Krzysztof Raciniewski

Shorewall configuration - problem

Hello everyone.

Before writing this topic I searched the forum and Google thoroughly for a solution to my problem, unfortunately without success.

I have recently got a VPS server and decided to install Shorewall so I would not have to fiddle with iptables, whose syntax is quite complicated and not very understandable to me. Shorewall was a firewall that users recommended quite a lot, which is why I chose it. Reading guides on the internet, the configuration seemed very simple to me; I did everything according to the guide at:

http://notatnik.mekk.waw.pl/archives/60-Konfigurujemy_VPS_-_czesc_1,_przygotowanie.html

and not only that one.

It turns out that after installation and copying the required files into /etc/shorewall/ the program starts up nicely, shows no errors, and some effects are visible after running iptables -L. Unfortunately the program closes all my ports and ignores the ones I put in the rules file (as open ports). I have no idea what I did wrong; the whole program specification at shorewall.net is supposedly understandable, but following the descriptions produces no visible effect.

Now I will present the contents of my configuration files here:


HOSTS - present, but it has no entries, so I'll skip it


INTERFACES:

#
# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net 	eth0        	detect      	dhcp,tcpflags,nosmurfs,routefilter,logmartians

 

POLICY:

#
# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST


net		all		DROP		info
$FW		net		ACCEPT

# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info

 

ZONES:

#
# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4

 

RULES:

#
# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
#############################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#
#	Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)	$FW		net
#
#	Accept SSH connections from the local network for administration
#
SSH(ACCEPT)	net		$FW
#
#	Allow Ping from the local network
#
# 	Allow WEB connections from the local network and net
#
HTTP(ACCEPT)	net		$FW
HTTPS(ACCEPT)	net		$FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP)	net		$FW

ACCEPT		$FW		net		icmp
#


After starting the program, the output of iptables -L looks like this:

Chain INPUT (policy DROP)
target 	prot opt source       		destination 		
dynamic	all  --  anywhere     		anywhere        	ctstate INVALID,NEW 
net2fw 	all  --  anywhere     		anywhere        	
ACCEPT 	all  --  anywhere     		anywhere        	
ACCEPT 	all  --  anywhere     		anywhere        	ctstate RELATED,ESTABLISHED 
Reject 	all  --  anywhere     		anywhere        	
LOG    	all  --  anywhere     		anywhere        	LOG level info prefix `Shorewall:INPUT:REJECT:' 
reject 	all  --  anywhere     		anywhere        	[goto] 

Chain FORWARD (policy DROP)
target 	prot opt source       		destination 		
dynamic	all  --  anywhere     		anywhere        	ctstate INVALID,NEW 
ACCEPT 	all  --  anywhere     		anywhere        	ctstate RELATED,ESTABLISHED 
Reject 	all  --  anywhere     		anywhere        	
LOG    	all  --  anywhere     		anywhere        	LOG level info prefix `Shorewall:FORWARD:REJECT:' 
reject 	all  --  anywhere     		anywhere        	[goto] 

Chain OUTPUT (policy DROP)
target 	prot opt source       		destination 		
fw2net 	all  --  anywhere     		anywhere        	
ACCEPT 	all  --  anywhere     		anywhere        	
ACCEPT 	all  --  anywhere     		anywhere        	ctstate RELATED,ESTABLISHED 
Reject 	all  --  anywhere     		anywhere        	
LOG    	all  --  anywhere     		anywhere        	LOG level info prefix `Shorewall:OUTPUT:REJECT:' 
reject 	all  --  anywhere     		anywhere        	[goto] 

Chain Drop (1 references)
target 	prot opt source       		destination 		
  		all  --  anywhere     		anywhere        	
reject 	tcp  --  anywhere     		anywhere        	tcp dpt:auth /* Auth */ 
dropBcast  all  --  anywhere     		anywhere        	
ACCEPT 	icmp --  anywhere     		anywhere        	icmp fragmentation-needed /* Needed ICMP types */ 
ACCEPT 	icmp --  anywhere     		anywhere        	icmp time-exceeded /* Needed ICMP types */ 
dropInvalid  all  --  anywhere     		anywhere        	
DROP   	udp  --  anywhere     		anywhere        	multiport dports loc-srv,microsoft-ds /* SMB */ 
DROP   	udp  --  anywhere     		anywhere        	udp dpts:netbios-ns:netbios-ssn /* SMB */ 
DROP   	udp  --  anywhere     		anywhere        	udp spt:netbios-ns dpts:1024:65535 /* SMB */ 
DROP   	tcp  --  anywhere     		anywhere        	multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */ 
DROP   	udp  --  anywhere     		anywhere        	udp dpt:1900 /* UPnP */ 
dropNotSyn  tcp  --  anywhere     		anywhere        	
DROP   	udp  --  anywhere     		anywhere        	udp spt:domain /* Late DNS Replies */ 

Chain Reject (3 references)
target 	prot opt source       		destination 		
  		all  --  anywhere     		anywhere        	
reject 	tcp  --  anywhere     		anywhere        	tcp dpt:auth /* Auth */ 
dropBcast  all  --  anywhere     		anywhere        	
ACCEPT 	icmp --  anywhere     		anywhere        	icmp fragmentation-needed /* Needed ICMP types */ 
ACCEPT 	icmp --  anywhere     		anywhere        	icmp time-exceeded /* Needed ICMP types */ 
dropInvalid  all  --  anywhere     		anywhere        	
reject 	udp  --  anywhere     		anywhere        	multiport dports loc-srv,microsoft-ds /* SMB */ 
reject 	udp  --  anywhere     		anywhere        	udp dpts:netbios-ns:netbios-ssn /* SMB */ 
reject 	udp  --  anywhere     		anywhere        	udp spt:netbios-ns dpts:1024:65535 /* SMB */ 
reject 	tcp  --  anywhere     		anywhere        	multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */ 
DROP   	udp  --  anywhere     		anywhere        	udp dpt:1900 /* UPnP */ 
dropNotSyn  tcp  --  anywhere     		anywhere        	
DROP   	udp  --  anywhere     		anywhere        	udp spt:domain /* Late DNS Replies */ 

Chain dropBcast (2 references)
target 	prot opt source       		destination 		
DROP   	all  --  anywhere     		anywhere        	ADDRTYPE match dst-type BROADCAST 
DROP   	all  --  anywhere     		base-address.mcast.net/4 

Chain dropInvalid (2 references)
target 	prot opt source       		destination 		
DROP   	all  --  anywhere     		anywhere        	ctstate INVALID 

Chain dropNotSyn (2 references)
target 	prot opt source       		destination 		
DROP   	tcp  --  anywhere     		anywhere        	tcp flags:!FIN,SYN,RST,ACK/SYN 

Chain dynamic (2 references)
target 	prot opt source       		destination 		

Chain eth0_fwd (0 references)
target 	prot opt source       		destination 		
smurfs 	all  --  anywhere     		anywhere        	ctstate INVALID,NEW 
tcpflags   tcp  --  anywhere     		anywhere        	

Chain fw2net (1 references)
target 	prot opt source       		destination 		
ACCEPT 	udp  --  anywhere     		anywhere        	udp dpts:bootps:bootpc 
ACCEPT 	all  --  anywhere     		anywhere        	ctstate RELATED,ESTABLISHED 
ACCEPT 	udp  --  anywhere     		anywhere        	udp dpt:domain /* DNS */ 
ACCEPT 	tcp  --  anywhere     		anywhere        	tcp dpt:domain /* DNS */ 
ACCEPT 	icmp --  anywhere     		anywhere        	
ACCEPT 	all  --  anywhere     		anywhere        	

Chain logdrop (0 references)
target 	prot opt source       		destination 		
DROP   	all  --  anywhere     		anywhere        	

Chain logflags (5 references)
target 	prot opt source       		destination 		
LOG    	all  --  anywhere     		anywhere        	LOG level info ip-options prefix `Shorewall:logflags:DROP:' 
DROP   	all  --  anywhere     		anywhere        	

Chain logreject (0 references)
target 	prot opt source       		destination 		
reject 	all  --  anywhere     		anywhere        	

Chain net2fw (1 references)
target 	prot opt source       		destination 		
smurfs 	all  --  anywhere     		anywhere        	ctstate INVALID,NEW 
ACCEPT 	udp  --  anywhere     		anywhere        	udp dpts:bootps:bootpc 
tcpflags   tcp  --  anywhere     		anywhere        	
ACCEPT 	all  --  anywhere     		anywhere        	ctstate RELATED,ESTABLISHED 
ACCEPT 	tcp  --  anywhere     		anywhere        	tcp dpt:ssh /* SSH */ 
ACCEPT 	tcp  --  anywhere     		anywhere        	tcp dpt:www /* HTTP */ 
ACCEPT 	tcp  --  anywhere     		anywhere        	tcp dpt:https /* HTTPS */ 
DROP   	icmp --  anywhere     		anywhere        	icmp echo-request /* Ping */ 
Drop   	all  --  anywhere     		anywhere        	
LOG    	all  --  anywhere     		anywhere        	LOG level info prefix `Shorewall:net2fw:DROP:' 
DROP   	all  --  anywhere     		anywhere        	

Chain reject (10 references)
target 	prot opt source       		destination 		
DROP   	all  --  anywhere     		anywhere        	ADDRTYPE match src-type BROADCAST 
DROP   	all  --  base-address.mcast.net/4  anywhere        	
DROP   	igmp --  anywhere     		anywhere        	
REJECT 	tcp  --  anywhere     		anywhere        	reject-with tcp-reset 
REJECT 	udp  --  anywhere     		anywhere        	reject-with icmp-port-unreachable 
REJECT 	icmp --  anywhere     		anywhere        	reject-with icmp-host-unreachable 
REJECT 	all  --  anywhere     		anywhere        	reject-with icmp-host-prohibited 

Chain shorewall (0 references)
target 	prot opt source       		destination 		

Chain smurflog (2 references)
target 	prot opt source       		destination 		
LOG    	all  --  anywhere     		anywhere        	LOG level info prefix `Shorewall:smurfs:DROP:' 
DROP   	all  --  anywhere     		anywhere        	

Chain smurfs (2 references)
target 	prot opt source       		destination 		
RETURN 	all  --  0.0.0.0          	anywhere        	
smurflog   all  --  anywhere     		anywhere        	[goto] ADDRTYPE match src-type BROADCAST 
smurflog   all  --  base-address.mcast.net/4  anywhere        	[goto] 

Chain tcpflags (2 references)
target 	prot opt source       		destination 		
logflags   tcp  --  anywhere     		anywhere        	[goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
logflags   tcp  --  anywhere     		anywhere        	[goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
logflags   tcp  --  anywhere     		anywhere        	[goto] tcp flags:SYN,RST/SYN,RST 
logflags   tcp  --  anywhere     		anywhere        	[goto] tcp flags:FIN,SYN/FIN,SYN 
logflags   tcp  --  anywhere     		anywhere        	[goto] tcp spt:0 flags:FIN,SYN,RST,ACK/SYN 


I'm asking for some hints, tips and patience; this is my first VPS. I have had some contact with Linux before but never went deep into it. The server runs Ubuntu 10.10.

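One thing the listing in the post cannot show is which interface each rule is bound to: `iptables -L` without `-v -n` omits the `in`/`out` columns. In Shorewall's generated ruleset the jump from INPUT to `net2fw` is restricted to the interface named in /etc/shorewall/interfaces (eth0 here), so if a VPS's public interface is actually called something else (venet0 on OpenVZ containers is one common case; this is an assumption, not something the post establishes), the SSH/HTTP/HTTPS accepts in `net2fw` never get a chance to match and every inbound connection falls through to the final `all all REJECT` policy, which is exactly what the `Shorewall:INPUT:REJECT:` log prefix would then record. The helper below is an added example, not code from the original post or from Shorewall: it parses the output of `iptables -L INPUT -v -n` together with `ip -o link`, reports which interface the zone chain is bound to and whether that interface exists, and shows how many packets have already hit the REJECT fallthrough. The two sample dumps are constructed for the posted configuration on an assumed host whose only public interface is venet0; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the original post or of Shorewall.
# Parses `iptables -L INPUT -v -n` (the -v adds the in/out interface columns
# that the plain `iptables -L` in the post does not show) and reports which
# interface the zone chain (net2fw) is bound to and whether it exists.

# Constructed sample of `iptables -L INPUT -v -n` for the posted ruleset on an
# assumed host whose only public interface is venet0 (OpenVZ-style naming).
# Column layout: pkts bytes target prot opt in out source destination [extra]
SAMPLE_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    0     0 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   14   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  312 18720 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  312 18720 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
  312 18720 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]'

# Constructed sample of `ip -o link` on the same assumed host.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN'

# Print the inbound interface ("*" means any) of the first rule in dump $1
# whose target is $2. Prints nothing if no rule jumps to that target.
rule_in_iface() {
    printf '%s\n' "$1" | awk -v t="$2" '$3 == t { print $6; exit }'
}

# Print the packet counter of the first rule in dump $1 whose target is $2.
rule_pkts() {
    printf '%s\n' "$1" | awk -v t="$2" '$3 == t { print $1; exit }'
}

# Succeed if interface $2 is listed in the `ip -o link` dump $1.
iface_present() {
    printf '%s\n' "$1" | awk -v i="$2" '$2 == (i ":") { f = 1 } END { if (f) exit 0; exit 1 }'
}

# Explain where inbound packets meant for zone chain $3 actually end up.
# Returns 0 when the chain can match, 1 when it is bound to a missing
# interface, 2 when INPUT never jumps to it at all.
diagnose() {
    dump=$1
    links=$2
    chain=$3
    iface=$(rule_in_iface "$dump" "$chain")
    if [ -z "$iface" ]; then
        echo "INPUT never jumps to $chain: the zone chain is not wired up at all"
        return 2
    fi
    if [ "$iface" != "*" ] && ! iface_present "$links" "$iface"; then
        echo "$chain is bound to '$iface' but no such interface exists;"
        echo "inbound traffic skips its rules and hits the REJECT policy" \
             "($(rule_pkts "$dump" Reject) packets so far)"
        return 1
    fi
    echo "$chain is bound to '$iface', which exists, so its rules can match;"
    echo "check that the daemon is listening (ss -tlnp) and read the Shorewall: log lines"
    return 0
}

# Run against the constructed samples. On a live host use instead:
#   diagnose "$(iptables -L INPUT -v -n)" "$(ip -o link)" net2fw
diagnose "$SAMPLE_INPUT" "$SAMPLE_LINKS" net2fw || echo "exit status $?"
```

On a real host, `shorewall check` validates the configuration without loading it, `shorewall show net2fw` prints that one chain with counters, and the `Shorewall:net2fw:DROP:` versus `Shorewall:INPUT:REJECT:` prefixes in the kernel log tell you whether a rejected connection reached the zone chain at all. If the interface name turns out to be wrong, the fix is in /etc/shorewall/interfaces, not in rules.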
