Install Shorewall on Proxmox host
Contents Sources of knowledge ................................................................................................................................................................................................................................................ 2
Linux at Proxmox host ................................................................................................................................................................................................................................................ 2
IP configuration ...................................................................................................................................................................................................................................................... 2
Changes to Linux network configuration ............................................................................................................................................................................................................... 2
Shorewall at Proxmox host ........................................................................................................................................................................................................................................ 3
Try Shorewall installation ....................................................................................................................................................................................................................................... 6
More things to do in order to prevent locking out yourself .............................................................................................................................................................................. 6
Proxmox ..................................................................................................................................................................................................................................................................... 8
New configuration with DNAT and 7 public IP-addresses ......................................................................................................................................................................................... 9
Address space ........................................................................................................................................................................................................................................................ 9
IP configuration ...................................................................................................................................................................................................................................................... 9
Fixing multiple ip-addresses at one NIC ............................................................................................................................................................................................................... 11
New configuration with ProxyARP and 7 public IP-addresses ................................................................................................................................................................................. 12
Address space ...................................................................................................................................................................................................................................................... 12
IP configuration .................................................................................................................................................................................................................................................... 12
Fixing multiple ip-addresses at one NIC ............................................................................................................................................................................................................... 15
Sammanställning till forum ...................................................................................................................................................................................................................................... 16
/etc/vz/conf/111.conf ...................................................................................................................................................................................................................................... 16
/etc/vz/conf/105.conf ...................................................................................................................................................................................................................................... 16
/etc/network/interfaces .................................................................................................................................................................................................................................. 16
/etc/shorewall/zones ....................................................................................................................................................................................................................................... 16
/etc/shorewall/interfaces ................................................................................................................................................................................................................................ 16
/etc/shorewall/policy ....................................................................................................................................................................................................................................... 17
/etc/shorewall/rules ........................................................................................................................................................................................................................................ 17
/etc/shorewall/proxyarp .................................................................................................................................................................................................................................. 17
/proc/sys/net/ipv4/conf/all/proxy_arp ........................................................................................................................................................................................................... 17
Ping 167.99.29.154 .......................................................................................................................................................................................................................................... 18
Sources of knowledge
http://www.myatus.com/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/
http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/
http://www.shorewall.net/shorewall_setup_guide.htm
http://comments.gmane.org/gmane.comp.security.shorewall/27059
Linux at Proxmox host
IP configuration interface vmbr0
IP address 176.9.63.203
Broadcast 176.9.63.223
Netmask 255.255.255.224
Def. gateway 176.9.63.193
Changes to Linux network configuration
vs3:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 14:da:e9:ef:6f:dd
inet6 addr: fe80::16da:e9ff:feef:6fdd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:279708 errors:0 dropped:0 overruns:0 frame:0
TX packets:202651 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:212406440 (202.5 MiB) TX bytes:31461601 (30.0 MiB)
Interrupt:35 Base address:0xc000
EX1:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:ff:ff:ff:ff:ff
inet addr: 176.9.63.203 Bcast: 176.9.63.223 Mask:255.255.255.224
...
vs3:~# ifconfig vmbr0
vmbr0 Link encap:Ethernet HWaddr 14:da:e9:ef:6f:dd
inet addr:176.9.63.203 Bcast:176.9.63.223 Mask:255.255.255.224
inet6 addr: fe80::16da:e9ff:feef:6fdd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:278945 errors:0 dropped:0 overruns:0 frame:0
TX packets:201662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:208161026 (198.5 MiB) TX bytes:31424604 (29.9 MiB)
vs3:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
176.9.63.192 0.0.0.0 255.255.255.224 U 0 0 0 vmbr0
0.0.0.0 176.9.63.193 0.0.0.0 UG 0 0 0 vmbr0
EX1:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 176.9.63.193 0.0.0.0 UG 0 0 0 eth0
vs3:~# nano /etc/network/interfaces
# /etc/network/interfaces as found on vs3 (presumably the starting point):
# the public address 176.9.63.203/27 sits directly on the bridge vmbr0,
# and eth0 is only a port of that bridge (it carries no address of its own,
# as the ifconfig output above shows).
auto lo
iface lo inet loopback
auto vmbr0
iface vmbr0 inet static
address 176.9.63.203
netmask 255.255.255.224
gateway 176.9.63.193
# eth0 is enslaved to the bridge; spanning tree off, no forwarding delay
bridge_ports eth0
bridge_stp off
bridge_fd 0
EX1:~# nano /etc/network/interfaces
# /etc/network/interfaces on EX1: the public address moves onto eth0 itself, and
# vmbr0 becomes an internal-only bridge on 10.254.254.254/8 for the virtual
# machines. Because the bridge has no physical port, VM traffic has to be routed
# by the host, which is what the Shorewall masq/DNAT entries later on rely on.
auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
# no physical port: the bridge only connects the VMs to the host
bridge_ports none
bridge_stp off
bridge_fd 0
Restart network
/etc/init.d/networking restart
Shorewall at Proxmox host
Install Shorewall
apt-get install shorewall
Change Shorewall configuration
nano /etc/shorewall/shorewall.conf
Change IP_FORWARDING=Off to IP_FORWARDING=On
The change above should not be made before the configuration is complete; otherwise you could be locked out of your server.
nano /etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
# fw  = the Proxmox host itself (type "firewall")
# net = everything reached through eth0 (the Internet)
# dmz = the virtual machines behind venet0 / vmbr0 (see /etc/shorewall/interfaces)
fw firewall
net ipv4
dmz ipv4
nano /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
# eth0 faces the Internet: blacklist checks and smurf filtering apply on that side only
net eth0 detect blacklist,nosmurfs
# routeback lets traffic between VMs go back out the interface it came in on;
# venet0 is presumably the OpenVZ container interface, vmbr0 the Linux bridge
dmz venet0 detect routeback
dmz vmbr0 detect routeback,bridge
nano /etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# Entries in /etc/shorewall/rules are matched first; these policies decide what
# happens to everything the rules did not match.
# From Firewall Policy
# the host itself may open connections anywhere
fw fw ACCEPT
fw net ACCEPT
fw dmz ACCEPT
# From DMZ Policy
# VMs may talk to each other and to the Internet, but not to the host
# (dropped and logged at "info"; Ping/ACCEPT in rules still lets ICMP echo through)
dmz dmz ACCEPT
dmz net ACCEPT
dmz fw DROP info
# From Net Policy
# nothing from the Internet reaches the host or the VMs unless a rule opens it;
# every drop is logged at "info"
net fw DROP info
net dmz DROP info
# THE FOLLOWING POLICY MUST BE LAST
#
# catch-all for any zone pair not listed above: reject (sender is told) and log
all all REJECT info
nano /etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# Permit access to SSH
# SSH macro to the host, rate limited to 6 new connections per minute, burst 5
SSH/ACCEPT net fw - - - - 6/min:5
# Permit access to Proxmox Manager and Console
# 443 is the Proxmox Manager, 5900:5999 the console (VNC) port range. SOURCE is the
# whole net zone, so every Internet address can reach the console ports; if the
# administrator addresses are fixed, narrowing SOURCE (e.g. net:<admin-ip>) reduces
# that exposure.
ACCEPT net fw tcp 443,5900:5999
# PING Rules
# ICMP echo in every direction, including dmz -> fw despite the DROP policy
Ping/ACCEPT all all
# LAST LINE -- DO NOT REMOVE
Try Shorewall installation
The command below activates the new Shorewall settings for 60 seconds. In this way you can try a configuration without locking yourself out. After 60 seconds the previous
configuration is reactivated.
shorewall try /etc/shorewall 60
Start Shorewall at boot
This should only be done once you have tested all new settings with the command above and your firewall is secure.
nano /etc/default/shorewall
Change startup=0 to startup=1
Start Shorewall manually
shorewall start
Restart Shorewall
shorewall restart
More things to do in order to prevent locking out yourself
Alex Athanasopoulos ([email protected]) has posted some steps for safely testing firewall rules on the Shorewall mailing list:
Make sure that Shorewall is not started automatically at boot (startup=0 in /etc/default/shorewall). That way, if I misconfigure shorewall, I can recover with a
reboot.
When experimenting with Shorewall, I setup a root cron job that reboots the system at a certain time (usually 10 minutes into the future from when I want to try
the new firewall). That way, if I lock myself out, I can just wait a few minutes until the software reboot removes the firewall, instead of resorting to a hardware
reboot.
I familiarized myself with the Shorewall start, stop, clear, try, save, restore commands. Don't try to fix a firewall by installing another firewall. I think I locked myself out by trying to reinstall my previous home-made iptables configuration while
Shorewall was in an unsatisfactory "try" state. My existing ssh connection froze. I still don't know why this happened. I plan to familiarize myself with my server's rescue procedures. I already learned about the hardware reboot the hard way.
Setup a firewall early, while the server is not used for much else. That will cut down on disruptions. Setup backup procedures sooner rather than later.
More discussions at: http://comments.gmane.org/gmane.comp.security.shorewall/27059
Proxmox
Virtual machines are assigned private IP addresses in the range 10.0.0.0/8.
Outgoing internet traffic
nano /etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# masquerade everything from the VM range that leaves through eth0;
# with ADDRESS empty the current address of eth0 is used
eth0 10.0.0.0/8
# LAST LINE -- DO NOT REMOVE
All traffic will appear to come from 91.121.0.1
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# same, but SNAT to a fixed ADDRESS. NOTE(review): 91.121.0.1 is not in this host's
# 176.9.63.x range and looks like a placeholder carried over from the source guide —
# replace it with the host's own address before use
eth0 10.0.0.0/8 91.121.0.1
All traffic from ip 10.0.1.101 will appear to come from 91.121.0.2
# one VM gets its own source address; the leading "+" presumably orders this entry
# ahead of the catch-all line below so it is matched first — verify against masq(5)
+eth0 10.0.1.101 91.121.0.2
eth0 10.0.0.0/8 91.121.0.1
Incoming internet traffic
Forward HTTP traffic on any external IP address to a virtual server with the assigned IP of 10.0.1.101.
nano /etc/shorewall/rules
...(existing rules)...
# TCP 80 arriving from the net zone on any address of the host is forwarded to the VM
DNAT net dmz:10.0.1.101 tcp 80
New configuration with DNAT and 7 public IP-addresses
Address space
Public IP-Address Private IP-address Hostname Services Ports
176.9.63.203 vs3.riverman.com https, vnc TCP: 443, 5900 UDP:
176.9.209.152 10.0.1.101 www.riverman.com http, https, smtp, pop3, imap, mysql TCP:80, 443, 25, 110, 143 UDP:
176.9.209.153 10.0.1.102 sip.riverman.com https, sip, rtp TCP: 443, 3830, 5060 UDP: 3830, 5004-5079, 10000-20000
176.9.209.154 10.0.1. sip2.riverman.com https, sip, rtp TCP: 443, 3830, 5060 UDP: 3830, 5004-5079, 10000-20000
176.9.209.155 10.0.1.110 webconf.riverman.com http, https, vnc, (rtp) TCP: 80, 443, 5900,1935,9123,5080,8080 UDP:
176.9.209.156 - 176.9.209.157 - 176.9.209.158 - 176.9.209.159 -
IP configuration interface vmbr0
IP address 176.9.63.203
Broadcast 176.9.63.223
Netmask 255.255.255.224
Def. gateway 176.9.63.193
EX1:~# nano /etc/network/interfaces
# First of two /etc/network/interfaces listings for the DNAT setup; the addressing
# is the same as in "Changes to Linux network configuration" above.
# NOTE(review): bridge_stp/bridge_fd are missing here and appear twice at the end of
# the next listing — most likely a two-column page layout merged during extraction.
auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
EX1:~# nano /etc/network/interfaces
# /etc/network/interfaces for the DNAT setup: public address on eth0, internal
# bridge vmbr0 without ports on 10.254.254.254/8 for the VMs.
auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
# NOTE(review): the two lines below duplicate the two above; harmless, but
# probably an extraction artefact rather than intended configuration
bridge_stp off
bridge_fd 0
nano /etc/shorewall/rules
# NOTE(review): the columns of this listing were split across lines during
# extraction ("SSH/ACCEPT net fw - -" / "- - 6/min:5" is one rule, "ACCEPT net fw tcp" /
# "443,5900:5999" another); it is the rules file from "Shorewall at Proxmox host".
# The intact, updated version follows right below.
#ACTION SOURCE DEST PROTO DEST
SOURCE ORIGINAL RATE
# Permit access to SSH
SSH/ACCEPT net fw - -
- - 6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT net fw tcp
443,5900:5999
# PING Rules
Ping/ACCEPT all all
# LAST LINE -- DO NOT REMOVE
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# Permit access to SSH
# DEST is now fw:176.9.63.203, so the host's SSH only answers on its own address
# and not on the additional 176.9.209.x addresses that are forwarded to the VMs
SSH/ACCEPT net fw:176.9.63.203 - - - - 6/min:5
# Permit access to Proxmox Manager and Console
# same restriction for the Proxmox Manager (443) and console range (5900:5999);
# SOURCE is still the whole net zone — narrow it (net:<admin-ip>) if the
# administrator addresses are fixed
ACCEPT net fw:176.9.63.203 tcp 443,5900:5999
# PING Rules
Ping/ACCEPT all all
# LAST LINE -- DO NOT REMOVE
Outgoing internet traffic
nano /etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# before: masquerade the whole VM range with the address of eth0
eth0 10.0.0.0/8
# LAST LINE -- DO NOT REMOVE
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# catch-all: VMs without a public address of their own are SNATed to the host address
eth0 10.0.0.0/8 176.9.63.203
# per-VM SNAT to the same public address that is DNATed to that VM in rules, so
# each VM's outgoing traffic carries its own address; the leading "+" presumably
# places these entries ahead of the catch-all line — verify against masq(5)
+eth0 10.0.1.101 176.9.209.152
+eth0 10.0.1.102 176.9.209.153
+eth0 10.0.1.110 176.9.209.155
# LAST LINE -- DO NOT REMOVE
All traffic will appear to come from 176.9.63.203 except traffic from the ip-addresses below.
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# default source address for all VM traffic leaving eth0
eth0 10.0.0.0/8 176.9.63.203
All traffic from ip 10.0.1.101 will appear to come from 176.9.209.152, from ip 10.0.1.102 will appear to come from 176.9.209.153 and from ip 10.0.1.110 will appear to come from 176.9.209.155.
# NOTE(review): 91.121.0.x is not part of this host's address space; these two lines
# look like a leftover from the guide this document was based on and do not match
# the 176.9.x entries described in the sentence above — confirm before copying
+eth0 10.0.1.101 91.121.0.2
eth0 10.0.0.0/8 91.121.0.1
Incoming internet traffic
nano /etc/shorewall/rules
OLD ...(existing rules)...
# NOTE(review): "tcp 8" is presumably the truncated "tcp 80" of the earlier
# "Incoming internet traffic" example — confirm against the real file
DNAT net dmz:10.0.1.101 tcp 8
NEW
...(existing rules)...
# ORIGINAL DEST (the public address the packet was sent to) selects the VM.
# 10.0.1.101 (www): ssh, smtp, http, 81, pop3, imap, https, imaps, pop3s.
# Port 22 on the VM is reachable from the whole net zone and, unlike the host's
# SSH rule, has no RATE limit — the same 6/min:5 value would fit here.
# mysql, listed for this VM in the address table, is not forwarded and so stays internal.
DNAT net dmz:10.0.1.101 tcp 22,25,80,81,110,143,443,993,995 - 176.9.209.152
# 10.0.1.102 (sip): https, 3830, SIP signalling (5060) and the UDP media ranges
DNAT net dmz:10.0.1.102 tcp 443,3830,5060 - 176.9.209.153
DNAT net dmz:10.0.1.102 udp 3830,5004:5079,10000:20000 - 176.9.209.153
Fixing multiple ip-addresses at one NIC
Copy /etc/sysconfig/network-scripts/ifcfg-eth1 as ifcfg-eth1:0,
ifcfg-eth1:1 and then change the content of the ifcfg-eth0:X file regarding DEVICE name, IP data and HWADDR (MAC).
A "service network restart" will bring up the new aliased device(s) together with the real ones. "ifconfig" shows eth0:X (X = number) and "ip addr ls" will show the additional
IP(s) as part of the real device.
New configuration with ProxyARP and 7 public IP-addresses
Address space
Public IP-Address Hostname Services Ports
176.9.63.203 vs3.riverman.com https, vnc TCP: 443, 5900 UDP:
176.9.209.153 sip.riverman.com https, sip, rtp TCP: 443, 3830, 5060 UDP: 3830, 5004-5079, 10000-20000
176.9.209.154 www.riverman.com http, https, smtp, pop3, imap, mysql TCP:80, 443, 25, 110, 143 UDP:
176.9.209.155 sip2.riverman.com https, sip, rtp TCP: 443, 3830, 5060 UDP: 3830, 5004-5079, 10000-20000
176.9.209.156 webconf.riverman.com http, https, vnc, (rtp) TCP: 80, 443, 5900,1935,9123,5080,8080 UDP:
176.9.209.157 - 176.9.209.158 - 176.9.209.159 -
IP configuration interface vmbr0
IP address 176.9.63.203
Broadcast 176.9.63.223
Netmask 255.255.255.224
Def. gateway 176.9.63.193
EX1:~# nano /etc/network/interfaces
# First of two /etc/network/interfaces listings for the ProxyARP setup (identical
# to the DNAT setup; no proxy_arp line yet). NOTE(review): bridge_fd 0 is missing
# here and appears twice in the next listing — probably an extraction artefact.
auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
EX1:~# nano /etc/network/interfaces
# /etc/network/interfaces for the ProxyARP setup. The only change is the post-up
# line on eth0, which turns on proxy ARP for every interface (the "all" sysctl key).
auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
# NOTE(review): "all" enables proxy ARP on vmbr0/venet0 as well as eth0. The
# /etc/shorewall/proxyarp file and the "proxyarp" interface option below are meant
# to enable it on eth0 only, so this line may be broader than needed — confirm
# which interfaces actually require it
post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
# NOTE(review): bridge_fd 0 appears twice below; harmless, probably an extraction artefact
bridge_fd 0
bridge_stp off
bridge_fd 0
nano /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
# before: no proxyarp option on the external interface
net eth0 detect blacklist,nosmurfs
dmz venet0 detect routeback
dmz vmbr0 detect routeback,bridge
#ZONE INTERFACE BROADCAST OPTIONS
# after: proxyarp on eth0 so the host answers ARP on the external side for the
# VM addresses listed in /etc/shorewall/proxyarp
net eth0 detect proxyarp,blacklist,nosmurfs
# NOTE(review): "bridge" on venet0 is new here but absent from the final listing near
# the end of this document; venet0 is not a Linux bridge, so it is probably a typo
dmz venet0 detect routeback,bridge
dmz vmbr0 detect routeback,bridge
nano /etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
# public VM addresses reached via vmbr0 and advertised by the host on eth0;
# HAVEROUTE and PERSISTENT are left at their defaults here (the final listing
# at the end of this document sets them to "no yes")
176.9.209.154 vmbr0 eth0
176.9.209.153 vmbr0 eth0
nano /etc/shorewall/rules
# NOTE(review): this listing lost its column layout during extraction (each DNAT
# entry spans two lines, and the "DNAT net dmz:10.0.1.109" entry has no port at all);
# the intact rules file for this setup follows below. The DNAT entries forward
# public ports to the webconf VM 10.0.1.110 (1935, 9123, 5080, 8080, matching its
# services in the address table) and http to 10.0.1.103.
#ACTION SOURCE DEST PROTO
DEST SOURCE ORIGINAL RATE
# Permit access to SSH
SSH/ACCEPT net fw -
- - -
# Permit access to Proxmox Manager and Console
ACCEPT net fw tcp
443,5900:5999
# PING Rules
Ping/ACCEPT all all
# Access to virtual servers
DNAT net dmz:10.0.1.103
tcp 80
DNAT net dmz:10.0.1.110 tcp 1935
DNAT net dmz:10.0.1.110
tcp 9123
DNAT net dmz:10.0.1.110
tcp 5080
DNAT net dmz:10.0.1.110
tcp 8080
DNAT net dmz:10.0.1.109
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# Permit access to SSH
# only on the host's own address, rate limited
SSH/ACCEPT net fw:176.9.63.203 - - - - 6/min:5
# Permit access to Proxmox Manager and Console
# Proxmox Manager (443) and console range (5900:5999), still open to the whole net zone
ACCEPT net fw:176.9.63.203 tcp 443,5900:5999
# PING Rules
Ping/ACCEPT all all
# With ProxyARP the VMs carry their public addresses themselves, so plain ACCEPT
# rules replace the DNAT entries of the previous setup. Port 22 on 176.9.209.154
# is open to the whole net zone without the RATE limit the host's SSH rule has.
ACCEPT net dmz:176.9.209.154 tcp 22,25,80,81,110,143,443,993,995
ACCEPT net dmz:176.9.209.153 tcp 443,3830,5060
ACCEPT net dmz:176.9.209.153 udp 3830,5004:5079,10000:20000
# LAST LINE -- DO NOT REMOVE
# NOTE(review): stray fragment of the garbled listing above ("tcp 21" has lost the
# DNAT line it belonged to). The test rule forwards public port 222 to ssh (22) on
# 10.0.1.103; it is labelled a test and should not stay in the production file.
tcp 21
# Test of ssh to virtual server
DNAT net
dmz:10.0.1.103:22 tcp 222
# LAST LINE -- DO NOT REMOVE
Outgoing internet traffic
nano /etc/shorewall/masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# before (DNAT setup): catch-all SNAT plus one entry per VM with its own public address
eth0 10.0.0.0/8 176.9.63.203
+eth0 10.0.1.101 176.9.209.152
+eth0 10.0.1.102 176.9.209.153
+eth0 10.0.1.110 176.9.209.155
# LAST LINE -- DO NOT REMOVE
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# after (ProxyARP setup): only VMs in the private 10/8 range are SNATed; VMs that
# own a public address are outside 10.0.0.0/8 and send with their own address
eth0 10.0.0.0/8 176.9.63.203
# LAST LINE -- DO NOT REMOVE
All traffic will appear to come from 176.9.63.203 except traffic from the ip-addresses below.
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
# default source address for all VM traffic leaving eth0
eth0 10.0.0.0/8 176.9.63.203
All traffic from ip 10.0.1.101 will appear to come from 176.9.209.152, from ip 10.0.1.102 will appear to come from 176.9.209.153 and from ip 10.0.1.110 will appear to come from 176.9.209.155.
# NOTE(review): 91.121.0.x is not part of this host's address space; these two lines
# look like a leftover from the guide this document was based on and do not match
# the 176.9.x entries described in the sentence above — confirm before copying
+eth0 10.0.1.101 91.121.0.2
eth0 10.0.0.0/8 91.121.0.1
Incoming internet traffic
nano /etc/shorewall/rules
OLD
...(existing rules)...
# NOTE(review): "tcp 8" is presumably the truncated "tcp 80" of the earlier example.
# The three DNAT lines after it already name the public addresses in DEST instead of
# the private VM addresses used in the DNAT setup — probably an intermediate edit.
DNAT net dmz:10.0.1.101 tcp 8
DNAT net dmz:176.9.209.152 tcp 22,25,80,81,110,143,443,993,995
DNAT net dmz:176.9.209.153 tcp 443,3830,5060
DNAT net dmz:176.9.209.153 udp 3830,5004:5079,10000:20000
NEW
...(existing rules)...
# the VMs answer on their public addresses directly, so the forwards become plain
# ACCEPT rules; note 176.9.209.154 (www) is used here where the DNAT setup had .152
ACCEPT net dmz:176.9.209.154 tcp 22,25,80,81,110,143,443,993,995
ACCEPT net dmz:176.9.209.153 tcp 443,3830,5060
ACCEPT net dmz:176.9.209.153 udp 3830,5004:5079,10000:20000
Fixing multiple ip-addresses at one NIC
Copy /etc/sysconfig/network-scripts/ifcfg-eth1 as ifcfg-eth1:0,
ifcfg-eth1:1 and then change the content of the ifcfg-eth0:X file regarding DEVICE name, IP data and HWADDR (MAC).
A "service network restart" will bring up the new aliased device(s) together with the real ones. "ifconfig" shows eth0:X (X = number) and "ip addr ls" will show the additional
IP(s) as part of the real device.
Sammanställning till forum (summary for the forum)
/etc/vz/conf/111.conf
IP_ADDRESS="167.99.29.154"
# hostname and resolver settings handed to container 111 (the IP_ADDRESS above is
# presumably served through venet0 rather than vmbr0 — relevant for the INTERFACE
# column of /etc/shorewall/proxyarp further down; confirm)
HOSTNAME="web6.domain.com"
NAMESERVER="208.67.220.220 208.67.222.222"
SEARCHDOMAIN="domain.com"
/etc/vz/conf/105.conf
IP_ADDRESS="167.99.29.153"
# hostname and resolver settings handed to container 105 (same remark as for 111:
# the address above is presumably a venet0 address)
HOSTNAME="sip8.domain.com"
NAMESERVER="213.133.98.98 213.133.99.99"
SEARCHDOMAIN="domain.com"
/etc/network/interfaces
auto lo
iface lo inet loopback
# Host addressing as posted to the forum: 176.89.15.203/27 on eth0 (the earlier
# sections use 176.9.63.203 — presumably the addresses were changed for posting)
auto eth0
iface eth0 inet static
address 176.89.15.203
netmask 255.255.255.224
broadcast 176.89.15.223
gateway 176.89.15.193
# proxy ARP for every interface ("all"); Shorewall's proxyarp entries below are
# meant to cover eth0 — NOTE(review): confirm whether the global setting is needed
post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
# internal bridge without physical ports for the VMs
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
# fw = the host, net = Internet side (eth0), dmz = the VMs (venet0/vmbr0)
fw firewall
net ipv4
dmz ipv4
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
# external interface: proxy ARP for the addresses in /etc/shorewall/proxyarp,
# blacklist checks and smurf filtering
net eth0 detect proxyarp,blacklist,nosmurfs
# VM side: venet0 (container interface) and the bridge vmbr0; routeback allows
# VM-to-VM traffic to leave through the interface it arrived on
dmz venet0 detect routeback
dmz vmbr0 detect routeback,bridge
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# rules are matched first; these policies cover everything else
# From Firewall Policy
fw fw ACCEPT
fw net ACCEPT
fw dmz ACCEPT
# From DMZ Policy
# VMs may reach each other and the Internet but not the host (dropped, logged)
dmz dmz ACCEPT
dmz net ACCEPT
dmz fw DROP info
# From Net Policy
# Internet traffic to host or VMs is dropped and logged unless a rule opens it
net fw DROP info
net dmz DROP info
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# Permit access to SSH
# host SSH only on its own address, 6 new connections per minute with burst 5
SSH/ACCEPT net fw:176.89.15.203 - - - - 6/min:5
# Permit access to Proxmox Manager and Console
# Proxmox Manager (443) and console range (5900:5999) open to the whole net zone;
# narrowing SOURCE to the administrator addresses (net:<admin-ip>) would limit this
ACCEPT net fw:176.89.15.203 tcp 443,5900:5999
# PING Rules
Ping/ACCEPT all all
# VMs answer on their public addresses (ProxyARP), so plain ACCEPT instead of DNAT;
# port 22 on 167.99.29.154 carries no RATE limit, unlike the host's SSH rule
ACCEPT net dmz:167.99.29.154 tcp 22,25,80,81,110,143,443,993,995
ACCEPT net dmz:167.99.29.153 tcp 443,3830,5060
ACCEPT net dmz:167.99.29.153 udp 3830,5004:5079,10000:20000
# LAST LINE -- DO NOT REMOVE
/etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
# HAVEROUTE no: Shorewall adds the host route to the address via INTERFACE itself;
# PERSISTENT yes: route and proxy ARP entry are kept across "shorewall stop" (per proxyarp(5))
# NOTE(review): both addresses are the IP_ADDRESS of OpenVZ containers (111.conf /
# 105.conf above), which are normally served via venet0, not vmbr0. With INTERFACE
# set to vmbr0 the host routes them to a bridge where nothing answers ARP, which
# would explain the "Destination Host Unreachable" replies from 176.89.15.203 in
# the ping test below — try venet0 here and check with "ip route" on the host.
167.99.29.154 vmbr0 eth0 no yes
167.99.29.153 vmbr0 eth0 no yes
/proc/sys/net/ipv4/conf/all/proxy_arp: 1
Ping 167.99.29.154
vm1:~# ping 167.99.29.154
PING 167.99.29.154 (167.99.29.154) 56(84) bytes of data.
From 176.89.15.203 icmp_seq=1 Destination Host Unreachable
From 176.89.15.203 icmp_seq=2 Destination Host Unreachable
(…)