Shorewall configuration
=======================

First, install shorewall:

```
apt-get install shorewall
```

iptables must be configured to forward packets arriving on an external port to the vservers. The following directive must be changed from its original value in `/etc/shorewall/shorewall.conf`:

```
IP_FORWARDING=Yes
```

The file `/etc/shorewall/interfaces` must contain the network interface:

```
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

The file `/etc/shorewall/zones` must contain the network zones:

```
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
vm      ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

The file `/etc/shorewall/hosts` maps zones to subnets:

```
#ZONE   HOST(S)                 OPTIONS
vm      eth0:192.168.0.0/24
net     eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
```

The file `/etc/shorewall/policy` defines the default policies for traffic between zones (they are evaluated in order, first match wins):

```
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
vm      net     ACCEPT
$FW     net     ACCEPT
$FW     vm      ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE
```

And the file `/etc/shorewall/rules` defines exceptions to those general policies; here they open SSH, ping, HTTP and HTTPS from the internet to the firewall host itself:

```
################################################################
#ACTION         SOURCE  DEST    PROTO   DEST
SSH/ACCEPT      net     $FW
Ping/ACCEPT     net     $FW
HTTP/ACCEPT     net     $FW
HTTPS/ACCEPT    net     $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

We add NAT masquerading for packets from the internal network (192.168.0.0/24) leaving `eth0` towards addresses outside that subnet, through `/etc/shorewall/masq`:

```
###############################################################################
#INTERFACE              SOURCE          ADDRESS  PROTO  PORT(S)  IPSEC  MARK
eth0:!192.168.0.0/24    192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

Enable shorewall by changing the `startup` value in `/etc/default/shorewall` to `1`:

```
startup=1
```

Finally, we can start shorewall:

```
/etc/init.d/shorewall start
```

Shorewall and Puppet
====================

Once a puppetmaster node is running, the [puppet-shorewall](http://git.sarava.org/?p=puppet-shorewall.git;a=summary) module can be used to manage the firewall. However, if you replace the procedure above with your Puppet version, make sure to delete the files `/etc/shorewall/{masq,policy,zones,rules,interfaces}`.
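Before starting the firewall it is worth checking what the zones, policy and rules tables above actually decide for a few flows. The script below is an added example, not part of the original page and not Shorewall's own code: it reimplements, in simplified form, the order in which Shorewall resolves a flow (the `rules` table first, as first-match exceptions, then the `policy` table, first match), and it flags the classic mistakes of referencing an undefined zone or placing the `all all REJECT` catch-all anywhere but last. The tables are embedded as constructed copies of the page's files, the `MACROS` dictionary is a hand-written stand-in for Shorewall's macro files (SSH, HTTP, HTTPS and Ping only), and the function names `check_config` and `verdict` are the example's own.

```python
"""Offline sanity check and flow evaluator for the Shorewall tables above.

Added example, not part of the original page and not Shorewall's own code. It
reimplements, in simplified form, the order in which Shorewall resolves a
flow: /etc/shorewall/rules first (exceptions, first match wins), then
/etc/shorewall/policy (first match wins). The table contents below are
constructed copies of the page's files so the script runs without Shorewall.
"""

# Constructed copies of the page's zones, policy and rules tables.
ZONES = """
fw      firewall
vm      ipv4
net     ipv4
"""
POLICY = """
vm      net     ACCEPT
$FW     net     ACCEPT
$FW     vm      ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
"""
RULES = """
SSH/ACCEPT      net     $FW
Ping/ACCEPT     net     $FW
HTTP/ACCEPT     net     $FW
HTTPS/ACCEPT    net     $FW
"""

# Assumption: a minimal macro table (real Shorewall reads /usr/share/shorewall/macro.*).
# For icmp the "port" slot holds the ICMP type; 8 is echo-request.
MACROS = {"SSH": ("tcp", 22), "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "Ping": ("icmp", 8)}


def parse(text):
    """Split a Shorewall table into rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def firewall_zone(zones):
    """Name of the zone declared with type 'firewall'; this is what $FW expands to."""
    for name, ztype, *_ in zones:
        if ztype == "firewall":
            return name
    raise ValueError("no zone of type 'firewall' defined")


def zone_matches(pattern, zone, fw):
    """'all' matches every zone; '$FW' is an alias for the firewall zone."""
    pattern = fw if pattern == "$FW" else pattern
    return pattern == "all" or pattern == zone


def check_config(zones_text=ZONES, policy_text=POLICY, rules_text=RULES):
    """Return the list of problems found; an empty list means the tables are consistent."""
    zones, policy, rules = parse(zones_text), parse(policy_text), parse(rules_text)
    firewall_zone(zones)  # raises if no firewall zone exists
    known = {z[0] for z in zones} | {"all", "$FW"}
    problems = []
    for src, dst, *_ in policy:
        problems += [f"policy references undefined zone {z!r}" for z in (src, dst) if z not in known]
    for action, src, dst, *_ in rules:
        problems += [f"rule references undefined zone {z!r}" for z in (src, dst) if z not in known]
        if "/" in action and action.split("/", 1)[0] not in MACROS:
            problems.append(f"unknown macro in {action!r}")
    # Policies are first-match, so a catch-all anywhere but last shadows what follows it.
    if not policy or policy[-1][:3] != ["all", "all", "REJECT"]:
        problems.append("last policy is not 'all all REJECT'")
    for i, (src, dst, *_) in enumerate(policy[:-1]):
        if src == "all" and dst == "all":
            problems.append(f"catch-all policy at position {i} shadows the policies after it")
    return problems


def verdict(src, dst, proto, port, zones_text=ZONES, policy_text=POLICY, rules_text=RULES):
    """Resolve one flow (source zone, dest zone, protocol, dest port/ICMP type) to an action."""
    fw = firewall_zone(parse(zones_text))
    for action, rsrc, rdst, *rest in parse(rules_text):
        if "/" in action:                       # MACRO/ACTION form, e.g. SSH/ACCEPT
            macro, verb = action.split("/", 1)
            rproto, rport = MACROS[macro]
        else:                                   # plain ACTION with explicit PROTO and DEST PORT
            verb = action
            rproto = rest[0] if rest else "-"
            rport = int(rest[1]) if len(rest) > 1 else None
        if (zone_matches(rsrc, src, fw) and zone_matches(rdst, dst, fw)
                and rproto in ("-", proto) and rport in (None, port)):
            return verb
    for psrc, pdst, pol, *_ in parse(policy_text):
        if zone_matches(psrc, src, fw) and zone_matches(pdst, dst, fw):
            return pol
    return "REJECT"  # only reached if the mandatory catch-all policy is missing


if __name__ == "__main__":
    print("problems:", check_config() or "none")
    for flow in [("net", "fw", "tcp", 22), ("net", "fw", "tcp", 25),
                 ("net", "vm", "tcp", 80), ("vm", "net", "tcp", 443), ("vm", "fw", "tcp", 22)]:
        print(flow, "->", verdict(*flow))
```

Running it shows the shape of the page's configuration at a glance: from `net`, only the four macro'd services reach the host and everything else, including any port on the vservers, is silently dropped by `net all DROP`; the vservers and the host may talk outwards; and a vserver contacting the host itself matches no policy before the final `all all REJECT`, which is the kind of implicit decision that is easier to notice in an evaluator than in the raw tables.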