I'm using Shorewall on my server as simple standalone firewall and would like to use Docker as well.
By using a Docker container and its port redirection docker sets up its own iptables rules/chains which will be killed if shorewall is restarted. So the container will become unreachable.
Does anyone managed to save/restore the docker rules upon a shorewall restart or does anyone have another workaround?
See also:
I have this scenario and everything it's working OK, but I want to configure my Shorewall and I can't do it.
My interfaces are:
br0 (bridge of eth0)
tun0 (OpenVPN)
vnet* (each one of bridged interfaces with public IP's)
Public Main IP: 188.165.X.Y
OpenVPN IP's: 172.28.0.x
Bridge: public ip's
So, I have the next configuration for shorewall:
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
inet ipv4
road ipv4
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
inet br0 detect routeback
road tun+ detect routeback
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
$FW all ACCEPT
inet $FW DROP info
road all DROP
inet road DROP
/etc/shorewall/tunnels
#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:1194 inet 0.0.0.0/0
The problem is that even with shorewall running I am able to ping or connect to the virtual machines behind the bridge
I'd like to migrate my old pure iptables firewall configuration to a shorewall setup. I get the basics, but I haven't been able to replicate my existing knockd setup:
The setup in /etc/knockd.conf is simple:
[tmpAndPermKnock]
sequence = 10000,11000,12000
seq_timeout = 9
tcpflags = syn
start_command = /sbin/iptables -I tmpknock -s %IP% -j ACCEPT;
/sbin/iptables -F permknock;
/sbin/iptables -I permknock -s %IP% -j ACCEPT
cmd_timeout = 30
stop_command = /sbin/iptables -D tmpknock -s %IP% -j ACCEPT
Now I can easily link from my existing chains to these chains, e.g.:
iptables -A open-in -p tcp --dport 22 -j tmpknock
iptables -A open-in -p tcp --dport 80 -j permknock
How can I integrate this with a simple shorewall setup? I'm really just starting out with shorewall, and don't know how to perform the jump to my chains. I imagine, it would be something like this:
/etc/shorewall/rules (does not work):
#ACTION SOURCE DEST PROTO DEST
JUMP(tmpknock) net fw tcp 22
JUMP(permknock) net fw tcp 80
... but there's no JUMP action in http://shorewall.net/manpages/shorewall-rules.html ...
We have a linux router providing internet connectivity to several PCs. It's currently using shorewall to help make the iptables setup easier. Is there a way I can set it such that any individual host is prevented from using the entire line? I'm thinking setting the limit at 80%: So any one PC can't use more than 80% of bandwidth, thus if someone is downloading/uploading large files, the connection isn't completely overwhelmed.
I have a spambot that likes to spam my websites. I mailed to abuse@isp, but he ignored me.
Attacks always come from the same ip, and i used IISIP to add the spammer IP to all of my websites.
I am wondering, since i am using a linux box with shorewall as a firewall... maybe is better to filter at that level?
Which one has better performance with a list that might grow and become huge? IIS giving a 403 page to the spammers, or shorewall dropping the connections?