
Install Shorewall on Proxmox host

Contents
Sources of knowledge ................................................................................................................................................................................................................................................ 2
Linux at Proxmox host................................................................................................................................................................................................................................................ 2
IP configuration ...................................................................................................................................................................................................................................................... 2
Changes to Linux network configuration ............................................................................................................................................................................................................... 2
Shorewall at Proxmox host ........................................................................................................................................................................................................................................ 3
Try Shorewall installation....................................................................................................................................................................................................................................... 6
More things to do in order to prevent locking out yourself .............................................................................................................................................................................. 6
Proxmox ..................................................................................................................................................................................................................................................................... 8
New configuration with DNAT and 7 public IP-addresses ......................................................................................................................................................................................... 9
Address space ........................................................................................................................................................................................................................................................ 9
IP configuration ...................................................................................................................................................................................................................................................... 9
Fixing multiple ip-addresses at one NIC ............................................................................................................................................................................................................... 11
New configuration with ProxyARP and 7 public IP-addresses ................................................................................................................................................................................. 12
Address space ...................................................................................................................................................................................................................................................... 12
IP configuration .................................................................................................................................................................................................................................................... 12
Fixing multiple ip-addresses at one NIC ............................................................................................................................................................................................................... 15
Sammanställning till forum (summary for the forum) ...................................................................................................................................................................................................... 16
/etc/vz/conf/111.conf ...................................................................................................................................................................................................................................... 16
/etc/vz/conf/105.conf ...................................................................................................................................................................................................................................... 16
/etc/network/interfaces .................................................................................................................................................................................................................................. 16
/etc/shorewall/zones ....................................................................................................................................................................................................................................... 16
/etc/shorewall/interfaces ................................................................................................................................................................................................................................ 16

/etc/shorewall/policy ....................................................................................................................................................................................................................................... 17
/etc/shorewall/rules ........................................................................................................................................................................................................................................ 17
/etc/shorewall/proxyarp .................................................................................................................................................................................................................................. 17
/proc/sys/net/ipv4/conf/all/proxy_arp ........................................................................................................................................................................................................... 17
Ping 167.99.29.154 .......................................................................................................................................................................................................................................... 18

Sources of knowledge
http://www.myatus.com/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/
http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/
http://www.shorewall.net/shorewall_setup_guide.htm
http://comments.gmane.org/gmane.comp.security.shorewall/27059

Linux at Proxmox host


IP configuration
interface
IP address
Broadcast
Netmask
Def. gateway

vmbr0
176.9.63.203
176.9.63.223
255.255.255.224
176.9.63.193

Changes to Linux network configuration


vs3:~# ifconfig eth0
eth0
Link encap:Ethernet HWaddr 14:da:e9:ef:6f:dd
inet6 addr: fe80::16da:e9ff:feef:6fdd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:279708 errors:0 dropped:0 overruns:0 frame:0
TX packets:202651 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:212406440 (202.5 MiB) TX bytes:31461601 (30.0 MiB)
Interrupt:35 Base address:0xc000

EX1:~# ifconfig eth0


eth0
Link encap:Ethernet HWaddr 00:ff:ff:ff:ff:ff
inet addr: 176.9.63.203 Bcast: 176.9.63.223 Mask:255.255.255.224
...

vs3:~# ifconfig vmbr0


vmbr0
Link encap:Ethernet HWaddr 14:da:e9:ef:6f:dd
inet addr:176.9.63.203 Bcast:176.9.63.223 Mask:255.255.255.224
inet6 addr: fe80::16da:e9ff:feef:6fdd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:278945 errors:0 dropped:0 overruns:0 frame:0
TX packets:201662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:208161026 (198.5 MiB) TX bytes:31424604 (29.9 MiB)

vs3:~# route -n
Kernel IP routing table
Destination
Gateway
176.9.63.192
0.0.0.0
0.0.0.0
176.9.63.193

Genmask
Flags Metric Ref
255.255.255.224 U
0
0
0.0.0.0
UG
0
0

vs3:~# nano /etc/network/interfaces


auto lo
iface lo inet loopback
auto vmbr0
iface vmbr0 inet static
address 176.9.63.203
netmask 255.255.255.224
gateway 176.9.63.193
bridge_ports eth0
bridge_stp off
bridge_fd 0

Restart network
/etc/init.d/networking restart

Shorewall at Proxmox host


Install Shorewall
apt-get install shorewall

Use Iface
0 vmbr0
0 vmbr0

EX1:~# route -n
Kernel IP routing table
Destination
Gateway
0.0.0.0
176.9.63.193

Genmask
0.0.0.0

EX1:~# nano /etc/network/interfaces


auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0

Flags Metric Ref


UG
0
0

Use Iface
0 eth0

Change Shorewall configuration


nano /etc/shorewall/shorewall.conf

IP_FORWARDING=Off

IP_FORWARDING=On

Do not start Shorewall (or enable it at boot) before the rest of the configuration below is complete and has been tested with `shorewall try`; otherwise you can lock yourself out of the server. Note that the IP_FORWARDING switch itself only affects traffic routed through the host (to and from the virtual machines) — it is the zone/policy/rule set that can cut off your own SSH session.
nano /etc/shorewall/zones
#ZONE
#
fw
net
dmz

TYPE

#ZONE
net
dmz
dmz

INTERFACE
eth0
venet0
vmbr0

OPTIONS

IN
OPTIONS

OUT
OPTIONS

BROADCAST
detect
detect
detect

OPTIONS
blacklist,nosmurfs
routeback
routeback,bridge

firewall
ipv4
ipv4

nano /etc/shorewall/interfaces

nano /etc/shorewall/policy
#SOURCE DEST
#

POLICY

LOG
LEVEL

# From Firewall Policy


fw
fw
ACCEPT
fw
net
ACCEPT
fw
dmz
ACCEPT
# From DMZ Policy (VMs may talk to each other and have unrestricted outbound access to the net zone; traffic from VMs to the host itself is dropped and logged — consider narrowing dmz->net with rules if the VMs are not fully trusted, to limit what a compromised VM can reach)
dmz
dmz
dmz

dmz
net
fw

ACCEPT
ACCEPT
DROP

info

# From Net Policy


net
fw
DROP
info
net
dmz
DROP
info
# THE FOLLOWING POLICY MUST BE LAST
#
all
all
REJECT
info

LIMIT:
BURST

CONNLIMIT:
MASK

nano /etc/shorewall/rules
#ACTION
SOURCE
# Permit access to SSH
SSH/ACCEPT
net

DEST

PROTO

DEST

fw

SOURCE
-

# Permit access to Proxmox Manager and Console (this opens TCP 443 and the VNC console range 5900-5999 to the whole net zone; where possible restrict SOURCE to the administrator's addresses, e.g. net:<admin-ip>)


ACCEPT
net
fw
tcp
443,5900:5999
# PING Rules
Ping/ACCEPT

all

all

# LAST LINE -- DO NOT REMOVE

ORIGINAL
-

RATE
6/min:5

Try Shorewall installation


The command below activates the new Shorewall configuration for 60 seconds, so a configuration can be tested without locking yourself out: when the timeout expires (or if the new configuration fails to compile), the previously running configuration is restored. Keep your existing SSH session open and verify access from a second session before the timer runs out.
shorewall try /etc/shorewall 60

Start Shorewall at boot


Do this only after you have tested all new settings with the command above and are satisfied that the firewall is secure: with startup=1 a broken rule set is re-applied on every boot, so a reboot no longer clears a lock-out.
nano /etc/default/shorewall
startup=0

startup=1

Start Shorewall manually


shorewall start

Restart Shorwall
shorewall restart

More things to do in order to prevent locking out yourself


Alex Athanasopoulos (alex@melato.org) has written some steps to secure testing of firewall rules in Shorewall mailing list:

Make sure that Shorewall is not started automatically at boot (startup=0 in /etc/default/shorewall). That way, if I misconfigure shorewall, I can recover with a
reboot.

When experimenting with Shorewall, I set up a root cron job that reboots the system at a certain time (usually 10 minutes after the point at which I want to try the new firewall). That way, if I lock myself out, I can just wait a few minutes until the scheduled reboot removes the firewall, instead of resorting to a hardware reboot. Remember to remove the cron job once the rules are confirmed, and keep in mind that after such a reboot (with startup=0) the server is running with no firewall at all until Shorewall is started again.

I familiarized myself with the Shorewall start, stop, clear, try, save, restore commands.

I plan to familiarize myself with my server's rescue procedures. I already learned about the hardware reboot the hard way.

Don't try to fix a firewall by installing another firewall. I think I locked myself out by trying to reinstall my previous home-made iptables configuration while
Shorewall was in an unsatisfactory "try" state. My existing ssh connection froze. I still don't know why this happened.

Setup a firewall early, while the server is not used for much else. That will cut down on disruptions.
Setup backup procedures sooner rather than later.

More discussions at: http://comments.gmane.org/gmane.comp.security.shorewall/27059

Proxmox
Virtual machines are assigned private IP addresses in the range 10.0.0.0/8. The vmbr0 bridge (10.254.254.254/8, bridge_ports none) is not attached to a physical port, so the VMs can only reach the internet through the host's routing and NAT, i.e. through the masq and DNAT entries below.
Outgoing internet traffic
nano /etc/shorewall/masq
#INTERFACE
eth0

SOURCE
10.0.0.0/8

ADDRESS

PROTO

PORT(S) IPSEC

# LAST LINE -- DO NOT REMOVE

All outgoing traffic from the 10.0.0.0/8 VMs will then appear to come from 91.121.0.1 (the example address used in the source guide; substitute the host's own public address, 176.9.63.203 in this setup).


#INTERFACE
eth0

SOURCE
10.0.0.0/8

ADDRESS
91.121.0.1

All traffic from IP 10.0.1.101 will appear to come from the first address listed below (91.121.0.2), and the rest of 10.0.0.0/8 from the second (91.121.0.1); the leading `+` on `+eth0` tells Shorewall to place that more specific entry ahead of the general 10.0.0.0/8 one, which is what makes the per-VM source address take effect.


+eth0
eth0

10.0.1.101
10.0.0.0/8

PROTO

PORT(S) IPSEC

MARK

91.121.0.2

91.121.0.2
91.121.0.1

Incoming internet traffic


Forward HTTP traffic arriving on any external IP address to the virtual server with the assigned IP 10.0.1.101. Note that the DNAT rule below carries no source restriction, so TCP port 80 of that VM becomes reachable from the whole net zone; that is appropriate for a public web server, but the same pattern should not be used for administrative services without a source restriction.
nano /etc/shorewall/rules
...(existing rules)...
DNAT

net

dmz:10.0.1.101

tcp

80

MARK

New configuration with DNAT and 7 public IP-addresses


Address space
Public IP-Address

Private IP-address

176.9.63.203

Hostname

Services

vs3.riverman.com

https, vnc

176.9.209.152

10.0.1.101

www.riverman.com

http, https, smtp, pop3, imap, mysql (mysql is listed as a service but TCP 3306 is deliberately not in the forwarded port list — keep it that way unless remote database access is actually required)

176.9.209.153

10.0.1.102

sip.riverman.com

https, sip, rtp

176.9.209.154

10.0.1.

sip2.riverman.com

https, sip, rtp

176.9.209.155

10.0.1.110

webconf.riverman.com

http, https, vnc, (rtp)

176.9.209.156
176.9.209.157
176.9.209.158
176.9.209.159

Ports
TCP: 443, 5900
UDP:
TCP:80, 443, 25, 110, 143
UDP:
TCP: 443, 3830, 5060
UDP: 3830, 5004-5079, 10000-20000
TCP: 443, 3830, 5060
UDP: 3830, 5004-5079, 10000-20000
TCP: 80, 443, 5900,1935,9123,5080,8080
UDP:

IP configuration
interface
IP address
Broadcast
Netmask
Def. gateway

vmbr0
176.9.63.203
176.9.63.223
255.255.255.224
176.9.63.193

EX1:~# nano /etc/network/interfaces


auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193

EX1:~# nano /etc/network/interfaces


auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193

auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none

auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none

bridge_stp off
bridge_fd 0

bridge_stp off
bridge_fd 0

nano /etc/shorewall/rules
#ACTION
SOURCE
SOURCE
ORIGINAL
# Permit access to SSH
SSH/ACCEPT
net
-

DEST
RATE

PROTO

DEST

fw
6/min:5

DEST

PROTO

# PING Rules
Ping/ACCEPT

all

DEST

fw:176.9.63.203

# Permit access to Proxmox Manager and Console


ACCEPT
net
fw:176.9.63.203

# Permit access to Proxmox Manager and Console


ACCEPT
net
fw
tcp
443,5900:5999
# PING Rules
Ping/ACCEPT

#ACTION
SOURCE
# Permit access to SSH
SSH/ACCEPT
net

SOURCE
-

tcp

ORIGINAL

RATE

6/min:5

443,5900:5999

all

# LAST LINE -- DO NOT REMOVE


all

all

# LAST LINE -- DO NOT REMOVE

Outgoing internet traffic


nano /etc/shorewall/masq
#INTERFACE
eth0

SOURCE
10.0.0.0/8

ADDRESS

PROTO

PORT(S) IPSEC

MARK

# LAST LINE -- DO NOT REMOVE

#INTERFACE
eth0
+eth0
+eth0
+eth0

SOURCE
10.0.0.0/8
10.0.1.101
10.0.1.102
10.0.1.110

ADDRESS
176.9.63.203
176.9.209.152
176.9.209.153
176.9.209.155

PROTO

PORT(S) IPSEC

MARK

# LAST LINE -- DO NOT REMOVE

All outgoing traffic will appear to come from 176.9.63.203, except traffic from the IP addresses listed below, which is mapped to its own public address.
#INTERFACE
eth0

SOURCE
10.0.0.0/8

ADDRESS
176.9.63.203

All traffic from ip 10.0.1.101 will appear from


+eth0
eth0

10.0.1.101
10.0.0.0/8

91.121.0.2
91.121.0.1

Incoming internet traffic


nano /etc/shorewall/rules

PROTO

PORT(S) IPSEC

176.9.209.152,

from ip

MARK

10.0.1.102

will appear from

176.9.209.153

and from ip

10.0.1.110

will appear from

176.9.209.155

OLD
NEW

...(existing rules)...
DNAT
...(existing rules)...
DNAT
DNAT
DNAT

net

dmz:10.0.1.101

tcp

net
net
net

dmz:10.0.1.101
dmz:10.0.1.102
dmz:10.0.1.102

tcp
tcp
udp

22,25,80,81,110,143,443,993,995
443,3830,5060
3830,5004:5079,10000:20000

176.9.209.152
176.9.209.153
176.9.209.153

Fixing multiple ip-addresses at one NIC


On Red Hat-style systems: copy /etc/sysconfig/network-scripts/ifcfg-eth1 to ifcfg-eth1:0, ifcfg-eth1:1, ... and then change the DEVICE name, IP data and HWADDR (MAC) in each ifcfg-eth1:X file.

A "service network restart" will bring up the new aliased device(s) together with the real ones. "ifconfig" shows eth1:X (X = alias number) and "ip addr ls" shows the additional IP(s) as part of the real device.

Note: this is the Red Hat/CentOS layout. The Proxmox host in this document is Debian-based (apt-get, /etc/network/interfaces), where additional addresses are added as extra `iface eth0:0 inet static` stanzas in /etc/network/interfaces instead. The ProxyARP configuration in the next section does not add such aliases at all.

New configuration with ProxyARP and 7 public IP-addresses


Address space
Public IP-Address

Hostname

Services

176.9.63.203

vs3.riverman.com

https, vnc

176.9.209.153

sip.riverman.com

https, sip, rtp

176.9.209.154

www.riverman.com

http, https, smtp, pop3, imap, mysql

176.9.209.155

sip2.riverman.com

https, sip, rtp

176.9.209.156

webconf.riverman.com

http, https, vnc, (rtp)

176.9.209.157
176.9.209.158
176.9.209.159

Ports
TCP: 443, 5900
UDP:
TCP: 443, 3830, 5060
UDP: 3830, 5004-5079, 10000-20000
TCP:80, 443, 25, 110, 143
UDP:
TCP: 443, 3830, 5060
UDP: 3830, 5004-5079, 10000-20000
TCP: 80, 443, 5900,1935,9123,5080,8080
UDP:

IP configuration
interface
IP address
Broadcast
Netmask
Def. gateway

vmbr0
176.9.63.203
176.9.63.223
255.255.255.224
176.9.63.193

EX1:~# nano /etc/network/interfaces


auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off

EX1:~# nano /etc/network/interfaces


auto eth0
iface eth0 inet static
address 176.9.63.203
netmask 255.255.255.224
broadcast 176.9.63.223
gateway 176.9.63.193
post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none

bridge_fd 0

bridge_stp off
bridge_fd 0

nano /etc/shorewall/interfaces
#ZONE
net
dmz
dmz

INTERFACE
eth0
venet0
vmbr0

BROADCAST
detect
detect
detect

OPTIONS
blacklist,nosmurfs
routeback
routeback,bridge

#ZONE
net
dmz
dmz

INTERFACE
eth0
venet0
vmbr0

BROADCAST
detect
detect
detect

OPTIONS
proxyarp,blacklist,nosmurfs
routeback,bridge
routeback,bridge

nano /etc/shorewall/proxyarp
#ADDRESS
176.9.209.154
176.9.209.153

INTERFACE
vmbr0
vmbr0

EXTERNAL
eth0
eth0

HAVEROUTE

PERSISTENT

nano /etc/shorewall/rules
#ACTION
SOURCE
DEST
DEST
SOURCE
ORIGINAL
# Permit access to SSH
SSH/ACCEPT
net
fw
-

PROTO
RATE
-

# Permit access to Proxmox Manager and Console


ACCEPT
net
fw
tcp
443,5900:5999
# PING Rules
Ping/ACCEPT

all

all

# Access to virtual servers


DNAT
net
dmz:10.0.1.103
tcp
80
DNAT
net
dmz:10.0.1.110
DNAT
net
dmz:10.0.1.110
tcp
9123
DNAT
net
dmz:10.0.1.110
tcp
5080
DNAT
net
dmz:10.0.1.110
tcp
8080
DNAT
net
dmz:10.0.1.109

#ACTION
SOURCE
# Permit access to SSH
SSH/ACCEPT
net

DEST

PROTO

fw:176.9.63.203

# Permit access to Proxmox Manager and Console


ACCEPT
net
fw:176.9.63.203
# PING Rules
Ping/ACCEPT
all
all
ACCEPT
net
dmz:176.9.209.154
ACCEPT
net
dmz:176.9.209.153
ACCEPT
net
dmz:176.9.209.153
# LAST LINE -- DO NOT REMOVE

tcp

1935

DEST

SOURCE
-

tcp

tcp
tcp
udp

ORIGINAL

RATE

443,5900:5999

22,25,80,81,110,143,443,993,995
443,3830,5060
3830,5004:5079,10000:20000

6/min:5

tcp

21

# Test of ssh to virtual server (public TCP port 222 is forwarded to port 22 of 10.0.1.103; remove this rule once testing is finished, or restrict its SOURCE to the administrator's address)


DNAT
net
dmz:10.0.1.103:22
tcp

222

# LAST LINE -- DO NOT REMOVE

Outgoing internet traffic


nano /etc/shorewall/masq
#INTERFACE
eth0
+eth0
+eth0
+eth0

SOURCE
10.0.0.0/8
10.0.1.101
10.0.1.102
10.0.1.110

ADDRESS
176.9.63.203
176.9.209.152
176.9.209.153
176.9.209.155

PROTO

PORT(S) IPSEC

MARK

#INTERFACE
eth0

SOURCE
10.0.0.0/8

ADDRESS
176.9.63.203

PROTO

PORT(S) IPSEC

MARK

# LAST LINE -- DO NOT REMOVE

# LAST LINE -- DO NOT REMOVE

All outgoing traffic will appear to come from 176.9.63.203, except traffic from the IP addresses listed below, which is mapped to its own public address.
#INTERFACE
eth0

SOURCE
10.0.0.0/8

ADDRESS
176.9.63.203

PROTO

All traffic from ip 10.0.1.101 will appear from


+eth0
eth0

10.0.1.101
10.0.0.0/8

PORT(S) IPSEC

176.9.209.152,

from ip

MARK

10.0.1.102

will appear from

176.9.209.153

and from ip

91.121.0.2
91.121.0.1

Incoming internet traffic


nano /etc/shorewall/rules

OLD

NEW

...(existing rules)...
DNAT
DNAT
DNAT
DNAT
...(existing rules)...
ACCEPT
ACCEPT
ACCEPT

net
net
net
net
net
net
net

dmz:10.0.1.101
dmz:176.9.209.152
dmz:176.9.209.153
dmz:176.9.209.153
dmz:176.9.209.154
dmz:176.9.209.153
dmz:176.9.209.153

tcp
tcp
tcp
udp

tcp
tcp
udp

22,25,80,81,110,143,443,993,995
443,3830,5060
3830,5004:5079,10000:20000
22,25,80,81,110,143,443,993,995
443,3830,5060
3830,5004:5079,10000:20000

10.0.1.110

will appear from

176.9.209.155

Fixing multiple ip-addresses at one NIC


On Red Hat-style systems: copy /etc/sysconfig/network-scripts/ifcfg-eth1 to ifcfg-eth1:0, ifcfg-eth1:1, ... and then change the DEVICE name, IP data and HWADDR (MAC) in each ifcfg-eth1:X file.

A "service network restart" will bring up the new aliased device(s) together with the real ones. "ifconfig" shows eth1:X (X = alias number) and "ip addr ls" shows the additional IP(s) as part of the real device.

Note: this is the Red Hat/CentOS layout. The Proxmox host in this document is Debian-based (apt-get, /etc/network/interfaces), where additional addresses are added as extra `iface eth0:0 inet static` stanzas in /etc/network/interfaces instead. The ProxyARP configuration above does not add such aliases at all.

Sammanställning till forum (summary for the forum)


/etc/vz/conf/111.conf
IP_ADDRESS="167.99.29.154"
HOSTNAME="web6.domain.com"
NAMESERVER="208.67.220.220 208.67.222.222"
SEARCHDOMAIN="domain.com"

/etc/vz/conf/105.conf
IP_ADDRESS="167.99.29.153"
HOSTNAME="sip8.domain.com"
NAMESERVER="213.133.98.98 213.133.99.99"
SEARCHDOMAIN="domain.com"

/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 176.89.15.203
netmask 255.255.255.224
broadcast 176.89.15.223
gateway 176.89.15.193
post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0

/etc/shorewall/zones
#ZONE
#
fw
net
dmz

TYPE

OPTIONS

IN
OPTIONS

OUT
OPTIONS

firewall
ipv4
ipv4

/etc/shorewall/interfaces
#ZONE
net
dmz
dmz

INTERFACE
eth0
venet0
vmbr0

BROADCAST
detect
detect
detect

OPTIONS
proxyarp,blacklist,nosmurfs
routeback
routeback,bridge

/etc/shorewall/policy
#SOURCE DEST
#

POLICY

LOG
LEVEL

LIMIT:
BURST

CONNLIMIT:
MASK

# From Firewall Policy


fw
fw
ACCEPT
fw
net
ACCEPT
fw
dmz
ACCEPT
# From DMZ Policy
dmz
dmz
dmz

dmz
net
fw

ACCEPT
ACCEPT
DROP

info

# From Net Policy


net
fw
DROP
info
net
dmz
DROP
info
# THE FOLLOWING POLICY MUST BE LAST
#
all
all
REJECT
info

/etc/shorewall/rules
#ACTION
SOURCE
# Permit access to SSH
SSH/ACCEPT
net

DEST

PROTO

fw:176.89.15.203

# Permit access to Proxmox Manager and Console


ACCEPT
net
fw:176.89.15.203
# PING Rules
Ping/ACCEPT
all
all
ACCEPT
net
dmz:167.99.29.154
ACCEPT
net
dmz:167.99.29.153
ACCEPT
net
dmz:167.99.29.153
# LAST LINE -- DO NOT REMOVE

DEST

SOURCE
-

ORIGINAL

INTERFACE
vmbr0
vmbr0

EXTERNAL
eth0
eth0

/proc/sys/net/ipv4/conf/all/proxy_arp (set to 1 by the post-up line in /etc/network/interfaces; note that this turns proxy ARP on for every interface, whereas the `proxyarp` option given to eth0 in /etc/shorewall/interfaces and the /etc/shorewall/proxyarp entries are meant to enable it per interface — the narrower choice is to let Shorewall manage it and drop the global post-up setting)
1

tcp

443,5900:5999

tcp
tcp
udp

22,25,80,81,110,143,443,993,995
443,3830,5060
3830,5004:5079,10000:20000

/etc/shorewall/proxyarp
#ADDRESS
167.99.29.154
167.99.29.153

RATE

HAVEROUTE
no
no

PERSISTENT
yes
yes

6/min:5

Ping 167.99.29.154 (from the host; the "Destination Host Unreachable" replies below come from the host's own address 176.89.15.203, which suggests the host cannot resolve the VM address on vmbr0 — check that Shorewall is running so the proxyarp host route towards vmbr0 exists, and that container 111 is up with that address)
vm1:~# ping 167.99.29.154
PING 167.99.29.154 (167.99.29.154) 56(84) bytes of data.
From 176.89.15.203 icmp_seq=1 Destination Host Unreachable
From 176.89.15.203 icmp_seq=2 Destination Host Unreachable
()