From: Tom E. <te...@sh...> - 2017-07-03 15:26:07

On 07/03/2017 07:12 AM, Domibay - Hugo wrote:
> Hi there,
>
> On a Server that has its Firewall configured with Shorewall there is an
> application running that dynamically inserts and deletes its own rules
> in the Firewall.
> To work properly it needs some configurations in the Firewall.
> 1) Some IPs that are directly configured to be preferred
> 2) A Custom Chain that holds Rules to define Actions on dynamically
> inserted IPs
>
> # shorewall show raw
> Shorewall 5.0.14.1 RAW Table at dev-lan34.domibay.org - lun jul 3 14:50:09 WEST 2017
> Counters reset lun jul 3 13:50:33 WEST 2017
> Chain PREROUTING (policy ACCEPT 49746 packets, 2017K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       80.32.1.20           0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       217.125.25.169       0.0.0.0/0
> Chain BLOCKLIST (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 10 LOG flags 0 level 4
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> # iptables -t filter -nL INPUT
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  80.32.1.20           0.0.0.0/0
> ACCEPT     all  --  217.125.25.169       0.0.0.0/0
>
> To achieve this configuration I wanted to create an "initdone" script
> with the Shorewall-perl API:
>
> [2017-07-03 14:02:18 - root@dev-lan34 shorewall]# cat initdone
> use lib '/usr/share/shorewall';
> use Shorewall::Chains;
> use Data::Dump qw(dump);
>
> my $chainpreroute = $chain_table{"raw"}{"PREROUTING"};
> my $chaininput = $chain_table{"filter"}{"INPUT"};
> #my $chainblocklist = new_chain "raw", "BLOCKLIST";
> my $chainblocklist = new_manual_chain "BLOCKLIST";
> #my $chainblocklist = $chain_table{"raw"}{"BLOCKLIST"};
>
> print "nw mnl chn dmp:\n"
>     . dump($chainblocklist);
> print "\n";
>
> my $sipnet1 = "80.32.1.20";
> my $sipnet2 = "217.125.25.169";
>
> my $srulenet1accept = "-s $sipnet1 -j ACCEPT";
> my $srulenet2accept = "-s $sipnet2 -j ACCEPT";
> my $sruleblocklistlog = "-m limit --limit 10/sec --limit-burst 10 -j LOG";
> my $sruleblocklistdrop = "-j DROP";
>
> my $iscs = 1;
>
> add_rule $chainpreroute, $srulenet1accept;
> add_rule $chainpreroute, $srulenet2accept;
> add_rule $chaininput, $srulenet1accept;
> add_rule $chaininput, $srulenet2accept;
>
> add_rule $chainblocklist, $sruleblocklistlog;
> add_rule $chainblocklist, $sruleblocklistdrop;
>
> print "tbl raw dmp:\n"
>     . dump($chain_table{"raw"});
> print "\n";
>
> print "tbl filter dmp:\n"
>     . dump($chain_table{"filter"});
> print "\n";
>
> return $iscs;
>
> I found that the IPs from $srulenet1accept and $srulenet2accept were
> published in the Firewall, but the Custom Chain was not published at all.
>
> I was visualizing the Content of $chain_table to see how the Custom
> Chain was created in Shorewall and I saw:
>
> # shorewall check
> Checking using Shorewall 5.0.14.1...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Interface "lan enp3s0 tcpflags,nosmurfs,logmartians" Validated
> Determining Hosts in Zones...
>    fw (firewall)
>    lan (ipv4)
>       enp3s0:0.0.0.0/0
> Locating Action Files...
> Checking /etc/shorewall/policy...
>    Policy for lan to fw is DROP using chain lan-all
>    Policy for fw to lan is REJECT using chain fw-all
> Running /etc/shorewall/initdone...
>
> $chainblocklist
> {
>   cmdlevel => 0,
>   filtered => 0,
>   log => 1,
>   loglevel => "",
>   manual => 1,
>   name => "BLOCKLIST",
>   optflags => 0,
>   origin => "",
>   referenced => 1,
>   references => {},
>   restriction => 0,
>   rules => [],
>   table => "filter",
> }
>
> $chain_table{"filter"}{"BLOCKLIST"} was also created and the rules were added:
> "BLOCKLIST" => {
>   cmdlevel => 0,
>   complete => 1,
>   filtered => 0,
>   log => 1,
>   loglevel => "",
>   manual => 1,
>   name => "BLOCKLIST",
>   optflags => 0,
>   origin => "",
>   referenced => 1,
>   references => {},
>   restriction => 0,
>   rules => [
>     {
>       cmdlevel => 0,
>       comment => "",
>       jump => "j",
>       limit => "--limit 10/sec --limit-burst 10",
>       matches => ["limit", "targetopts"],
>       mode => 1,
>       origin => "",
>       simple => 0,
>       target => "LOG",
>       targetopts => "",
>     },
>     {
>       cmdlevel => 0,
>       comment => "",
>       jump => "j",
>       matches => ["targetopts"],
>       mode => 1,
>       origin => "",
>       simple => 1,
>       target => "DROP",
>       targetopts => "",
>     },
>   ],
>   table => "filter",
> },
>
> But finally the new Custom Chain was not published in the Firewall.
>
> Researching the Logs I found this notice:
> # vi /var/log/shorewall-init.log
> Jul 3 13:10:10 Chain BLOCKLIST deleted
>
> You also find the Shorewall Dump attached. There you can see additional
> Details.
>
> So I am wondering why my Manual Chain was deleted?
>
> Please, let me know if you see how I can achieve this Firewall
> Configuration I am looking for.
>
> Best Regards,

Hugo,

There are no references to the chain, so by default the compiler simply
deletes it. So either there must be a rule that jumps to the chain, or
you need to set the "don't delete" flag on the chain. That flag is set
by the dont_delete() function in Chains.pm.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
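An initdone script that applies Tom's second option, written here as an added example and not taken from the thread or from Shorewall's own code. It keeps Hugo's chain and rule names, assumes that dont_delete() takes the chain reference returned by new_manual_chain as its only argument, and creates BLOCKLIST in the filter table, which is where Hugo's dump (table => "filter") shows new_manual_chain putting it:

```perl
# initdone user exit (added example): keep a manual chain that nothing in the
# compiled ruleset references, so the application can insert jumps to it later.
use strict;
use warnings;
use lib '/usr/share/shorewall';
use Shorewall::Chains;

# Source addresses that are always accepted, as in Hugo's script.
my @preferred = ( '80.32.1.20', '217.125.25.169' );

my $chainpreroute = $chain_table{raw}{PREROUTING};
my $chaininput    = $chain_table{filter}{INPUT};

for my $ip ( @preferred ) {
    add_rule $chainpreroute, "-s $ip -j ACCEPT";
    add_rule $chaininput,    "-s $ip -j ACCEPT";
}

# new_manual_chain creates the chain in the filter table. No compiled rule
# jumps to it (the application adds those at run time), so the compiler's
# unreferenced-chain cleanup would delete it, which is what the
# "Chain BLOCKLIST deleted" log line records.
my $chainblocklist = new_manual_chain 'BLOCKLIST';

add_rule $chainblocklist, '-m limit --limit 10/sec --limit-burst 10 -j LOG';
add_rule $chainblocklist, '-j DROP';

# Assumed call shape: dont_delete() is given the chain reference and sets the
# "don't delete" flag Tom describes, so the chain survives the cleanup pass.
dont_delete $chainblocklist;

# Tom's first option instead: a compiled rule that jumps into the chain.
# Give it a source match, because BLOCKLIST ends in an unconditional DROP:
#   add_rule $chaininput, '-s 198.51.100.7 -j BLOCKLIST';   # constructed sample IP

# The user exit returns true on success, as Hugo's script did.
return 1;
```

After `shorewall check` and `shorewall restart`, `shorewall show filter` should list `Chain BLOCKLIST (0 references)` with its LOG and DROP rules, and /var/log/shorewall-init.log should no longer contain the "Chain BLOCKLIST deleted" notice; if it still does, the dont_delete() argument shape assumed above is the first thing to verify against Chains.pm on the installed version.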