create NET Access FW, DMZ ###########################
ACCEPT net fw tcp 22,80,443
ACCEPT net dmz:172.16.2.10 tcp 80,443 # Server1
ACCEPT net dmz:172.16.2.11 tcp 80,443 # Server2
########################### End rule ####################################
################### Check Fail Over #####################################
ACCEPT net:192.168.2.2 fw all -
ACCEPT dmz:172.16.2.2 fw all -
########################### End rule ####################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
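The zones, policy and rules files above are whitespace-separated tables that Shorewall evaluates in a fixed order: rules first, then the first matching policy. The following is an added example, not code from the article or from the Shorewall project, that parses constructed copies of those three tables (mirroring this configuration and deliberately including two slips that copy-pasting from a web page introduces: a space after "dmz:" and an en dash in place of "-"), reports the problems, and then walks a few sample flows through the rules-then-policy lookup. The tokenising and matching are a simplified model of Shorewall's first-match semantics, not its real parser, and the sample addresses are constructed.

```python
"""Offline checker for Shorewall-style table files plus a rules-then-policy
walk for sample flows. Added example: not code from the article or from the
Shorewall project. The tables are constructed to mirror the article's
configuration and include two copy-paste slips; the matching is a simplified
model of Shorewall's first-match semantics, not its real parser."""

# Constructed sample tables (one string per file).
ZONES = """\
#ZONE TYPE
fw firewall
net ipv4
dmz ipv4
"""
POLICY = """\
#SOURCE DEST POLICY LOG_LEVEL
net net DROP
fw all ACCEPT
net all DROP info
all all REJECT info
"""
RULES = """\
#ACTION SOURCE DEST PROTO DPORT
ACCEPT net all icmp echo-request
ACCEPT dmz fw tcp 22
ACCEPT dmz net tcp -
ACCEPT dmz net udp 53
ACCEPT net fw tcp 22,80,443
ACCEPT net dmz:172.16.2.10 tcp 80,443 # Server1
ACCEPT net dmz: 172.16.2.11 tcp 80,443 # slip: space after the colon
ACCEPT dmz: 172.16.2.2 fw all \u2013   # slip: en dash pasted instead of "-"
"""

BAD_DASHES = ('\u2013', '\u2014')  # en dash, em dash


def rows(text):
    """Yield (lineno, fields) for each non-comment line; '#' starts a comment."""
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split('#', 1)[0].strip()
        if body:
            yield n, body.split()


def lint(zones=ZONES, policy=POLICY, rules=RULES):
    """Report undeclared zones, 'zone: addr' split across columns and Unicode
    dashes. `shorewall check` stays the authoritative test for the real files."""
    problems = []
    declared = {f[0] for _, f in rows(zones)}
    if not any(len(f) > 1 and f[1] == 'firewall' for _, f in rows(zones)):
        problems.append('zones: no zone of type "firewall" declared')
    for name, text, zone_cols in (('policy', policy, (0, 1)),
                                  ('rules', rules, (1, 2))):
        for n, f in rows(text):
            for tok in f:
                if any(d in tok for d in BAD_DASHES):
                    problems.append(f'{name} line {n}: {tok!r} is a Unicode dash, use "-"')
            for c in zone_cols:
                if c >= len(f):
                    continue
                zone, colon, addr = f[c].partition(':')
                if colon and not addr:
                    problems.append(f'{name} line {n}: {f[c]!r} is followed by a '
                                    'space, so its address landed in the next column')
                elif zone not in declared and zone != 'all':
                    problems.append(f'{name} line {n}: unknown zone {zone!r}')
    return problems


def _endpoint_match(spec, zone, addr):
    """Match a 'zone' or 'zone:addr' column against one end of a flow."""
    rzone, _, raddr = spec.partition(':')
    return rzone in (zone, 'all') and (raddr == '' or raddr == addr)


def decide(src_zone, src_addr, dst_zone, dst_addr, proto, dport,
           policy=POLICY, rules=RULES):
    """First matching rule wins; otherwise the first matching policy applies.
    Returns (action, 'rule' | 'policy' | 'implicit')."""
    for _, f in rows(rules):
        if len(f) < 5:
            continue
        action, rsrc, rdst, rproto, rport = f[:5]
        if (_endpoint_match(rsrc, src_zone, src_addr)
                and _endpoint_match(rdst, dst_zone, dst_addr)
                and rproto in (proto, 'all')
                and (rport == '-' or dport in rport.split(','))):
            return action, 'rule'
    for _, f in rows(policy):
        psrc, pdst, action = f[:3]
        if psrc in (src_zone, 'all') and pdst in (dst_zone, 'all'):
            return action, 'policy'
    return 'REJECT', 'implicit'  # assumption: no policy at all is treated as REJECT


if __name__ == '__main__':
    for problem in lint():
        print('LINT:', problem)
    # The slip on the Server2 line means this flow falls through to "net all DROP".
    print(decide('net', '203.0.113.5', 'dmz', '172.16.2.11', 'tcp', '443'))
```

The point the walk makes is that a malformed rule does not fail loudly in this model: the Server2 line with the stray space never matches, so web traffic to 172.16.2.11 silently lands on the "net all DROP" policy. Running `shorewall check` before `shorewall start` on the real files is the practical safeguard; the linter here only shows what the column split reveals.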
