Shorewall configuration

First, install shorewall:

apt-get install shorewall

iptables must be configured to forward packets arriving on an external port to the vservers. The following directive needs to be changed from its default in /etc/shorewall/shorewall.conf:

IP_FORWARDING=Yes

The file /etc/shorewall/interfaces must list the network interface (the "-" in the ZONE column means the interface is not bound to a single zone; zones are assigned per subnet in /etc/shorewall/hosts below):

#ZONE   INTERFACE       BROADCAST       OPTIONS
- eth0 detect tcpflags,blacklist,routefilter,nosmurfs,logmartians,norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The file /etc/shorewall/zones must define the network zones:

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
vm      ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

The file /etc/shorewall/hosts associates zones with subnets:

#ZONE   HOST(S)                                 OPTIONS
vm      eth0:192.168.0.0/24
net     eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

The file /etc/shorewall/policy defines the default policies for traffic between zones (first matching line wins; "net all DROP info" logs and silently drops anything from the Internet that no rule explicitly accepts):

###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
vm              net             ACCEPT
$FW             net             ACCEPT
$FW             vm              ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

And the file /etc/shorewall/rules defines exceptions to the general policies (rules are evaluated before the policies):

################################################################
#ACTION         SOURCE          DEST            PROTO   DEST
SSH/ACCEPT      net             $FW
Ping/ACCEPT     net             $FW
HTTP/ACCEPT     net             $FW
HTTPS/ACCEPT    net             $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

We masquerade (NAT) packets from the internal network through /etc/shorewall/masq:

###############################################################################
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0:!192.168.0.0/24    192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Enable shorewall by changing the startup value in /etc/default/shorewall to 1:

startup=1

Finally we can start shorewall:

/etc/init.d/shorewall start
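To see what the policy and rules tables above actually decide for a given pair of zones, here is an added Python illustration (not shorewall's own code, and a simplification: it matches rules by macro name and ignores protocols and ports). The tables are copied from this page; $FW is resolved to the "fw" zone declared in /etc/shorewall/zones.

```python
"""Evaluate the zone-to-zone decision implied by the shorewall tables on this page.
Added illustration, not shorewall's matching engine; tables copied from the page."""

# /etc/shorewall/policy from this page (comment lines and headers omitted)
POLICY = """\
vm      net     ACCEPT
$FW     net     ACCEPT
$FW     vm      ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

# /etc/shorewall/rules from this page: MACRO/ACTION SOURCE DEST
RULES = """\
SSH/ACCEPT      net     $FW
Ping/ACCEPT     net     $FW
HTTP/ACCEPT     net     $FW
HTTPS/ACCEPT    net     $FW
"""

FIREWALL_ZONE = "fw"  # the zone of TYPE firewall in /etc/shorewall/zones


def _zone(name):
    # $FW is shorewall's placeholder for the firewall zone itself
    return FIREWALL_ZONE if name == "$FW" else name


def _records(text):
    # yield whitespace-split fields of every non-empty, non-comment line
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield fields


def decide(src, dst, service=None):
    """Return (action, log_level) for traffic src -> dst carrying `service`.
    Rules are consulted first; otherwise the first matching policy applies,
    where 'all' in the policy table matches any zone."""
    src, dst = _zone(src), _zone(dst)
    for fields in _records(RULES):
        macro, action = fields[0].split("/")
        if macro == service and _zone(fields[1]) == src and _zone(fields[2]) == dst:
            return action, None
    for fields in _records(POLICY):
        psrc, pdst, policy = _zone(fields[0]), _zone(fields[1]), fields[2]
        if psrc in (src, "all") and pdst in (dst, "all"):
            return policy, fields[3] if len(fields) > 3 else None
    raise ValueError("no policy matches %s -> %s" % (src, dst))
```

Running decide("vm", "$FW") shows that the vservers themselves fall through to the final "all all REJECT" policy, so any service the vservers need from the host must get its own rule or policy line.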

Shorewall and Puppet

Once a puppetmaster node is running, the puppet-shorewall module can be used to manage the firewall. However, if you replace the procedure above with your Puppet version, make sure to delete the files /etc/shorewall/{masq,policy,zones,rules,interfaces} first.