Gentist Apprentice
Joined: 20 Mar 2004 Posts: 247
Posted: Sat Sep 30, 2006 7:44 am Post subject: Shorewall configuration
It's been a while since I last tried to set up Shorewall from scratch, and I've run into some module problems, as well as a misconfiguration, which blocks all traffic.
I need to set up a relatively good firewall config for my desktop. For the sake of ease, I'm going to keep it simple. I only have one interface, and I want a default-to-deny policy. Outside of that, I want to allow outgoing connections and resulting incoming connections, while denying incoming connections that I didn't initialize. I also want to block ICMP, since I have no use for that...
How would I go about setting that up?
My current attempt:
Zones:
Code:
#ZONE    TYPE       OPTIONS    IN          OUT
#                              OPTIONS     OPTIONS
fw       firewall
net      ipv4
dmz      ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Policy:
Code:
#SOURCE  DEST     POLICY   LOG      LIMIT:BURST
#                          LEVEL
fw       net      ACCEPT   info
net      all      DROP
all      all      REJECT   info
#LAST LINE -- DO NOT REMOVE
Interfaces:
Code:
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
rules:
Code:
SECTION NEW
ACCEPT   fw   net   tcp   -   -
ACCEPT   fw   net   udp   -   -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I'm currently getting the following error when trying to start shorewall:
Code:
WARNING: Zone dmz is empty
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.3.5: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 524: 11512 Terminated ${VARDIR}/.start $debugging start
Kosmas Apprentice
Joined: 14 Sep 2006 Posts: 280 Location: Greece
Posted: Sat Sep 30, 2006 9:57 am Post subject:
I would try in shorewall.conf for start
Gentist Apprentice
Joined: 20 Mar 2004 Posts: 247
Posted: Sun Oct 01, 2006 9:31 am Post subject:

Kosmas wrote:
> I would try in shorewall.conf for start
That's already set (I think it's the default value), and it says that it requires ip6tables, which I have.
Edit: Which module do you have to compile/what do you have to do in order for the following message to disappear:
Code:
ip6tables v1.3.6: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Edit2: If I set DISABLE_IPV6 to "No", the IPv6 related errors disappear, though this is only a temporary fix, and it doesn't solve my problem.
I still need to get rid of the following errors:
Code:
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 524: 11512 Terminated ${VARDIR}/.start $debugging start
If it's of any relevance, I'm running ~AMD64 with Athlon64 optimizations.
My current setup looks like this:
zones:
Code:
#ZONE    TYPE       OPTIONS    IN          OUT
#                              OPTIONS     OPTIONS
fw       firewall
net      ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
policy:
Code:
#SOURCE  DEST     POLICY   LOG      LIMIT:BURST
#                          LEVEL
$FW      net      ACCEPT
net      all      DROP     info
all      all      REJECT   info
#LAST LINE -- DO NOT REMOVE
rules:
Code:
#ACTION  SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINA$
#                             PORT     PORT(S)  DEST $
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Gentist Apprentice
Joined: 20 Mar 2004 Posts: 247
Posted: Sun Oct 01, 2006 10:57 am Post subject:
Some googling suggests that it might be kernel related. Since I would like to have a functional basic firewall, how would I go about setting up those rules using only iptables?
Allow everything out (TCP), but block everything in (all), deny everything out (UDP), while making DHCP work?
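The policy asked for in the opening post (default deny, allow replies to connections the desktop started, drop ICMP) and the iptables-only version asked for here (TCP out, UDP out denied, DHCP still working) can be expressed directly in a few iptables rules. The script below is an added example, not code from the thread or from Shorewall; it assumes the interface is eth0, that the conntrack/state, limit and LOG modules are available, and it can be dry-run without root by setting IPT=echo.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful iptables policy for a
# single-interface desktop (default deny, outgoing TCP allowed, outgoing UDP
# denied except DHCP, unsolicited incoming traffic and ICMP dropped).
# Assumptions: interface eth0; the ipt_state/conntrack, limit and LOG modules
# are loaded. Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"

apply_desktop_fw() {
    # Start clean and default-deny every chain; a host never needs FORWARD.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # Loopback must stay open or local services (X, resolvers, CUPS) break.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host initiated, in both directions. Put this
    # first so only NEW packets reach the rules below.
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outgoing TCP is allowed; new outgoing UDP falls through to the
    # OUTPUT DROP policy (add a "--dport 53" rule here if UDP DNS is needed).
    "$IPT" -A OUTPUT -o "$IFACE" -p tcp -m state --state NEW -j ACCEPT

    # DHCP: client port 68 -> server port 67. The lease offer can arrive as a
    # broadcast before conntrack matches it, so both directions are explicit.
    "$IPT" -A OUTPUT -o "$IFACE" -p udp --sport 68 --dport 67 -j ACCEPT
    "$IPT" -A INPUT  -i "$IFACE" -p udp --sport 67 --dport 68 -j ACCEPT

    # ICMP is dropped as requested; RELATED errors for our own connections
    # were already accepted above, so path-MTU discovery keeps working.
    "$IPT" -A INPUT  -p icmp -j DROP
    "$IPT" -A OUTPUT -p icmp -j DROP

    # Rate-limited log of whatever the DROP policies are about to discard.
    "$IPT" -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

# Number of -A rules a dry run installs (11); a cheap sanity check without root.
rule_count() { (IPT=echo; apply_desktop_fw) | grep -c '^-A '; }

if [ "${1:-}" = apply ]; then apply_desktop_fw; fi
```

Run it as `sh fw.sh apply` as root to load the rules, or `IPT=echo sh -c '. ./fw.sh; apply_desktop_fw'` to review the exact commands first.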
Kosmas Apprentice
Joined: 14 Sep 2006 Posts: 280 Location: Greece
Posted: Tue Oct 03, 2006 1:36 pm Post subject:
One thought that comes to mind is kernel/iptables compilation and emerging.
If it is of no trouble you could try to recompile the kernel enabling all the packet filtering modules and re-emerging the iptables package changing the use flags to your needs (e.g. ipv6, extensions).
That should probably solve all your packet filtering problems.
vonr Guru
Joined: 23 Mar 2006 Posts: 300
Posted: Tue Oct 03, 2006 2:40 pm Post subject:
I recently set up my first iptables firewall as well. It's not that hard, really. Have a look at this excellent guide to iptables. It also discusses kernel configuration. If you just want a basic firewall, I found this howto pretty handy.