Getting Started with the Shorewall Firewall


No server with a public IP address should sit on the Internet unprotected. We use Shorewall to manage iptables in a clean, maintainable way.

Shorewall overview

Linux is known as a highly secure platform, and one of the reasons is the Netfilter system. Netfilter is a framework provided by the Linux kernel that supports packet filtering, network address translation, port translation and the ability to stop packets from reaching particular destinations. On most distributions Netfilter is configured through the user-space tool iptables, but iptables rule sets are complex to write and maintain by hand.

Shorewall is a gateway/firewall configuration tool for GNU/Linux that simplifies the network security work and makes it easier to reason in terms of zones.

Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server, or a standalone system. One thing to note is that Shorewall is not a daemon: it reads the configuration files under /etc/shorewall (described below), compiles them into an iptables rule set, loads that rule set into the kernel and then exits. You will not find a Shorewall process running in the background. Shorewall also handles systems with multiple IP interfaces and addresses.

Installation

$ sudo apt-get update
$ sudo apt-get install shorewall
# Enable Shorewall at boot (Debian ships startup=0 so an unconfigured firewall never starts by accident)
$ sudo sed -i 's/startup=0/startup=1/g' /etc/default/shorewall
# Copy an example configuration; the available examples are one-interface, three-interfaces and two-interfaces
$ sudo cp /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall
# Some example files are shipped gzipped (e.g. shorewall.conf.gz): unpack them in /etc/shorewall before running shorewall check

Common commands

Always run check before restart on a remote host: check compiles the configuration without loading it, so a typo or an unknown action is reported while the old rule set keeps running. shorewall safe-restart is the cautious way to apply changes: it restarts and then asks for confirmation, reverting to the previous rule set if no answer arrives within the timeout (for example because the new rules locked you out).

$ sudo shorewall show      # display the rule set currently loaded in the kernel
$ sudo shorewall check     # compile the configuration without loading it; catches errors such as the Unknown Action one at the end of this page
$ sudo shorewall restart   # recompile and reload the rule set

shorewall.conf

/etc/shorewall/shorewall.conf holds the base configuration. It has many parameters and the defaults are fine to start with; the example copy can be taken with cp /usr/share/doc/shorewall/examples/two-interfaces/shorewall.conf.gz . and then unpacked with gunzip. Note that on Debian both startup=1 in /etc/default/shorewall and STARTUP_ENABLED=Yes here must be set before the firewall will start. The settings we rely on:

shorewall.org/manpages/sh…

STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGNEWNOTSYN=info
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall" # /etc/shorewall:/usr/share/shorewall

ROUTE_FILTER=Keep
### ROUTE_FILTER controls rp_filter, the kernel's reverse-path check on source addresses. Keep leaves the existing sysctl values alone; Yes turns strict filtering on for every interface, which is exactly what breaks multi-homed hosts (see the rp_filter section below).

NULL_ROUTE_RFC1918=[Yes|No|blackhole|unreachable|prohibit]
From shorewall.conf(5):
IPv4 only.
When set to Yes, causes Shorewall to null-route the IPv4 address ranges reserved by RFC1918. The default value is 'No'.
When combined with route filtering (ROUTE_FILTER=Yes or routefilter in shorewall-interfaces(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses.
Beginning with Shorewall 4.5.15, you may specify blackhole, unreachable or prohibit to set the type of route to be created. See https://shorewall.org/MultiISP.html#null_routing.

rp_filter

This is extremely important on servers with multiple NICs: in production we have repeatedly had IPs become unreachable because the rp_filter parameter was overlooked. Strict mode (rp_filter=1) drops any packet whose source address would not be routed back out through the interface it arrived on, so any asymmetric path (a second uplink, a VLAN subinterface, a tunnel interface such as tunl0) silently loses traffic.

For rp_filter we recommend putting the fix-up in /etc/shorewall/started so it is re-applied every time the firewall starts. Note that 0 disables source validation completely; loose mode (2), which only requires the source address to be reachable via some interface, is usually the better choice for a multi-homed host.

$ cat /etc/shorewall/interfaces
# SVN:0
net     bond0.113       detect  arp_ignore=1,norfc1918 # norfc1918: drop packets with RFC1918 source addresses (removed in later Shorewall releases, see the Debian 11 section)
loc     bond0.105       detect  arp_ignore=2,routeback # routeback: allow traffic to leave through the interface it arrived on; rp_filter is not set here but in the started script below

# To be safe, add a script in started that guarantees rp_filter is not 1 on any interface
$ cat /etc/shorewall/started
# Re-apply the settings from /etc/sysctl.conf and /etc/sysctl.d first
/etc/init.d/procps start
# Then switch every rp_filter key still in strict mode (1) to 0; sysctl spells a VLAN interface with / instead of . (bond0/113) and sysctl -w accepts the same spelling
for key in $(sysctl -a 2>/dev/null | awk -F' = ' '$1 ~ /\.rp_filter$/ && $2 == 1 {print $1}'); do sysctl -w "$key=0"; done
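To make the interaction between the all and per-interface keys concrete, here is an added example (my own, not Shorewall code and not one of this article's scripts) that computes the effective rp_filter the kernel applies to an interface from sysctl -a style output and generates the commands that move strict interfaces to loose mode. It stands in for both the started script above and the identical loop in the start script later on. The sysctl sample is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of Shorewall or of the original article.
# The kernel validates a source address with
#   max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<if>.rp_filter)
# so a per-interface 0 is ineffective while "all" is still 1. sysctl prints a
# dot in an interface name as "/" (bond0.113 -> bond0/113) and accepts the same
# spelling in sysctl -w, which is why the loop in start/started works as is.

# Constructed sample of `sysctl -a | grep rp_filter` output (not from a real host).
SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.bond0.rp_filter = 0
net.ipv4.conf.bond0/113.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

# effective_rp_filter TEXT IFACE -> the 0/1/2 the kernel applies to IFACE, or "unknown"
effective_rp_filter() {
  printf '%s\n' "$1" | awk -v ifc="$2" -F' = ' '
    $1 == "net.ipv4.conf.all.rp_filter"            { all = $2 + 0 }
    $1 == ("net.ipv4.conf." ifc ".rp_filter")      { own = $2 + 0; seen = 1 }
    END { if (!seen) print "unknown"; else print (all > own ? all : own) }'
}

# relax_rp_filter_cmds TEXT -> one "sysctl -w KEY=2" line per key still in strict mode.
# Loose mode (2) only requires the source to be reachable via *some* interface,
# which keeps anti-spoofing on the uplink while tolerating asymmetric routing;
# 0 (what the article's loop sets) switches source validation off entirely.
relax_rp_filter_cmds() {
  printf '%s\n' "$1" | awk -F' = ' '
    $1 ~ /\.rp_filter$/ && $2 + 0 == 1 { print "sysctl -w " $1 "=2" }'
}

# simulate_relax TEXT -> the sysctl text as it would read after those commands ran
simulate_relax() {
  printf '%s\n' "$1" | sed '/\.rp_filter = 1$/s/= 1$/= 2/'
}

effective_rp_filter "$SAMPLE" bond0                        # 1: "all" is strict, so bond0's own 0 does not help
relax_rp_filter_cmds "$SAMPLE"                             # three sysctl -w lines: all, default, bond0/113
effective_rp_filter "$(simulate_relax "$SAMPLE")" bond0    # 2
```

The first call is the trap the article warns about: bond0 reads 0 in sysctl, yet strict filtering still applies to it because the all key is 1. Feeding the generated commands to the shell (or into started) is what the loop in the article does, only with 2 instead of 0.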

zones

/etc/shorewall/zones defines the network zones; /etc/shorewall/interfaces and /etc/shorewall/hosts then assign each interface or host to a zone. See man shorewall-zones for details.

$ cat /etc/shorewall/zones
#ZONE  TYPE      OPTIONS
fw     firewall           # the firewall type denotes the firewall host itself; there must be exactly one such zone
net    ipv4
loc    ipv4
lvs    ipv4

interfaces

/etc/shorewall/interfaces maps the firewall's interfaces to Shorewall zones; see man shorewall-interfaces. The listing below combines two layouts: a plain bonded uplink (bond1) and, after ### trunk, the same uplink carried as VLAN subinterfaces (bond1.500 and so on). An interface name may appear only once per file (Shorewall reports a duplicate interface name as an error), so only one of the two bond0 lines can exist in a real configuration. arp_ignore=N sets net.ipv4.conf.<if>.arp_ignore for that interface; 8 means never answer ARP for any local address and is used here on the tunl0/dummy0 interfaces that typically carry LVS virtual IPs.

$ sudo cat /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net    bond1    detect    arp_ignore=1,norfc1918
loc    bond0    detect    arp_ignore=1
lvs    tunl0    detect    arp_ignore=8
lvs    dummy0    detect    arp_ignore=8
### trunk
net     bond1.500   detect  arp_ignore=1,norfc1918
net     bond1.600   detect  arp_ignore=1,norfc1918
net     bond1.700   detect  arp_ignore=1,norfc1918
loc     bond0   detect  arp_ignore=1

policy

/etc/shorewall/policy defines the high-level policy for connections between the zones declared in shorewall-zones(5); see man shorewall-policy. The file is evaluated top to bottom and the first matching line wins, so order matters: net all DROP must come before the all all ACCEPT catch-all, otherwise the Internet zone is wide open. With the file below, loc and lvs may reach everything, including the firewall itself; only traffic from net is restricted, and the rules file is where its exceptions live. A bare DROP discards silently; adding a log level in the LOG column (for example info) makes dropped connections visible in LOGFILE, which is invaluable when debugging a lockout.

$ sudo cat /etc/shorewall/policy
#SOURCE DEST  POLICY  LOG   LIMIT:BURST
fw     all    ACCEPT          # the firewall host may initiate anything
net    all    DROP            # Internet traffic is dropped unless a rule allows it; must precede the catch-all
all    all    ACCEPT          # everything else (loc, lvs) is trusted

rules

Rules define exceptions to the policies listed in shorewall-policy(5) and govern connection establishment; once a connection has been accepted, its follow-up packets and replies are allowed automatically through connection tracking. For a given (source, destination) zone pair the rules are evaluated in order and, apart from LOG and COUNT rules, the first match terminates evaluation. See man shorewall-rules.

$ sudo cat /etc/shorewall/rules
#ACTION     SOURCE          DEST       PROTO       DPORT        SPORT     ORIGDEST         RATE
# SSH listens on 1046 (22 + 1024) and is reachable only from the listed admin addresses
ACCEPT         net:59.111.198.100,59.111.198.101,59.111.198.102,123.58.160.131,123.58.160.138,115.236.174.251,115.236.174.252,59.111.198.55,59.111.198.56,123.58.160.153,123.58.160.154,123.58.160.155,59.111.21.130     fw      tcp     1046
ACCEPT         net:123.58.180.186,123.58.180.188     fw      tcp     1046
# Ping is a macro: allow ICMP echo-request from the Internet to the firewall
Ping/ACCEPT    net    fw
# To allow multicast
ACCEPT        net    fw:224.0.0.0/4
ACCEPT        net    loc:224.0.0.0/4
# Additional services: web
ACCEPT    net    fw    tcp    80,443

The actions usable here are defined in /etc/shorewall/actions or /usr/share/shorewall/actions.std. Ping/ACCEPT is not an action but a macro (/usr/share/shorewall/macro.Ping) invoked with the ACCEPT action.
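The first-match behaviour of policy and rules is easy to get wrong, so here is an added example (my own, not Shorewall code) that simulates the evaluation order described above: a rule for the (source, destination) zone pair is consulted first and the policy table is the fallback. The policy and rule tables are constructed from this page's files, with the address lists in the SOURCE column reduced to the zone name and Ping/ACCEPT written out as ICMP type 8; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of Shorewall or of the original article: a small
# first-match simulator for the policy/rules evaluation order.

# Same content as this page's /etc/shorewall/policy (SOURCE DEST POLICY).
POLICY='fw  all  ACCEPT
net all  DROP
all all  ACCEPT'

# The hazard: with the catch-all placed first, "net all DROP" is never reached.
MISORDERED_POLICY='all all ACCEPT
net all DROP'

# Zone-level view of this page's /etc/shorewall/rules (ACTION SOURCE DEST PROTO DPORT).
# Address lists are dropped and Ping/ACCEPT is expanded to ICMP echo-request (type 8).
RULES='ACCEPT net fw tcp 1046
ACCEPT net fw icmp 8
ACCEPT net fw tcp 80,443'

# policy_verdict POLICY SRC DST: first line whose SOURCE/DEST match (all = wildcard) wins
policy_verdict() {
  printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
    /^ *#/ || NF == 0 { next }
    ($1 == "all" || $1 == s) && ($2 == "all" || $2 == d) { print $3; exit }'
}

# rule_verdict RULES SRC DST PROTO DPORT: first matching rule wins; prints nothing if none
rule_verdict() {
  printf '%s\n' "$1" | awk -v s="$2" -v d="$3" -v p="$4" -v dp="$5" '
    function in_list(list, x,   n, a, i) {
      if (list == "-") return 1
      n = split(list, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == x) return 1
      return 0
    }
    /^ *#/ || NF == 0 { next }
    ($2 == "all" || $2 == s) && ($3 == "all" || $3 == d) &&
    ($4 == "-" || $4 == p) && in_list($5, dp) { print $1; exit }'
}

# verdict SRC DST PROTO DPORT: rules are the exceptions, evaluated before the policy
verdict() {
  r=$(rule_verdict "$RULES" "$1" "$2" "$3" "$4")
  if [ -n "$r" ]; then
    printf '%s\n' "$r"
  else
    policy_verdict "$POLICY" "$1" "$2"
  fi
}

verdict net fw tcp 1046                         # ACCEPT (rule: admin SSH port)
verdict net fw tcp 22                           # DROP   (no rule; policy "net all DROP")
verdict loc net tcp 443                         # ACCEPT (policy "all all ACCEPT")
policy_verdict "$MISORDERED_POLICY" net fw      # ACCEPT: the catch-all shadows "net all DROP"
```

The last call is the check worth keeping in mind when editing policy: any line placed after a matching all all entry is dead, and Shorewall will happily compile it.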

masq

Source NAT (masquerading); for example, to let 10.197.0.0/16 reach the Internet. On Shorewall 5.0.14 and later the masq file is deprecated in favour of /etc/shorewall/snat, which does the same job with an ACTION as its first column; the masq file is still read by the version shipped with Debian 11.

$ cat /etc/shorewall/masq
#INTERFACE                SUBNET           ADDRESS
bond1.3060                10.197.0.0/16                   # masquerade to whatever address bond1.3060 currently has
bond0.3000:172.17.0.233   10.197.0.0/16                   # only traffic from 10.197.0.0/16 destined for 172.17.0.233 via bond0.3000 is masqueraded; the part after the colon restricts the destination, a fixed SNAT address would go in the ADDRESS column

start

Custom rules go in the start extension script, which runs while the firewall is being started. Raw iptables rules added this way are not validated by shorewall check and are not part of the compiled rule set; for blocking abusive sources the supported place is /etc/shorewall/blrules (Shorewall 4.4.25 and later), which the compiler checks along with everything else.

$ cat /etc/shorewall/start
# Same rp_filter fix-up as in started (see the rp_filter section)
for key in $(sysctl -a 2>/dev/null | awk -F' = ' '$1 ~ /\.rp_filter$/ && $2 == 1 {print $1}'); do sysctl -w "$key=0"; done
# Hand-written iptables rule dropping one abusive source address
iptables -I INPUT -s 18.228.82.216/32 -j DROP

Problems encountered on Debian 11

Jul 17 22:59:32    WARNING: Support for the norfc1918 interface option has been removed from Shorewall /etc/shorewall/interfaces (line 2)
Jul 17 22:59:32    Interface "net bond0.122 detect arp_ignore=2,norfc1918" Validated
Jul 17 22:59:32    Interface "loc bond0.114 detect arp_ignore=1,routeback" Validated
Jul 17 22:59:32    Interface "lvs tunl0 detect arp_ignore=8" Validated
Jul 17 22:59:32    Interface "lvs dummy0 detect arp_ignore=8" Validated
Jul 17 22:59:32 Determining Hosts in Zones...
Jul 17 22:59:32    fw (firewall)
Jul 17 22:59:32    net (ipv4)
Jul 17 22:59:32       bond0.122:0.0.0.0/0
Jul 17 22:59:32    loc (ipv4)
Jul 17 22:59:32       bond0.114:0.0.0.0/0
Jul 17 22:59:32    lvs (ipv4)
Jul 17 22:59:32       dummy0:0.0.0.0/0
Jul 17 22:59:32       tunl0:0.0.0.0/0
Jul 17 22:59:32 Locating Action Files...
Jul 17 22:59:32    ERROR: Unknown Action (Drop) in DROP_DEFAULT setting /usr/share/shorewall/actions.std (EOF)

Embarrassing... I have actually forgotten how I solved this. It was roughly caused by the puppet configuration sync; I changed the Action setting:

# grep DROP_DEFAULT  /etc/shorewall/shorewall.conf
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"