
Global Open Versity, ICT Labs Build & Deploy Secure Shorewall Firewall Network.v1.

Global Open Versity


IT Security & Network Defense Hands-on Labs Training Manual

Build & Deploy Secure Shorewall Firewall Protected Network


Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org www.globalopenversity.org

Table of Contents Page No.

BUILD & DEPLOY SECURE SHOREWALL FIREWALL PROTECTED NETWORK 1

Introduction 1

Part 1: Network Configuration 3

Part 2: Dynamic Host Configuration Protocol (DHCP) 3


Step 1: Install and Configure DHCP Server 3

Part 3: Download and Install Shorewall 5


Step 1: Download & Install Shorewall 5
Step 2: Configure Shorewall 5

Part 4: Using Webmin to Configure Shorewall 6


Step 1: Basic Configuration 6
Step 2: Configure Network Zones 8
Step 3: Configure Network Interfaces 11
Step 4: Configure the Default Policies (Policy) 13
Step 5: Configure Masquerading (masq) Rule 15
Step 6: Check Firewall Configuration 17
Step 7: Finally Start the Shorewall Firewall 18

Part 5: Advanced Configuration for Shorewall Firewall 18


Step1: Configuring Shorewall Firewall Rules 18
Step 1: Webserver installed on the Firewall box 19
Step 2: Port forwarding – Webserver on a box on the LAN 20
1. Port forwarding for Clients on the LAN 20
2. Port forwarding for Clients on the DMZ 21
3. Port Redirection 22
Step 3: Test DMZ Connectivity 23
Step 4: Type of Service (ToS) 24

Part 6: Troubleshooting 25

Part 7: Installing and configuring anti-virus software ClamAV 26

Part 8: Need More Training on Linux: 28


Secure Firewall Administration Training 28
Linux Administration Training 28

Part 9: Hands-on Lab Assignments 29


© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org EBT107 – Secure Firewall System Administration Training


By Kefa Rabah, krabah@globalopenversity.org July 26, 2010 GTS Institute

Introduction
Shorewall is a high-level tool for configuring Netfilter. You describe your firewall/gateway
requirements using entries in a set of configuration files; Shorewall reads those files and, with the
help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a
dedicated firewall system, a multi-function gateway/router/server, or on a standalone GNU/Linux system.
Shorewall does not use Netfilter's ipchains compatibility mode and can therefore take advantage of
Netfilter's connection state tracking. Note that Shorewall is not a daemon: once it has loaded the
ruleset, only the kernel's Netfilter rules sit in the packet path, so there is no extra long-running
process on the firewall to attack.

CentOS is a community-supported, free and open source operating system based on Red Hat Enterprise
Linux. It exists to provide a free enterprise-class computing platform and strives to maintain 100% binary
compatibility with its upstream distribution. CentOS stands for "Community ENTerprise Operating
System". It is a good choice for people who need the stability of an enterprise-class operating system
without the cost of certification and support that comes with proprietary software, and it is free.

Webmin is a web-based interface for system administration of Linux/UNIX. Using any modern web
browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the
need to manually edit UNIX configuration files like /etc/passwd, and lets you manage a system from
the console or remotely with ease. Here we'll use Webmin mainly to configure the Shorewall firewall.
Keep in mind that Webmin runs as root and listens on TCP port 10000: it must only be reachable from
the internal LAN zone, never from the Internet-facing interface, and you should log in over HTTPS.

Lockdown server: we also want to harden our firewall server and protect the application servers behind
it against cyber-criminals and malware. For malware scanning we'll use clamd, which ships with ClamAV
together with the clamav-db signature package. clamd is a multi-threaded daemon that uses libclamav to
scan files for viruses. The daemon listens for incoming connections on a Unix and/or TCP socket and
scans files or directories on demand. It is fully configurable via its configuration file, which it reads
from /etc/clamd.conf. Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides a number of utilities, including a
flexible and scalable multi-threaded daemon, a command-line scanner and a tool for automatic signature
database updates. The core of the package is an anti-virus engine available in the form of a shared
library. A virus scanner complements a lockdown but does not replace it: the lockdown itself consists of
shutting off every service the firewall does not need and allowing administrative access (SSH, Webmin)
from the LAN only.

Assumptions:
It's assumed that you have a good understanding of the Linux operating system and its working environment.
It's also assumed that you know how to install and configure Linux CentOS5; if not, go ahead and pop over
to scribd.com and check out the howto entitled "Install Guide Linux CentOS5 Server v1.1" to get you
started.


Solution:
In this lab session you'll learn how to set up a virtual network on VMware (you may also use another
virtualization product such as MS Virtual PC, Linux Xen, or VirtualBox from Oracle). It's assumed that you
know how to install and configure Linux CentOS5 (VM1) with three NIC adapters. On VM1 I'll show you how
to install and configure a DHCP server and the Shorewall firewall, and how to use Webmin to ease the pain
of configuring Shorewall. You'll also learn how to configure two more virtual machines (VMs), either Linux
distros or any OS of your choice, for testing connectivity from the LAN and the DMZ through the firewall to
the public network (Internet). Finally, you'll have an opportunity to do some hands-on lab assignments to
test what you have learned in this lab session. Once you're done with this lab session you should have
gained the experience and capability to plan, design, implement and deploy a secure private network or
Home/SMB office network infrastructure.

Fig. 1: Private LAN, with test PC (Internal PC) added

Note: once you're done with the hands-on training and have built a pilot test lab for prototype testing,
and all is working, you can migrate your setup to your production environment.

Part 1: Network Configuration


Figure 1 shows the setup for our hands-on lab session: a private Home/SMB LAN built in VMware around a
CentOS5 server (VM1, "Machine 1") with three NIC adapters. eth0 is attached to the public side of the
network (the Internet) and receives its IP address from the ISP's DHCP. eth1, attached to the VMnet2
virtual switch, is our internal LAN; it is configured with a static IP address and is the interface on which
our own DHCP server listens and hands out dynamic addresses to the devices in the private LAN. eth2,
attached to the VMnet3 virtual switch, is our DMZ network, and all servers located there, e.g., the VM3
web server, are configured with static IP addresses. VM1 hosts both the DHCP server (serving eth1 only)
and the Shorewall firewall, which is what keeps the three networks apart.

Part 2: Dynamic Host Configuration Protocol (DHCP)


DHCP (Dynamic Host Configuration Protocol) is an Internet protocol for automating the configuration of
computers that use TCP/IP. DHCP can be used to automatically assign IP addresses, to deliver TCP/IP
stack configuration parameters such as the subnet mask and default router, and to provide other
configuration information such as the addresses for printer, time and news servers.

Step 1: Install and Configure DHCP Server


CentOS and most other Linux distributions ship an ISC DHCP server package (the dhcpd service).
Rather than using the version bundled with your Red Hat / Fedora / CentOS system, the recommendation
here is to build the latest release of the software.

Why is it important to have the latest version? In IT security best practice, as with any other software
that you're going to run on your server, it's critically important that you have the very latest version of this
'daemon' (the Linux lingo for programs that run on the server without intervention) on your system. Be
aware of the trade-off, though: a source build is not tracked by yum, so later security fixes will not arrive
with the rest of the system; you must watch the ISC security advisories and rebuild yourself, whereas the
CentOS package receives backported fixes through normal updates. It's also very important to shut off
any services that you're not using.

Installation
1. Head over to the Internet Systems Consortium (ISC) and download the latest version of the
DHCP server. As I write this, it's at version "dhcp-4.1.0p1.tar.gz". Verify the download against the
PGP signature (.asc file) ISC publishes alongside the tarball before you build it.
2. Once you've downloaded it, move the file to your favorite location (/usr/local/src for this guide)
and unpack it by running the following command:
# tar -zxvf dhcp-*.tar.gz
3. This will create a directory called "dhcp-4.1.0p1" (in our case). Change into the newly created
directory and run the following command as root:

# ./configure

4. If there are no errors you may run the following commands (as root):

# make && make install


to build and install the software. Because these steps run as root, the new DHCP server is installed
onto your system directly; there is no separate prompt for the root password.

Note: If you come across any errors when running the above commands you are likely missing the
compiler toolchain or some development libraries (on CentOS, the "Development Tools" yum group
provides gcc and make). Also note that the service dhcpd init script and the /etc/sysconfig/dhcpd file
used below come from the CentOS dhcp package; a source build does not install them, so either keep
that package installed for its scripts or provide your own.

5. Good. Now that you have the latest DHCP server it's time to configure it properly for your environment.

6. Before launching the DHCP server, copy the sample file "server/dhcpd.conf" from the build
directory into your "/etc" directory (on CentOS5 dhcpd reads /etc/dhcpd.conf):

# cp server/dhcpd.conf /etc/

7. Finally, it's time to edit the configuration file to match your system configuration. Here's what the
"/etc/dhcpd.conf" file should look like:

ddns-update-style none;                  # keep it simple for now
ignore client-updates;                   # here too

# Listen only on the internal interface. This is NOT a dhcpd.conf directive: put
# DHCPDARGS=eth1 in /etc/sysconfig/dhcpd (read by the CentOS init script) or start
# the daemon as "dhcpd eth1". Never serve DHCP on the Internet-facing eth0.

subnet 192.168.0.0 netmask 255.255.255.0 {
  # --- default gateway
  option routers 192.168.0.1;            # gateway = the firewall's eth1 address
  option subnet-mask 255.255.255.0;      # subnet mask
  # option domain-name "example.com";    # domain name given to clients

  # The name server(s) your clients should use: your ISP's, a public resolver, or a
  # local one. You can normally find them in /etc/resolv.conf. They are handed to
  # every DHCP client, so replace the placeholder below with your own resolver(s).
  option domain-name-servers 192.168.1.1;
  option time-offset -28800;             # Pacific Standard Time, seconds from UTC - set to what you have
  range 192.168.0.128 192.168.0.254;     # the range of IPs your clients will get
  default-lease-time 21600;              # how long clients keep the same IP (seconds)
  max-lease-time 43200;

  # We want the local name server to appear at a fixed address (optional):
  # the MAC below always receives 192.168.0.7, which lies outside "range".
  host ns {
    hardware ethernet 0A:A9:5B:8E:05:67; # hardware MAC of the name server host
    fixed-address 192.168.0.7;           # address reserved for it
  }
}


Note 1: For the DNS server you can use OpenDNS for all your public DNS needs; it's free and
allows content filtering. On a production server remember to hand out DNS server addresses that the
clients can actually reach (a public resolver or your own).

Note 2: It's very important that you set the domain name properly, identify your DNS servers, define
the subnet range for which you want to provide service via DHCP, and bind dhcpd to the internal
interface only (DHCPDARGS=eth1 in /etc/sysconfig/dhcpd), so that no DHCP offers are ever made on
the Internet side.

8. Now check the configuration and restart the DHCP server:

# service dhcpd configtest

Syntax: OK

# service dhcpd restart

Note: If configtest reports errors, the details are listed in /var/log/messages; fix them and run
configtest again before restarting, otherwise the changes will not take effect.
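Once dhcpd is running, its lease file tells you which LAN clients actually received addresses, and an unknown MAC there is the first sign of a stranger on the private network. The script below is an added example, not part of the original manual: it syntax-checks a dhcpd.conf without starting the daemon, lists active leases from an ISC dhcpd lease file (dhcpd appends a new record on every change, so the last record for an address is the current one) and reports any client whose MAC is not on an allow list. The sample lease file it writes is constructed for illustration; /var/lib/dhcpd/dhcpd.leases is the CentOS package default, so set LEASES_FILE if your source build keeps the file elsewhere.

```shell
#!/bin/sh
# Added example (not from the original manual): inspect an ISC dhcpd lease file.
# Assumptions: ISC lease syntax (lease <ip> { ... binding state <s>; hardware ethernet <mac>; })
# and the CentOS default lease file path below (a source build may use a different one).
LEASES_FILE="${LEASES_FILE:-/var/lib/dhcpd/dhcpd.leases}"

# Syntax-check a dhcpd.conf without starting the daemon (ISC dhcpd -t -cf <file>).
check_dhcpd_conf() {
    command -v dhcpd >/dev/null 2>&1 || { echo "dhcpd not installed" >&2; return 2; }
    dhcpd -t -cf "${1:-/etc/dhcpd.conf}"
}

# Print "ip mac" for every address whose most recent lease record is active, sorted by IP.
active_leases() {
    awk '
        /^lease /                     { ip = $2; mac = ""; state = "" }
        /^[ \t]*binding state /       { state = $3; sub(/;/, "", state) }   # skips "next binding state"
        /^[ \t]*hardware ethernet /   { mac = $3; sub(/;/, "", mac) }
        /^}/                          { if (ip != "") { st[ip] = state; hw[ip] = mac }; ip = "" }
        END { for (i in st) if (st[i] == "active") print i, hw[i] }
    ' "${1:-$LEASES_FILE}" | sort
}

# Print active leases whose MAC is not listed (one MAC per line, any case) in the allow-list file.
unknown_clients() {
    active_leases "$1" | while read -r ip mac; do
        grep -qix "$mac" "$2" || echo "$ip $mac"
    done
}

# Constructed sample lease file for a dry run: .130 was released and later re-leased,
# .131 is active, .132 has expired.
write_sample_leases() {
    cat >"$1" <<'EOF'
lease 192.168.0.130 {
  starts 3 2010/07/21 08:00:00;
  ends 3 2010/07/21 14:00:00;
  binding state free;
  hardware ethernet 0a:a9:5b:8e:05:67;
}
lease 192.168.0.131 {
  starts 3 2010/07/21 10:05:00;
  ends 3 2010/07/21 16:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
lease 192.168.0.132 {
  starts 3 2010/07/21 09:00:00;
  ends 3 2010/07/21 15:00:00;
  binding state free;
  hardware ethernet 00:0c:29:dd:ee:ff;
}
lease 192.168.0.130 {
  starts 3 2010/07/21 15:00:00;
  ends 3 2010/07/21 21:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 0a:a9:5b:8e:05:67;
}
EOF
}
```

Run `active_leases` on the live file after a client boots to confirm it was served from the range you configured, and keep the allow list to the MACs of machines you own; on a small lab or office LAN, `unknown_clients` printing anything at all is worth investigating.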

Part 3: Download and Install Shorewall

Step 1: Download & Install Shorewall


1. Hop over to the official Shorewall web site, http://www.shorewall.net/download.htm, for the newest
version. At the time of writing this article we downloaded shorewall-4.4.10-3.noarch.rpm. Shorewall 4.4
is written in Perl and needs only perl, iptables and iproute, all of which CentOS5 already provides.

2. To install Shorewall, open a terminal and run as root:

rpm -ivh shorewall-4.4.10-3.noarch.rpm

3. Now use the whereis command to locate the installed Shorewall files:

whereis shorewall

4. As you can observe, the configuration files are located in /etc/shorewall (the executable itself is
/sbin/shorewall).

5. We're done with this section.

Step 2: Configure Shorewall


Here we need to modify the Shorewall configuration file /etc/shorewall/shorewall.conf so that
Shorewall is allowed to start.

6. To do this, open the file in your favorite text editor:


vi /etc/shorewall/shorewall.conf

7. Find the line

STARTUP_ENABLED=No

and change it to

STARTUP_ENABLED=Yes

8. Also ensure that IP forwarding is enabled: the line should read IP_FORWARDING=On. With the
alternative value Keep, Shorewall leaves the kernel's setting alone, and CentOS disables forwarding by
default, so the LAN and DMZ would not be able to reach the Internet through the box.

9. Save and exit (in vi, hit [ESC] and then ':wq').
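Part 4 reaches the same result through Webmin (zones, interfaces, default policies, masquerading); for those who prefer the console, or who want the firewall configuration under version control, the script below is an added example (not the manual's own material, and not from the Shorewall project) that writes the zones, interfaces, policy, masq and rules files for the Part 1 topology (eth0 = net, eth1 = loc, eth2 = dmz) and applies the two shorewall.conf changes from Step 2 without an editor. Shorewall columns are whitespace separated, so spaces are used. The LAN subnet 192.168.0.0/24 is taken from the dhcpd.conf above; the DMZ subnet 192.168.2.0/24 and the DMZ web server address 192.168.2.10 are assumptions, since the manual does not give them. The rules admit SSH and Webmin (TCP 10000) to the firewall from the LAN only, let the LAN browse the DMZ, and forward HTTP arriving from the Internet to the DMZ web server (the port-forwarding case of Part 5).

```shell
#!/bin/sh
# Added example, not from the original manual or the Shorewall project: console version of the
# three-zone Shorewall configuration for the lab (eth0 = net, eth1 = loc, eth2 = dmz).
# Assumed values (not given by the manual): DMZ_NET and DMZ_WEB. LAN_NET comes from dhcpd.conf.
LAN_NET="192.168.0.0/24"
DMZ_NET="192.168.2.0/24"   # assumption
DMZ_WEB="192.168.2.10"     # assumption: the VM3 web server in the DMZ

# Write the five configuration files into a directory (default /etc/shorewall).
write_shorewall_config() {
    d="${1:-/etc/shorewall}"
    mkdir -p "$d"

    # zones: the firewall itself plus one zone per interface
    cat >"$d/zones" <<'EOF'
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

    # interfaces: "dhcp" on eth0 (we are a DHCP client of the ISP) and on eth1 (dhcpd serves the
    # LAN); routefilter/logmartians drop and log packets with impossible source addresses on the
    # Internet side, nosmurfs/tcpflags reject broadcast-source and malformed-flag packets
    cat >"$d/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      dhcp,tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs
EOF

    # policy: default deny. Only the private zones and the firewall may initiate to the Internet;
    # unsolicited traffic from the Internet is silently dropped, everything else rejected and logged
    cat >"$d/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # masq: hide both private networks behind the address of eth0
    cat >"$d/masq" <<EOF
#INTERFACE  SOURCE          ADDRESS
eth0        $LAN_NET
eth0        $DMZ_NET
EOF

    # rules: exceptions to the policies. Admin access (SSH, Webmin on 10000) only from the LAN;
    # HTTP arriving on eth0 is DNAT'd to the DMZ web server; the LAN may browse the DMZ
    cat >"$d/rules" <<EOF
#ACTION         SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
SSH(ACCEPT)     loc     \$FW
ACCEPT          loc     \$FW            tcp     10000
Ping(ACCEPT)    loc     \$FW
Ping(ACCEPT)    dmz     \$FW
Web(ACCEPT)     loc     dmz
DNAT            net     dmz:$DMZ_WEB    tcp     80
EOF
}

# Step 2 of Part 3 without an editor: set STARTUP_ENABLED=Yes and IP_FORWARDING=On.
enable_shorewall() {
    f="${1:-/etc/shorewall/shorewall.conf}"
    sed -e 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' \
        -e 's/^IP_FORWARDING=.*/IP_FORWARDING=On/' "$f" >"$f.tmp" && mv "$f.tmp" "$f"
}

# Compile the configuration without loading it; fix every error before "shorewall start".
check_shorewall_config() {
    command -v shorewall >/dev/null 2>&1 || { echo "shorewall not installed; skipping check" >&2; return 2; }
    shorewall check "${1:-/etc/shorewall}"
}
```

Write the files into a scratch directory first and run `check_shorewall_config` on it; `shorewall check` compiles the ruleset without touching the running firewall, so a typo in a rule is caught before you lock yourself out. Only when it passes should you copy the files to /etc/shorewall and run `shorewall start`, and do that from a console session rather than over SSH the first time.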

Note: Shorewall web interface or GUI tool

Webmin includes a Shorewall Firewall module, so install Webmin to configure Shorewall through a GUI.
If the module is missing from your Webmin build, add it from the Webmin Configuration -> Webmin
Modules page.

Part 4: Using Webmin to Configure Shorewall

Step 1: Basic Configuration


As Linux server deployments increase every year, it becomes more and more important to have easy-to-use
tools for server administration instead of logging in with ssh and editing files by hand. GUI-based tools
increase accessibility, give a clearer picture of the configuration and features of a server, and are less
prone to the typing errors that are common with manual file editing.

In this section I show, step by step, how to configure the Shorewall firewall using Webmin as the
interface instead of editing files from the console. It is assumed that you already have a server in basic
configuration with Webmin installed. After installing and configuring Webmin you can log in using the
URL https://localhost:10000 or https://yourdomain:10000 (Webmin serves SSL when its SSL support is
installed; if you only get plain http://, enable SSL under Webmin Configuration before typing the root
password into it).

1. Now you see the first screen of the Webmin admin interface.

2. Here you can select the categories for different tasks, such as Webmin administration, the various
server administration tasks, and so on.

3. Scroll down and click Networking -> Shorewall Firewall to access the Shorewall configuration
screen, as shown in Fig. 2:


Fig. 2: Shorewall Firewall configuration screen

In the next section we’ll expand on the different options for configuring Shorewall Firewall.

Follow the link below to access the full document.

The full document has moved to Docstoc.com. You can access and download it from here:

• Build & Deploy Secure Shorewall Firewall Protected Network v1.2

OR

http://www.docstoc.com/docs/50346510/Build-and-Deploy-Secure-Shorewall-Firewall-Protected-Network

Follow us on Twitter: Global Open Versity and Kefa Rabah

-----------------------------------------------
Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several
fields of Science & Technology, Information Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to advance your
education and career goals using the latest innovations and technologies.