author | Silvio Rhatto <rhatto@riseup.net> | 2010-02-02 21:49:43 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2010-02-02 21:49:43 -0200 |
commit | 8c22ff697fc5df6e9646f6834d9b3750dd863f59 (patch) | |
tree | 8cd2308017892b3f6dbd39988708a96bb97cf89e | |
parent | 52de4478f790aeccee5ba6c4164a3486bd779756 (diff) | |
download | padrao-8c22ff697fc5df6e9646f6834d9b3750dd863f59.tar.gz padrao-8c22ff697fc5df6e9646f6834d9b3750dd863f59.tar.bz2 |
Adding firewall procedure
-rw-r--r-- | firewall.mdwn | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/firewall.mdwn b/firewall.mdwn index e69de29..bb3687a 100644 --- a/firewall.mdwn +++ b/firewall.mdwn 
@@ -0,0 +1,76 @@ +Configuração do shorewall +========================= + +De início, instale o shorewall: + + apt-get install shorewall + +É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`: + + IP_FORWARDING=Yes + +O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede: + + #ZONE INTERFACE BROADCAST OPTIONS + - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + +O arquivo `/etc/shorewall/zones` deve conter as zonas da rede: + + ############################################################################### + #ZONE TYPE OPTIONS IN OUT + # OPTIONS OPTIONS + fw firewall + vm ipv4 + net ipv4 + #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE + +O arquivo `/etc/shorewall/hosts` associa zonas a subredes: + + #ZONE HOST(S) OPTIONS + vm eth0:192.168.0.0/24 + net eth0:0.0.0.0/0 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE + +O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes: + + ############################################################################### + #SOURCE DEST POLICY LOG LIMIT:BURST + # LEVEL + vm net ACCEPT + $FW net ACCEPT + $FW vm ACCEPT + net all DROP info + # THE FOLLOWING POLICY MUST BE LAST + all all REJECT info + #LAST LINE -- DO NOT REMOVE + +E o arquivo `/etc/shorewall/rules` define exceções às regras gerais: + + ################################################################ + #ACTION SOURCE DEST PROTO DEST + SSH/ACCEPT net $FW + Ping/ACCEPT net $FW + HTTP/ACCEPT net $FW + HTTPS/ACCEPT net $FW + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + +Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`: + + 
############################################################################### + #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK + eth0:!192.168.0.0/24 192.168.0.0/24 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + +Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`: + + startup=1 + +Finalmente podemos ligar o shorewall: + + /etc/init.d/shorewall start + +Shorewall e Puppet +================== + +Uma vez que um nodo puppetmaster estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`. |
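Review bot: the `/etc/shorewall/rules` block never implements the port forwarding that the introduction promises. The text says iptables must forward packets from an external port to the vservers (and `IP_FORWARDING=Yes` is set for that reason), but the only entries are `SSH/ACCEPT net $FW`, `Ping/ACCEPT net $FW`, `HTTP/ACCEPT net $FW` and `HTTPS/ACCEPT net $FW`, all terminating on the firewall itself; nothing steers traffic into the `vm` zone, so `net` to `vm` falls under the `net all DROP info` policy. Either add DNAT entries for the services that should reach the vservers (Shorewall's `DNAT net vm:<vserver address> tcp 80` form, one per forwarded service) or reword the introduction so it no longer claims forwarding is configured. Two smaller points in the same hunk: `/etc/shorewall/hosts` places `vm eth0:192.168.0.0/24` and `net eth0:0.0.0.0/0` on the same interface, so `vm` is nested inside `net` and correct classification depends on `vm` being listed before `net` in `/etc/shorewall/zones` (it is, but a comment in `zones` should say the order is load-bearing, since the `#LAST LINE` marker invites people to append). And `vm net ACCEPT` with no log level lets every vserver reach the Internet on any port silently; at least add a log level, or restrict it to the protocols the vservers need, so a compromised vserver is not an unmonitored egress point.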