diff options
Diffstat (limited to 'firewall.md')
-rw-r--r-- | firewall.md | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/firewall.md b/firewall.md new file mode 100644 index 0000000..a76a114 --- /dev/null +++ b/firewall.md @@ -0,0 +1,78 @@ +[[!toc levels=4]] + +Configuração do shorewall +========================= + +De início, instale o shorewall: + + apt-get install shorewall + +É necessário que o iptables esteja configurado para encaminhar os pacotes de uma porta externa para os vservers. As seguinte diretiva precisa ser alterada na configuração original no arquivo `/etc/shorewall/shorewall.conf`: + + IP_FORWARDING=Yes + +O arquivo `/etc/shorewall/interfaces` deve conter a interface de rede: + + #ZONE INTERFACE BROADCAST OPTIONS + - eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + +O arquivo `/etc/shorewall/zones` deve conter as zonas da rede: + + ############################################################################### + #ZONE TYPE OPTIONS IN OUT + # OPTIONS OPTIONS + fw firewall + vm ipv4 + net ipv4 + #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE + +O arquivo `/etc/shorewall/hosts` associa zonas a subredes: + + #ZONE HOST(S) OPTIONS + vm eth0:192.168.0.0/24 + net eth0:0.0.0.0/0 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE + +O arquivo `/etc/shorewall/policy` define as regras para tráfego de pacotes: + + ############################################################################### + #SOURCE DEST POLICY LOG LIMIT:BURST + # LEVEL + vm net ACCEPT + $FW net ACCEPT + $FW vm ACCEPT + net all DROP info + # THE FOLLOWING POLICY MUST BE LAST + all all REJECT info + #LAST LINE -- DO NOT REMOVE + +E o arquivo `/etc/shorewall/rules` define exceções às regras gerais: + + ################################################################ + #ACTION SOURCE DEST PROTO DEST + SSH/ACCEPT net $FW + Ping/ACCEPT net $FW + HTTP/ACCEPT net $FW + HTTPS/ACCEPT net $FW + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + +Adicionamos máscaras NAT aos pacotes da rede interna através do `/etc/shorewall/masq`: + + ############################################################################### + #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK + eth0:!192.168.0.0/24 192.168.0.0/24 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + +Habilite o shorewall mudando o valor de startup de `/etc/default/shorewall` para `1`: + + startup=1 + +Finalmente podemos ligar o shorewall: + + /etc/init.d/shorewall start + +Shorewall e Puppet +================== + +Uma vez que um nodo [puppetmaster](../puppet) estiver rodando, o módulo [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) poderá ser utilizado para gerenciar o firewall. No entanto, se você for substituir o presente procedimento pela sua versão via puppet, certifique-se de apagar os arquivos `/etc/shorewall/{masq,policy,zones,rules,interfaces}`. |