Linking ipset into Shorewall

bwdjames · March 27, 2016, 6:55pm

I have created 2 IPSets and got the populated without any issues as well as getting the ipset-save and ipset restored setup so that it ipsets are persistent between reboots.

The aim of the 2 IP sets is to block inbound connections from either IP addresses or IP ranges on my red zone ppp0 internet connection.

So ideally, I would like these 2 IPSets to be the first 2 rules on the IPTables INPUT rule for the ppp connection (hot internet / red zone). I have had this setup working with iptables in ClearOS 6,6 with no issues.

The problem is that I haven’t managed to fully wrap my mind around Shorewall yet and I don’t know how to implement the above.

Does anyone have any pointers as to how to do it and some actual examples which I could follow to implement it?

Nas · March 27, 2016, 8:41pm

Hi, @bwdjames

Shorewall it is a simple configurable add-in feature for iptables.
All incoming connectios is blocked by default and in /etc/shorewall/rules we have rules to ACCEPT the connection for services like “Apache” and so on.

if you want to accept the connection for apropriate network range you need to specify it like:

net:8.8.8.0/24

bwdjames · March 28, 2016, 9:38am

Hi @Nas,

Thanks for the reply.

My aim of the IPSets are to completely drop all traffic from the IP Addresses/ranges specified in the IPSets.

As the /etc/shorewall/rules is generated from a template and should not be modified directly, how do I enter the relevant information to make the Shorewall rule persistent?

Nas · March 28, 2016, 10:48am

Hi, you can create the custom template for the /etc/shorewall/rules file and changes will be persists.

bwdjames · March 28, 2016, 2:03pm

Right, even though it is staring me in the face, I am having stupidly thick moment. Part of it is that this is the first time I am using Nethserver as well as Shorewall.

Exactly how do I specify that the specified rules in the template are processed so they end up at the top of the processing list?

giacomo · March 29, 2016, 7:30am

Shorewall already supports ipset but probably you don’t need them for your configuration in NethServer.
If I understand correctly, you have a static list of IPs to be blocked.

So you can do this:

create all the hosts inside ass firewall objects (Eg. host1, host2, host3)
create a host group containing all the hosts (Eg. bad_hosts)
create a new rule: BLOCK from bad_hosts to ANY

bwdjames · March 29, 2016, 10:50am

Basically I have a list of public networks and single public IP addresses which I know are bad IPs which attacks come from.

I wish to have 2 rules (1 for the list of network addresses and 1 for the IP addresses) to block/blacklist them and not to log any activity from them in the log files.

The aim of this is as follows:

I categorically know that they cannot access any services at all instead of blocking them one one service when they try to attack it and then have them attempting to get in via another service.
Prevent log file pollution that these networks or IP addresses would create.

bwdjames · March 29, 2016, 2:23pm

My apologies if I am sounding a bit thick, stupid and frustrated on this topic guys. NethServer and Shorewall is somewhat new to me and the methodologies that Shorewall uses is somewhat different from what I am used to and its taking a bit of time to get used to it.

Other than that, Nethserver looks to be a great product and I can’t wait to fully get my head around it enough to start giving back to the community effectively.

giacomo · March 29, 2016, 2:32pm

No need to apology, your questions are very pertinent!

You can simply follow my instructions on the previous post.
Since you want to block a network address, create also a CIDR object and a rule which block all the traffic from this object.

Feel free to ask more questions!

bwdjames · March 29, 2016, 3:51pm

Hi @giacomo,

Thank you for your patience and help.

Is there a way that this can be created or updated in a script as I would like it to be updated dynamically by script? I have done a quick Google search on the internet and nothing standards out with regards to doing this in a script.

I don’t feel like spending days entering a couple of hundred or thousand records to start with, especially having to add potentially dozens of records a day manually is something I don’t really want to do.

giacomo · March 29, 2016, 4:04pm

I thought the list of bad hosts was static, now the scenario is much clearer.

You should use Shorewall blacklist support, see the “Dynamic Blacklisting” chapter: http://shorewall.net/blacklisting_support.htm

Basically, from a script you can do something like this:

 shorewall drop 1.2.3.4
 shorewall reject 4.5.6.7

And if you want to persist the modification:

 shorewall save

I didn’t look where Shorewall saves this information, but I think you should add this file to configuration backup

bwdjames · March 29, 2016, 9:00pm

My apologies for not making it clearer. And thanks for the reply.

I looked at the link you provided (http://shorewall.net/blacklisting_support.htm) and managed to implement the IPSet version of it and I can see that the rule is being hit a couple of time now.

Thank you for the help so far!

If I may be a pedantic little sod (note the Cheshire cat grin on my face) and ask a different question: If I add a firewall rule to the /etc/shorewall/blrules file with the source as net (being the internet) and the destination being fw (being the ppp connection), how can I ensure that these rules end up as the first rules on the iptables INPUT list of rules?

giacomo · March 30, 2016, 7:09am

You can’t and you don’t need to, Shorewall takes cares of the logic and add blacklist rules in the right place.
If you really want to put custom rules inside the INPUT table, which is very discouraged, you should use extension scripts: http://shorewall.net/shorewall_extension_scripts.htm

alefattorini · March 30, 2016, 9:03am

Ehi James, welcome aboard! Glad to see you’re working very hard on NethServer
As rightly @giacomo already said one of the rules here is

Don’t be afraid to ask ‘stupid questions’. Someone else will learn from every stupid question that you ask.

How would you like to be involved in our community?

bwdjames · March 30, 2016, 12:45pm

@giacomo Thanks for the input. Digging around in the Shorewall docs and examples and config files indicate that the rules I put in are close enough to the top to have the desired effect.

Thanks for all the help on this!

bwdjames · March 30, 2016, 12:52pm

@alefattorini thank you for the warm welcome!

How would I like to be involved in the community? Good question, I am not sure as yet. I would like to contribute somehow, but sometimes there are time constraints.

I have started helping on the Fail2Ban testing for one.

One idea does come to mind, wouldn’t mind putting to get a little HOWTO or wiki article which covers the implementation of this topic that I was struggling with. The information was scattered around and it would be good to have a step-by-step guide from beginning to end and real live example config files, etc in one “article” for new people to look at to help them implement it.

Would that be something of some use to people?

alefattorini · March 30, 2016, 1:46pm

Love it, please create a new page there and ask here the community feedback opening a new topic
For getting started: http://wiki.nethserver.org/doku.php?id=howto:tips_to_create_how-to_s
I suggest you start from a small howto you can improve along the way

bwdjames · March 30, 2016, 2:44pm

Thanks for the tip and I will get into this shortly, most probably sometime early next week I shall start something there. Just need to do a bit of reading up and also catch my breath a bit.