On 07/03/2017 07:12 AM, Domibay - Hugo wrote:
> Hi there,
>
> On a Server that has its Firewall configured with Shorewall there is an
> application running that dynamically inserts and deletes its own rules
> in the Firewall.
> To work properly it needs some configurations in the Firewall.
> 1) Some IPs that are directly configured to be preferred
> 2) A Custom Chain that holds Rules to define Actions on dynamically
> inserted IPs
>
> # shorewall show raw
> Shorewall 5.0.14.1 RAW Table at dev-lan34.domibay.org - lun jul 3 14:50:09 WEST 2017
> Counters reset lun jul 3 13:50:33 WEST 2017
> Chain PREROUTING (policy ACCEPT 49746 packets, 2017K bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- * * 80.32.1.20 0.0.0.0/0
> 0 0 ACCEPT all -- * * 217.125.25.169 0.0.0.0/0
> Chain BLOCKLIST (0 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 10 LOG flags 0 level 4
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> # iptables -t filter -nL INPUT
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 80.32.1.20 0.0.0.0/0
> ACCEPT all -- 217.125.25.169 0.0.0.0/0
>
> To achieve this configuration I wanted to create an "initdone" script
> with the Shorewall-perl API:
>
> [2017-07-03 14:02:18 - root@dev-lan34 shorewall]# cat initdone
> use strict;
> use warnings;
> use lib '/usr/share/shorewall';
> use Shorewall::Chains;   # exports %chain_table, add_rule, new_manual_chain, ...
> use Data::Dump qw(dump);
>
> # Built-in chains that the static ACCEPT rules go into
> my $chainpreroute = $chain_table{"raw"}{"PREROUTING"};
> my $chaininput = $chain_table{"filter"}{"INPUT"};
> # Custom chain for the dynamically inserted IPs
> # (new_manual_chain creates it in the filter table)
> #my $chainblocklist = new_chain "raw", "BLOCKLIST";
> my $chainblocklist = new_manual_chain "BLOCKLIST";
> #my $chainblocklist = $chain_table{"raw"}{"BLOCKLIST"};
>
> # Dump the freshly created chain for inspection
> print "nw mnl chn dmp:\n"
> . dump($chainblocklist);
> print "\n";
>
> my $sipnet1 = "80.32.1.20";
> my $sipnet2 = "217.125.25.169";
>
> my $srulenet1accept = "-s $sipnet1 -j ACCEPT";
> my $srulenet2accept = "-s $sipnet2 -j ACCEPT";
> my $sruleblocklistlog = "-m limit --limit 10/sec --limit-burst 10 -j LOG";
> my $sruleblocklistdrop = "-j DROP";
>
> my $iscs = 1;
>
> # Preferred IPs: accept in raw PREROUTING and in filter INPUT
> add_rule $chainpreroute, $srulenet1accept;
> add_rule $chainpreroute, $srulenet2accept;
> add_rule $chaininput, $srulenet1accept;
> add_rule $chaininput, $srulenet2accept;
>
> # Rules for the custom chain: rate-limited LOG, then DROP
> add_rule $chainblocklist, $sruleblocklistlog;
> add_rule $chainblocklist, $sruleblocklistdrop;
>
> print "tbl raw dmp:\n"
> . dump($chain_table{"raw"});
> print "\n";
>
> print "tbl filter dmp:\n"
> . dump($chain_table{"filter"});
> print "\n";
>
> # Extension scripts must return true
> return $iscs;
>
> I found that the IPs from $srulenet1accept and $srulenet2accept were
> published in the Firewall, but the Custom Chain was not published at all.
>
> I was visualizing the Content of $chain_table to see how the Custom
> Chain was created in Shorewall and I saw:
>
> # shorewall check
> Checking using Shorewall 5.0.14.1...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Interface "lan enp3s0 tcpflags,nosmurfs,logmartians" Validated
> Determining Hosts in Zones...
> fw (firewall)
> lan (ipv4)
> enp3s0:0.0.0.0/0
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Policy for lan to fw is DROP using chain lan-all
> Policy for fw to lan is REJECT using chain fw-all
> Running /etc/shorewall/initdone...
>
> $chainblocklist
> {
> cmdlevel => 0,
> filtered => 0,
> log => 1,
> loglevel => "",
> manual => 1,
> name => "BLOCKLIST",
> optflags => 0,
> origin => "",
> referenced => 1,
> references => {},
> restriction => 0,
> rules => [],
> table => "filter",
> }
>
> $chain_table{"filter"}{"BLOCKLIST"}
> was also created and the rules were added:
> "BLOCKLIST" => {
> cmdlevel => 0,
> complete => 1,
> filtered => 0,
> log => 1,
> loglevel => "",
> manual => 1,
> name => "BLOCKLIST",
> optflags => 0,
> origin => "",
> referenced => 1,
> references => {},
> restriction => 0,
> rules => [
> {
> cmdlevel => 0,
> comment => "",
> jump => "j",
> limit => "--limit 10/sec --limit-burst 10",
> matches => ["limit", "targetopts"],
> mode => 1,
> origin => "",
> simple => 0,
> target => "LOG",
> targetopts => "",
> },
> {
> cmdlevel => 0,
> comment => "",
> jump => "j",
> matches => ["targetopts"],
> mode => 1,
> origin => "",
> simple => 1,
> target => "DROP",
> targetopts => "",
> },
> ],
> table => "filter",
> },
>
> but finally the new Custom Chain was not published in the Firewall
>
> Researching the Logs I found this notice:
> # vi /var/log/shorewall-init.log
> Jul 3 13:10:10 Chain BLOCKLIST deleted
>
> You will also find the Shorewall Dump attached. There you can see
> additional details.
>
> So I am wondering why was my Manual Chain deleted?
>
> Please, let me know if you see how I can achieve this Firewall
> Configuration I am looking for.
>
> Best Regards,
> Hugo

Hugo,

There are no references to the chain, so by default the compiler simply
deletes it. So either there must be a rule that jumps to the chain, or you
need to set the "don't delete" flag on the chain. That flag is set by the
dont_delete() function in Chains.pm.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
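A corrected initdone along the lines Tom describes, as an added example that is not part of the thread and not Shorewall's own code. It keeps Hugo's rules and addresses and adds the one missing step: marking the manual chain with dont_delete(), which Tom says lives in Chains.pm, so the compiler keeps a chain that nothing jumps to at compile time (the application adds those jumps at runtime). Assumed, not confirmed by the thread: that dont_delete accepts the chain reference returned by new_manual_chain (it is called fully qualified here so the example does not depend on it being exported), and that %chain_table, add_rule and new_manual_chain are imported by `use Shorewall::Chains` exactly as they were in Hugo's script.

```perl
# /etc/shorewall/initdone -- added example, not the original poster's script
use strict;
use warnings;
use lib '/usr/share/shorewall';
use Shorewall::Chains;   # %chain_table, add_rule, new_manual_chain (as in the thread)

# Addresses that must always be accepted (the two from the original post)
my @preferred = qw( 80.32.1.20 217.125.25.169 );

my $preroute = $chain_table{raw}{PREROUTING};
my $input    = $chain_table{filter}{INPUT};

for my $ip ( @preferred ) {
    add_rule $preroute, "-s $ip -j ACCEPT";
    add_rule $input,    "-s $ip -j ACCEPT";
}

# Custom chain for dynamically inserted IPs. new_manual_chain() puts it in the
# filter table. At compile time no rule references it, so without the flag the
# compiler deletes it (the "Chain BLOCKLIST deleted" notice in the log).
my $blocklist = new_manual_chain 'BLOCKLIST';

# Assumed signature: takes the chain reference; called fully qualified so it
# works whether or not the function is in Chains.pm's export list.
Shorewall::Chains::dont_delete( $blocklist );

# Rate-limited LOG, then DROP, exactly as in the original script
add_rule $blocklist, '-m limit --limit 10/sec --limit-burst 10 -j LOG';
add_rule $blocklist, '-j DROP';

1;   # extension scripts must return true
```

Tom's other option, a compile-time rule in a Shorewall-managed chain that jumps to BLOCKLIST, would keep the chain too, but it would also send matching traffic there before the application has populated anything. Since the jumps here are inserted at runtime by the application, the flag is the better fit; after `shorewall compile` and `shorewall restart`, `iptables -t filter -nL BLOCKLIST` should show the empty-reference chain with its LOG and DROP rules, which is the check that the flag took effect.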
