Shorewall is an excellent netfilter management tool: it uses Perl to turn its configuration files into iptables commands, which greatly flattens the netfilter learning curve. Shorewall depends on Perl, however, and Perl is far too heavy for some embedded Linux systems (OpenWrt, for example). In addition, Shorewall is only a single-host wrapper around iptables; when several netfilter hosts have to be managed, can Shorewall manage their configurations centrally? This is where shorewall-lite comes in.

How it works

(Figure: shorewall and shorewall-lite deployment topology)
administrative system

The administrative node. It has shorewall installed, holds the configuration files of every firewall system in one place, and is responsible for distributing and updating those configurations.

firewall system

A firewall node. It has shorewall-lite installed, receives its compiled configuration from the administrative node, and applies the resulting iptables rules to Linux/netfilter.

The administrative node owns the configuration files of all firewall nodes. Once a firewall node's configuration is complete, the administrator runs shorewall compile to produce the firewall script[1], copies that script with scp into the firewall node's /etc/shorewall-lite/state directory, and then invokes the node's shorewall-lite command over ssh; that command runs the firewall script, which loads its iptables rules into the firewall node's netfilter.

That is how shorewall-lite operates. The shorewall-lite workflow is therefore:

  1. Install and configure shorewall on the administrative node;

  2. Prepare shorewall-lite on each firewall node;

  3. Distribute the configuration from the administrative node to each firewall node;

  4. Make all later configuration changes on the administrative node and redistribute them to the firewall nodes.

Administrative node / shorewall

In this article the administrative node runs Debian.

  • Install shorewall

    $ sudo apt-get update && sudo apt-get install shorewall
  • Create an export directory for each firewall node

    $ sudo mkdir -p /etc/shorewall/export/rb450g && cd /etc/shorewall/export/rb450g
  • Prepare the firewall node's configuration files

    On Debian-based systems, download the Shorewall tarball, unpack it, and copy the files from /usr/share/shorewall/configfiles into the /etc/shorewall/export/rb450g directory. The files used for this node are:

    • params

      WAN_IF=eth0
      LAN_IF=br-lan
      OA_IF=br-oa
      VPN_IF=tun0
      LOG=ULOG
    • zones

      fw      firewall
      oa      ipv4
      lan     ipv4
      wan     ipv4
      vpn     ipv4
    • interfaces

      wan             $WAN_IF                 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
      lan             $LAN_IF                 tcpflags,logmartians,nosmurfs,sourceroute=0
      vpn             $VPN_IF                 tcpflags,logmartians,nosmurfs,sourceroute=0
      oa              $OA_IF                  tcpflags,logmartians,nosmurfs,sourceroute=0
    • policy

      $FW     all     ACCEPT
      lan     all     ACCEPT
      wan     all     DROP            $LOG    10/sec:40
      all     all     REJECT
    • rules

      SECTION NEW
      Invalid(DROP)   wan             all
      
      ###############
      # vpn2fw
      
      Ping(ACCEPT)    vpn             $FW
      SSH(ACCEPT)     vpn             $FW
      HTTP(ACCEPT)    vpn             $FW
      
      ###############
      # wan2fw
      
      ACCEPT          wan             $FW     tcp     655
      ACCEPT          wan             $FW     udp     655
      SSH(ACCEPT)     wan             $FW
    • masq

      $OA_IF          192.168.44.0/24 10.199.27.17
      $VPN_IF         192.168.44.0/24 10.9.5.1
      $WAN_IF         192.168.44.0/24 192.168.7.21
    • nat

      10.9.5.2       tun0   192.168.44.3 No   No
      10.9.5.3       tun0   192.168.44.5 No   No
      10.9.5.4       tun0   192.168.44.14 No   No
  • Compile the firewall node's target script

    Although shorewall compile can produce the firewall script directly, the procedure is somewhat tedious, so Shorewall's author, Thomas M. Eastep, wrote a Makefile for the job. With it the administrator compiles and deploys the firewall script using make and make install.

    First download the Makefile and set the firewall node's address in its HOST variable; either a hostname or an IP address will do. If you use a hostname, make sure it resolves correctly.

    $ sudo make
    shorewall compile -e . firewall
    Compiling...
    Processing /etc/shorewall/export/rb450g/params ...
    Processing /etc/shorewall/export/rb450g/shorewall.conf...
       WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version 4.5.5.3
    Compiling /etc/shorewall/export/rb450g/zones...
    Compiling /etc/shorewall/export/rb450g/interfaces...
    Determining Hosts in Zones...
    Locating Action Files...
    Compiling /usr/share/shorewall/action.Drop for chain Drop...
    Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
    Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
    Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
    Compiling /usr/share/shorewall/action.Reject for chain Reject...
    Compiling /etc/shorewall/export/rb450g/policy...
    Compiling /etc/shorewall/export/rb450g/notrack...
    Running /etc/shorewall/export/rb450g/initdone...
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Compiling TCP Flags filtering...
    Compiling Kernel Route Filtering...
    Compiling Martian Logging...
    Compiling Accept Source Routing...
    Compiling /etc/shorewall/export/rb450g/tcrules...
    Compiling /etc/shorewall/export/rb450g/masq...
    Compiling MAC Filtration -- Phase 1...
    Compiling /etc/shorewall/export/rb450g/rules...
    Compiling /usr/share/shorewall/action.Invalid for chain %Invalid...
    Compiling MAC Filtration -- Phase 2...
    Applying Policies...
    Generating Rule Matrix...
    Creating iptables-restore input...
    Shorewall configuration compiled to /etc/shorewall/export/rb450g/firewall

    When compilation finishes, the firewall script is written to the current directory. The administrative node then runs make install to deploy it to the firewall node:

    $ sudo make install
    scp firewall firewall.conf root@192.168.44.1:/etc/shorewall-lite/state
    root@192.168.44.1's password:
    firewall                                                                  100%   79KB  79.3KB/s   00:00 (1)
    firewall.conf                                                             100%  862     0.8KB/s   00:00 (1)
    ssh root@192.168.44.1 "/sbin/shorewall-lite restart" (2)
    root@192.168.44.1's password:Restarting Shorewall Lite....
    Initializing...
    Processing init user exit ...
    Processing tcclear user exit ...
    Setting up Route Filtering...
    Setting up Martian Logging...
    Setting up Accept Source Routing...
    Setting up Proxy ARP...
    Setting up Traffic Control...
    Preparing iptables-restore input...
    Running /usr/sbin/iptables-restore...
    IPv4 Forwarding EnabledProcessing start user exit ...
    Processing started user exit ...
    done.
    touch: /var/lock/subsys/shorewall: No such file or directory
    (1) The administrative node copies firewall and firewall.conf into the firewall node's /etc/shorewall-lite/state directory.
    (2) Over ssh, the administrative node runs /sbin/shorewall-lite restart on the firewall node, which executes the firewall script and loads its iptables rules into netfilter.
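The Makefile's compile and install steps can be wrapped in a small script that also refuses to push a configuration which would cut off the very SSH path the deployment runs over. The script below is an added example written for this article; it is not the Shorewall project's Makefile or code from the original page. It assumes the export layout used above (one directory per node under /etc/shorewall/export), that the administrative node reaches the firewall node from the zone named in MGMT_ZONE (lan by default, matching the 192.168.44.1 target used above), and it swaps the page's shorewall-lite restart for shorewall-lite safe-restart, which asks for confirmation on the node and reverts to the previous rules if none arrives (hence ssh -t). The function names mgmt_ssh_allowed and deploy_node are this example's own; DRY_RUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example (not from the Shorewall project or the original article):
# compile an exported Shorewall configuration and push it to a shorewall-lite
# node, refusing to deploy if the node's rules/policy no longer admit SSH
# from the zone the administrative node lives in.
#
# Usage:  ./deploy.sh check  rb450g
#         ./deploy.sh deploy rb450g 192.168.44.1
#         DRY_RUN=1 ./deploy.sh deploy rb450g 192.168.44.1
set -eu

EXPORT_ROOT=${EXPORT_ROOT:-/etc/shorewall/export}   # one sub-directory per node
MGMT_ZONE=${MGMT_ZONE:-lan}                         # assumption: admin node sits in the lan zone
DRY_RUN=${DRY_RUN:-0}                               # 1 = print commands only

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# mgmt_ssh_allowed NODE ZONE
# Succeeds if NODE's rules file explicitly accepts SSH from ZONE to the
# firewall (SSH(ACCEPT) macro, or ACCEPT ... tcp 22/ssh), or if NODE's
# policy file has an ACCEPT policy from ZONE to all or to $FW.
# Comment lines and the SECTION line never match because their fields differ.
mgmt_ssh_allowed() {
    dir="$EXPORT_ROOT/$1"
    awk -v zone="$2" '
        function to_fw(f) { return f == "$FW" || f == "fw" }
        FILENAME ~ /rules$/ && $2 == zone && to_fw($3) &&
            ($1 == "SSH(ACCEPT)" ||
             ($1 == "ACCEPT" && $4 == "tcp" && ($5 == "22" || $5 == "ssh"))) { ok = 1 }
        FILENAME ~ /policy$/ && $1 == zone && ($2 == "all" || to_fw($2)) &&
            $3 == "ACCEPT" { ok = 1 }
        END { exit !ok }
    ' "$dir/rules" "$dir/policy"
}

# deploy_node NODE HOST
# Equivalent of "make" followed by "make install" for one export directory.
deploy_node() {
    node=$1
    host=$2
    dir="$EXPORT_ROOT/$node"

    if ! mgmt_ssh_allowed "$node" "$MGMT_ZONE"; then
        echo "refusing to deploy $node: $dir/rules and $dir/policy do not" \
             "admit SSH from zone $MGMT_ZONE to \$FW" >&2
        return 1
    fi

    # -e: compile for export; writes firewall and firewall.conf into $dir.
    run shorewall compile -e "$dir" "$dir/firewall"
    run scp "$dir/firewall" "$dir/firewall.conf" "root@$host:/etc/shorewall-lite/state"
    # safe-restart prompts on the node and reverts unless confirmed, so allocate a tty.
    run ssh -t "root@$host" "/sbin/shorewall-lite safe-restart"
}

case "${1:-}" in
    deploy) deploy_node "$2" "$3" ;;
    check)  mgmt_ssh_allowed "$2" "$MGMT_ZONE" && echo "ok: $2 still admits SSH from $MGMT_ZONE" ;;
esac
```

The check is a static lint of the rules and policy files, not an evaluation of Shorewall's full semantics: it does not notice a DROP rule placed ahead of the ACCEPT, a hosts file that moves the administrative node into another zone, or a REJECT policy listed before the ACCEPT one. It is there to catch the common mistake of deleting the management rule, and safe-restart is the backstop for everything it misses.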

Firewall node / shorewall-lite

  • Create the state directory

    root@RB450G:/# mkdir /etc/shorewall-lite/state
  • Disable the stock firewall

    root@RB450G:/# /etc/init.d/firewall disable
    root@RB450G:/# /etc/init.d/firewall stop
  • Enable shorewall-lite

    root@RB450G:/# /etc/init.d/shorewall-lite enable
  • Check the firewall script in /etc/shorewall-lite/state

    # ls -alh
    drwxr-xr-x    1 root     root        2.0K Sep  3 13:49 .
    drwxr-xr-x    1 root     root        2.0K Sep  3 11:05 ..
    -rw-------    1 root     root           0 Sep  3 13:49 .dynamic
    -rw-------    1 root     root        9.8K Sep  3 13:49 .iptables-restor
    -rw-------    1 root     root        3.4K Sep  3 13:49 .modules
    -rw-------    1 root     root          12 Sep  3 13:49 .modulesdir
    -rw-r--r--    1 root     root        1.0K Sep  3 11:09 capabilities
    -rwx------    1 root     root       79.3K Sep  3 13:43 firewall
    -rw-------    1 root     root         862 Sep  3 13:43 firewall.conf
    -rw-------    1 root     root         162 Sep  3 13:49 marks
    -rw-------    1 root     root           0 Sep  3 13:49 nat
    -rw-------    1 root     root         740 Sep  3 13:49 policies
    -rw-------    1 root     root           0 Sep  3 13:49 proxyarp
    -rw-------    1 root     root          29 Sep  3 13:49 restarted
    -rw-------    1 root     root          74 Sep  3 13:49 state
    -rw-------    1 root     root         110 Sep  3 13:49 zones

1. The target script that the administrative node compiles from the firewall node's configuration files.