Configuring shorewall for LAN ipv4 connection.

Hi folks.

What is shorewall? Well, this is not Wikipedia, so I won't go into the details. Suffice to say it's a firewall. I must underline here that I am in no way an expert on security, nor am I a firewall expert. I am posting this info for my own use, as those settings have served me well (unlike my memory) in the past and I would like to re-use them in the future without struggling to remember them. If You want to use them (and maybe later improve them to suit Your needs) then go ahead, feel free to do so; just be aware that I am taking no responsibility whatsoever for the security of Your machine and the consequences of it getting hacked. I hereby confirm that this config is what I use at home and that it's safe and secure to the best of my knowledge.

Here it goes:

1) First install the shorewall

su

give it root’s password

pacman -S shorewall

resolving dependencies...
looking for inter-conflicts...

Packages (1): shorewall-4.5.19-1

Total Installed Size: 2.23 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [###############################################] 100%
(1/1) checking package integrity [###############################################] 100%
(1/1) loading package files [###############################################] 100%
(1/1) checking for file conflicts [###############################################] 100%
(1/1) checking available disk space [###############################################] 100%
(1/1) installing shorewall [###############################################] 100%

2) Enable shorewall at boot time.

systemctl enable shorewall

You should see this as an output:

ln -s '/usr/lib/systemd/system/shorewall.service' '/etc/systemd/system/multi-user.target.wants/shorewall.service'

3) Find out what network interfaces You have:

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 00:1e:52:7a:46:5d brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
link/ether 00:0a:e4:f6:d4:8f brd ff:ff:ff:ff:ff:ff

4) Check what ports are open on the machine before shorewall gets configured and started (optional). Scan it from another machine using nmap. wishmacer is using the 192.168.0.100 IP address and I am scanning it from another local machine, icsserver, which is using the 192.168.0.1 IP address:

date && nmap -p 0-65535 192.168.0.100 && date

Hint: You will be able to see the ETA if You press space during the scan.

Sat Aug 10 17:04:03 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:04 IST
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.46% done; ETC: 17:41 (0:00:21 remaining)
Nmap scan report for 192.168.0.100
Host is up (0.00014s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
7634/tcp open hddtemp
50505/tcp open unknown
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 16.37 seconds
Sat Aug 10 17:04:20 IST 2013

It took 16.5 seconds roughly to scan all the 65536 ports and it discovered 2 open tcp ports 7634 and 50505.

5) Configure shorewall accordingly:

To configure shorewall You will use Your favorite text editor (vi, mcedit, nano etc. whatever ails You) as root. Config files are stored in the folder:

/etc/shorewall

A) /etc/shorewall/shorewall.conf

Find and change values:

STARTUP_ENABLED=No

AUTOMAKE=No

BLACKLIST="NEW,INVALID,UNTRACKED"

from

No

to

Yes

and from

"NEW,INVALID,UNTRACKED"

to

ALL

So they look like this:

STARTUP_ENABLED=Yes

AUTOMAKE=Yes

BLACKLIST=ALL

Now check if your shorewall.conf contains this entry (if you have the latest version of shorewall from the ArchLinux repository and you've merged your .pacnew file it will):

WORKAROUNDS=Yes

and if it does, change it to:

WORKAROUNDS=No

Why? Workarounds are needed for non-modern distros like Debian or CentOS. ArchLinux does not need them.
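To make these three edits repeatable (for instance after the next .pacnew merge), here is a small Python helper, added here and not part of Shorewall, that sets KEY=VALUE options in a shorewall.conf style file without touching comments or unrelated settings, and appends an option that an older file does not have. The sample file is constructed from the default values quoted above; the option is spelled WORKAROUNDS in shorewall.conf.

```python
"""Idempotent KEY=VALUE editor for shorewall.conf style files (added example,
not part of Shorewall). Comments and unrelated lines are left untouched."""
import re

# Constructed excerpt of a shorewall.conf carrying the defaults the post changes.
SAMPLE_CONF = """\
###############################################################################
#                       S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=No

AUTOMAKE=No

BLACKLIST="NEW,INVALID,UNTRACKED"

WORKAROUNDS=Yes
"""

# The values the post sets; a missing key is appended rather than skipped.
WANTED = {
    "STARTUP_ENABLED": "Yes",
    "AUTOMAKE": "Yes",
    "BLACKLIST": "ALL",
    "WORKAROUNDS": "No",
}


def set_options(text, wanted):
    """Return (new_text, changes); changes maps key -> (old_value, new_value)."""
    lines = text.splitlines()
    changes, seen = {}, set()
    for i, line in enumerate(lines):
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(.*)$", line)   # comments never match
        if not m or m.group(1) not in wanted:
            continue
        key, old = m.group(1), m.group(2)
        seen.add(key)
        if old != wanted[key]:
            lines[i] = f"{key}={wanted[key]}"
            changes[key] = (old, wanted[key])
    for key, value in wanted.items():
        if key not in seen:                 # option absent from an older file: add it
            lines.append(f"{key}={value}")
            changes[key] = (None, value)
    return "\n".join(lines) + "\n", changes


def get_option(text, key):
    """Current value of key, or None if the file does not set it."""
    m = re.search(rf"^{re.escape(key)}=(.*)$", text, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    new_conf, changes = set_options(SAMPLE_CONF, WANTED)
    for key, (old, new) in changes.items():
        print(f"{key}: {old!r} -> {new!r}")
    print(new_conf)
```

Running it a second time on its own output reports no changes, which is the property you want before wiring something like this into a post-upgrade hook.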

B) /etc/shorewall/zones

Add these 2 lines at the end of the file:

net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
##################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

C) /etc/shorewall/interfaces

Here You will use the info gathered in point 3. So in my case the network interfaces are eth0 and wlan0. The wireless network is not used at the moment (but we will define it anyway) and the interface eth0 is connected to my router.

Add these 3 lines at the end of the file:

net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
##################################
FORMAT 2
##################################
#ZONE INTERFACE OPTIONS
net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE

D) /etc/shorewall/policy

Add these 4 lines to the end of the file:

fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
##################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE

6) Start shorewall:

systemctl start shorewall

7) Check its status:

journalctl -xn

-- Logs begin at Fri 2013-08-09 23:23:46 IST, end at Sat 2013-08-10 17:01:44 IST. --
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Martian Logging...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Proxy ARP...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Preparing iptables-restore input...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /sbin/iptables-restore...
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: IPv4 Forwarding Enabled
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/start ...
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/started ...
Aug 10 17:01:44 wishmacer.loc logger[2279]: Shorewall started
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: done.
Aug 10 17:01:44 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit shorewall.service has finished starting up.

-- The start-up result is done.

systemctl status shorewall

shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled)
Active: active (exited) since Sat 2013-08-10 17:01:44 IST; 2min 57s ago
Process: 2069 ExecStart=/usr/bin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)

Aug 10 17:01:42 wishmacer.loc systemd[1]: Starting Shorewall IPv4 firewall...
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Compiling...
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Setting locale failed.
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Please check that your locale settings:
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LANGUAGE = (unset),
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LC_ALL = (unset),
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LANG = "en_UK.UTF-8"
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: are supported and installed on your system.
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Falling back to the standard locale ("C").
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/params ...
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/shorewall.conf...
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Loading Modules...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/zones...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/interfaces...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Determining Hosts in Zones...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Locating Action Files...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/policy...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /etc/shorewall/initdone...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling Kernel Route Filtering...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling Martian Logging...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling MAC Filtration -- Phase 1...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/rules...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/conntrack...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling MAC Filtration -- Phase 2...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Applying Policies...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Drop for chain Drop...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Generating Rule Matrix...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Reject for chain Reject...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Creating iptables-restore input...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Starting Shorewall....
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Initializing...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/init ...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/tcclear ...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Route Filtering...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Martian Logging...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Proxy ARP...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Preparing iptables-restore input...
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /sbin/iptables-restore...
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: IPv4 Forwarding Enabled
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/start ...
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/started ...
Aug 10 17:01:44 wishmacer.loc logger[2279]: Shorewall started
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: done.
Aug 10 17:01:44 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.

8) Check if it's working as expected (optional) by scanning it from another machine using nmap. wishmacer is using the 192.168.0.100 IP address and I am scanning it from another local machine, icsserver, which is using the 192.168.0.1 IP address:

Hint: You will be able to see the ETA if You press space during the scan.

date && nmap -p 0-65535 192.168.0.100 && date

Sat Aug 10 17:14:00 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:14 IST
Stats: 0:10:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 46.31% done; ETC: 17:36 (0:11:46 remaining)
Stats: 0:21:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.43% done; ETC: 17:36 (0:00:34 remaining)
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
All 65536 scanned ports on 192.168.0.100 are filtered
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 1327.34 seconds
Sat Aug 10 17:36:07 IST 2013

It took 22 minutes roughly to scan all the 65536 ports. All of them are closed / filtered.

9) Add Your custom rules. For example on Wishmacer / 192.168.0.100 I have a service running at tcp port 50505. I want to open it.

Modify this file:

/etc/shorewall/rules

by adding those 2 lines:

ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Allow access to port 50505 TCP - SSHD
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

and restart Your firewall using this command:

systemctl restart shorewall

and test if it worked from a different machine:

date && nmap -p 7634 192.168.0.100 && date

Sat Aug 10 17:48:25 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:48 IST
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
PORT STATE SERVICE
7634/tcp filtered hddtemp
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
Sat Aug 10 17:48:38 IST 2013

date && nmap -p 50505 192.168.0.100 && date

Sat Aug 10 17:48:45 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:48 IST
Nmap scan report for 192.168.0.100
Host is up (0.00019s latency).
PORT STATE SERVICE
50505/tcp open unknown
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
Sat Aug 10 17:48:59 IST 2013

As You can see port 7634 which was previously (before shorewall configuration / start) open is now marked as filtered and the 50505 which I chose to open on my firewall is now open and ready to use.
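The before/after comparison above is worth automating, because "all 65536 ports are filtered" is only half the check; the other half is that the ports you deliberately opened are the only ones answering. The following Python script is an added example (not nmap or Shorewall code): it parses two nmap reports of the same host, lists the ports whose state changed, and checks what is still open against the allow-list you meant to configure. The two reports are constructed from the scans shown above; a UDP result of open|filtered is not counted as confirmed open.

```python
"""Diff two nmap reports of the same host (before and after the firewall) and
check what is still open against the allow-list you intended. Added example,
not nmap or Shorewall code; both reports are constructed from the post's scans."""
import re

BEFORE = """\
Nmap scan report for 192.168.0.100
Host is up (0.00014s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
7634/tcp open hddtemp
50505/tcp open unknown
"""

AFTER = """\
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
PORT STATE SERVICE
7634/tcp filtered hddtemp
50505/tcp open unknown
"""

# "7634/tcp open hddtemp" -> port, proto, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_report(text):
    """Map 'proto/port' -> nmap state for every port line of a normal-output report."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[f"{m.group(2)}/{m.group(1)}"] = m.group(3)
    return ports


def diff_reports(before, after):
    """Ports whose state changed: {key: (old, new)}; ports nmap left out count as closed."""
    changed = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, "closed"), after.get(key, "closed")
        if old != new:
            changed[key] = (old, new)
    return changed


def unexpected_open(after, allowed):
    """Ports confirmed open that are not allow-listed (open|filtered does not count)."""
    return sorted(k for k, state in after.items() if state == "open" and k not in allowed)


def missing_allowed(after, allowed):
    """Allow-listed ports not seen open: the service is down or the rule did not take."""
    return sorted(k for k in allowed if after.get(k) != "open")


if __name__ == "__main__":
    before, after = parse_report(BEFORE), parse_report(AFTER)
    allowed = {"tcp/50505"}                 # the single ACCEPT rule from the post
    print("changed:", diff_reports(before, after))
    print("unexpected open:", unexpected_open(after, allowed))
    print("allowed but not open:", missing_allowed(after, allowed))
```

Feed it the saved output of the two scans (nmap -oN) and keep the allow-list in step with the ACCEPT lines of /etc/shorewall/rules; an entry in "unexpected open" after a restart means a rule is broader than intended, and an entry in "allowed but not open" usually means the service itself is not listening.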

Now You can add more lines in this configuration file. Different ports, different protocols, different rules.

For example, if You want to open port 123 udp, add this line:

ACCEPT net fw udp 123 -

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

And what if I want to open a large range of ports? Let's say... I want to open 250 TCP ports starting at 5000?

No problem: add another rule that looks like this:

ACCEPT net fw tcp 5000:5250 -

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

Ok Andy… I have a problem… I cannot ping the machine anymore after the shorewall was started…

Ok… I am guessing You want the machine to respond to ping for whatever the reason.

Add this as a rule:

Ping(ACCEPT) net fw

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

If You want to block a pest (let's assume IP 1.2.3.4) that is messing with Your server, add this line:

DROP net:1.2.3.4 all

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

If the pest is using a dynamic IP and You know the range (let's assume IP 2.*.*.*) then add this line (2.0.0.0/8 covers every address starting with 2.; a /24 would only cover 2.0.0.0 to 2.0.0.255):

DROP net:2.0.0.0/8 all

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

It’s very important that You place the DROP lines before the ACCEPT lines.

If You want to forward a port (destination nat) to another IP / machine add a rule that will do it for You. Example:

I have 2 NICs in my machine.

- First has IP 192.168.1.50 and is defined as a wan zone.
- Second has IP 192.168.0.1 and is recognized by shorewall as a net zone.

There is another machine in my net zone. The machine’s IP is 192.168.0.100.

I want to forward port 4000 (both TCP and UDP) from the wan zone, IP 192.168.1.50, to port 4000 on the net zone machine with the IP 192.168.0.100. This means that if any packet lands on port 4000 of the 192.168.1.50 machine it will be redirected (forwarded / DNATed) to port 4000 on the 192.168.0.100 machine.

The rule will look like this:

DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50

and the rules file will look like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50
#LAST LINE -- DO NOT REMOVE

save the file and restart the firewall as You did before. Make sure that port 4000 (both TCP and UDP) is open on the 192.168.0.100 machine. How?

su -c "nmap -Pn -p 4000 192.168.0.100 && nmap -sU -Pn -p 4000 192.168.0.100"

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up (0.00012s latency).
PORT STATE SERVICE
4000/tcp open remoteanything

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up.
PORT STATE SERVICE
4000/udp open|filtered icq

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

The situation will look slightly different if the destination port and source port number are different. The scenario described above still applies. 2 NICs, wan and net zones, another machine in the net zone.

I want to forward port 6118 (both TCP and UDP) from the wan zone, IP 192.168.1.50, to port 6112 on the net zone machine with the IP 192.168.0.100. This means that if any packet lands on port 6118 of the 192.168.1.50 machine it will be redirected (forwarded / DNATed) to port 6112 on the 192.168.0.100 machine.

The rule will look like this:

DNAT wan net:192.168.0.100:6112 tcp 6118 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 udp 6118 - 192.168.1.50

and the rules file will look like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 tcp 6118 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 udp 6118 - 192.168.1.50
#LAST LINE -- DO NOT REMOVE

save the file and restart the firewall as You did before. Make sure that port 6112 (both TCP and UDP) is open on the 192.168.0.100 machine. How?

su -c "nmap -Pn -p 6112 192.168.0.100 && nmap -sU -Pn -p 6112 192.168.0.100"

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up (0.00012s latency).
PORT STATE SERVICE
6112/tcp open dtspc

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up.
PORT STATE SERVICE
6112/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

That’s it – You have just configured shorewall to Your liking.

Hint: Think of a firewall as a naughty kid: if You allow him to do something and then deny it, You know he will still do it... In other words, the order of the rules / policies does matter. Deny first and ask questions later ;).

Hint: IF You are forwarding a port from machine 1 to machine 2 there is no need to open the port on machine 1. The DNAT rule will take care of that for You. You do, however, need to make sure that the port is open on machine 2. IF it's not, check if the application that was supposed to open the port is running and, IF You are running shorewall on machine 2 as well, make sure that the appropriate rule was added to the machine 2 shorewall rules file.

Hint: Do not scan the ports from the same machine that You have configured the firewall on; it will be treated as a local scan and the firewall will not block the ports.

Hint: IF You run into a problem during the setup and the firewall won't start or restart, use this command:

journalctl -xn

and read its output thoroughly. The answer to Your trouble is there.

Hint: If You want to test if shorewall is causing You trouble (blocks some port that You want to connect to) run:

systemctl stop shorewall && shorewall clear

This will stop the firewall and clear all its rules. IF after You did this You still cannot connect to the port on Your machine and it says it's filtered or closed, look for the reason somewhere else...

Regards.

Andrzej

P.S. Breaking news… Someone actually reads this… This post has been translated (not very exactly I must say) to Polish by Wilczek. You can find it here.
