Using nfsroot to boot diskless clients on RHEL

Here is a brief outline on the steps needed to set up a Red Hat Enterprise Linux 6 server to boot diskless clients using nfs.

To do this, you need to set up dhcp, tftp (for pxe boot) and an nfs server to serve the rootfs.

To keep it simple, I did everything on the same server, but you can easily have multiple servers for each service. The same steps should also work on Fedora (14+) with minor changes.

Requirements :

Server : Fresh RHEL 6 installation (registered to RHN)

IP = 192.168.50.254/24 (static) on eth0

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=52:54:00:73:1C:CB
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.50.254
NETMASK=255.255.255.0

Client : A box on the same network (with support for PXE)

MAC = 52:54:00:ca:c6:71

On the Server :

Step 1 – Create the nfs rootfs first :

# mkdir /netboot/
# rsync -av --progress --exclude=/proc --exclude=/sys --exclude=/netboot / /netboot/

(i.e. copy everything from root to the /netboot folder)

# mkdir /netboot/{proc,sys}
# vi /netboot/etc/fstab

192.168.50.254:/netboot/  /                      nfs     defaults       1 1
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

# vi /netboot/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
HWADDR="52:54:00:ca:c6:71"
ONBOOT="no"
BOOTPROTO="dhcp"

Step 2 – Install and enable services :

# yum install dhcp syslinux tftp-server -y
# yum groupinstall "NFS file server" -y

# chkconfig dhcpd on
# chkconfig tftp on
# chkconfig nfs on
# service xinetd start

For simplicity, disable the firewall :

# iptables -F
# service iptables save

Step 3 – configure dhcp server :

# vi /etc/dhcp/dhcpd.conf

# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#
ddns-update-style interim;
ignore client-updates;
allow booting;
allow bootp;
subnet 192.168.50.0 netmask 255.255.255.0 {
option routers      192.168.50.254;
option subnet-mask   255.255.255.0;
option nis-domain   "domain.org";
option domain-name  "domain.org";
option domain-name-servers  192.168.50.254;
option time-offset    -18000; # Eastern Standard Time
default-lease-time 21600;
max-lease-time 43200;

host netboot6 {
next-server 192.168.50.254;
hardware ethernet 52:54:00:ca:c6:71;
fixed-address 192.168.50.100;
filename "pxelinux.0";
}
}

# service dhcpd start

Tip : To restrict dhcpd to a particular interface edit the following file :

# cat /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS="eth1"

Step 4 – enable nfs and export the rootfs :

# vi /etc/exports
 /netboot/            *(rw,async,no_root_squash)

# service rpcbind start
# service nfs start

Step 5 – generate the initramfs file (here is where the magic happens):

# yum install dracut-network -y
# dracut -f /boot/netboot6.img `uname -r` root=dhcp root-path=nfs:192.168.50.254:/netboot/

Step 6 – configure pxe :

# mkdir /var/lib/tftpboot/pxelinux.cfg/
# cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/
# cp /boot/netboot6.img /var/lib/tftpboot/
# cp /boot/vmlinuz-2.6.32-71.el6.x86_64 /var/lib/tftpboot

# vi /var/lib/tftpboot/pxelinux.cfg/default

 default netboot6
 timeout 30
 prompt 1

 label netboot6
 kernel /vmlinuz-2.6.32-71.el6.x86_64
 append initrd=/netboot6.img rw root=nfs:192.168.50.254:/netboot/ selinux=0 enforcing=0
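The six steps above are one procedure; as an added example (not code from the original post), the following Python helpers tie the client-specific pieces together and review the export from Step 4. The server address (192.168.50.254), the client name, MAC and address (netboot6, 52:54:00:ca:c6:71, 192.168.50.100) and the exports line are the ones used in the post; the pxelinux per-client file naming (01-<mac>) is standard pxelinux behaviour and lets each diskless client get its own kernel/initrd line instead of sharing pxelinux.cfg/default.

```python
"""Added example, not part of the original post: helpers for the diskless
client setup above. The server address (192.168.50.254), the client name,
MAC and address (netboot6, 52:54:00:ca:c6:71, 192.168.50.100) and the
exports line are the ones used in the post."""
import re

SERVER = "192.168.50.254"   # next-server / nfs server from the post

DHCP_HOST_TEMPLATE = """\
host {name} {{
    next-server {server};
    hardware ethernet {mac};
    fixed-address {ip};
    filename "pxelinux.0";
}}
"""


def pxelinux_cfg_name(mac):
    """Name of the per-client config that pxelinux tries before falling back
    to pxelinux.cfg/default: "01-" (ARP hardware type 1, Ethernet) followed
    by the MAC address in lowercase with dashes."""
    mac = mac.strip().lower()
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError("not a MAC address: %r" % mac)
    return "01-" + mac.replace(":", "-")


def dhcp_host_stanza(name, mac, ip, server=SERVER):
    """Render the dhcpd.conf host block from Step 3 for one client."""
    return DHCP_HOST_TEMPLATE.format(name=name, server=server, mac=mac, ip=ip)


def audit_exports(text):
    """Review /etc/exports content and return [(path, [findings])].

    The post exports /netboot/ as *(rw,async,no_root_squash). rw with
    no_root_squash is unavoidable for a root filesystem (the client writes
    to it as root), but "*" grants that to every host that can reach the
    server, so the client list is the control worth tightening."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        path, specs = cols[0], cols[1:]
        notes = []
        if not specs:
            notes.append("no client list: open to any host")
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not m:
                notes.append("unparsable client spec: %s" % spec)
                continue
            clients = m.group(1)
            opts = (m.group(2) or "").split(",")
            if clients in ("", "*"):
                notes.append("open to any client; restrict to the client IP or subnet")
            if "rw" in opts and "no_root_squash" in opts:
                notes.append("rw,no_root_squash: remote root can write the rootfs")
            if "async" in opts:
                notes.append("async: client writes may be lost if the server crashes")
        findings.append((path, notes))
    return findings


if __name__ == "__main__":
    print(pxelinux_cfg_name("52:54:00:ca:c6:71"))
    print(dhcp_host_stanza("netboot6", "52:54:00:ca:c6:71", "192.168.50.100"))
    for path, notes in audit_exports("/netboot/ *(rw,async,no_root_squash)\n"):
        print(path, notes)
```

To give netboot6 its own boot entry, write the label block from Step 6 to /var/lib/tftpboot/pxelinux.cfg/01-52-54-00-ca-c6-71; pxelinux looks for that file first and only then for default. The audit prints what the export from Step 4 offers to the whole subnet; replacing `*` with `192.168.50.100` keeps rw,no_root_squash limited to the one client that needs it.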

On the Client :

Configure the client to boot over the network (i.e. enable pxe boot) and start the system.

The following screen shots show a successful boot :

List information about block devices using lsblk

lsblk lets you view information about block devices on a GNU/Linux system.

The output is tree-like and very elegant, with information that would generally require running 3-4 commands. It combines data from the mount, df, dmsetup, lvm and raid commands.

lsblk gets its data from the /sys filesystem.

Here is lsblk output on my system :

$ lsblk
NAME                       MAJ:MIN RM   SIZE RO MOUNTPOINT
sda                          8:0    0 298.1G  0
├─sda1                       8:1    0   500M  0 /boot
└─sda2                       8:2    0 297.6G  0
  ├─vg_rags-lv_swap (dm-0) 253:0    0   5.8G  0 [SWAP]
  ├─vg_rags-lv_root (dm-1) 253:1    0    50G  0 /
  └─vg_rags-lv_home (dm-2) 253:2    0 241.8G  0
    └─home (dm-3)          253:3    0 241.8G  0 /home
sr0                         11:0    1  1024M  0

lsblk is part of the util-linux package :

$ rpm -qf `which lsblk`
util-linux-2.19.1-1.4.fc15.x86_64

Running fdisk -l gives similar data. But fdisk requires root privileges, and it does not understand dm or lvm partitions.

Using WebDAV to access Box.net files on a Fedora system

Dropbox is by far the leader in the consumer “cloud storage” space; it is simple to use, feature rich and just works! But there is only so much you can do with the provided 2 Gb of free storage.

Enter Box.net, which has offered (for a limited period) 50 Gb of free, lifetime storage for all iPhone and iPad users. Check here for the details.

However, I soon found out that Box.net does not provide the syncing features that Dropbox is so good at, and there are no clients for Linux.

Luckily for Linux users, a WebDAV interface exists.

I used fedora 15, but the instructions are generic enough that they should work on any release or any Linux distribution for that matter.

1. Create a folder to mount the box.net share :

$ mkdir ~/box

2. Install davfs2 :

$ sudo yum install davfs2
Note : Nautilus does support webdav, but I’ve found it to be buggy.

3. Run the following to add your user to the davfs2 group :

$ sudo /sbin/usermod -a -G davfs2 "username"

4. Disable locking, as this causes problems with box.net :

$ mkdir ~/.davfs2
$ vi ~/.davfs2/davfs2.conf

and add the following :

use_locks 0

5. (Optional) If you do not want to be prompted for the box.net username/password :

$ vi ~/.davfs2/secrets

and add the following :

http://www.box.net/dav  user@email.com   password

6. Add the following entry to /etc/fstab :

$ sudo vi /etc/fstab

http://www.box.net/dav /home/"username"/box  davfs rw,user,noauto 0 0
Note: Don’t forget to replace “username” with your actual username.

7. Finally, to mount the folder run :

$ mount  ~/box

and the files from your box.net account should be visible.

Use “rsync”, “unison”, or just plain “cp” to sync files directly to box.net. I find this very convenient for backups and file sharing.

How to debug ntp issues?

Ntp has been the de-facto protocol used by computers to synchronize their clocks over a network, and maintain very accurate time, with as much as 10 millisecond precision. The ntp daemon or ntpd is the reference implementation, that can be found running on almost all Linux (and Unix) systems. This may change in the future though, as Chrony is going to replace ntpd, and will be the default ntp client in Fedora 16. Nevertheless, many systems use ntpd, and I don’t see it going away any time soon.

In this post, we will take a brief look at how the ntp daemon works and look at ways to debug some common issues.

When the ntp service first starts, a clock selection process begins, with the daemon polling the servers configured in ntp.conf, at 64 second intervals. Depending on the configuration, this process can take 5 to 10 minutes. To check the status, run the following :

# ntpq
ntpq> peers
     remote           refid           st t when poll reach   delay   offset  jitter
=======================================================================================
*time.ferea.org       8.16.24.15       2 u  972 1024  377   28.066   -0.181   4.126
+dg1.rieta.net        15.15.26.3       3 u  467 1024  377  141.664  -23.531   0.140
 mighty.poclabs.      .STEP.          16 u    - 1024    0    0.000    0.000   0.000
 LOCAL(0)             .LOCL.          10 l   32   64  377    0.000    0.000   0.001

During the clock selection process the refid column reads .INIT. and the st (stratum) column is 16.

The * indicates that this association is the chosen ntp source.
The + indicates that this ntp peer is a candidate (a peer is an ntp server on the same stratum).
An empty space indicates that the server is unreachable and therefore rejected (stratum 16).

If the local clock is off by more than 1000 seconds, ntpd will not set it. The time can then be set manually using the “date” command or using “ntpdate” :

# ntpdate time.ferea.org

If no ntp servers get selected, run the following :

ntpq> as

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 29581  9624   yes   yes  none  sys.peer   reachable  1
  2 29582  9014   yes   yes  none  candidat   reachable  1
  4 29583  8000   yes   yes  none    reject
  5 29584  9024   yes   yes  none    reject   reachable  2

The associations shown above correspond to the entries shown in the peer command. Most of the fields are self-explanatory,  except the status column. Use the table here to decipher the status codes.

Use the “assID” for the following command  :

ntpq> rv 29583

assID=62236 status=9014 reach, conf, 1 event, event_reach,
srcadr=192.168.23.1, srcport=123, dstadr=192.168.247.11, dstport=123,
leap=00, stratum=3, precision=-6, rootdelay=218.750,
rootdispersion=1381.516, refid=24.1.4.14, reach=377, unreach=0,
hmode=3, pmode=4, hpoll=10, ppoll=10, flash=400 peer_dist, keyid=0,
ttl=0, offset=-29.750, delay=0.316, dispersion=30.400, jitter=1.136,
reftime=d1e4505b.d456f5b0  Thu, Aug  4 2011  0:55:23.829,
org=d1e4c793.e477ba4b  Thu, Aug  4 2011  9:24:03.892,
rec=d1e4c793.ec1fc3ac  Thu, Aug  4 2011  9:24:03.922,
xmt=d1e4c793.ec0b133c  Thu, Aug  4 2011  9:24:03.922,
filtdelay=     0.32    0.40    0.33    0.45    0.42    0.42    0.33    0.38,
filtoffset=  -29.75  -30.89  -29.97  -30.11  -30.15  -29.20  -30.25  -30.36,
filtdisp=     15.63   31.00   46.38   61.75   77.14   92.52  107.91  123.28

The flash codes in the rv command output give the reason for the ntp source to get rejected :

flash=400 peer_dist

This flash code corresponds to “distance threshold exceeded”. Check all the flash codes here.

Also, check the following variables :

rootdispersion=1381.516
dispersion=30.400
jitter=1.136

Dispersion is an estimate of error, and a large value indicates that the ntp server is not a reliable source, and can indicate conditions such as severe packet loss and network congestion.
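The tally characters, the reach register, the flash word and the hexadecimal timestamps in the rv output are all packed encodings, and reading them by eye is where most mistakes happen. As an added example (not code from the original post), the Python below decodes each of them; the peers sample is constructed from the output shown above, the flash bit names are the ones ntpq from the ntp reference implementation prints, and the 1000 second threshold is the one the post states.

```python
"""Added example, not part of the original post: decode the ntpq fields the
post relies on (tally character, reach register, flash bits, 64-bit NTP
timestamps). The sample below is constructed from the peers output in the
post; the flash bit names follow the ntp reference implementation's ntpq."""
import re

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01

TALLY = {
    "*": "sys.peer (selected source)",
    "+": "candidate",
    "-": "outlier (discarded by clustering)",
    "x": "falseticker",
    "#": "excess (good, but not among the best)",
    " ": "rejected or unreachable",
}

# flash bits as printed by "rv" for an association; each set bit is a test
# the peer failed and therefore a reason it was not selected
FLASH_BITS = [
    (0x0001, "pkt_dup"), (0x0002, "pkt_bogus"), (0x0004, "pkt_unsync"),
    (0x0008, "pkt_denied"), (0x0010, "pkt_auth"), (0x0020, "pkt_stratum"),
    (0x0040, "pkt_header"), (0x0080, "pkt_autokey"), (0x0100, "pkt_crypto"),
    (0x0200, "peer_stratum"), (0x0400, "peer_dist"), (0x0800, "peer_loop"),
    (0x1000, "peer_unreach"),
]


def decode_flash(value):
    """'400' (hex, as ntpq prints it) -> ['peer_dist']."""
    bits = int(value, 16)
    return [name for bit, name in FLASH_BITS if bits & bit]


def decode_reach(value):
    """The reach column is an octal shift register of the last 8 polls:
    377 means all eight were answered, 0 none. Returns (answered, history)
    with history ordered oldest to newest."""
    reg = int(value, 8)
    history = [bool(reg >> i & 1) for i in range(7, -1, -1)]
    return history.count(True), history


def ntp_timestamp(value):
    """'d1e4505b.d456f5b0' (reftime=, org=, rec=, xmt= in rv output)
    -> (unix seconds, fraction of a second)."""
    secs_hex, frac_hex = value.split(".")
    return int(secs_hex, 16) - NTP_EPOCH_OFFSET, int(frac_hex, 16) / 2 ** 32


PEER_RE = re.compile(
    r"^(?P<tally>[ *+\-x#.o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$")


def parse_peers(text):
    """Turn 'ntpq> peers' output into dicts with the packed fields decoded."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue          # header, ruler or blank line
        d = m.groupdict()
        answered, _ = decode_reach(d["reach"])
        d.update(
            state=TALLY[d["tally"]],
            stratum=int(d["st"]),
            answered_polls=answered,
            initialising=d["refid"] == ".INIT." or int(d["st"]) == 16,
            offset_ms=float(d["offset"]),
        )
        peers.append(d)
    return peers


def needs_manual_set(offset_ms):
    """ntpd will not correct an offset above the 1000 second threshold the
    post describes; date or ntpdate has to bring the clock close first."""
    return abs(offset_ms) > 1000 * 1000


# constructed sample: the peers listing shown in the post
SAMPLE = """\
     remote           refid           st t when poll reach   delay   offset  jitter
=======================================================================================
*time.ferea.org       8.16.24.15       2 u  972 1024  377   28.066   -0.181   4.126
+dg1.rieta.net        15.15.26.3       3 u  467 1024  377  141.664  -23.531   0.140
 mighty.poclabs.      .STEP.          16 u    - 1024    0    0.000    0.000   0.000
 LOCAL(0)             .LOCL.          10 l   32   64  377    0.000    0.000   0.001
"""

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p["remote"], p["state"], "polls answered:", p["answered_polls"])
    print(decode_flash("400"))
    print(ntp_timestamp("d1e4505b.d456f5b0"))
```

A reach of 377 with a flash of 400 is the combination in the post's rv output: the server answers every poll, yet peer_dist says its root distance is beyond the selection threshold, which is why dispersion and rootdispersion are the next values to look at. The timestamp helper returns UTC epoch seconds; ntpq itself prints these in local time.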

Another useful aid is to run ntpdate with the -d switch :

# ntpdate -d time.rhl.com

17 Oct 00:20:51 ntpdate[26388]: ntpdate 4.2.2p1@1.1570-o Thu Nov 26 11:34:35 UTC 2009 (1)
Looking for host time.rhl.com and service ntp
host found : time.rhl.com
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
receive(66.125.13.54)
transmit(66.125.13.54)
server 66.125.13.54, port 123
stratum 1, precision -16, leap 00, trust 000
refid [CDMA], delay 0.32297, dispersion 0.00040
transmitted 4, in filter 4
reference time:    d245a5fe.2fdfe09b  Mon, Oct 17 2011  0:20:38.187
originate timestamp: d245a60c.e2117d1e  Mon, Oct 17 2011  0:20:52.883
transmit timestamp:  d245a60c.b9c9b413  Mon, Oct 17 2011  0:20:52.725
filter delay:  0.32361  0.32382  0.32297  0.32619
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.003892 0.004005 0.003607 0.004972
         0.000000 0.000000 0.000000 0.000000
delay 0.32297, dispersion 0.00040
offset 0.003607
17 Oct 00:20:53 ntpdate[26388]: adjust time server 66.187.233.4 offset 0.003607 sec

Most, if not all, ntp issues can be resolved with the information gathered from the above commands.

Do you have any tips on debugging ntp problems?

An Introduction to Shorewall Firewall


Shorewall is a very powerful, high level configuration tool for the Linux firewall subsystem. The Linux kernel has an inbuilt framework to manipulate network packets called Netfilter. A front end tool “Iptables” is used to configure this netfilter subsystem. Iptables is sufficient for simple configurations and personal firewalls. However, for complex configuration scenarios you can easily get lost and bogged down with its syntax and myriad options.

Shorewall provides a high level abstraction and keeps the underlying complexity hidden. This makes firewall configurations easier to design and manage. Think of it this way: Shorewall is to Iptables what C is to assembly language. Also, keep in mind that Shorewall is not a daemon that runs in the background. It simply generates the rules, applies them and gets out of the way.

To start with, I will cover a simple two interface firewall example configuration using Shorewall. We can move to more complex configurations in future posts.

In this scenario we have a server with one ADSL PPPOE connection – ppp0 and a local network on eth0. I have chosen this setup to hopefully explain the core concepts behind shorewall and set a stage for later enhancements.

1. First, install shorewall

# apt-get install shorewall

2. Shorewall configuration lives in the /etc/shorewall folder, which has only two files by default :

root@cronos:/etc/shorewall# ls
Makefile shorewall.conf

3. In order to configure a simple firewall we should, at least, set up the following files:

  • /etc/shorewall/zones
  • /etc/shorewall/interfaces
  • /etc/shorewall/policy
  • /etc/shorewall/rules

4. Configuration file skeletons are stored in /usr/share/doc/shorewall-common/default-config; however, we will be using the files from the two-interfaces example.

5. Except for shorewall.conf, copy all files from /usr/share/doc/shorewall-common/examples/two-interfaces to the /etc/shorewall directory :

root@cronos:/usr/share/doc/shorewall-common/examples/two-interfaces# ls
interfaces  masq  policy  README.txt  routestopped  rules  shorewall.conf  zones
root@cronos:/etc/shorewall# sudo cp /usr/share/doc/shorewall-common/default-config/zones zones
root@cronos:/etc/shorewall# ls
interfaces      Makefile      masq      policy    routestopped     rules    shorewall.conf     zones

6. Shorewall.conf

This is the main Shorewall configuration file. Most of the defaults should be fine, except :

  • To enable IP forwarding you have to set the IP_FORWARDING variable “on”
  • To disable IPv6 set DISABLE_IPV6 to “yes”
  • Since our external interface is ppp0 we will want to set CLAMPMSS=yes. This sets the MSS to 1452 which is recommended on pppoe connections.

7. Zones

The network zones are defined by this file. Zones are an abstraction that help identify different areas of a network. This is similar to the zones concept used in hardware based firewalls.

  • The $FW variable refers to Shorewall itself, which may be used to refer to the firewall zone throughout the Shorewall configuration.
  • Define a new zone called “modem” which will contain only our ADSL modem.

root@cronos:/etc/shorewall# cat zones
###########################################################
#ZONE   TYPE    OPTIONS           IN              OUT
#                                 OPTIONS         OPTIONS
fw              firewall
net             ipv4
loc             ipv4
modem           ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

8. Interfaces

This file is used to define the interfaces on the firewall and the zones they belong to.

root@cronos:/etc/shorewall# cat interfaces
###########################################################################
#ZONE   INTERFACE       BROADCAST             OPTIONS
net      ppp0              -      tcpflags,routefilter,nosmurfs,logmartians
modem    eth1            detect
loc      eth0            detect          tcpflags,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9. Masq

This file is used for masquerading and snat configuration. Masquerading or natting is used to allow a number of systems in a local network to get access to the internet over a single public IP.

Change the first column to the name of our external interface and the second column to the name of our internal interface.

root@cronos:/etc/shorewall# cat masq
########################################################################
#INTERFACE   SOURCE     ADDRESS    PROTO      PORT(S) IPSEC   MARK
ppp0          eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


With the above files we have described our simple network layout from the perspective of the firewall. Next, we have to define the firewall policy and rules.

10. Policy

The Policy file is used to define our default policy for connections from one zone to another zone. This describes which zones are allowed to establish connections with other zones. Later, we define exceptions to these default policies in the rules file to allow/deny desired traffic.

root@cronos:/etc/shorewall# cat policy
######################################################################
#SOURCE        DEST        POLICY     LOG LEVEL       LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc                        net                  ACCEPT
loc                       $FW                   REJECT                info
loc                        all                  REJECT                info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.

$FW                     net           ACCEPT
$FW                     loc           REJECT              info
$FW                     all           REJECT              info

#
# Policies for traffic originating from the Internet zone (net)
#
net                     $FW                     DROP      info
net                     loc                     DROP      info
net                     all                     DROP      info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

11. Rules

This file defines exceptions to the default policies established in the policy file. This is where you will be adding firewall rules to allow or deny traffic to the services running in your network, usually accomplished through DNAT or port forwarding rules.

root@cronos:/etc/shorewall# cat rules
################################################################################################
#ACTION    SOURCE    DEST    PROTO   DEST SOURCE      ORIGINAL    RATE            USER/   MARK
#                                    PORT PORT(S)     DEST        LIMIT           GROUP
#
#       Accept DNS connections from the firewall to the network
#
DNS/ACCEPT    $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH/ACCEPT      loc             $FW
#
#       Allow Ping from the local network
#
Ping/ACCEPT     loc             $FW

#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping/REJECT     net             $FW

ACCEPT          $FW             loc     icmp
ACCEPT          $FW             net     icmp
#

########################################################
# Custom Lines

#ACTION         SOURCE    DEST               PROTO     DEST PORT(S)
# <macro>/ACCEPT  $FW       <destination zone>
# ACCEPT          $FW       <destination zone> <protocol> <port>

## From Local Network ##
Web/ACCEPT      loc       $FW

VNC/ACCEPT      loc       $FW

## From Internet ##
# Port Forwarding

# DNAT          net       loc:[:]
# Web/DNAT      net       loc:10.10.10.2
# FTP/DNAT      net       loc:10.10.10.1

SSH/ACCEPT      net       $FW

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12. Starting shorewall

Automatic startup is disabled by default. To enable it, edit the file /etc/default/shorewall and set the startup variable to 1. Also, set wait_interface="ppp0".

root@cronos:/etc/shorewall# cat /etc/default/shorewall
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=1
wait_interface="ppp0"

The firewall is started using the shorewall start command and stopped using shorewall stop.

root@cronos:/# sudo shorewall start
Compiling...
Initializing...
Determining Zones...
 IPv4 Zones: net loc modem
 Firewall Zone: fw
Validating interfaces file...
...
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
done.

The shorewall stop command does not remove all netfilter rules and open the firewall to all traffic. Instead, it places the firewall in a safe state defined by the contents of the /etc/shorewall/routestopped file. Use the shorewall clear command to remove all netfilter rules.

Note: For pppoe connections, when the PPP interface for the ADSL link goes down, Shorewall needs to be restarted to take the new IP address assignments into account. We will need to restart the firewall by placing /sbin/shorewall restart in the /etc/ppp/ip-up.d directory.

root@cronos:/etc/ppp/ip-up.d# cat shorewall
#!/bin/sh
/sbin/shorewall -f restart
exit 0

This concludes the short introduction to Shorewall. A lot has been introduced above and I haven’t gone through the details of each configuration file, since most of it is quite self-explanatory. Hopefully, that is enough to get started on Shorewall.

To truly admire Shorewall’s versatility, however, we need to explore more complex setups such as multi-ISP, load balancing, active failover, traffic shaping etc. I hope to bring these topics in future posts.

4. Configuration file skeletons are stored here, however we will be using the files from the two-interfaces example.

#:/usr/share/doc/shorewall-common/default-config$ ls
accounting  continue  init        ipsec     masq     netmap  providers    routestopped  started  tcclasses  tos      zones
actions     ecn       initdone    ipsecvpn  modules  params  proxyarp     rules         stop     tcdevices  tunnel
blacklist   hosts     interfaces  maclist   nat      policy  route_rules  start         stopped  tcrules    tunnels

5. Except for shorewall.conf, copy all files from /usr/share/doc/shorewall-common/examples/two-interfaces to the /etc/shorewall directory

#:/usr/share/doc/shorewall-common/examples/two-interfaces$ ls
interfaces  masq  policy  README.txt  routestopped  rules  shorewall.conf  zones

#:/etc/shorewall$ sudo cp /usr/share/doc/shorewall-common/default-config/zones zones
#:/etc/shorewall$ ls
interfaces  Makefile  masq  policy  routestopped  rules  shorewall.conf  zones

6. shorewall.conf

* IP forwarding is neither enabled nor disabled. It is set to “keep”. To enable IP forwarding you have to set the IP_FORWARDING variable to “on”.

* IPv6 support is enabled by default. To disable it set DISABLE_IPV6 to “yes”.

* Since our external interface is ppp0 we will want to set CLAMPMSS=yes.

7. zones

* This file is used to define the network zones

* Shorewall recognizes the firewall system as its own zone. The name of the firewall zone is stored in the shell variable $FW which may be used to refer to the firewall zone throughout the Shorewall configuration.

* Define a new zone called “modem” which will contain only our ADSL modem.

#:/etc/shorewall$ cat zones

###############################################################################
#ZONE   TYPE    OPTIONS              IN              OUT
#                                    OPTIONS            OPTIONS
fw      firewall
net     ipv4
loc     ipv4
modem   ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

8. interfaces

* This file is used to tell the firewall which of your firewall’s network interfaces are connected to which zone.

#:/etc/shorewall$ cat interfaces

###############################################################################
#ZONE   INTERFACE       BROADCAST    OPTIONS
net     ppp0            -               tcpflags,routefilter,nosmurfs,logmartians
modem   eth1            detect
loc     eth0            detect          tcpflags,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9. masq

* Masquerade describes the case where you let your firewall system automatically detect the external interface address.

* SNAT refers to the case when you explicitly specify the source address that you want outbound packets from your local network to use.

* In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static.

* Edit /etc/shorewall/masq and change the first column to the name of your external interface and the second column to the name of your internal interface.

#:/etc/shorewall$ cat masq

###############################################################################
#INTERFACE              SOURCE       ADDRESS         PROTO      PORT(S) IPSEC   MARK
ppp0                    eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

10. policy

* Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

* We express our default policy for connections from one zone to another zone in the /etc/shorewall/policy file.

* We define exceptions to those default policies in the /etc/shorewall/rules file.

* This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests.

* Policies defined in /etc/shorewall/policy describe which zones are allowed to establish connections with other zones.

#:/etc/shorewall$ cat policy

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

#
# Note about policies and logging:
#       This file contains an explicit policy for every combination of
#       zones defined in this sample.  This is solely for the purpose of
#       providing more specific messages in the logs.  This is not
#       necessary for correct operation of the firewall, but greatly
#       assists in diagnosing problems. The policies below are logically
#       equivalent to:
#
#       loc     net             ACCEPT
#       net     all             DROP    info
#       all     all             REJECT          info
#
#       The Shorewall-perl compiler will generate the individual policies
#       below from the above general policies if you set
#       EXPAND_POLICIES=Yes in shorewall.conf.
#

# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc             net             ACCEPT
loc             $FW             REJECT          info
loc             all             REJECT          info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.

# $FW           net             REJECT          info

$FW             net             ACCEPT
$FW             loc             REJECT          info
$FW             all             REJECT          info

#
# Policies for traffic originating from the Internet zone (net)
#
net             $FW             DROP    info
net             loc             DROP    info
net             all             DROP    info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

11. rules

* The /etc/shorewall/rules file defines exceptions to the policies established in the /etc/shorewall/policy file.

* There is one entry in /etc/shorewall/rules for each exception. Entries in this file only govern the establishment of new connections: packets that are part of an existing connection, or that establish a connection related to an existing one, are automatically accepted.

* Rules : http://www.shorewall.net/3.0/Documentation.htm#Rules

#:/etc/shorewall$ cat rules

#############################################################################################################
#ACTION         SOURCE          DEST    PROTO   DEST SOURCE             ORIGINAL        RATE            USER/   MARK
#                                               PORT PORT(S)            DEST            LIMIT           GROUP
#
#       Accept DNS connections from the firewall to the network
#

# DNS/ACCEPT    $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH/ACCEPT      loc             $FW
#
#       Allow Ping from the local network
#
Ping/ACCEPT     loc             $FW

#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping/REJECT     net             $FW

ACCEPT          $FW             loc     icmp
ACCEPT          $FW             net     icmp
#

########################################################
# Custom Lines

#ACTION         SOURCE    DEST               PROTO     DEST PORT(S)
# <macro>/ACCEPT  $FW       <destination zone>
# ACCEPT          $FW       <destination zone> <protocol> <port>

## From Local Network ##
# Accept DNS requests from local nw

DNS/ACCEPT      loc       $FW

Web/ACCEPT      loc       $FW

VNC/ACCEPT      loc       $FW

## From Internet ##
# Port Forwarding

# DNAT          net       loc:[:]
# Web/DNAT      net       loc:10.10.10.2
# FTP/DNAT      net       loc:10.10.10.1
SSH/ACCEPT      net       $FW

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12. Port Forwarding (DNAT)

* Port forwarding configuration is done using DNAT rules in the /etc/shorewall/rules file.

The general form of a simple port forwarding rule in /etc/shorewall/rules is:

#ACTION   SOURCE    DEST                                          PROTO      DEST PORT(S)
DNAT      net       loc:[:]

* Shorewall has macros for many popular applications. Look at /usr/share/shorewall/macro.* to see what is available.

* Macros simplify creating DNAT rules by supplying the protocol and port(s) as shown in the following examples.

#:/usr/share/shorewall$ ls
action.Drop       macro.BitTorrent  macro.HTTPS         macro.Jetdirect  macro.PostgreSQL  macro.SPAMD       macro.Web
action.Reject     macro.CVS         macro.ICQ           macro.L2TP       macro.Printer     macro.SSH         macro.Webmin
actions.std       macro.Distcc      macro.IMAP          macro.LDAP       macro.Rdate       macro.Submission  macro.Whois
action.template   macro.DNS         macro.IMAPS         macro.LDAPS      macro.RDP         macro.SVN         Makefile-lite
configpath        macro.Drop        macro.IPIP          macro.MySQL      macro.Reject      macro.Syslog      modules
firewall          macro.DropDNSrep  macro.IPP           macro.NNTP       macro.Rsync       macro.Telnet      rfc1918
lib.base          macro.DropUPnP    macro.IPPserver     macro.NNTPS      macro.SixXS       macro.Telnets     strip
lib.cli           macro.Edonkey     macro.IPsec         macro.NTP        macro.SMB         macro.template    version
lib.config        macro.Finger      macro.IPsecah       macro.NTPbrd     macro.SMBBI       macro.TFTP        wait4ifup
lib.dynamiczones  macro.FTP         macro.IPsecnat      macro.PCA        macro.SMBswat     macro.Time
macro.AllowICMPs  macro.Gnutella    macro.Jabberd       macro.Ping       macro.SMTP        macro.Trcrt
macro.Amanda      macro.GRE         macro.JabberPlain   macro.POP3       macro.SMTPS       macro.VNC
macro.Auth        macro.HTTP        macro.JabberSecure  macro.POP3S      macro.SNMP        macro.VNCL

* Example :

#ACTION         SOURCE    DEST             PROTO     DEST PORT(S)
Web/DNAT        net       loc:10.10.10.2

VNC/ACCEPT      loc       $FW
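As an added illustration (not code from this page or from Shorewall itself), the Python expander below shows what a macro contributes to a rule: it reads constructed stand-ins for macro.Web and macro.SSH and turns `Web/DNAT net loc:10.10.10.2` into one plain rule per PROTO/DEST PORT pair the macro supplies, leaving non-macro lines untouched.

```python
"""Expand Shorewall-style macro invocations (e.g. Web/DNAT) into plain rules.

Added example, not Shorewall's own parser. It mimics how a macro file
supplies PROTO and DEST PORT(S) for a rule that only names ACTION, SOURCE
and DEST. The macro texts below are constructed samples, not copies of the
real /usr/share/shorewall/macro.* files.
"""
import re

# Constructed stand-ins for macro.Web and macro.SSH. Real macro files use the
# same convention: PARAM is replaced by the caller's action (DNAT, ACCEPT...),
# and '-' columns are taken from the invoking rule.
MACROS = {
    "Web": "#ACTION SOURCE DEST PROTO DEST_PORT\nPARAM - - tcp 80\nPARAM - - tcp 443\n",
    "SSH": "#ACTION SOURCE DEST PROTO DEST_PORT\nPARAM - - tcp 22\n",
}


def parse_macro(text):
    """Return the (proto, port) pairs declared by a macro file."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        cols = line.split()
        if cols[0] != "PARAM" or len(cols) < 5:
            raise ValueError("unsupported macro line: %r" % line)
        pairs.append((cols[3], cols[4]))
    return pairs


def expand_rule(rule, macros=MACROS):
    """Expand one rules-file line into a list of plain rule lines."""
    cols = rule.split()
    if not cols or cols[0].startswith("#"):
        return [rule]                      # comment or blank line
    m = re.match(r"^([A-Za-z0-9]+)/([A-Z]+)$", cols[0])
    if not m:
        return [rule]                      # plain action such as DNAT or ACCEPT
    name, action = m.groups()
    if name not in macros:
        raise KeyError("unknown macro %s" % name)
    if len(cols) < 3:
        raise ValueError("macro rule needs SOURCE and DEST: %r" % rule)
    source, dest = cols[1], cols[2]        # DEST (incl. any :port) passes through
    return ["%s %s %s %s %s" % (action, source, dest, proto, port)
            for proto, port in parse_macro(macros[name])]
```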

* Starting shorewall

* In order to avoid the startup of the firewall on an unconfigured machine, automatic startup, on boot, is disabled by default. To enable it just edit the file /etc/default/shorewall and set the startup variable to 1.

* Also, set wait_interface="ppp0"

#:/etc/shorewall$ cat /etc/default/shorewall
# prevent startup with default configuration
# set the following variable to 1 in order to allow Shorewall to start

startup=1

# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
# wait until the interface is configured. Otherwise the script will fail because
# it won't be able to detect the IP address.
#
# Example:
#    wait_interface="ppp0"
# or
#    wait_interface="ppp0 ppp1"
# or, if you have defined  in /etc/shorewall/params
#    wait_interface=

wait_interface="ppp0"

#
# Startup options
#

OPTIONS=""

# EOF
#:/etc/shorewall$

* The firewall is started using the shorewall start command and stopped using shorewall stop.

#:/$ sudo shorewall start
Compiling…
Initializing…
Determining Zones…
IPv4 Zones: net loc modem
Firewall Zone: fw
Validating interfaces file…
Validating hosts file…
Pre-processing Actions…
Pre-processing /usr/share/shorewall/action.Drop…
Pre-processing /usr/share/shorewall/action.Reject…
Validating Policy file…
Determining Hosts in Zones…
net Zone: ppp0:0.0.0.0/0
loc Zone: eth0:0.0.0.0/0
modem Zone: eth1:0.0.0.0/0
Deleting user chains…
Compiling /etc/shorewall/routestopped …
Creating Interface Chains…
Compiling Common Rules
Adding Anti-smurf Rules
Compiling TCP Flags checking…
Compiling Kernel Route Filtering…
Compiling Martian Logging…
Compiling IP Forwarding…
Compiling /etc/shorewall/rules…
Compiling Actions…
Compiling /usr/share/shorewall/action.Drop for Chain Drop…
Compiling /usr/share/shorewall/action.Reject for Chain Reject…
Compiling /etc/shorewall/policy…
Compiling Masquerading/SNAT
Compiling Traffic Control Rules…
Compiling Rule Activation…
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall….
Initializing…
Clearing Traffic Control/QOS
Deleting user chains…
Enabling Loopback and DNS Lookups
Creating Interface Chains…
Setting up SMURF control…
Setting up Black List…
Adding Anti-smurf Jumps…
Setting up TCP Flags checking…
Setting up ARP filtering…
Setting up Route Filtering…
Setting up Martian Logging…
Setting up Accept Source Routing…
IP Forwarding Enabled
Setting up SYN Flood Protection…
Setting up Rules…
Setting up Actions…
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies…
Setting up Masquerading/SNAT…
Activating Rules…
done.
#:/$

* When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped.

#:/etc/shorewall$ cat routestopped
#
# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-routestopped"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall-routestopped.html
#
# See
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
##############################################################################
#INTERFACE      HOST(S)                  OPTIONS
eth0            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

* The shorewall stop command does not remove all netfilter rules and open the firewall to all traffic. Instead, it places the firewall in a safe state defined by the contents of the /etc/shorewall/routestopped file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf.

* If you want to remove all Netfilter rules and open your firewall for all traffic to pass, use the shorewall clear command.

* If you change your configuration and want to install the changes, use the shorewall restart command.

For pppoe

When the PPP interface for the ADSL link goes down and comes back up, Shorewall needs to be restarted so that it picks up the new IP address assignment.

To do this, place a script that runs /sbin/shorewall restart in the /etc/ppp/ip-up.d directory; pppd runs every executable in that directory each time a link comes up.

root@ubuntu:/etc/ppp/ip-up.d# cat shorewall
#!/bin/sh
# Run by pppd after the link is up; -f reuses the previously compiled
# firewall script instead of recompiling the configuration.

/sbin/shorewall -f restart

exit 0
root@ubuntu:/etc/ppp/ip-up.d#