Basic use of shorewall5

This article introduces a firewall management tool for Linux.

shorewall

Shorewall is a fairly convenient firewall manager for Linux, particularly well suited to firewalls with a fixed configuration that ops can maintain easily. Reading the official site, though, you may be unclear about how it is actually used, so here is a short introduction to how I use it.

Installation

apt-get install shorewall

Usage and configuration

Notes before use

For more detailed usage, see /usr/share/doc/shorewall/examples/

Shorewall official site: https://shorewall.org/

Make sure startup is enabled

Note that there are two settings that must both be switched on

root@debian:/etc/shorewall# cat shorewall.conf |grep -i enable
STARTUP_ENABLED=Yes
root@debian:/etc/shorewall# cat /etc/default/shorewall|grep -i start
# prevent startup with default configuration
# set the following variable to 1 in order to allow Shorewall to start
startup=1

Configure interfaces

Define your loc and net interfaces; if you have no net interface you can leave it out. loc is your internal network, net is the external network.

root@debian:/etc/shorewall# cat interfaces
#
# Shorewall - Sample Interfaces File for two-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS
net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=ens192
loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=ens224

Define zones

root@debian:/etc/shorewall# cat zones 
#
# Shorewall - Sample Zones File for two-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4

Define the general policy

root@debian:/etc/shorewall# cat policy
$FW	all		ACCEPT # the firewall may reach both the internal and external networks
loc     all             ACCEPT # the internal network may reach anywhere; if you set this to DROP you must add rules to permit traffic explicitly
net     $FW	        DROP # external traffic to the firewall is dropped by default unless permitted in rules
net	all		DROP		$LOG_LEVEL 
# THE FOLLOWING POLICY MUST BE LAST
all	all		REJECT		$LOG_LEVEL # everything else is rejected

Define specific allow rules

There are many ways to write rules; search Google or Baidu, or consult the official rule documentation, as your needs dictate. The recommendation here is to allow ping from the internal network and whitelist port 22, otherwise you will no longer be able to SSH in. Test rules first before deploying them to other machines: once shorewall starts, any previous rules will no longer be in effect, so confirm before proceeding.

root@debian:/etc/shorewall# cat rules 
#
# Shorewall - Sample Rules File for two-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)	net		all		tcp
#
#	Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)	$FW		net
#
#	Accept SSH connections from the local network for administration
#
SSH(ACCEPT)	loc		$FW
#
#	Allow Ping from the local network
#
Ping(ACCEPT)	loc		$FW
#invalid-pickup 
Invalid(DROP) net all tcp
#allow-ssh-to-local 
SSH(ACCEPT) loc $FW
#allow-local-to-ssh 
SSH(ACCEPT) $FW loc

#allow-icmp-local 
Ping(ACCEPT)	loc $FW

#drop-icmp-from-net 
Ping(ACCEPT) net $FW
#allow-icmp-to-net 
ACCEPT $FW net icmp


ACCEPT		$FW		loc		icmp
ACCEPT		$FW		net		icmp

# add by liuliancao allow ssh
ACCEPT net:1.1.1.1,2.2.2.2 $FW TCP 22
ACCEPT net:3.3.3.3 $FW TCP 9090
ACCEPT net $FW TCP 5201-5210
ACCEPT net $FW UDP 5201-5210
SSH(ACCEPT)	$FW		loc
Ping(ACCEPT)	$FW		loc

Try starting shorewall

systemctl start shorewall

If it errors, check systemctl status shorewall; it will usually tell you what is missing.

Finally you can inspect the rules with iptables -nL; when you later want to change the firewall, just edit rules.

Codifying the configuration

I use Puppet to codify it; the files are pasted below for reference only.

modules/shorewall/init.pp

# Class Shorewall init for puppet shorewall module.

class shorewall (
  $ensure = 'true',
  $purge  = false,
  $intes = undef,   # list of interface hashes (zone/interface/options) rendered by interfaces.erb
  $rules = undef,   # list of rule hashes (name/rule) rendered by rules.erb
  $shorewall_dir_path = $::shorewall::params::shorewall_dir_path,
  $shorewall_dir_owner = $::shorewall::params::shorewall_dir_owner,
  $shorewall_dir_group = $::shorewall::params::shorewall_dir_group,
  $shorewall_dir_mode = $::shorewall::params::shorewall_dir_mode,
  $recurse = true,
  $cluster = 'default',
  $public_interface = undef,
  $private_interface = undef,
) inherits ::shorewall::params {
  # purge => true together with recurse removes files in /etc/shorewall that Puppet does not manage
  file { $shorewall_dir_path:
    ensure  => 'directory',
    owner   => $shorewall_dir_owner,
    group   => $shorewall_dir_group,
    mode    => $shorewall_dir_mode,
    purge   => $purge,
    force   => true,
    recurse => $recurse,
  }


  case $facts['os']['name'] {
    'RedHat', 'CentOS':  {
      file {'/etc/yum.repos.d/epel.repo':
        ensure => 'file',
        source => 'puppet:///modules/shorewall/epel.repo',
        group  => 'root',
        owner  => 'root',
        mode   => '0644',
      }
    }
    default:  {
    }
  }

  package {'shorewall':
    ensure => latest,
    allow_virtual => false,
  }

  file {"/etc/shorewall/shorewall.conf":
    ensure => 'file',
    source => "puppet:///modules/shorewall/shorewall-${cluster}.conf",
    purge  => $purge,
    notify => Service['shorewall'],
  }

  file {"/etc/shorewall/README.txt":
    ensure => 'file',
    source => 'puppet:///modules/shorewall/README.txt',
  }
  
  file {"/etc/shorewall/interfaces":
    ensure  => 'file',
    owner   => $shorewall_dir_owner,
    group   => $shorewall_dir_group,
    mode    => $shorewall_dir_mode,
    content => template("shorewall/interfaces.erb"),
    notify => Service['shorewall'],
  }

  file {"/etc/shorewall/policy":
    ensure  => 'file',
    owner   => $shorewall_dir_owner,
    group   => $shorewall_dir_group,
    mode    => $shorewall_dir_mode,
    source => "puppet:///modules/shorewall/policy-${cluster}",
    purge  => $purge,
    notify => Service['shorewall'],
  }

  file {"/etc/shorewall/zones":
    ensure  => 'file',
    owner   => $shorewall_dir_owner,
    group   => $shorewall_dir_group,
    mode    => $shorewall_dir_mode,
    source => "puppet:///modules/shorewall/zones-${cluster}",
    purge  => $purge,
    notify => Service['shorewall'],
  }


  file {"/etc/shorewall/rules":
    ensure  => 'file',
    owner   => $shorewall_dir_owner,
    group   => $shorewall_dir_group,
    mode    => $shorewall_dir_mode,
    content => template("shorewall/rules.erb"),
    notify => Service['shorewall'],
  }

  service {"shorewall":
    ensure => true,
    enable => true,
    hasrestart => true,
    hasstatus => true,
  }
}

modules/shorewall/params.pp

# Class: shorewall::params related
#
# Shorewall params related.
#

class shorewall::params {
  $shorewall_dir_path = '/etc/shorewall'
  $shorewall_dir_owner = 'root'
  $shorewall_dir_group = 'root'
  $shorewall_dir_mode = '0755'
}

modules/shorewall/files/epel.repo (note that the [epel] section below sets gpgcheck=0, which disables RPM signature verification for that repository; gpgcheck=1 is the safe setting)

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0

modules/shorewall/files/policy-default

# MANAGED BY PUPPET
#
# Shorewall - Sample Policy File for two-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT

$FW	all		ACCEPT
loc     all             ACCEPT
net     $FW	        DROP
net	all		DROP		$LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all	all		REJECT		$LOG_LEVEL

modules/shorewall/files/shorewall-default.conf

# Shorewall config default by wooduan ops at 20230328.
STARTUP_ENABLED=Yes
VERBOSITY=1
PAGER=
FIREWALL=
LOG_LEVEL="info"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/shorewall-info.log
LOGFORMAT="%s %s "
LOGTAGONLY=No
LOGLIMIT="s:1/sec:10"
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
ARPTABLES=
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MINIUPNPD=No
MARK_IN_FORWARD_CHAIN=No
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0

modules/shorewall/files/zones-default

# MANAGED BY PUPPET, DO NOT CHANGE!
#
# Shorewall - Sample Zones File for two-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4

modules/shorewall/templates/interfaces.erb

# Managed by Puppet

#
# Shorewall - Sample Interfaces File for two-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS

<% @intes.each do |inte| -%>
<%= inte['zone'] %>  <%= inte['interface'] %> <%= inte['options'] %>
<% end -%>

modules/shorewall/templates/rules.erb

# Managed by Puppet

<% @rules.each do |key| -%>
#<%= key['name'] %> 
<%= key['rule'] %>
<% end -%>

YAML usage (hiera data)

classes:
  - shorewall
shorewall::purge: true
shorewall::intes:
  - name: ens192
    zone: net
    interface: NET_IF
    options: dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=ens192

  - name: ens224
    zone: loc
    interface: LOC_IF
    options: tcpflags,nosmurfs,routefilter,logmartians,physical=ens224
shorewall::rules:
  - name: invalid-pickup
    rule: "Invalid(DROP) net all tcp"
  - name: allow-ssh-to-local
    rule: "SSH(ACCEPT) loc $FW"
  - name: allow-local-to-ssh
    rule: "SSH(ACCEPT) $FW loc"
  - name: allow-icmp-local
    rule: "Ping(ACCEPT)	loc $FW"
  - name: drop-icmp-from-net
    rule: "Ping(DROP) net $FW"
  - name: allow-icmp-to-net
    rule: "ACCEPT $FW net icmp"
  - name: allow-office-ssh
    rule: "ACCEPT net:YOUR_OFFICE_IPS $FW TCP 22"
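
As an added example (not part of the original post or its Puppet module), a small Python pre-flight check for the warnings above: it parses a policy file and a shorewall::rules list, verifies the catch-all REJECT is last, that some rule still permits SSH to $FW before shorewall is started, that SSH is not opened to the bare net zone, and flags a rule whose name says drop while its action is ACCEPT (as the drop-icmp-from-net entry in the rules dump above). The function names and both samples are my own constructions; render_rules mirrors what rules.erb emits.

```python
# Constructed sample mirroring the page's policy file (not the page's own file).
SAMPLE_POLICY = """\
$FW\tall\tACCEPT
loc\tall\tACCEPT
net\t$FW\tDROP
net\tall\tDROP\t$LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all\tall\tREJECT\t$LOG_LEVEL
"""

# Constructed sample in the shape of the page's shorewall::rules hiera data.
SAMPLE_RULES = [
    {"name": "allow-ssh-to-local", "rule": "SSH(ACCEPT) loc $FW"},
    {"name": "drop-icmp-from-net", "rule": "Ping(ACCEPT) net $FW"},  # mismatch as in the page's dump
    {"name": "allow-office-ssh", "rule": "ACCEPT net:YOUR_OFFICE_IPS $FW TCP 22"},
]

def active_lines(text):
    """Tokenised config lines with comments and blank lines removed."""
    return [l.split("#")[0].split() for l in text.splitlines() if l.split("#")[0].strip()]

def check_policy(text):
    """Findings for a policy file: catch-all REJECT must be last, net -> $FW must not be ACCEPT."""
    findings, lines = [], active_lines(text)
    if not lines or lines[-1][:3] != ["all", "all", "REJECT"]:
        findings.append("catch-all 'all all REJECT' policy is missing or not last")
    for cols in lines:
        if cols[:3] == ["net", "$FW", "ACCEPT"]:
            findings.append("net -> $FW policy is ACCEPT; the net zone should default to DROP")
    return findings

def check_rules(rules):
    """Findings for hiera rules: name/action mismatch, SSH open to all of net, no SSH to $FW at all."""
    findings, has_ssh_to_fw = [], False
    for r in rules:
        cols = r["rule"].split() + ["", ""]  # pad so PROTO/PORT lookups never raise IndexError
        action, src, dst, proto, port = cols[0], cols[1], cols[2], cols[3].lower(), cols[4]
        if "drop" in r["name"].lower() and "ACCEPT" in action:
            findings.append(f"{r['name']}: name says drop but rule is {action}")
        is_ssh = action == "SSH(ACCEPT)" or (action == "ACCEPT" and proto == "tcp" and port == "22")
        if is_ssh and dst == "$FW":
            has_ssh_to_fw = True
            if src == "net":  # bare zone, no host list such as net:1.2.3.4
                findings.append(f"{r['name']}: SSH to $FW is open to the whole net zone")
    if not has_ssh_to_fw:
        findings.append("no rule allows SSH to $FW: starting shorewall would lock you out")
    return findings

def render_rules(rules):
    """Render the rules file the way the page's rules.erb does: '#name' line, then the rule."""
    return "".join(f"#{r['name']}\n{r['rule']}\n" for r in rules)
```

Run the checks against the rendered hiera data before the Puppet run that notifies Service['shorewall'], so an empty findings list is what gates the deploy.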

Summary

If you are considering codifying your firewall and want to do it through configuration management, give shorewall a try; it is quite convenient. When codifying it, it is best to manage it with an IaC tool.