[debian-lan-devel] a basic shorewall two-interfaces gtw + openvpn config.
Julien Lambot
jlambot at gmail.com
Sat May 4 23:20:56 UTC 2013
The configuration is based on
/usr/share/doc/shorewall/examples/two-interfaces/ with only a few
modifications for Debian-Lan.
It includes three zones, one of which, "roa", stands for road-runners ;)
./files/etc/default/shorewall/SERVER_A
# /etc/default/shorewall: lets the init script start the firewall at boot
# (0 keeps Shorewall disabled even though the package is installed).
startup=1
./files/etc/shorewall/shorewall.conf
# Enable IPv4 forwarding between eth0 (loc) and eth1 (net) so the host
# acts as the gateway; without it only traffic to/from $FW itself works.
IP_FORWARDING=Yes
./files/etc/shorewall/interfaces
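#ZONE INTERFACE OPTIONS
# Internet side. Address via DHCP, plus anti-spoofing / sanity checks;
# sourceroute=0 refuses source-routed packets. The option list must stay
# on ONE line -- a wrapped continuation line is not parsed by Shorewall.
net eth1 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
# Internal LAN (10.0.0.0/16 according to the masq file).
loc eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
# Road-warrior OpenVPN clients on any tun device. No sanity options are
# applied here; consider tcpflags,nosmurfs as on the other interfaces.
roa tun+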
./files/etc/shorewall/routestopped
#INTERFACE HOST(S) OPTIONS
# Hosts that may still talk to the firewall while Shorewall is stopped:
# every host on eth0 ("-" = all). tun+ is not listed, so VPN clients lose
# access to the gateway for the duration of a stop/restart.
eth0 -
./files/etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# Masquerade LAN traffic (10.0.0.0/16) leaving through eth1.
# The OpenVPN pool (10.100.0.0/24 in server.conf) lies outside this range and
# is therefore not NATed; that is consistent with the policy file, where
# roa->net falls through to the final REJECT.
eth1 10.0.0.0/16
./files/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
# The LAN may initiate any connection towards the Internet.
loc net ACCEPT
# Unsolicited Internet traffic is dropped and logged at "info"; if the log
# becomes noisy, set a LIMIT:BURST value or lower the level.
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
# Everything not matched above or by a rule is rejected: roa->loc, roa->net
# and $FW->net (there is no "$FW net ACCEPT" policy here, unlike the
# stock two-interfaces example). As far as the rules file shows, road
# warriors therefore reach only the gateway itself, even though
# server.conf pushes a route to 10.0.0.0/16.
all all REJECT info
./files/etc/shorewall/tunnels
#TYPE ZONE GATEWAY GATEWAY ZONE
# Open the OpenVPN listener towards the Internet from any client address.
# "your_port" is a placeholder and must match the "port" directive in
# openvpn/server.conf; the openvpnserver type defaults to udp, which agrees
# with "proto udp" there.
openvpnserver:your_port net 0.0.0.0/0
./files/etc/shorewall/zones
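#ZONE TYPE OPTIONS IN-OPTIONS OUT-OPTIONS
# fw is the gateway itself; net/loc are the Internet and LAN sides;
# roa holds the road-warrior OpenVPN clients (tun+ in the interfaces file).
fw firewall
net ipv4
loc ipv4
# "ipv" is not a valid zone type and makes "shorewall start" fail;
# roa is an ordinary IPv4 zone like net and loc.
roa ipv4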
./files/etc/shorewall/rules
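SECTION NEW
# Rules for the Debian-Lan gateway. Columns: ACTION SOURCE DEST PROTO
# DPORT SPORT ORIGDEST RATE. Rules are matched in order, before the policy
# file applies. Comments must be full lines starting with "#": a comment
# that wraps onto a second line without "#" is parsed as a rule and breaks
# the compile.
#
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# Accept DNS connections from the firewall to the network and from
# the lan to the firewall
#
DNS(ACCEPT) $FW net
DNS(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
SSH(ACCEPT) roa $FW
#SSH(ACCEPT) net $FW # No access from external to ssh std port.
# or limit throughput to 3 attempts per minute
#SSH(ACCEPT) net $FW - - - - s:1/min:3
SSH(ACCEPT) $FW all
# SSH on port 12345
# NOTE(review): the "net" line below exposes SSH to the Internet on a
# non-standard port; that only hides the service, it does not protect it.
# Prefer key-only logins plus the rate-limited form shown above (RATE
# column), or restrict SOURCE to known administrator addresses.
ACCEPT loc $FW tcp 12345
ACCEPT net $FW tcp 12345
ACCEPT roa $FW tcp 12345
#
# Allow Ping from the local network
#
Ping(ACCEPT) $FW all
Ping(ACCEPT) loc $FW
Ping(ACCEPT) roa $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being
# flooded..
#
Ping(DROP) net $FW
# Every ICMP type from the firewall itself, not only echo-request.
ACCEPT $FW all icmp
#
#
# SPECIFIC RULES REQUIRED FOR Debian-Lan
#
HTTP(ACCEPT) $FW net
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) roa $FW
HTTPS(ACCEPT) $FW net
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) roa $FW
# NOTE(review): publishes the gateway's HTTPS service to the Internet;
# confirm this is intended and that the service behind it is hardened.
HTTPS(ACCEPT) net $FW
LDAP(ACCEPT) loc $FW
LDAP(ACCEPT) roa $FW
LDAPS(ACCEPT) loc $FW
LDAPS(ACCEPT) roa $FW
NTP(ACCEPT) $FW net
NTP(ACCEPT) $FW loc
NTP(ACCEPT) $FW roa
NTP(ACCEPT) loc $FW
NTP(ACCEPT) roa $FW
#
# Allow SAMBA to $FW
#
# "all" includes net, so the gateway may open SMB sessions towards the
# Internet; "$FW loc" / "$FW roa" is presumably what is meant -- TODO confirm.
SMBBI(ACCEPT) $FW all
SMBBI(ACCEPT) loc $FW
SMBBI(ACCEPT) roa $FW
#
# Allow cups connection
#
ACCEPT loc $FW tcp 631
## lpr test
## ACCEPT loc $FW tcp 515
ACCEPT roa $FW tcp 631
Jetdirect(ACCEPT) $FW loc tcp 9100
Jetdirect(ACCEPT) $FW roa tcp 9100
#
# Allow apt-cacher
#
ACCEPT loc $FW tcp 3142
ACCEPT roa $FW tcp 3142
#
# Allow TFTP
#
TFTP(ACCEPT) loc $FW
TFTP(ACCEPT) $FW loc
#
# Allow Nagios NRPE
#
ACCEPT $FW loc tcp 5666
#
# Allow Munin
#
ACCEPT $FW loc tcp 4949
#
# Allow Syslog server
#
ACCEPT loc $FW udp 514
# Heimdal/Kerberos 5
#
# Kerberos v5 KDC
ACCEPT loc $FW tcp 88
ACCEPT roa $FW tcp 88
ACCEPT loc $FW udp 88
ACCEPT roa $FW udp 88
# kpasswd
#ACCEPT net $FW tcp 464
ACCEPT loc $FW udp 464
ACCEPT roa $FW udp 464
# kadmin v5 (required for remote administration)
#ACCEPT net $FW tcp 749
# Kerberos v4 KDC
#ACCEPT net $FW tcp 750
#ACCEPT net $FW udp 750
# Kerberos 524
#ACCEPT net $FW tcp 4444
#ACCEPT net $FW udp 4444
#
# Allow NFSv4
#
# NOTE(review): pure NFSv4 needs only tcp 2049. rpcbind (111) and the
# 32764:32769 range (presumably fixed-port statd/lockd/mountd) are NFSv3-era
# helpers -- keep them only if v3 clients are actually served.
ACCEPT loc $FW udp 111
ACCEPT roa $FW udp 111
ACCEPT loc $FW tcp 111
ACCEPT roa $FW tcp 111
ACCEPT loc $FW tcp 2049
ACCEPT roa $FW tcp 2049
ACCEPT loc $FW udp 2049
ACCEPT roa $FW udp 2049
ACCEPT loc $FW tcp 32764:32769
ACCEPT roa $FW tcp 32764:32769
ACCEPT loc $FW udp 32764:32769
ACCEPT roa $FW udp 32764:32769
#
# SQUID Manual Proxy (see -
# http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual)
#
ACCEPT loc $FW tcp 3128
## below rules must be checked ## mostly triggered during FAI installation
# NOTE(review): these high ports look like dynamically chosen ones; an
# allow-list of unexplained ports is hard to audit. Identify the services
# behind them before keeping these rules.
ACCEPT loc $FW tcp 51105
ACCEPT loc $FW udp 55850
ACCEPT loc $FW tcp 36174
ACCEPT loc $FW tcp 4711
ACCEPT $FW loc tcp 39233
ACCEPT $FW loc tcp 53615
#### pay extra attention ####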
./files/etc/openvpn/server.conf
# OpenVPN server for road warriors (Shorewall zone "roa", interface tun+).
# Which local IP address should OpenVPN listen on?
# NOTE(review): 10.0.0.10 is the LAN-side address (it is also pushed as the
# DNS server below), while the Shorewall tunnels file expects clients from
# the "net" zone -- confirm the address is reachable from the Internet
# (e.g. via a DNAT on an upstream device) or bind to the external one.
local 10.0.0.10
# Which TCP/UDP port should OpenVPN listen on?
# "your_port" is a placeholder; it must match /etc/shorewall/tunnels
# (openvpnserver:your_port).
port your_port
proto udp
# Routed (layer-3) tunnel; matches "roa tun+" in the interfaces file.
dev tun
# PKI: CA, server certificate and private key. Relative paths are resolved
# against the daemon's working directory (see ifconfig-pool-persist).
ca ssl/ca.crt
cert ssl/mainserver.crt
key ssl/mainserver.key # This file should be kept secret
# NOTE(review): 1024-bit DH parameters are considered weak; regenerate the
# file with at least 2048 bits and update this path accordingly.
dh ssl/dh1024.pem
# Client address pool, outside the LAN range 10.0.0.0/16 handled by the
# masq file; the Shorewall policy decides what these clients may reach.
server 10.100.0.0 255.255.255.0
# Relative path, resolved against OpenVPN's working directory -- TODO confirm
# how the daemon is started (Debian's init script changes into the config
# directory, if that is the mechanism used here).
ifconfig-pool-persist ipp.txt
# Hand clients a route to the LAN and the gateway as DNS server. The route
# is only useful if the Shorewall rules/policy let roa reach loc.
push "route 10.0.0.0 255.255.0.0"
push "dhcp-option DNS 10.0.0.10"
# Ping every 10 s; restart the link after 120 s without a reply (pushed to
# clients as well).
keepalive 10 120
# HMAC "firewall" on the control channel; key direction 0 on the server,
# clients must use 1.
tls-auth ssl/ta.key 0 # This file is secret
# No "auth" directive, so the data-channel HMAC is OpenVPN's default (SHA1);
# a stronger digest (e.g. auth SHA256) has to be set on server and clients
# alike.
cipher AES-128-CBC # AES
# NOTE(review): compressing the tunnel exposes encrypted traffic to
# compression-oracle attacks (VORACLE, 2018); removing this on both sides
# is the usual recommendation.
comp-lzo
max-clients 10
# Drop root privileges after start-up; persist-key/persist-tun let the
# daemon survive SIGUSR1 restarts without re-reading keys or re-opening the
# tun device as root.
user nobody
group nogroup
persist-key
persist-tun
# Status and log files; both live under /var/log, outside the PKI directory.
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
# Log verbosity; 3 is the usual production level.
verb 3