
Installing Shorewall on Proxmox


Page 1: Installing Shorewall on Proxmox

Install Shorewall on Proxmox host

Contents

Sources of knowledge
Linux at Proxmox host
IP configuration
Changes to Linux network configuration
Shorewall at Proxmox host
Try Shorewall installation
More things to do in order to prevent locking out yourself
Proxmox
New configuration with DNAT and 7 public IP-addresses
Address space
IP configuration
Fixing multiple ip-addresses at one NIC
New configuration with ProxyARP and 7 public IP-addresses
Address space
IP configuration
Fixing multiple ip-addresses at one NIC
Summary for the forum
/etc/vz/conf/111.conf
/etc/vz/conf/105.conf
/etc/network/interfaces
/etc/shorewall/zones
/etc/shorewall/interfaces
/etc/shorewall/policy
/etc/shorewall/rules
/etc/shorewall/proxyarp
/proc/sys/net/ipv4/conf/all/proxy_arp
Ping 167.99.29.154

Sources of knowledge

http://www.myatus.com/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/

http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/

http://www.shorewall.net/shorewall_setup_guide.htm

http://comments.gmane.org/gmane.comp.security.shorewall/27059

Linux at Proxmox host

IP configuration

Interface       vmbr0
IP address      176.9.63.203
Broadcast       176.9.63.223
Netmask         255.255.255.224
Def. gateway    176.9.63.193

Changes to Linux network configuration

Below, the existing host (vs3) is shown first: its public address sits on the bridge vmbr0, with eth0 as the bridge port. The intended layout (EX1) follows each time: eth0 carries the public address and vmbr0 becomes an internal bridge without ports, so that Shorewall can treat eth0 as the net zone and vmbr0 as the dmz.

vs3:~# ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 14:da:e9:ef:6f:dd
          inet6 addr: fe80::16da:e9ff:feef:6fdd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:279708 errors:0 dropped:0 overruns:0 frame:0
          TX packets:202651 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:212406440 (202.5 MiB)  TX bytes:31461601 (30.0 MiB)
          Interrupt:35 Base address:0xc000

EX1:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:ff:ff:ff:ff:ff
          inet addr:176.9.63.203  Bcast:176.9.63.223  Mask:255.255.255.224
          ...

vs3:~# ifconfig vmbr0
vmbr0     Link encap:Ethernet  HWaddr 14:da:e9:ef:6f:dd
          inet addr:176.9.63.203  Bcast:176.9.63.223  Mask:255.255.255.224
          inet6 addr: fe80::16da:e9ff:feef:6fdd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:278945 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:208161026 (198.5 MiB)  TX bytes:31424604 (29.9 MiB)

vs3:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
176.9.63.192    0.0.0.0         255.255.255.224 U     0      0        0 vmbr0
0.0.0.0         176.9.63.193    0.0.0.0         UG    0      0        0 vmbr0

EX1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         176.9.63.193    0.0.0.0         UG    0      0        0 eth0

vs3:~# nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        gateway 176.9.63.193
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

EX1:~# nano /etc/network/interfaces

auto eth0
iface eth0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        broadcast 176.9.63.223
        gateway 176.9.63.193

auto vmbr0
iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

Restart network

/etc/init.d/networking restart
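A mistake in the vs3-to-EX1 rewrite of /etc/network/interfaces takes the host off the network before Shorewall is even installed, and only a remote console gets it back. The Python script below is an added example written for these notes; it is not code from the original page, from Proxmox or from Shorewall. It parses constructed copies of the two files above with a small ifupdown stanza parser, checks that an explicit broadcast agrees with the netmask, that the gateway lies inside the directly connected subnet and that no address is configured on two interfaces, and reports which interface carries the default gateway, which is the interface Shorewall's net zone has to be bound to. The function names and the set of checks are my own choices.

```python
import ipaddress

# Constructed copies of the two /etc/network/interfaces files shown above:
# vs3 (current host, public address on the bridge) and EX1 (target layout).
INTERFACES_VS3 = """\
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        gateway 176.9.63.193
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
"""

INTERFACES_EX1 = """\
auto eth0
iface eth0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        broadcast 176.9.63.223
        gateway 176.9.63.193

auto vmbr0
iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0
"""


def parse_interfaces(text):
    """Parse ifupdown stanzas into {interface: {option: value}}; the 'iface'
    method (static, loopback, dhcp) is stored under the key 'method'."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":                # iface <name> inet <method>
            current = {"method": parts[3]}
            stanzas[parts[1]] = current
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None                     # not part of an iface stanza
        elif current is not None:
            current[parts[0]] = " ".join(parts[1:])
    return stanzas


def check_interfaces(stanzas):
    """Problems that would break connectivity after 'networking restart'.
    An empty list means the static stanzas are mutually consistent."""
    problems, seen = [], {}
    for name, opts in stanzas.items():
        if opts.get("method") != "static":
            continue
        if "address" not in opts or "netmask" not in opts:
            problems.append(f"{name}: static stanza without address/netmask")
            continue
        net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
        addr = ipaddress.ip_address(opts["address"])
        # An explicit broadcast must agree with the one implied by the netmask.
        if "broadcast" in opts and ipaddress.ip_address(opts["broadcast"]) != net.broadcast_address:
            problems.append(f"{name}: broadcast {opts['broadcast']} != {net.broadcast_address}")
        # A gateway outside the directly connected network is unreachable.
        if "gateway" in opts and ipaddress.ip_address(opts["gateway"]) not in net:
            problems.append(f"{name}: gateway {opts['gateway']} not in {net}")
        # The same address on two interfaces leaves routing ambiguous.
        if addr in seen:
            problems.append(f"{name}: address {addr} already used by {seen[addr]}")
        seen[addr] = name
    return problems


def public_interface(stanzas):
    """Interface carrying the default gateway: the one Shorewall's 'net' zone
    must be bound to (vmbr0 on vs3, eth0 on EX1). None if no gateway is set."""
    for name, opts in stanzas.items():
        if opts.get("method") == "static" and "gateway" in opts:
            return name
    return None


if __name__ == "__main__":
    for label, text in (("vs3", INTERFACES_VS3), ("EX1", INTERFACES_EX1)):
        stanzas = parse_interfaces(text)
        print(label, "net zone interface:", public_interface(stanzas),
              "problems:", check_interfaces(stanzas) or "none")
```

Run it before the networking restart: for vs3 it reports vmbr0 as the gateway interface, for EX1 eth0, which is exactly why the Shorewall interfaces file later binds the net zone to eth0 and not to the bridge.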

Shorewall at Proxmox host

Install Shorewall

apt-get install shorewall

Change Shorewall configuration

nano /etc/shorewall/shorewall.conf

IP_FORWARDING=Off  ->  IP_FORWARDING=On

Do not make this change before the rest of the configuration is complete; otherwise you could lock yourself out of the server.

nano /etc/shorewall/zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
dmz     ipv4

nano /etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist,nosmurfs
dmz     venet0      detect      routeback
dmz     vmbr0       detect      routeback,bridge

nano /etc/shorewall/policy

#SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
#                       LEVEL   BURST       MASK
# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
# From DMZ Policy
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP    info
# From Net Policy
net     fw      DROP    info
net     dmz     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info

nano /etc/shorewall/rules

#ACTION         SOURCE  DEST    PROTO   DEST            SOURCE  ORIGINAL    RATE
#                                       PORT            PORT(S) DEST        LIMIT
# Permit access to SSH
SSH/ACCEPT      net     fw      -       -               -       -           6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT          net     fw      tcp     443,5900:5999
# PING Rules
Ping/ACCEPT     all     all
# LAST LINE -- DO NOT REMOVE

Try Shorewall installation

The command below activates the new Shorewall settings for 60 seconds. This lets you try a configuration without locking yourself out: after 60 seconds the previous configuration is reactivated.

shorewall try /etc/shorewall 60

Start Shorewall at boot

Do this only after you have tested all new settings with the command above and are satisfied that the firewall is secure.

nano /etc/default/shorewall

startup=0  ->  startup=1

Start Shorewall manually

shorewall start

Restart Shorewall

shorewall restart
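Before even running shorewall try, it is worth checking the four files for the one mistake this section is most concerned with: a net-to-fw policy of DROP with no rule admitting the administrator. shorewall check validates syntax, but it cannot know which ports you manage the host through. The Python below is an added example written for these notes, not code from the page or from Shorewall. It reads constructed copies of the zones, interfaces, policy and rules files shown above, confirms that the catch-all policy is the last entry and that every zone used in interfaces is defined, and, whenever the net-to-fw policy is not ACCEPT, demands an explicit ACCEPT for each management port (22 through the SSH macro, 443 for the Proxmox manager). MACRO_PORTS is an assumption of mine covering only the macros used on this page; zone qualifiers such as fw:176.9.63.203 are accepted and ignored.

```python
# Constructed copies of the four Shorewall files set up above.
ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist,nosmurfs
dmz     venet0      detect      routeback
dmz     vmbr0       detect      routeback,bridge
"""
POLICY = """\
#SOURCE DEST    POLICY  LOG
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP    info
net     fw      DROP    info
net     dmz     DROP    info
all     all     REJECT  info
"""
RULES = """\
#ACTION         SOURCE  DEST    PROTO   DPORT           SPORT   ORIGDEST    RATE
SSH/ACCEPT      net     fw      -       -               -       -           6/min:5
ACCEPT          net     fw      tcp     443,5900:5999
Ping/ACCEPT     all     all
"""

# Assumed TCP ports behind the Shorewall macros used on this page; any other
# macro (e.g. Ping) is treated as covering no TCP port at all.
MACRO_PORTS = {"SSH": (22,), "HTTP": (80,), "HTTPS": (443,)}


def columns(text):
    """Rows of whitespace-separated fields; comments and blank lines dropped."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [r for r in rows if r]


def port_in_spec(spec, port):
    """True if `port` is covered by a DPORT spec such as '443,5900:5999';
    '-' means every port."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_allows(row, src, dst, port):
    """True if this rules row ACCEPTs TCP traffic to `port` from zone `src`
    to zone `dst` (address qualifiers like fw:176.9.63.203 are ignored)."""
    if not row[0].upper().endswith("ACCEPT"):
        return False
    rsrc, rdst = row[1].split(":")[0], row[2].split(":")[0]
    if rsrc not in (src, "all") or rdst not in (dst, "all"):
        return False
    if "/" in row[0]:                      # macro/ACTION form, e.g. SSH/ACCEPT
        return port in MACRO_PORTS.get(row[0].split("/")[0], ())
    proto = row[3].lower() if len(row) > 3 else "-"
    dport = row[4] if len(row) > 4 else "-"
    return proto in ("tcp", "-") and port_in_spec(dport, port)


def check_lockout(zones, interfaces, policy, rules, mgmt_ports=(22, 443)):
    """Findings that would cut off remote administration once Shorewall
    starts. An empty list means the management path from net is open."""
    findings = []
    zone_rows = columns(zones)
    defined = {r[0] for r in zone_rows}
    fw = next((r[0] for r in zone_rows if len(r) > 1 and r[1] == "firewall"), None)
    if fw is None:
        return ["zones: no zone of TYPE firewall"]
    for r in columns(interfaces):
        if r[0] not in defined:
            findings.append(f"interfaces: zone {r[0]} is not defined in zones")
    pol = columns(policy)
    if not pol or len(pol[-1]) < 3 or pol[-1][:2] != ["all", "all"] \
            or pol[-1][2] not in ("REJECT", "DROP"):
        findings.append("policy: the last entry must be 'all all REJECT' (or DROP)")
    net_to_fw = next((r[2] for r in pol if r[0] == "net" and r[1] == fw), None)
    # With net->fw not ACCEPTed by policy, each management port needs a rule;
    # an ACCEPT policy would lock nobody out (and protect nothing either).
    if net_to_fw != "ACCEPT":
        rule_rows = columns(rules)
        for port in mgmt_ports:
            if not any(rule_allows(r, "net", fw, port) for r in rule_rows):
                findings.append(f"rules: no ACCEPT for tcp/{port} from net to {fw}; "
                                "remote administration would be cut off")
    return findings


if __name__ == "__main__":
    print(check_lockout(ZONES, INTERFACES, POLICY, RULES) or "no lockout findings")
```

With the page's files the check returns nothing; delete the SSH/ACCEPT line and it names tcp/22 as the port that would be lost. Pass a different mgmt_ports tuple if the host is administered through other ports.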

More things to do in order to prevent locking out yourself

Alex Athanasopoulos ([email protected]) has written, on the Shorewall mailing list, some steps for testing firewall rules safely:

Make sure that Shorewall is not started automatically at boot (startup=0 in /etc/default/shorewall). That way, if I misconfigure shorewall, I can recover with a reboot.

When experimenting with Shorewall, I set up a root cron job that reboots the system at a certain time (usually 10 minutes into the future from when I want to try the new firewall). That way, if I lock myself out, I can just wait a few minutes until the software reboot removes the firewall, instead of resorting to a hardware reboot.

I familiarized myself with the Shorewall start, stop, clear, try, save, restore commands.

Don't try to fix a firewall by installing another firewall. I think I locked myself out by trying to reinstall my previous home-made iptables configuration while Shorewall was in an unsatisfactory "try" state. My existing ssh connection froze. I still don't know why this happened.

I plan to familiarize myself with my server's rescue procedures. I already learned about the hardware reboot the hard way.

Set up a firewall early, while the server is not used for much else. That will cut down on disruptions.

Set up backup procedures sooner rather than later.

More discussions at: http://comments.gmane.org/gmane.comp.security.shorewall/27059

Proxmox

Virtual machines are assigned private IP addresses in the range 10.0.0.0/8.

Outgoing internet traffic

nano /etc/shorewall/masq

#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S)     IPSEC   MARK
eth0        10.0.0.0/8
# LAST LINE -- DO NOT REMOVE

With an ADDRESS given, all traffic will appear to come from 91.121.0.1:

#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S)     IPSEC   MARK
eth0        10.0.0.0/8      91.121.0.1

With an additional entry for a single host, all traffic from 10.0.1.101 will appear to come from 91.121.0.2 (the rest still from 91.121.0.1):

+eth0       10.0.1.101      91.121.0.2
eth0        10.0.0.0/8      91.121.0.1

Incoming internet traffic

Forward HTTP traffic arriving on any external IP address to the virtual server with the assigned IP 10.0.1.101.

nano /etc/shorewall/rules

...(existing rules)...
DNAT        net     dmz:10.0.1.101      tcp     80

New configuration with DNAT and 7 public IP-addresses

Address space

Public IP-address   Private IP-address   Hostname               Services                                TCP ports                                   UDP ports
176.9.63.203        -                    vs3.riverman.com       https, vnc                              443, 5900                                   -
176.9.209.152       10.0.1.101           www.riverman.com       http, https, smtp, pop3, imap, mysql    80, 443, 25, 110, 143                       -
176.9.209.153       10.0.1.102           sip.riverman.com       https, sip, rtp                         443, 3830, 5060                             3830, 5004-5079, 10000-20000
176.9.209.154       10.0.1.              sip2.riverman.com      https, sip, rtp                         443, 3830, 5060                             3830, 5004-5079, 10000-20000
176.9.209.155       10.0.1.110           webconf.riverman.com   http, https, vnc, (rtp)                 80, 443, 5900, 1935, 9123, 5080, 8080       -
176.9.209.156       -
176.9.209.157       -
176.9.209.158       -
176.9.209.159       -

IP configuration

Interface       vmbr0
IP address      176.9.63.203
Broadcast       176.9.63.223
Netmask         255.255.255.224
Def. gateway    176.9.63.193

EX1:~# nano /etc/network/interfaces (unchanged from the previous section)

auto eth0
iface eth0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        broadcast 176.9.63.223
        gateway 176.9.63.193

auto vmbr0
iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

nano /etc/shorewall/rules

OLD

#ACTION         SOURCE  DEST    PROTO   DEST            SOURCE  ORIGINAL    RATE
#                                       PORT            PORT(S) DEST        LIMIT
# Permit access to SSH
SSH/ACCEPT      net     fw      -       -               -       -           6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT          net     fw      tcp     443,5900:5999
# PING Rules
Ping/ACCEPT     all     all
# LAST LINE -- DO NOT REMOVE

NEW

#ACTION         SOURCE  DEST                PROTO   DEST            SOURCE  ORIGINAL    RATE
#                                                   PORT            PORT(S) DEST        LIMIT
# Permit access to SSH
SSH/ACCEPT      net     fw:176.9.63.203     -       -               -       -           6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT          net     fw:176.9.63.203     tcp     443,5900:5999
# PING Rules
Ping/ACCEPT     all     all
# LAST LINE -- DO NOT REMOVE

The management rules are now restricted to the host's own address 176.9.63.203, so they do not also admit SSH or Proxmox manager traffic sent to the other public addresses.

Outgoing internet traffic

nano /etc/shorewall/masq

OLD

#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S)     IPSEC   MARK
eth0        10.0.0.0/8
# LAST LINE -- DO NOT REMOVE

NEW

#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S)     IPSEC   MARK
eth0        10.0.0.0/8      176.9.63.203
+eth0       10.0.1.101      176.9.209.152
+eth0       10.0.1.102      176.9.209.153
+eth0       10.0.1.110      176.9.209.155
# LAST LINE -- DO NOT REMOVE

All traffic will appear to come from 176.9.63.203 except from the hosts listed below it: traffic from 10.0.1.101 will appear to come from 176.9.209.152, traffic from 10.0.1.102 from 176.9.209.153 and traffic from 10.0.1.110 from 176.9.209.155.

Incoming internet traffic

nano /etc/shorewall/rules

OLD

...(existing rules)...
DNAT    net     dmz:10.0.1.101  tcp     80

NEW

...(existing rules)...
#ACTION SOURCE  DEST            PROTO   DEST                                SOURCE  ORIGINAL
#                                       PORT(S)                             PORT(S) DEST
DNAT    net     dmz:10.0.1.101  tcp     22,25,80,81,110,143,443,993,995     -       176.9.209.152
DNAT    net     dmz:10.0.1.102  tcp     443,3830,5060                       -       176.9.209.153
DNAT    net     dmz:10.0.1.102  udp     3830,5004:5079,10000:20000          -       176.9.209.153

Fixing multiple ip-addresses at one NIC

Copy /etc/sysconfig/network-scripts/ifcfg-eth1 as ifcfg-eth1:0, ifcfg-eth1:1 and so on, then change the DEVICE name, the IP data and HWADDR (MAC) in each ifcfg-eth0:X file. A "service network restart" brings up the new aliased device(s) together with the real ones. "ifconfig" shows eth0:X (X = number) and "ip addr ls" shows the additional IP(s) as part of the real device. (These ifcfg files and "service network restart" belong to Red Hat-style systems; on a Debian-based Proxmox host the same alias is an extra "iface eth0:0 inet static" stanza in /etc/network/interfaces.)

New configuration with ProxyARP and 7 public IP-addresses

Address space

Public IP-address   Hostname               Services                                TCP ports                                   UDP ports
176.9.63.203        vs3.riverman.com       https, vnc                              443, 5900                                   -
176.9.209.153       sip.riverman.com       https, sip, rtp                         443, 3830, 5060                             3830, 5004-5079, 10000-20000
176.9.209.154       www.riverman.com       http, https, smtp, pop3, imap, mysql    80, 443, 25, 110, 143                       -
176.9.209.155       sip2.riverman.com      https, sip, rtp                         443, 3830, 5060                             3830, 5004-5079, 10000-20000
176.9.209.156       webconf.riverman.com   http, https, vnc, (rtp)                 80, 443, 5900, 1935, 9123, 5080, 8080       -
176.9.209.157       -
176.9.209.158       -
176.9.209.159       -

IP configuration

Interface       vmbr0
IP address      176.9.63.203
Broadcast       176.9.63.223
Netmask         255.255.255.224
Def. gateway    176.9.63.193

EX1:~# nano /etc/network/interfaces

OLD

auto eth0
iface eth0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        broadcast 176.9.63.223
        gateway 176.9.63.193

auto vmbr0
iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

NEW

auto eth0
iface eth0 inet static
        address 176.9.63.203
        netmask 255.255.255.224
        broadcast 176.9.63.223
        gateway 176.9.63.193
        post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

nano /etc/shorewall/interfaces

OLD

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist,nosmurfs
dmz     venet0      detect      routeback
dmz     vmbr0       detect      routeback,bridge

NEW

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      proxyarp,blacklist,nosmurfs
dmz     venet0      detect      routeback,bridge
dmz     vmbr0       detect      routeback,bridge

nano /etc/shorewall/proxyarp

#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
176.9.209.154   vmbr0       eth0
176.9.209.153   vmbr0       eth0

nano /etc/shorewall/rules

OLD

#ACTION         SOURCE  DEST                PROTO   DEST            SOURCE  ORIGINAL    RATE
#                                                   PORT            PORT(S) DEST        LIMIT
# Permit access to SSH
SSH/ACCEPT      net     fw                  -       -               -       -
# Permit access to Proxmox Manager and Console
ACCEPT          net     fw                  tcp     443,5900:5999
# PING Rules
Ping/ACCEPT     all     all
# Access to virtual servers
DNAT            net     dmz:10.0.1.103      tcp     80
DNAT            net     dmz:10.0.1.110      tcp     1935
DNAT            net     dmz:10.0.1.110      tcp     9123
DNAT            net     dmz:10.0.1.110      tcp     5080
DNAT            net     dmz:10.0.1.110      tcp     8080
DNAT            net     dmz:10.0.1.109      tcp     21
# Test of ssh to virtual server
DNAT            net     dmz:10.0.1.103:22   tcp     222
# LAST LINE -- DO NOT REMOVE

NEW

#ACTION         SOURCE  DEST                PROTO   DEST                                SOURCE  ORIGINAL    RATE
#                                                   PORT                                PORT(S) DEST        LIMIT
# Permit access to SSH
SSH/ACCEPT      net     fw:176.9.63.203     -       -                                   -       -           6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT          net     fw:176.9.63.203     tcp     443,5900:5999
# PING Rules
Ping/ACCEPT     all     all
ACCEPT          net     dmz:176.9.209.154   tcp     22,25,80,81,110,143,443,993,995
ACCEPT          net     dmz:176.9.209.153   tcp     443,3830,5060
ACCEPT          net     dmz:176.9.209.153   udp     3830,5004:5079,10000:20000
# LAST LINE -- DO NOT REMOVE

With proxy ARP the virtual servers hold their public addresses themselves, so the DNAT entries become plain ACCEPT rules whose DEST is the public address inside the dmz zone.

Outgoing internet traffic

nano /etc/shorewall/masq

OLD

#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S)     IPSEC   MARK
eth0        10.0.0.0/8      176.9.63.203
+eth0       10.0.1.101      176.9.209.152
+eth0       10.0.1.102      176.9.209.153
+eth0       10.0.1.110      176.9.209.155
# LAST LINE -- DO NOT REMOVE

NEW

#INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S)     IPSEC   MARK
eth0        10.0.0.0/8      176.9.63.203
# LAST LINE -- DO NOT REMOVE


Incoming internet traffic

nano /etc/shorewall/rules

OLD

...(existing rules)...
DNAT    net     dmz:10.0.1.101      tcp     80
DNAT    net     dmz:176.9.209.152   tcp     22,25,80,81,110,143,443,993,995
DNAT    net     dmz:176.9.209.153   tcp     443,3830,5060
DNAT    net     dmz:176.9.209.153   udp     3830,5004:5079,10000:20000

NEW

...(existing rules)...
ACCEPT  net     dmz:176.9.209.154   tcp     22,25,80,81,110,143,443,993,995
ACCEPT  net     dmz:176.9.209.153   tcp     443,3830,5060
ACCEPT  net     dmz:176.9.209.153   udp     3830,5004:5079,10000:20000
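The DNAT layout (masq entries plus DNAT rules carrying an ORIGINAL DEST, in the section "New configuration with DNAT") and the proxy ARP layout (proxyarp file plus plain ACCEPT rules, in this section) each have their own way of drifting out of step: a forwarded host whose outbound traffic still leaves under the host's address instead of its own public one, a masq line left over from the generic 91.121.0.x example, a proxied address that no rule admits, or a DNAT rule kept for an address that is now proxied. The Python below is an added example written for these notes, not code from the page, from Shorewall or from Proxmox. It reads constructed copies of the masq, rules, interfaces and proxyarp files from both sections and reports such inconsistencies; PLAN (the public-to-private mapping from the address-space table), HOST_PUBLIC and every function name are my own.

```python
import ipaddress

# Address plan from the page's table (public -> private) and the host's own
# public address; constructed here as the checker's input.
PLAN = {"176.9.209.152": "10.0.1.101",
        "176.9.209.153": "10.0.1.102",
        "176.9.209.155": "10.0.1.110"}
HOST_PUBLIC = "176.9.63.203"

# DNAT layout: constructed copies of the NEW masq and rules files.
MASQ_DNAT = """\
eth0    10.0.0.0/8     176.9.63.203
+eth0   10.0.1.101     176.9.209.152
+eth0   10.0.1.102     176.9.209.153
+eth0   10.0.1.110     176.9.209.155
"""
RULES_DNAT = """\
DNAT    net   dmz:10.0.1.101   tcp   22,25,80,81,110,143,443,993,995   -   176.9.209.152
DNAT    net   dmz:10.0.1.102   tcp   443,3830,5060                     -   176.9.209.153
DNAT    net   dmz:10.0.1.102   udp   3830,5004:5079,10000:20000        -   176.9.209.153
"""
# Proxy ARP layout: constructed copies of the NEW interfaces, proxyarp, masq
# and rules files.
INTERFACES_PARP = """\
net    eth0     detect   proxyarp,blacklist,nosmurfs
dmz    venet0   detect   routeback,bridge
dmz    vmbr0    detect   routeback,bridge
"""
PROXYARP = """\
176.9.209.154   vmbr0   eth0
176.9.209.153   vmbr0   eth0
"""
MASQ_PARP = "eth0    10.0.0.0/8     176.9.63.203\n"
RULES_PARP = """\
ACCEPT  net   dmz:176.9.209.154   tcp   22,25,80,81,110,143,443,993,995
ACCEPT  net   dmz:176.9.209.153   tcp   443,3830,5060
ACCEPT  net   dmz:176.9.209.153   udp   3830,5004:5079,10000:20000
"""


def columns(text):
    """Rows of whitespace-separated fields; comments and blank lines dropped."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [r for r in rows if r]


def check_dnat(plan, host_public, masq, rules):
    """Findings for the DNAT layout: every forwarded private host must also be
    SNATed to the same public address it is reached at, and no masq entry may
    use an address outside the plan. Empty list = consistent."""
    findings = []
    snat = {}                            # private source -> public ADDRESS
    for row in columns(masq):
        source = row[1]
        address = row[2] if len(row) > 2 and row[2] != "-" else host_public
        if address != host_public and address not in plan:
            findings.append(f"masq: {source} -> {address} is not in the address plan")
        if "/" not in source:            # a single host, not the catch-all subnet
            snat[source] = address
    for row in columns(rules):
        if row[0] != "DNAT" or len(row) < 7 or row[6] == "-":
            continue                     # no ORIGINAL DEST: applies to any address
        private, orig = row[2].split(":")[1], row[6]
        if plan.get(orig) != private:
            findings.append(f"rules: DNAT {orig} -> {private} disagrees with plan ({plan.get(orig)})")
        if snat.get(private) != orig:
            findings.append(f"masq: outbound traffic from {private} leaves as "
                            f"{snat.get(private, host_public)}, not {orig}")
    return findings


def check_proxyarp(proxyarp, interfaces, masq, rules):
    """Findings for the proxy ARP layout: the net interface needs the proxyarp
    option, each proxied address must sit on a dmz INTERFACE with a net
    EXTERNAL interface, be admitted by ACCEPT (not DNAT) rules, and must not
    linger as a SNAT target. Empty list = consistent."""
    findings = []
    zone_of = {row[1]: row[0] for row in columns(interfaces)}
    net_opts = [row[3] for row in columns(interfaces) if row[0] == "net" and len(row) > 3]
    if not any("proxyarp" in opts.split(",") for opts in net_opts):
        findings.append("interfaces: the net interface lacks the proxyarp option")
    proxied = set()
    for row in columns(proxyarp):
        proxied.add(row[0])
        if zone_of.get(row[1]) != "dmz" or zone_of.get(row[2]) != "net":
            findings.append(f"proxyarp: {row[0]} needs a dmz INTERFACE and a net EXTERNAL interface")
    for row in columns(masq):
        if len(row) > 2 and row[2] in proxied:
            findings.append(f"masq: {row[2]} belongs to a VM now; the SNAT entry for {row[1]} is stale")
    referenced = set()
    for row in columns(rules):
        zone, _, dest = row[2].partition(":")
        if row[0] == "DNAT" and len(row) > 6 and row[6] in proxied:
            findings.append(f"rules: {row[6]} is proxied; use ACCEPT net dmz:{row[6]} instead of DNAT")
        if zone == "dmz" and dest:
            ip = dest.split(":")[0]      # strip an optional :port suffix
            if not ipaddress.ip_interface(ip).ip.is_private:
                referenced.add(ip)
                if ip not in proxied:
                    findings.append(f"rules: {ip} has no proxyarp entry, so traffic for it is not attracted to this host")
    for ip in sorted(proxied - referenced):
        findings.append(f"proxyarp: {ip} is proxied but no rule admits traffic to it")
    return findings
```

With the page's NEW files both checks return nothing. Feed check_dnat a masq that still carries "+eth0 10.0.1.101 91.121.0.2" and it reports both the unknown address and the mismatched outbound path for 10.0.1.101; feed check_proxyarp the old DNAT-era masq and rules and it flags the stale SNAT for 10.0.1.102 and the DNAT to 176.9.209.153.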

Fixing multiple ip-addresses at one NIC

Copy /etc/sysconfig/network-scripts/ifcfg-eth1 as ifcfg-eth1:0, ifcfg-eth1:1 and so on, then change the DEVICE name, the IP data and HWADDR (MAC) in each ifcfg-eth0:X file. A "service network restart" brings up the new aliased device(s) together with the real ones. "ifconfig" shows eth0:X (X = number) and "ip addr ls" shows the additional IP(s) as part of the real device. (These ifcfg files and "service network restart" belong to Red Hat-style systems; on a Debian-based Proxmox host the same alias is an extra "iface eth0:0 inet static" stanza in /etc/network/interfaces.)

Summary for the forum

/etc/vz/conf/111.conf

IP_ADDRESS="167.99.29.154"
HOSTNAME="web6.domain.com"
NAMESERVER="208.67.220.220 208.67.222.222"
SEARCHDOMAIN="domain.com"

/etc/vz/conf/105.conf

IP_ADDRESS="167.99.29.153"
HOSTNAME="sip8.domain.com"
NAMESERVER="213.133.98.98 213.133.99.99"
SEARCHDOMAIN="domain.com"

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 176.89.15.203
        netmask 255.255.255.224
        broadcast 176.89.15.223
        gateway 176.89.15.193
        post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

/etc/shorewall/zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
dmz     ipv4

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      proxyarp,blacklist,nosmurfs
dmz     venet0      detect      routeback
dmz     vmbr0       detect      routeback,bridge

/etc/shorewall/policy

#SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
#                       LEVEL   BURST       MASK
# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
# From DMZ Policy
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP    info
# From Net Policy
net     fw      DROP    info
net     dmz     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info

/etc/shorewall/rules

#ACTION         SOURCE  DEST                PROTO   DEST                                SOURCE  ORIGINAL    RATE
#                                                   PORT                                PORT(S) DEST        LIMIT
# Permit access to SSH
SSH/ACCEPT      net     fw:176.89.15.203    -       -                                   -       -           6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT          net     fw:176.89.15.203    tcp     443,5900:5999
# PING Rules
Ping/ACCEPT     all     all
ACCEPT          net     dmz:167.99.29.154   tcp     22,25,80,81,110,143,443,993,995
ACCEPT          net     dmz:167.99.29.153   tcp     443,3830,5060
ACCEPT          net     dmz:167.99.29.153   udp     3830,5004:5079,10000:20000
# LAST LINE -- DO NOT REMOVE

/etc/shorewall/proxyarp

#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
167.99.29.154   vmbr0       eth0        no          yes
167.99.29.153   vmbr0       eth0        no          yes

/proc/sys/net/ipv4/conf/all/proxy_arp

1

Ping 167.99.29.154

vm1:~# ping 167.99.29.154
PING 167.99.29.154 (167.99.29.154) 56(84) bytes of data.
From 176.89.15.203 icmp_seq=1 Destination Host Unreachable
From 176.89.15.203 icmp_seq=2 Destination Host Unreachable
(…)