Shorewall6

Is your firewall IPv6 aware?
The Shoreline Firewall, known as "Shorewall", is an iptables-based firewall that can be used on servers, dedicated firewall systems or on a standalone Linux system.

iptables -A INPUT -p tcp --dport 22 -j DROP

iptables alone does not cut it anymore: a rule like the one above only matches IPv4 packets, so you also need to drop the same IPv6 traffic with ip6tables:

ip6tables -A INPUT -p tcp --dport 22 -j DROP
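As an added example (not part of the original page), a small Python check for exactly this gap: it parses `iptables -S INPUT` and `ip6tables -S INPUT` output and reports ports dropped for IPv4 that have no IPv6 counterpart. The two rule sets below are constructed for the demonstration; on a real host feed it the output of the two commands.

```python
# Added example (not from the original page): list ports that iptables DROPs in
# the INPUT chain but ip6tables does not. Inputs are in `iptables -S` format.

# Constructed sample: IPv4 drops ssh, telnet and snmp ...
IPTABLES_OUTPUT = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p udp -m udp --dport 161 -j DROP
"""
# ... but the IPv6 chain only received the ssh rule.
IP6TABLES_OUTPUT = """\
-P INPUT ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

def _value(tokens, flag):
    """Token following `flag` in a rule, or None if the flag is absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None

def dropped_ports(rules_text):
    """(proto, dport) pairs with a plain `-p PROTO --dport N -j DROP` rule in INPUT.

    Negated matches, port ranges and multiport rules are not parsed, so a port
    missing here is a reason to look, not proof that it is reachable.
    """
    dropped = set()
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"] or "!" in tokens:
            continue
        proto, port = _value(tokens, "-p"), _value(tokens, "--dport")
        if _value(tokens, "-j") == "DROP" and proto and port:
            dropped.add((proto, port))
    return dropped

def ipv6_gaps(v4_text, v6_text):
    """Ports dropped for IPv4 that have no matching IPv6 DROP rule, sorted."""
    return sorted(dropped_ports(v4_text) - dropped_ports(v6_text))

if __name__ == "__main__":
    for proto, port in ipv6_gaps(IPTABLES_OUTPUT, IP6TABLES_OUTPUT):
        print(f"{proto}/{port} is dropped by iptables but not by ip6tables")
```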

So let's try to install shorewall6.

Shorewall6 Tutorial for dummies

This is a 'howto' to install shorewall6 on a Linux system. (Shorewall6 requires shorewall and linux-image-2.6.26)

Source:

This tarball
http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.4/shorewall-4.4.4.2.tar.bz2
is the original IPv4 version of shorewall; shorewall6
depends on it, so it needs to be installed first.
Luckily shorewall comes with sample config files.

Shorewall (skip this step if you already have shorewall)

cd /home/beheer/software
apt-get update
apt-get install bzip2
apt-get install iproute
apt-get install perl
wget http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.4/shorewall-4.4.4.2.tar.bz2
tar -xjvf shorewall-4.4.4.2.tar.bz2
cd shorewall-4.4.4.2
./install.sh

Shorewall6 (this version 4.4.2 is for IPv6; update later to 4.4.17)

The files for the installation of shorewall6 are found here:

wget http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.2/shorewall6-4.4.2.tar.bz2
tar -xjvf shorewall6-4.4.2.tar.bz2
cd shorewall6-4.4.2
./install.sh
cd /etc/shorewall6

Config files for Shorewall6

Interfaces

Connecting interfaces to zones

vi /etc/shorewall6/interfaces

#
###########################################################
#ZONE   INTERFACE       ANYCAST    OPTIONS
net     eth0            detect  nosmurfs,tcpflags,blacklist
net     ppp0            detect  nosmurfs,tcpflags,blacklist
net     wlan0           detect  nosmurfs,tcpflags,blacklist

When using a SixXS tunnel:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     sixxs            detect          tcpflags


Zones

The properties of the zones created in interfaces.

vi /etc/shorewall6/zones

#
# Shorewall6 version 4 - Zones File
#
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-zones.html
#
###########################################################
#ZONE   TYPE        OPTIONS     IN                  OUT
#                               OPTIONS             OPTIONS
fw      firewall
net     ipv6

Policy

In the policy file we define the default policies between zones; a policy applies whenever no entry in the rules file matches.
In this example shorewall6 allows traffic from the machine (fw) to the internet (net).
Traffic from the internet (net) to the machine (fw) is not allowed.

vi /etc/shorewall6/policy

#
# Shorewall6 version 4 - Policy File
#
# For information about entries in this file, 
# type "man shorewall6-policy"
#
# The manpage is also online at
# www.shorewall.net/manpages6/shorewall6-policy.html
#
#######################################################
#SOURCE DEST    POLICY          LOG   LIMIT: CONNLIMIT:
#                               LEVEL BURST     MASK
fw      net     ACCEPT
net     all     DROP
all     all     REJECT

Rules

In the rules file we add exceptions to those policies and allow some traffic from the net to the firewall.

vi /etc/shorewall6/rules

#
# Shorewall6 version 4 - Rules File
#
# For information on the settings in this file,
# type "man shorewall6-rules"
#
# The manpage is also online at
#
# Shoot a hole in your firewall
#
####################################################
#ACTION   SOURCE DEST PROTO DEST   SOURCE  ORIGINAL ...
#                           PORT   PORT(S) DEST     ...
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# ICMPv6 carries neighbour discovery and path MTU discovery; blocking it breaks IPv6
ACCEPT    net    fw   ipv6-icmp
# web and ssh from the internet
ACCEPT    net    fw   tcp    80,443,22
# UDP probe ports used by traceroute
ACCEPT    net    fw   udp    33434:33465
