Difference between revisions of "Server ports and shorewall installation"
m (160.45.63.55 → 212.201.100.117) |
|||
Line 24: | Line 24: | ||
| http ||8183/tcp || all||Fedora Commons 3 Tomcat! | | http ||8183/tcp || all||Fedora Commons 3 Tomcat! | ||
|- | |- | ||
− | | mysql ||8088/tcp || | + | | http ||10035/tcp || all||Allegrograph - responsible: Joel Sachs |
+ | |- | ||
+ | | mysql ||8088/tcp ||212.201.100.117/24||mysqld | ||
|} | |} | ||
Latest revision as of 17:26, 3 March 2015
Contents
Ports opened
Here is the information for the opened ports of the server. When this information is changed, such changes have to be done in the firewall/shorewall settings (and vice versa).
service | port/protocol | allow from | server |
---|---|---|---|
ssh | 22/tcp | all | sshd |
http | 80/tcp | all | nginx |
https | 443/tcp | all | nginx |
http | 8180/tcp | all | NO tomcat (only the fedora one is running, 8183) |
http | 8010/tcp | all | webmin |
http | 8880/tcp | all | apache for proxying |
http | 8183/tcp | all | Fedora Commons 3 Tomcat! |
http | 10035/tcp | all | Allegrograph - responsible: Joel Sachs |
mysql | 8088/tcp | 212.201.100.117/24 | mysqld |
The columns are:
- service: the name of the service
- port/protocol: the port number and protocol (tcp, udp ot icmp)
- allow from: filter by IP address, all means allow from all IP addresses
- server: the process name of the server
- Test Fedora 3 as http://212.201.100.117:8183/fedoragsearch/rest
- No, we do not use ftp (password is easily sniffable if you do).
Shorewall
Version 2.6 of the Linux kernel uses iptables to provide its firewall facilities. Iptables is installed by default as part of the minimal Debian installation, so there's no further installation needed. Iptables is wonderfully powerful, but unfortunately that power comes at a price ... namely configuration. While it can technically be configured by hand, it has been said that iptables configuration is not human readable. In short, it's very complex and can quickly become overwhelming. Luckily, we have a solution in the form of a program called wikipedia:Shorewall.
Shorewall Installation
To start, use apt-get to install the shorewall package:
Firewall:~# apt-get install shorewall
Shorewall is not a firewall, and in fact it's not even an application. The common notion of a program (or daemon) is that of an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is actually just a very large set of scripts which run once and then exit. Shorewall itself does not perform any firewalling work; it merely configures iptables to your specifications, then quits. We are provided with default configuration files in /usr/share/doc/shorewall/default-config
Since we will need to use these config files to actually make Shorewall work, the first thing to do is to copy them over to /etc/shorewall:
Firewall:~# cp /usr/share/doc/shorewall/default-config/{interfaces,policy,rules,zones} /etc/shorewall/
Please read the documentation in each config file you edit so you can fully understand what each step is really doing!
/etc/shorewall/zones
First we add our network "zones" Shorewall uses zones as a way of defining different logical portions of our network. This configuration is performed in /etc/shorewall/zones:
#ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4
/etc/shorewall/interfaces
Next, we have to add our network interfaces. This is done via /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect
/etc/shorewall/policy
Now comes the ever important firewall policy. The policy forms the basis for how all traffic on our network will be treated. This is not for fine grained control, we'll get to that later. This just sets the baseline actions for a zone. This is done via /etc/shorewall/policy:
#SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL $FW net ACCEPT net all DROP all all REJECT info
Each line (excepts these beginning with #) sets one policy. The first policy:
$FW net ACCEPT
says all traffic generated by the machine is allowed. Note that $FW refers to the firewall machine itself zone. The policy:
net all DROP
says that we don't trust external traffic from the internet. When we see internet traffic that doesn't match any specific rules (later), we want it DROPPED. Finally any traffic not matching the above is rejected (this must be the last rule):
all all REJECT info
/etc/shorewall/rules
This is the most used configuration file! For the current status of the opened ports of the our server see the top of this page!
Often, there are times when we need to make exceptions to the firewall policy we set up early. To accomplish this, we use the /etc/shorewall/rules file:
#ACTION SOURCE DEST PROTO DEST # PORT(S) ACCEPT net $FW tcp ssh,http,https Ping/ACCEPT net $FW Trcrt/ACCEPT net $FW
Let's say we have a server running on the firewall machine itself, for example SSH. Rather than deny connections, we want the firewall to pass the traffic to one of it's own servers. For this we use the ACCEPT option:
ACCEPT net $FW tcp ssh
This example will tell the firewall to accept any connections coming from the internet (net) zone to itself on port ssh (22). In other words, you can connect to an SSH server on your firewall with this rule.
Another option would be to allow people to ping and traceroute our firewall, which is disabled by our policy:
Ping/ACCEPT net $FW Trcrt/ACCEPT net $FW
Apply configuration
Run "shorewall check" to see if you've made any typos. It won't catch all possible errors, but it helps:
Firewall:~# shorewall check
If you get "Configuration Validated" you can go ahead and start Shorewall:
Firewall:~# shorewall start
If the firewall works fine then we can perform startup configuration in /etc/default/shorewall. Simply change "startup = 0" to "startup = 1".
Note: dropbox daemon needs no special setting of shorewall.