Gentoo Forums Forum Index :: Networking & Security

not sure of shorewall setup
nordic bro
Guru

Joined: 25 Oct 2003
Posts: 583

PostPosted: Sun Jul 12, 2020 7:45 pm    Post subject: not sure of shorewall setup

I think my basic network setup is pretty straightforward but am not sure I have shorewall set up properly. It may be, but I'm not sure (spent a couple of weeks poring over shorewall docs/examples, searching gentoo forums, etc.).

It's a desktop machine with a single nic device plugged into my own router, which is connected to fios. My computer can use the internet just fine.

I have two vpns, one not regularly used; the main one starts at bootup via openvpn. afaik all my internet traffic passes through the latter (which I want) but I am not 100% sure.

my concerns:

#1 for some reason I do not know, I had to add a shorewall rule for eth0 to allow my desktop to access router admin account at 192.168.1.1 (via web browser). otherwise I get 'not reachable' or something like that in web browser.

and because eth0 is connected to the router which in turn is hooked to internet, I'm wondering if ANY outgoing/incoming internet traffic could now bypass the vpn and go directly through router/eth0?

#2 or even if everything does go in/out through main vpn I'm not sure I've properly set up shorewall to protect from malicious outside connections coming in via the vpn or router/eth0.

#3 or maybe eth0 should be my only shorewall interface and making the vpn tun(0) was a mistake? I changed 'net eth0' to 'net tun0' because (a) tun0 is my 'real' internet connection afaik and (b) ~all the basic shorewall docs use examples with at least two interfaces but I only had one (eth0); then thought since internet is supposed to go through tun0 perhaps that's my second shorewall interface?

thanks!

/etc/conf.d/net:

Code:
config_eth0="192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255"
routes_eth0="default gw 192.168.1.1"

ifconfig:

Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.254  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 38:d5:47:e1:42:61  txqueuelen 1000  (Ethernet)
        RX packets 586315  bytes 854156630 (814.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 412696  bytes 68724348 (65.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7949  bytes 2187783 (2.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7949  bytes 2187783 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.14.11.6  netmask 255.255.255.255  destination 10.14.11.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 585073  bytes 798408206 (761.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 411736  bytes 30258459 (28.8 MiB)
        TX errors 0  dropped 77 overruns 0  carrier 0  collisions 0

route:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.14.11.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
10.14.11.1      10.14.11.5      255.255.255.255 UGH   0      0        0 tun0
10.14.11.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
128.0.0.0       10.14.11.5      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
209.95.50.103   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0

/etc/dnsmasq.conf (main vpn/tun0 dns):

Code:
domain-needed
bogus-priv
no-dhcp-interface=
server=209.222.18.222
server=209.222.18.218
server=/(second vpn/tun1 domain/IP)
server=/(second vpn/tun1 domain/IP)

/etc/resolv.conf:

Code:
nameserver 127.0.0.1

/etc/shorewall/interfaces:

Code:
net    tun0   detect    routefilter,tcpflags,dhcp,logmartians,nosmurfs
loc    eth0   detect    routefilter,tcpflags,dhcp,logmartians,nosmurfs
ptvpn  tun1   detect    routefilter,tcpflags,dhcp,logmartians,nosmurfs

/etc/shorewall/policy:

Code:
loc     fw      ACCEPT
fw      net     ACCEPT
$FW     ptvpn   ACCEPT
net     all     DROP
all     all     REJECT

/etc/shorewall/rules:

Code:
?SECTION NEW
DROP    net     fw      icmp    8
DROP    net     fw      tcp     113,135
DROP    net     fw      udp     123
ACCEPT  loc:192.168.1.1 fw
ACCEPT  fw loc:192.168.1.1

/etc/shorewall/zones:

Code:
fw      firewall
net     ipv4
loc     ipv4
ptvpn   ipv4

shorewall ls policies:

Code:
fw      =>      net     ACCEPT using chain fw2net
fw      =>      loc     REJECT using chain fw2loc
fw      =>      ptvpn   ACCEPT using chain fw2ptvpn
net     =>      fw      DROP using chain net2fw
net     =>      loc     DROP using chain net2loc
net     =>      ptvpn   DROP using chain net2ptvpn
loc     =>      fw      ACCEPT using chain loc2fw
loc     =>      net     REJECT using chain loc2net
loc     =>      ptvpn   REJECT using chain loc2ptvpn
ptvpn   =>      fw      REJECT using chain ptvpn2fw
ptvpn   =>      net     REJECT using chain ptvpn2net
ptvpn   =>      loc     REJECT using chain ptvpn2loc
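The `shorewall ls policies` output above is the per-zone-pair expansion of the five-line policy file, and the useful thing to know is how that expansion works: for each (source, destination) pair shorewall takes the first policy entry that matches, with `all` matching every zone (the firewall zone included) and `$FW` standing for the zone declared as `firewall`. The script below is an added example, not part of the post or of shorewall itself; it parses constructed copies of the zones and policy files quoted above, rebuilds the matrix, and also reports any policy entry that no zone pair ever reaches, which is what happens if the `all all REJECT` catch-all is accidentally placed above a more specific line. The file formats assumed here are the three-column subsets shown in the post; real files can carry extra columns (log level, burst limit) that this parser ignores.

```python
"""Expand a Shorewall policy file into the per-zone-pair matrix that
`shorewall ls policies` prints, using first-match semantics."""

# Constructed copies of the /etc/shorewall/zones and /etc/shorewall/policy
# files quoted in the post above (not read from a live system).
ZONES = """\
fw      firewall
net     ipv4
loc     ipv4
ptvpn   ipv4
"""

POLICY = """\
loc     fw      ACCEPT
fw      net     ACCEPT
$FW     ptvpn   ACCEPT
net     all     DROP
all     all     REJECT
"""


def parse_zones(text):
    """Return (zone names in file order, name of the zone typed 'firewall')."""
    zones, fw_zone = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        name, ztype = fields[0], fields[1]
        if ztype == "firewall":
            fw_zone = name
        zones.append(name)
    return zones, fw_zone


def parse_policy(text, fw_zone):
    """Return [(source, dest, action)] with $FW resolved to the firewall zone."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        src, dst, action = fields[0], fields[1], fields[2]
        src = fw_zone if src == "$FW" else src
        dst = fw_zone if dst == "$FW" else dst
        entries.append((src, dst, action))
    return entries


def expand_policies(zones, entries):
    """For every ordered zone pair take the FIRST policy entry whose source and
    destination match ('all' matches any zone, the firewall included).
    Returns (effective matrix, entries that no zone pair ever reached)."""
    effective, reached = {}, [False] * len(entries)
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            for i, (s, d, action) in enumerate(entries):
                if s in (src, "all") and d in (dst, "all"):
                    effective[(src, dst)] = action
                    reached[i] = True
                    break
    shadowed = [e for e, hit in zip(entries, reached) if not hit]
    return effective, shadowed


def listing(effective):
    """Render the matrix in the style of `shorewall ls policies`."""
    return [f"{s:<8}=>      {d:<8}{a} using chain {s}2{d}"
            for (s, d), a in effective.items()]


if __name__ == "__main__":
    zones, fw = parse_zones(ZONES)
    matrix, shadowed = expand_policies(zones, parse_policy(POLICY, fw))
    print("\n".join(listing(matrix)))
    print("unreachable policy entries:", shadowed)
```

Run as-is it reproduces the twelve lines shown in the post; swapping the last two policy lines makes `net fw` come out as REJECT and lists `net all DROP` as unreachable, which is the kind of ordering slip worth checking for before trusting a policy file.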

digifuzzy
n00b

Joined: 31 Oct 2014
Posts: 60

PostPosted: Tue Jul 14, 2020 6:48 am

I have a different setup (two NICs -> one LAN; other WAN) but one thing that jumps out at me from my setup and may be of use to you is the need for SNAT.

From my configuration...
Code:
#
# Shorewall -- /etc/shorewall/snat
#
# For information about entries in this file, type "man shorewall-snat"
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
#
###########################################################################################################################################
#ACTION         SOURCE         DEST      PROTO   PORT   IPSEC   MARK   USER   SWITCH   ORIGDEST   PROBABILITY
MASQUERADE              10.0.0.0/8              enp5s0
# RFC 1918 range is 192.168.0.0/16; the /8 in the original post would cover all of 192.0.0.0/8
MASQUERADE              192.168.0.0/16          enp5s0

Use of SNAT allows the machine to take a LAN IP but also talk to the connected DHCP using the 192.168 address.

digifuzzy
n00b

Joined: 31 Oct 2014
Posts: 60

PostPosted: Tue Jul 14, 2020 6:52 am

FYI, there is also the /etc/shorewall/tunnels file.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46122
Location: 56N 3W

PostPosted: Tue Jul 14, 2020 10:29 am

nordic bro,

Let's look at what you actually have at the end of all this.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.14.11.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
10.14.11.1      10.14.11.5      255.255.255.255 UGH   0      0        0 tun0
10.14.11.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
128.0.0.0       10.14.11.5      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
209.95.50.103   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0

None of what follows takes any account of filtering. From the bottom of the routing table up.

Packets to 209.95.50.103/32 (just that one address) are routed via 192.168.1.1, which is your router.
I'll guess that's one of your VPN far end points.

Packets to 192.168.1.0/24 go out of eth0 without being addressed to a router.

Is that what you wanted?

Packets to 128.0.0.0/1 (that's odd, it's the top half of the IPv4 address space) use 10.14.11.5 as a gateway and are sent over the tun0 interface.

127.0.0.0/8 is the loopback interface.

Packets to 10.14.11.5/32 go via tun0 and don't need a gateway.

Anything that's left over

Packets to 10.14.11.1 go via tun0 using 10.14.11.5 as the gateway.

Anything that's left over (0.0.0.0) gets sent out via 192.168.1.1 but ...
You have two default routes so it's not quite that simple.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.14.11.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0

tun0 has a lower metric than eth0, so tun0 is preferred as the default route.

The shorewall filtering is applied on top of that routing.
It looks like you only have a single VPN going out of your system and the second one is reached through the first.

-- edit --

The route 128.0.0.0 10.14.11.5 128.0.0.0 UG 0 0 0 tun0 is probably redundant as it's a subset of the default route.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
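The routing walk-through above and the original poster's concern #1 (could traffic bypass the VPN and leave through eth0?) both come down to one mechanism: the kernel picks the route with the longest matching prefix, and only falls back to the metric when two routes have the same prefix length. The script below is an added example, not code from either poster; it replays that selection over a constructed copy of the routing table quoted in the thread and then repeats the lookup with every tun0 route removed, which is the state the box is in whenever the OpenVPN tunnel is down. It uses only Python's standard `ipaddress` module, and the addresses it looks up (8.8.8.8, 172.16.0.1) are arbitrary test destinations, not anything from the thread.

```python
"""Replay Linux route selection over a `route -n` table: longest prefix wins,
the metric only breaks ties between routes of equal prefix length."""
import ipaddress

# Constructed copy of the `route -n` output quoted in the thread.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.14.11.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
10.14.11.1      10.14.11.5      255.255.255.255 UGH   0      0        0 tun0
10.14.11.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
128.0.0.0       10.14.11.5      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
209.95.50.103   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
"""


def parse_routes(text):
    """Parse `route -n` output into a list of route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields
        routes.append({
            "network": ipaddress.IPv4Network((dest, genmask), strict=False),
            "gateway": None if gateway == "0.0.0.0" else gateway,  # 0.0.0.0 = on-link
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def select_route(routes, ip):
    """Return the route the kernel would use for `ip`, or None if nothing matches."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    # Most specific prefix first; a lower metric only decides between equal prefixes.
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def next_hop(routes, ip):
    """(interface, gateway or 'direct') for a destination, e.g. ('tun0', '10.14.11.5')."""
    route = select_route(routes, ip)
    if route is None:
        return None
    return route["iface"], route["gateway"] or "direct"


def path_if_tunnel_down(routes, ip, tunnel="tun0"):
    """Where the same destination goes once every route on the tunnel interface
    is gone, i.e. what the kernel does the moment OpenVPN drops."""
    remaining = [r for r in routes if r["iface"] != tunnel]
    return next_hop(remaining, ip)


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("8.8.8.8", "172.16.0.1", "192.168.1.1", "209.95.50.103", "10.14.11.1"):
        print(f"{dst:<15} normally -> {next_hop(table, dst)}"
              f"   with tun0 gone -> {path_if_tunnel_down(table, dst)}")
```

Two things the run makes visible. With the tunnel up, every public address matches either 0.0.0.0/1 or 128.0.0.0/1, both of which are more specific than the eth0 default route, so they go out tun0 before the metric is ever consulted; only the router's own /24 and the pinned /32 to the VPN endpoint stay on eth0. With the tun0 routes removed, the same public addresses fall straight through to the eth0 default route, which is why a firewall policy that only trusts traffic on tun0 is worth checking against the tunnel-down case rather than only the steady state.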